Since it exploded onto the scene in January after a newspaper exposé, Clearview AI quickly became one of the most elusive, secretive and reviled companies in the tech startup scene.

The controversial facial recognition startup allows its law enforcement users to take a picture of a person, upload it and match it against its alleged database of 3 billion images, which the company scraped from public social media profiles.

But for a time, a misconfigured server exposed the company's internal files, apps and source code for anyone on the internet to find.

Mossab Hussein, chief security officer at Dubai-based cybersecurity firm SpiderSilk, found the repository storing Clearview's source code. Although the repository was protected with a password, a misconfigured setting allowed anyone to register as a new user to log in to the system storing the code.

The repository contained Clearview's source code, which could be used to compile and run the apps from scratch. The repository also stored some of the company's secret keys and credentials, which granted access to Clearview's cloud storage buckets. Inside those buckets, Clearview stored copies of its finished Windows, Mac and Android apps, as well as its iOS app, which Apple recently blocked for violating its rules. The storage buckets also contained early, pre-release developer app versions that are typically only for testing, Hussein said.

The repository also exposed Clearview's Slack tokens, according to Hussein, which, if used, could have allowed password-less access to the company's private messages and communications.

Clearview has been dogged by privacy concerns since it was forced out of stealth following a profile in The New York Times, but its technology has gone largely untested and the accuracy of its facial recognition tech unproven. Clearview claims it only allows law enforcement to use its technology, but reports show that the startup courted users from private businesses like Macy's, Walmart and the NBA. But this latest security lapse is likely to invite greater scrutiny of the company's security and privacy practices.

When reached for comment, Clearview founder Hoan Ton-That claimed his company "experienced a constant stream of cyber intrusion attempts, and have been investing heavily in augmenting our security."

"We have set up a bug bounty program with HackerOne whereby computer security researchers can be rewarded for finding flaws in Clearview AI systems," said Ton-That. "SpiderSilk, a firm that was not a part of our bug bounty program, found a flaw in Clearview AI and reached out to us. This flaw did not expose any personally identifiable information, search history or biometric identifiers," he said.

Security lapse exposed Clearview AI source code

Clearview AI's app for iOS did not need a log-in, according to Hussein. He took several screenshots to show how the app works. In this example, Hussein used a photo of Mark Zuckerberg.

Ton-That accused the research firm of extortion, but emails between Clearview and SpiderSilk paint a different picture.

Hussein, who has previously reported security issues at several startups, including MoviePass, Remine and Blind, said he reported the exposure to Clearview but declined to accept a bounty, which he said if signed would have barred him from publicly disclosing the security lapse.

It's not uncommon for companies to use bug bounty terms and conditions or non-disclosure agreements to prevent the disclosure of security lapses once they are fixed. But experts told TechCrunch that researchers are not obligated to accept a bounty or agree to disclosure rules.

Ton-That said that Clearview has "done a full forensic audit of the host to confirm no other unauthorized access occurred." He also confirmed that the secret keys have been changed and no longer work.

Hussein's findings offer a rare glimpse into the operations of the secretive company. One screenshot shared by Hussein showed code and apps referencing the company's Insight Camera, which Ton-That described as a "prototype" camera, since discontinued.

A screenshot of Clearview AI's app for macOS. It connects to Clearview's database through an API. The app also references Clearview's former prototype camera hardware, Insight Camera.

According to BuzzFeed News, one of the firms that tested the cameras is New York City real estate firm Rudin Management, which trialed use of a camera at two of its city residential buildings.

Hussein said that he found some 70,000 videos in one of Clearview's cloud storage buckets, taken from a camera installed at face-height in the lobby of a residential building. The videos show residents entering and leaving the building.

Ton-That explained that, "as part of prototyping a security camera product we collected some raw video strictly for debugging purposes, with the permission of the building management."

TechCrunch has learned that the Rudin-owned building is on Manhattan's east side. Several property listings with images of the building's lobby also confirm this. A representative for the real estate company did not return our emails.

