Class action lawsuits could determine biometric data collection
According to a news feature recently published in Tech.Mic, Facebook might have to dramatically change how it handles identification data due to class-action lawsuits.
Last spring, the social networking firm was accused in multiple class-action suits of violating the privacy of its users by collecting their facial data without proper permission.
The lawsuits allege that Facebook’s facial recognition program violates the privacy of its users, citing a law in Illinois entitled the “Biometrics Information Privacy Act”, which requires companies to get written content from a user if it is collecting biometric data.
Multiple suits, launched by Carlo Licata, Adam Pezen, Frederick Gullen and Nimesh Patel in Illinois argue that Facebook does not properly seek permission for biometric data collection. The suits were filed at the state level since no federal biometric data collection legislation exists in the United States.
Licata’s complaint, as an example, alleges the company was “calculatedly elusive” in introducing the system to its users. Furthermore, his complaint states that Facebook did not put in place a legal release authorizing the collection of their “faceprints,” or a readily available policy describing how Facebook will retain or potentially destroy users’ biometric data. According to the Illinois law, it is unlawful to acquire biometric data without providing details about the purpose and length of the data collection. The lawsuit, according to previous BiometricUpdate.com coverage, thus seeks class certification and an injunction ordering Facebook to comply with the Illinois law, to “put a stop to its surreptitious collection, use and storage” of users’ biometric data.
Facebook’s facial recognition works by running an algorithm against a database comprised of literally millions of faces. The company obtained the algorithm when it purchased Face.com, a Tel Aviv-based technology company that had developed a platform for efficient and accurate facial recognition in photos uploaded via Web and mobile applications. BiometricUpdate.com reported around the time of acquisition that Face.com apps and API services could scan billions of photos monthly and tag faces in those photos, tying them directly to available social networking information.
At a 2012 Senate hearing on biometric technology, Facebook privacy and public policy manager Robert Sherman said that the “tag suggestions” program is simply a “convenience feature” and assured the Senate that users’ data is secure. He also added that Facebook’s faceprint database works only with its own software, and “alone, the templates are useless bits of data”.
In previous statements, Facebook called the lawsuit “without merit” and stated that the company will defend itself vigorously. Facebook also pointed out that the face-tagging feature could be disabled, which deletes the data used to suggest tags of other people.
In October, Facebook filed a motion to dismiss the Licata suit arguing, that based on the “choice of law” provision in its terms of service, California, not Illinois, law should apply users, and that, regardless, the Illinois law expressly “excludes both ‘photographs’ and ‘information derived from photographs’ from its reach.”
The Tech.Mic article also notes that legal analysts are watching another similar class-action case which claims that Shutterfly, the online photo printing and publishing company, violated the Illinois law by way of its application of facial recognition software. In that case, the plaintiff was identified and tagged in a photo, without providing permission or even being a direct user of the service.
In the cases before the Illinois courts, the plaintiffs have asked the judges to create a class of users, which could number in the millions, and award damages of $5,000 per violation. Due to the impact upon biometric data collection, legal analysts will very carefully examine the reasoning and decisions eventually made in these cases.