Naked Security Naked Security

Facebook facial recognition: class action suit gets court’s go ahead

The court said facial recognition could well harm privacy rights, given its “detailed, encyclopedic, and effortlessly compiled” biometrics collection.

Yes, yet another US court has reaffirmed, Facebook users can indeed sue the company over its use of facial recognition technology.

The US Court of Appeals for the Ninth Circuit on Thursday affirmed the district court’s certification of a class action suit – Patel v. Facebook – that a steady progression of courts has allowed to proceed since it was first filed in 2015.

Though a stream of courts has refused to let Facebook wiggle out of this lawsuit – and boy oh boy, has it tried – this is the first decision of an American appellate court that directly addresses what the American Civil Liberties Union (ACLU) calls the “unique privacy harms” of the ever-more ubiquitous facial recognition technology, that’s increasingly being foisted on the public without our knowledge or consent.

The lawsuit was initially filed by some Illinois residents under Illinois law, but the parties agreed to transfer the case to the California court.

What the suit claims: Facebook violated Illinois privacy laws by “secretly” amassing users’ biometric data without getting consent from the plaintiffs, Nimesh Patel, Adam Pezen and Carlo Licata, collecting it and squirreling it away in what Facebook claims is the largest privately held database of facial recognition data in the world.

Specifically, the suit claims that Facebook didn’t do any of the following:

  • Properly inform users that their biometric identifiers (face geometry) were being generated, collected or stored.
  • Properly inform them, in writing, what it planned to do with their biometrics and how long the company planned to collect, store and use the data.
  • Provide a publicly available retention schedule and guidelines for permanently destroying the biometric identifiers of users who don’t opt out of “Tag Suggestions”.
  • Receive a written release from users to collect, capture, or otherwise obtain their biometric identifiers.

The Illinois law in question – the Illinois Biometric Information Privacy Act (BIPA) – bans collecting and storing biometric data without explicit consent, including “faceprints.” This is one of the first tests of the powerful biometrics privacy law. Another test of BIPA is a class action suit, proposed in September 2018, brought against the US fast-food chain Wendy’s over its use of biometric clocks that scan employees’ fingerprints to track them at work.

Nathan Freed Wessler, staff attorney with the ACLU Speech, Privacy, and Technology Project, had this to say about the court’s decision to let the Facebook facial recognition class action go ahead:

This decision is a strong recognition of the dangers of unfettered use of face surveillance technology.

The capability to instantaneously identify and track people based on their faces raises chilling potential for privacy violations at an unprecedented scale. Both corporations and the government are now on notice that this technology poses unique risks to people’s privacy and safety.

In her opinion, Judge Sandra Segal Ikuta wrote that the court concludes that Facebook’s development of a “face template” using facial recognition, allegedly without consent, could well invade an individual’s privacy rights:

The facial-recognition technology at issue here can obtain information that is ‘detailed, encyclopedic, and effortlessly compiled,’ which would be almost impossible without such technology.

In short, yes, the court concluded: the plaintiffs have made a case for having allegedly suffered sufficient privacy injuries to have standing to sue.

Rebecca Glenberg, senior staff attorney at the ACLU of Illinois, said that with this court go-ahead, Illinois’s BIPA law has passed legal muster. Citizens can let the lawsuits fly for having their faceprints taken without consent, even if nobody’s actually stolen it:

BIPA’s innovative protections for biometric information are now enforceable in federal court. If a corporation violates a statute by taking your personal information without your consent, you do not have to wait until your data is stolen or misused to go to court.

As our General Assembly understood when it enacted BIPA, a strong enforcement mechanism is crucial to hold companies accountable when they violate our privacy laws. Corporations that misuse Illinoisans sensitive biometric data now do so at their own peril.

Leave a Reply

Your email address will not be published. Required fields are marked *