One of the videos from a camera in a lobby of a residential building, recording residents (blurred by TechCrunch) as they pass by.

Clearview has come under intense scrutiny since its January debut. It has also attracted the attention of hackers.

In February, Clearview admitted to customers that a list of its customers was stolen in a data breach — though, it claimed its servers were "never accessed." Clearview also left unprotected several of its cloud storage buckets containing its Android app.

Vermont's attorney general's office has already opened an investigation into the company for allegedly violating consumer protection laws, and police departments have been told to stop using Clearview, including in New Jersey and San Diego. Several tech companies, including Facebook, Twitter and YouTube, have already filed cease-and-desist letters with Clearview AI.

In an interview with CBS News in February, Ton-That defended his company's practices. "If it's public and it's out there and could be inside Google's search engine, it can be inside ours as well," he said.


Got a tip? You can send tips securely over Signal and WhatsApp to +1 646-755-8849.

On his personal Facebook account, Mark Zuckerberg offered an update on the company's roadmap for bringing employees back to work in the wake of the coronavirus pandemic.

In the post, he acknowledged that while it might be possible for a small portion of "critical employees" unable to do their work remotely to return sooner, the majority of Facebook's workforce will be required to continue working from home through "at least" the end of May. The selection of employees Facebook will prioritize for the swiftest return includes content reviewers who scan the platform for things like terrorism and self-harm as well as engineers who work with complex hardware. "…Overall, we don't expect to have everyone back in our offices for some time," Zuckerberg wrote.

On a call in the early days of the U.S. response to the virus, Zuckerberg noted that users could expect more false positives in platform moderation with Facebook's army of at least 15,000 content reviewers sent home. Facebook said it was leaning more heavily on AI moderation to compensate for the lack of human oversight on the platform, a strategy that Twitter and YouTube turned to in the midst of the crisis as well.

Human moderators engage in some of the social network's most sensitive work, flagging terrorist activity, suicidal posts, child exploitation and other forms of content with potential legal and psychological consequences.

In his post, Zuckerberg noted that even as additional teams return to the office, employees from populations vulnerable to the virus, those without childcare or anyone with other circumstances that might make their situation difficult can work remotely through the summer months. Facebook will also extend its ban on business travel through this June as the company evaluates the situation.

Zuckerberg also announced that his company would cancel any in-person events of 50 or more people through June of 2021 and planned to make some of them virtual instead, including the annual VR developer event Oculus Connect.

"… We're slowing our plans to return to the office in order to prioritize helping the rest of our community and local economy to get back up and running first," Zuckerberg said.

"We also know that when society does eventually start re-opening, it will have to open slowly in staggered waves to make sure that the people who are returning to work can do so safely and that we minimize the possibility of future outbreaks."

Facebook wants content reviewers back ASAP, slows return plan for most employees

Despite what companies have said about providing personal protective equipment to gig workers, some workers say they are struggling to get masks, gloves and other items from companies like Target-owned Shipt, Uber, Lyft and Instacart.

"PPE is still a huge issue for us," Shipt shopper and organizer Willy Solis told TechCrunch. "We have dozens of reports across the country where shoppers have gone to pick up their equipment to be told it's only for employees. On top of that, Target's Twitter account essentially said that much."

Gig workers say they are struggling to get personal protective equipment from companies

Earlier this month, Shipt workers staged a walk-off in protest of Shipt's treatment of workers amid the COVID-19 pandemic. Around that time, Shipt said it would provide all shoppers with gloves and a mask within the next two weeks. Those shoppers, Shipt said, would be able to pick them up at their nearest Target stores. Shipt said it also would allow its most active shoppers to claim a free kit that included gloves and hand sanitizer. But some shoppers report struggling to pick up the PPE at Target and through the Shipt app.

Shipt declined to comment for this story, but pointed us to both Shipt's and Target's respective announcements.

