Cyber Week in Review: Feb 28, 2020

Controversial Facial Recognition Start-up Hacked

Clearview AI, a controversial facial recognition start-up that gained prominence after the New York Times released an exposé about its activities last month, announced Wednesday that it had suffered a breach. According to a notification sent to its customers, the company’s entire client list was stolen, though the company claims no further information—such as the pictures uploaded to its database—was accessed. The company has stated that its technology is only used for legitimate law enforcement purposes, but it has faced intense scrutiny after the exposé showed it had scraped Facebook and other social media platforms for photos, stored sensitive images uploaded by law enforcement, and pitched its product to Paul Nehlen, a white-supremacist candidate for Congress.

Lawmakers Object to ICE Searching Maryland Driver’s License Database

 Maryland state lawmakers complained this week that U.S. Immigration and Customs Enforcement (ICE) has been conducting facial recognition searches on the state driver’s license database. In Maryland, law enforcement does not require prior court approval to do this, which is rare; in other states, like Utah, Vermont, and Washington, ICE has had to make requests to state officials before accessing driver’s license databases. Because Maryland issues special driver’s licenses for undocumented immigrants, immigration activists have expressed concern that ICE could use the data that it collects to target migrants. In response, Maryland Democratic lawmakers have proposed a bill that would force ICE to acquire a warrant for these kinds of activities in the future. For its part, ICE claims the searches are consistent with federal law and are not “routinely” used for civil immigration cases.

Court Rules YouTube Not a Public Forum

On Wednesday, the Ninth U.S. Circuit Court of Appeals ruled unanimously that YouTube is not a public forum and thus not “subject to judicial scrutiny under the First Amendment.” [PDF]. This means that privately operated platforms are allowed to censor content that violates their terms of use. The ruling is in response to a case brought by Prager University, a conservative non-profit, against YouTube and its parent company Google, which alleged YouTube’s opposition to conservative views led it to restrict advertising on certain videos. Prager also alleged that YouTube’s professed enthusiasm for free speech constituted false advertising, which was rejected by the court. Prager filed the lawsuit after YouTube flagged dozens of its videos as “inappropriate,” thereby stripping them of advertising and making them less accessible to students, libraries, and children. Google claimed vindication from the ruling and insisted that its products are not politically biased.

Apple Shareholders Express Human Rights Concerns in Vote

Nearly 41 percent of Apple’s shareholders voted in favor of a proposal that would require the company to report whether it was “publicly committed to respect freedom of expression as a human right.” Experts say the massive rise in shareholder concern for human rights—a similar proposal in 2018 only gained approximately 5 percent of the vote—will force Apple to respond in some way. The company has faced heavy criticism for yielding to pressure from the Chinese government to remove a mapping app used by protesters in Hong Kong from its app store last fall. SumOfUs, the advocacy group that filed the proposal, suggested that Apple’s cooperation with the Chinese government over the past ten years clearly had not advanced the cause of freedom and that it was time for the company to take a stronger stand.

Insights From the RSA Conference About Accused Chinese Hackers Abandoning Techniques After Indictments

In a keynote speech on Wednesday at the RSA security conference, CrowdStrike co-founder Dmitri Alperovitch argued that U.S. indictments against individual members of the People’s Liberation Army (PLA) have prevented them from using the same infrastructure in future cyberattacks. According to Alperovitch, hacking infrastructure associated with PLA hackers disappeared after the U.S. government publicized charges against them, unlike indicted Russian hackers who continue using the same infrastructure. His presentation came just weeks after the U.S. Department of Justice announced new charges against four members of the PLA for allegedly hacking Equifax in 2017. Some have questioned whether these “name-and-shame” tactics are effective in deterring or preventing future attacks, and Alperovitch’s talk suggests that they do impose some costs on PLA hackers. As Alperovitch also noted PLA cyber forces underwent a restructuring, and, as a result, hackers connected to China’s Ministry of State Security appear to be conducting most of the country’s cyber espionage in recent years.