How did an anarcho-transsexual feminist hacker create software that The New York Times proclaimed might end privacy as we know it? And was he indeed the first to have the idea to scrape everyone’s photo off social media?

Howdy partner and welcome to the first episode of The Private Citizen, your weekly data privacy podcast! With a new podcast, introductions are in order. So at first, let me, your host, introduces myself.

I’ve been a professional tech journalist for just about eight years now and have been podcasting for thirteen years. It all started with a little show called Linux Outlaws which some of the old-timers might remember… These days, I’m a freelancer and try to maintain a modicum of journalistic integrity as a writer for hire in a world gone mad. If you’re interested in that part of my work, check out my daily newsletter on tech and policy news.

With The Private Citizen, I’m returning to the arena of weekly podcasts and I’m tackling what is, in my eyes, the most important topic today: The ongoing fight about privacy and freedom of speech in this increasingly unfree surveillance economy.

Every Wednesday, I will discuss a recent development in the fields of data privacy, IT security or policy pertaining to these topics. I will try to provide you with in-depth analysis – hopefully without boring you to tears – and enable you with copious links and source references to dig into the topic further, if you wish to do so.

I hope to encourage free thinking and doing your own research, instead of just reading headlines and then getting outraged about things we barely understand. Remember: Every story has at least two sides to it. In this vein, I welcome feedback from my listeners. Please tell me what you think about the show – anonymously or otherwise.

Clearview AI

As my first topic on this inaugural episode, I’d like to discuss the company Clearview AI and its product. In January, tech reporter Kashmir Hill, writing in the The New York Times, called it “the secretive company that might end privacy as we know it”.

Until recently, Hoan Ton-That’s greatest hits included an obscure iPhone game and an app that let people put Donald Trump’s distinctive yellow hair on their own photos.

Then Mr. Ton-That – an Australian techie and onetime model – did something momentous: He invented a tool that could end your ability to walk down the street anonymously, and provided it to hundreds of law enforcement agencies, ranging from local cops in Florida to the F.B.I. and the Department of Homeland Security.

His tiny company, Clearview AI, devised a groundbreaking facial recognition app. You take a picture of a person, upload it and get to see public photos of that person, along with links to where those photos appeared. The system – whose backbone is a database of more than three billion images that Clearview claims to have scraped from Facebook, YouTube, Venmo and millions of other websites – goes far beyond anything ever constructed by the United States government or Silicon Valley giants.

That last bit is quite a claim. I’m pretty sure it’s bullshit, as we know from the Snowden revelations that the NSA has been working on just such a system for years. In fact, the very same New York Times reported the following in 2014:

The National Security Agency is harvesting huge numbers of images of people from communications that it intercepts through its global surveillance operations for use in sophisticated facial recognition programs, according to top-secret documents.

The spy agency’s reliance on facial recognition technology has grown significantly over the last four years as the agency has turned to new software to exploit the flood of images included in emails, text messages, social media, videoconferences and other communications, the N.S.A. documents reveal. Agency officials believe that technological advances could revolutionize the way that the N.S.A. finds intelligence targets around the world, the documents show. The agency’s ambitions for this highly sensitive ability and the scale of its effort have not previously been disclosed.

The agency intercepts “millions of images per day” – including about 55,000 “facial recognition quality images” – which translate into “tremendous untapped potential,” according to 2011 documents obtained from the former agency contractor Edward J. Snowden.

Still, it is interesting to see such technology outside the realm of state-funded intelligence agencies and in the private sector. It is kind of weird that it took so long for this to happen, though.

Because, even though there’s no technical explanation of Clearview’s products anywhere, if we get right down to it, this is just a bunch of scripts doing OSINT by scraping publicly or semi-publicly available data off the ‘net. There’s probably a bunch of crawlers, similar to what the search engines or the Internet Archive’s Wayback Machine uses, indexing everything and then stuffing as much as possible onto some cloud servers. The “AI” part is most likely cobbled together from well-published image recognition algorithms. It probably sorts the images beforehand as much as possible and then when you upload a reference image, it goes off along pre-computed paths for the most part. If it then gets a hit, it pulls all the metadata and text information that was indexed together with the images and videos it downloaded.

I know, hindsight is 20/20, but it’s kind of obvious if you work in the field. Which is exactly why I’m sure every intelligence service worth their salt has been doing something similar for years.

Google, reportedly, also had the means to do this years ago, but held it back, because – in the words of its former CEO Eric Schmidt – it coul be used “in a very bad way.” It’s supposedly the only technology they ever decided not to develop.

Who is Hoan Ton-That?

But who’s the guy who came up with turning this into a private sector startup idea? Now, this is where the story gets interesting. Following along from a BuzzFeed article on Clearview’s police contracts, we get to this newsletter from the San Francisco Chronicle. Which leads to this Gawker story from 2009.