Over in Los Angeles, some Uber and Lyft drivers say the rideshare companies have yet to provide them with face masks and other protective equipment. This is in light of LA Mayor Eric Garcetti's Worker Protection Order, which requires companies to provide essential workers with PPE.

"As an Uber driver, I'm incredibly vulnerable to infection," Uber driver Deborah Garcia said in a statement. "I transport dozens of passengers every day, and many are the doctors and nurses dealing with coronavirus cases up close. Uber and Lyft love to talk about drivers as heroes on the frontlines, but what does it say about these companies that they'd rather brainstorm clever hashtags than use even a small slice of their billions to keep drivers like me safe? It's infuriating, and it's time for our elected officials to take action."

Uber says it has begun distributing masks to active drivers and delivery workers throughout the nation, initially focused on New York City and Los Angeles. Active drivers and delivery people in Los Angeles who have requested masks should receive them in the mail by the end of this week, according to Uber.

"This is a long-term commitment," an Uber spokesperson told TechCrunch. "We have ordered tens of millions of masks for drivers around the world and expect another major shipment to the U.S. very soon."

Uber says it has also started shipping around 30,000 bottles of disinfectant. Lyft, in response to claims that the company is not providing PPE, says what drivers are saying is not true.

"In light of the latest CDC guidance on cloth face coverings, we've ordered face masks for drivers at no cost to them," a Lyft spokesperson told TechCrunch. "We have been making them available to drivers, prioritizing regions where additional guidance about face coverings has been given. This includes LA, where we've already begun handing out thousands of face coverings to drivers."

Lyft began distributing masks last Saturday, and distributed some more this past Monday and Wednesday. Lyft plans to distribute more on Friday. So far, Lyft says it has been able to hand out thousands of masks.

There are also reports that Instacart shoppers are having difficulty obtaining hand sanitizer and reusable face masks, according to The Hill. Instacart says it has been providing shoppers with hand sanitizer since last week and began shipping thousands of kits with face masks, sanitizer and thermometers this past Monday.

Nationwide, there is an understanding that gig workers delivering food and groceries, and providing rides to people during the pandemic, are essential. As more cities begin to implement rules requiring people to wear masks upon entering grocery stores, companies will be forced to step up their production and delivery of personal protective equipment to workers.

Online grocery delivery company Instacart is launching a prescription delivery service through a partnership with Costco as demand for online delivery continues to rise amid the COVID-19 pandemic.

The company said Thursday the delivery service is now available from nearly 200 Costco locations in Arizona, California, Delaware, Florida, Illinois, New York, Washington and Washington, D.C. The service, which was initially piloted at several locations in Southern California and Washington, will expand nationally in the coming months, the company said.

Customers who use the online prescription service will receive a text message from their Costco pharmacy when their prescription is ready. The text will include a link with the option to schedule their prescription for delivery. Once the customer clicks the link, they will be redirected to Costco's site. From there, customers can confirm their prescription and continue to add groceries and household goods to their Instacart Costco delivery order. The orders are delivered to customers in a sealed, tamper-proof bag to ensure customer safety and privacy.

Instacart is also offering contactless delivery for most medications. Instacart shoppers are able to scan a customer's ID for verification without a signature on qualifying prescription orders. Customers are also able to schedule delivery up to one week in advance under the new service.

The new service was driven by demand in the wake of COVID-19, said Instacart president Nilam Ganenthiran.

"For many people, we know that part of their grocery shopping experience goes beyond fresh produce, meat, seafood and pantry staples, and also includes getting much-needed medications," said Ganenthiran.

Instacart has seen demand for its grocery service skyrocket as the COVID-19 pandemic spread. The company's total order volume last week was 400% higher than the same week last year. Customers are spending more, as well. The average customer basket size — meaning the total amount a customer spends on their order on Instacart — is more than 25% month-over-month, according to the company.

