Kash Hill recently joined The New York Times as a technology reporter, shifting from her previous role as a senior reporter with the Gizmodo Media Group. Ms. Hill originally broke into journalism as a blogger, first writing about legal news at Above The Law, and later starting her own blog on privacy called The Not-So Private Parts. In 2010, she took her blog to Forbes Magazine, where she covered technology and privacy as a senior online editor for four years. In 2014, Ms. Hill joined Fusion as a senior editor and ran its technology vertical, Real Future. When Fusion merged with Gizmodo Media Group in 2017, she joined the Special Projects Desk, a newly formed investigative journalism team at Gizmodo. Ms. Hill has hacked a smart home, lived in a monitored one, created a fake business and bought it a fake reputation, worked as a crowdsourced girlfriend, lived on Bitcoin, and spent a whole week writing in caps lock, because, in her words, “The best way to prepare people for future possible tech dystopias is for me to live in them and report back.” She and Surya Mattu received the 2018 Technology in Journalism Award from the National Press Foundation for their work on “The House That Spied On Me.” After joining The New York Times in 2019, the publication declared her “one of the most compelling and distinct writers on technology today.”
You recently published a piece, “The Secretive Company That Might End Privacy as We Know It,” which went viral for exposing a company that’s been supplying facial recognition technology to local police forces. How surprised were you when you discovered Clearview’s facial recognition technology?
As someone who’s been writing about privacy for over 10 years, I assumed facial recognition would be ubiquitous, and that we would be able to take a photo, match it with a name, and see an online footprint. But so far, tech companies have held back on that. At least in the U.S., Google said it was the one technology that they would hold back on developing. Facebook could easily build such a tool, and according to Business Insider they actually did build one, but they ultimately shut that down.
So, while I was expecting facial recognition to be ubiquitous, I was surprised to see it developed by a random little startup that experts had never heard of before, and I was also surprised that law enforcement agents were actively using it. The company scraped the web, where we put up lots of photos, and combined that with a facial recognition algorithm. At first, the company didn’t want to talk to me, but I talked to police officers that use the app, and they said it’s amazing, so I decided to investigate.
Everyone was using FaceApp, and then it turned out that Russian developers were using it to collect our data. How true is the assumption that all of our data is out there?
It’s definitely true. In October, I wrote about researchers at the University of Washington who had created a data set with four million photos of people taken from Flickr. They even hosted a “MegaFace Challenge” to see who could create the best facial recognition algorithm. The people in the data set didn’t have a clue they were in it, but it was still downloaded by more than 6,000 people, including, for instance, engineers and companies in China which have engaged in objectionable surveillance of Uighurs.
Is it safe to expect companies not to develop facial recognition technology?
Companies like Google have held it back for 10 years. It’s smaller actors that are pushing it.
Is that a strategic play on the part of large tech companies? I.e., Allowing smaller companies to take the heat for facial recognition tech, and then either contract those companies now or come out with proprietary tech later when it’s ubiquitous?
Yeah, I mean that’s the significance of Clearview. They’ve broken the taboo and crossed the line. I think there’ll be copycat companies and that it’ll open the door for bigger companies to do the same. The question is, how do we react to Clearview? What happens to that company? Is there some kind of law passed which makes this illegal? Do regulators crack down?
In that regard, what’s happened since you published the piece and exposed Clearview?
A lot has happened. Two class action lawsuits were filed in Illinois and then Virginia. There’ve been facial recognition bans proposed in multiple states. New Jersey’s Attorney General, Gurbir S. Grewal, banned the use of the app by New Jersey police officers and sent Clearview a cease-and-desist letter to stop advertising the role the company’s app played in a child predator sting. Massachusetts Senator Mark Markey called for an investigation. Oregon Senator Ron Wyden and his office plan to meet with the company. Twitter sent the company a cease-and-desist letter, and Google, YouTube, Venmo, and LinkedIn later followed. There’s a lot that can happen in terms of regulating facial recognition technology in the U.S.
Did Clearview violate terms of service (TOS) by using web scrapers?
This company just scrapes public data, so they didn’t agree to any terms. It’s a bit complicated because there was a case in the Ninth Circuit decided in September called hiQ Labs, Inc. v. LinkedIn Corp. hiQ scraped data from LinkedIn, and LinkedIn said, “Hey, you violated our TOS.” But the Ninth Circuit found that this was publicly available information and sided with hiQ Labs. (The court found that “using automated scripts to access publicly available data is not the sort of ‘breaking and entering’ into computers that the Computer Fraud and Abuse Act is intended to police,” according to the Electronic Frontier Foundation.)
The general response to your piece sounds amazing and so important, too. Out of curiosity, is this the biggest impact you’ve had with a single exposé?
I don’t know how familiar your readers are with my work, but there’ve been some stories that got a lot of attention. Last year, for example, I cut the five tech giants (Amazon, Facebook, Google, Microsoft, and Apple) out of my life, one by one, and then I published a series of eight pieces in Gizmodo called, “Goodbye Big Five.” That was a big talking point in various antitrust discussions. The year before that, I did a story called “The House That Spied on Me,” where I turned my apartment in San Francisco into a “smart home” and measured the data that left my home and came into it. Two years ago, I looked into how “People You May Know” works on Facebook, and the dangerous way in which its algorithm, for instance, outted sex workers to their clients. So there’ve been a lot of important pieces, but this is certainly the first time I’ve had multiple class action lawsuits filed and had legislators call for an app to be banned.
Any projects you’re working on right now?
I’m working on a baby which is due soon, so that’s my focus!
Fair enough! Any general privacy advice for us simpletons?
I would recommend Signal for encrypted messaging, and also because it’s quite convenient. It works on your phone or laptop seamlessly. I also think a password manager (e.g., 1Password or LastPass) is the single most important app a regular person can have for security. They lock each of your passwords behind a cryptographically complicated and unique key. I would also say to buy your sensitive products in cash, for instance, if you don’t want the world to know about your pregnancy plans.
It’s hard to give general privacy advice because it really differs from person to person, especially in terms of what someone considers “private.” That being said, in general, no one wants their accounts to be compromised, so password managers and 2FA (two-factor authentication) are really important because then it’s not just your password alone that’s a gate to your account but also a code you’re receiving.
Then, there are a lot of personal considerations. For instance, do you own a lot of Bitcoin? If so, you’ll probably attract a lot of hackers and need more security. Have you dated someone who’s abusive and likely to stalk you? Are you worried about companies knowing what you’ve purchased?
I just think there’s a big question right now about whether we’ll continue to have anonymity in public, whether we’ll be able to walk down the street with the assumption that we’re strangers, and whether we’ll be able to have conversations in restaurants without someone taking a photo and identifying who we are. It will change how we move through the world if we can no longer assume our anonymity. And then the bigger question around Clearview is just our ability to control information about ourselves, because we do create these extensive digital trails, and there’s a lot more public information about us now than ever before.