This post is also available in: heעברית (Hebrew)

Facial-recognition technology, which matches photos of unidentified victims or suspects against enormous databases of photos, has long drawn intense criticism from privacy advocates. Now, these privacy concerns have more to base on.

An intruder gained unauthorized access to a sensitive facial recognition database. The facial recognition startup Clearview AI disclosed that the intruder gained access to its list of customers, to the number of user accounts those customers had set up, and to the number of searches its customers have conducted. 

David Forscey, the managing director of the no-profit Aspen Cybersecurity Group, said the breach is concerning. “If you’re a law-enforcement agency, it’s a big deal, because you depend on Clearview as a service provider to have good security, and it seems like they don’t,” Forscey said. 

According to thedailybeast.com, the company’s notification said its servers were not breached and that there was “no compromise of Clearview’s systems or network.” The company also said it fixed the vulnerability and that the intruder did not obtain any law-enforcement agencies’ search histories. 

However, the fact that the company works with powerful law-enforcement agencies raises concerns about the possible consequences of this data breach.

A New York Times report said that the company had scraped 3 billion images from the internet, including from Facebook, YouTube, and Venmo. That process violated Facebook’s terms of service, according to the paper. It also created a resource that drew the attention of hundreds of law-enforcement agencies, including the FBI and the Department of Homeland Security, according to that report. 

In a follow-up story, the Times reported that law-enforcement officials have used the tools to identify children who are victims of sexual abuse.