The increase in demand has prompted Instacart to expand its reach by adding nearly 150 new stores to its marketplace since March 1. It's also adding workers to keep up with the increase in customers.

Instacart announced April 10 that it doubled its "Care" team, from 1,200 agents to 3,000 agents. These employees answer questions about how Instacart works as well as respond to delivery issues and other mishaps with orders.

The hiring news followed a strike in March organized by Instacart shoppers who demanded personal protective equipment, hazard pay, default tips and extended sick pay.

Instacart jumps into prescription delivery with Costco

Amperon raises $2 million for its predictive software for energy grids

Energy demand has fallen globally. Oil prices are plummeting. Everywhere in the energy world things look fairly grim, but keeping the lights on and electrons moving remains critical to keeping even the hobbled economies of the world humming.

That's why startups like Amperon, which use data analysis to provide predictive tools for energy retailers and grid operators, are still relevant — and still raising money.

The company raised $2 million in a round that closed in February before the pandemic hit U.S. shores. And the service, according to co-founder Abe Stanway, is still vital.

"We tell them how much electricity their customers are going to use on a short-term and long-term basis," Stanway said of the company's service. "When these exogenous shocks and black swan events occur we get much more valuable because you need this machine learning in order to understand how the grid is going to behave."

The value proposition was clear to investors like Blackhorn Ventures, which led the round, and other backers, including Garuda Ventures, Intelis Capital, Powerhouse Ventures, SK Ventures and V1.VC.

"Amperon builds real-time operational grid intelligence tools via smart meters and AI for utilities, energy retailers, grid operators and institutional traders," said Emily Kirsch, Powerhouse founder and chief executive. "Amperon's iterative demand forecasting is able to account for never-before-seen grid volatility resulting from a global pandemic, climate disasters or an increasingly complex grid."

Amperon is working with four major geographies, including Australia's two major grid regions and the ERCOT regional transmission organization responsible for Texas, and PJM, which manages the mid-Atlantic's electricity grid.

Stanway said the new money would be used to expand the company's reach across more grid operators in the U.S.

While Amperon's technology is incredibly useful for utilities and grid operators during times of crisis, it can help save money in normal times too. Long-term utility planners typically over-budget their energy needs by 1% every year, which adds up to billions of dollars spent on unnecessary additional generation capacity, according to Amperon.

Lower spending means reduced electricity prices for consumers. Another issue that Amperon says it can help energy providers address is the increasing complexity of grid management. Renewable energy generation adds variability to the grid that utilities and grid operators have yet to effectively manage, the company said.

Facebook's annual virtual reality conference goes virtual-only

While it quickly became clear that the tech and developer conference held during the spring would need to be cancelled due to COVID-19, tech companies are beginning to pull the plug on events taking place later in 2020.

Today, Facebook announced that it would be shelving the in-person component of its virtual reality-focused Oculus Connect 7 conference due to COVID-19 concerns and would be focusing on a digital format. Facebook hadn't announced dates for the event; the conference is typically held in late September or early October.

"In light of the evolving public health risks related to COVID-19, we've decided to shift Oculus Connect 7 to a digital format later this year," a company blogpost read. "This was a tough decision to make, but we need to prioritize the health and safety of our developer partners, employees, and everyone involved in OC7."

Earlier this week, California governor Gavin Newsom said it was "unlikely" that sporting events with fans in attendance would return this summer. While the major tech giants had already cancelled the in-person components of their spring and summer developer conferences, this cancellation calls into question how realistic timelines are for tech events that have been rescheduled from spring to the fall.

Conferences have long been critical to the indie games industry with small studios often using the gatherings to form relationships with publishers. With many of the virtual reality industry's major events shuttering over the past couple years as hype has waned, Oculus Connect has remained perhaps the most important event of the year for VR developers.

As with the in-person cancelation of F8, Facebook says they are making a $500,000 donation that "will prioritize organizations serving local San Jose residents."
