April 6, 2015 -
A new class action suit against Facebook alleges that the social media giant violated its users’ privacy rights to acquire the largest privately held database of facial recognition data in the world, according to a report by Courthouse News Service.
Lead plaintiff Carlo Licata, represented by attorney Jay Edelson, claims that Facebook first began violating the Illinois Biometric Information Privacy act of 2008 in 2010, in a “purported attempt to make the process of tagging friends easier.”
The lawsuit, recently filed in Cook County Court, relates to Facebook’s “tag suggestions” program, which scans users’ uploaded pictures and identifies any Facebook friends they may potentially want to tag.
The facial recognition technology is taken from Israeli firm Face.com, which Facebook eventually acquired.
The lawsuit argues that this method of data mining directly violates users’ privacy laws, describing the facial recognition feature as a “brazen disregard for its users’ privacy rights,” through which Facebook has “secretly amassed the world’s largest privately held database of consumer biometrics data.”
The tagging feature works by scanning the faces of Facebook friends in photos and extracting facial feature data to cross-match it against their “faceprint database,” or what the company refers to as templates.
However, Licata’s lawsuit alleges that Facebook “actively conceals” this information from its user base, and “doesn’t disclose its wholesale biometrics data collection practices in its privacy policies, nor does it even ask users to acknowledge them” – a practice that is illegal in Illinois.
According to the Illinois Biometrics Information Privacy Act, it is unlawful to acquire biometric data without first providing the subject with a written disclaimer that details the purpose and length of the data collection, and without the subject’s written consent.
Additionally, the Federal Trade Commission also backs this same sentiment by suggesting that private companies should provide clear notice of how the technology works, what data they are collecting and for what reasons, and attain consent from the subject, before using biometric data.
The lawsuit alleges that Facebook “automatically enrolled its users into its facial recognition program to collect their biometric identifiers-a practice that continues to this day,” as well as being “calculatedly elusive” in describing how the program works.
At a 2012 Senate hearing on biometric technology, Facebook privacy and public policy manager Robert Sherman said that the “tag suggestions” program is simply a “convenience feature” and assured the Senate that users’ data is secure .
He also added that Facebook’s faceprint database works only with its own software, and “alone, the templates are useless bits of data”.
The lawsuit also states that in 2011 the FTC was concerned about a “third party maliciously breaching a database of biometric information,” and that “once exposed, a victim has no recourse to prevent becoming victim to misconduct like identity theft and unauthorized tracking.”
Finally, the lawsuit seeks class certification and an injunction ordering Facebook to comply with the Illinois law, to “put a stop to its surreptitious collection, use and storage” of users’ biometric data.
In an email statement, a Facebook spokesperson called the lawsuit “without merit”, and stated that the company will “defend [itself] vigorously”. The statement also said that the face-tagging feature could be disabled, which deletes the data used to suggest tags to other people.
Previously reported, Facebook has been quietly restoring elements of its face recognition services in Europe, two years after data privacy advocates removed it.