Hoan Ton-That
Hoan Ton-That (Photo: Terry Chay)

Yesterday’s ViddyHo worm, which spread over Google Talk and Gmail, has been linked by some to Hoan Ton-That, a San Francisco software developer. A very San Francisco software developer. Even if Ton-That had nothing to do with ViddyHo, he (or she? how am I supposed to respect this person’s deeply nuanced personal concept of gender without hearing explicitly the gender narrative he or she has constructed around a completed sense of self?) would still be an interesting character – a classically quirky yet herd-following San Francisco Web-software entrepreneur. His Twitter profile describes him as an “Anarcho-Transexual [sic] Afro-Chicano American Feminist Studies Major.”

Ton-That frequently posted on Twitter about going to Sugarlump, an overwroughtly hip San Francisco “coffee lounge” in a rough-hewn but gentrifying corner of the Mission District, the preferred neighborhood of twentysomething Web developers. In his work, too, Ton-That has followed the herd. Ton-That’s involvement with Facebook apps tracks precisely the rising and falling arc of Silicon Valley’s craze for the social network’s add-ons. And at the same time as many, Ton-That jumped from the Facebook-app wave to iPhone apps.

Everything about Ton-That’s life and work is a screaming stereotype of San Francisco’s Web crowd – a bunch of supposed individualists who’d be paralyzed with fear by the idea that they’re not living in the right neighborhood, working in the right office, and chasing the right technological trend. That’s the irony of Ton-That’s involvement with ViddyHo. If he is indeed the perpetrator of the worm, it may make him hated. But it would be the first truly original thing he’s done.

And there’s another Gawker story on Ton-That by the same reporter from a bit later in 2009.

Hoan Ton-That, the parodically Left Coast-y San Francisco coder linked to an earlier virus, appears to have resurfaced with a new website, Fastforwarded.com, which aims to coax passwords from users. The new site appears to be identical, save for the name, to ViddyHo.com, a site which spread via instant messenger. The messages, generated automatically by the ViddyHo worm, promised a video once the user followed a link and logged in using a Gmail username and password. The worm then logged into that user’s account and blasted everyone on his or her contact list with new messages.

The makers of Safari and Firefox already list Fastforwarded.com as a “phishing” site, one that tries to fraudulently extract passwords from users. After the ViddyHo worm spread, police began looking for Ton-That. This new attack suggests they never nabbed the hacker, whose code is still at large on the Internet.

Apparently, Ton-That managed to make things good with the police, because they the main target audience for his new company. He did move across the US, from San Francisco to New York, at some point after these stories, though. I wonder if his notoriety in the Silicon Valley yellow press got under his skin.

Closing Thoughts

So what does this all mean? Is this the worst technology ever developed? Does it mean the end of all privacy? Or are people the real problem, uploading copious photos and information about them on publicly accessible websites?

In a way, this technology is a logical extension of how Google changed the way of how people can access information on others online. This kind of thing will be available to everyone in open source form, at some point. So the only way to deal with it seems to be limiting the information we upload about ourselves and others.

There is certainly also a legislative argument against this kind of technology to be had, especially in Europe. With laws like the GDPR already on the books, there’s bound to be pushback. But is that the right way? Does it do enough for individuals who desire privacy?

At least Clearview AI is currently being used by the police, which is subject to oversight. Who knows how intelligence agencies are using technologies like this? If privacy is dying, then these agencies are at the forefront, building the scaffold as we speak…

Feedback

In the future, I’d hope to read out some feedback on previous episodes at this point. But since this was the first ever episode, that is quite impossible. Maybe next week…

If you have thoughts on the topics discussed here, please feel free to contact me.

Support the Show

I am a freelance journalist and writer, volunteering my free time because I love digging into stories and because I love podcasting. If you want to help keep The Private Citizen on the air, consider becoming one of my Patreon supporters.

This is entirely optional. This show operates under the value-for-value model, meaning I want you to give back only what you feel this show is worth to you. If that comes down to nothing, that’s OK with me, pard. But if you help out, it’s more likely that I’ll be able to keep doing this indefinitely.

Thanks and Credits

I like to credit everyone who’s helped with any aspect of this production and thus became a part of the show.

Aside from the people who have provided feedback and are credited as such above, I’m thankful to Raúl Cabezalí, who recorded the show’s theme, a song called Acoustic Routes. I am also thankful to Bytemark, who are providing the hosting for this episode’s audio file.

But above all, I’d like to thank the following people, who have supported this episode through Patreon and thus keep this show on the air: Niall Donegan, Michael Mullan-Jensen, Jonathan M. Hethey, Georges Walther, Dave, Kai Siers, Matt Jelliman, Fadi Mansour, Joe Poser and Dave.