Skip to content
Naked Security Naked Security

Vimeo sued for storing faceprints of people without their say-so

The suit was filed under BIPA, the Illinois law that requires written consent to grab people's faceprints - the same law Facebook's battling.

You didn’t tell me that you’re collecting and storing my faceprint, you didn’t tell me why or for how long, you didn’t get my written OK to do it, and you haven’t told us how long you’re retaining our biometrics or how we can get you to nuke them, another Illinois resident has said in yet another proposed facial recognition class action lawsuit based on the state’s we’re-not-kidding-around biometrics law.

This one’s against the video-sharing, face-tagging website Vimeo.

The complaint was filed on 20 September on behalf of potentially thousands of plaintiffs under the Illinois Biometric Information Privacy Act (BIPA). Illinois resident Bradley Acaley is lead plaintiff.

The suit takes aim at Vimeo’s Magisto application: a short-form video creation platform purchased by Vimeo in April 2019 that uses facial recognition to automatically index the faces of people in videos so they can be face-tagged.

Facebook’s look-alike face-tagging lawsuit

Facebook is facing a similar class-action suit over BIPA: Last month, yet another in a string of US courts reaffirmed that Facebook users can indeed sue the company over its use of facial recognition technology.

That suit – Patel v. Facebook, first filed in 2015 – has been allowed to go forward as a stream of courts have refused to let Facebook wiggle out of it… in spite of Facebook’s many attempts. Last month’s decision to let Patel v. Facebook go ahead was the first decision of an American appellate court that directly addresses what the American Civil Liberties Union (ACLU) calls the “unique privacy harms” of the ever-more ubiquitous facial recognition technology that’s increasingly being foisted on the public without our knowledge or consent.

The suit that Facebook’s up against sounds just like the one that Vimeo’s potentially going to face if it gets affirmed as a class action: namely, both suits accuse their targets – Facebook and Vimeo – of violating Illinois privacy laws by “secretly” amassing users’ biometric data without getting consent from the plaintiffs, collecting it and squirreling it away. In Facebook’s case, that means squirreling it away in what the company has claimed is the largest privately held database of facial recognition data in the world.

BIPA bans collecting and storing biometric data without explicit consent, including “faceprints.”

The complaint against Vimeo claims that users of Magisto “upload millions of videos and/or photos per day, making videos and photographs a vital part of the Magisto experience.”

The court document points to a Magisto website, “How Does Magisto Video Editor Work?” that touts its “so-called ‘artificial intelligence engines’ that intuitively analyze and edit video content” using “facial detection and recognition technology.”

The complaint maintains that unbeknownst to the average consumer, Magisto scans “each and every video and photo uploaded to Magisto for faces” and analyzes “biometric identifiers,” including facial geometry, to “create and store a template for each face.” That template is later used to “organize and group together videos based upon the particular individuals appearing in the videos” by “comparing the face templates of individuals who appear in newly-edited videos or photos with the facial templates already saved in Magisto’s face database.”

Magisto doesn’t just analyze the biometrics of users, the complaint asserts. It also analyzes and face-matches the biometrics of non-Magisto users who happen to appear in the photos and videos. That’s in violation of BIPA, the complaint asserts, given that Vimeo didn’t …

  • First provide notification of the face templates and analysis to Illinois residents appearing in Vimeo videos.
  • Obtain a written release from Illinois residents.
  • Post any “written, publicly available policies” about how the scanned, analyzed and sorted videos and photos, with the associated face templates, will be retained and ultimately destroyed, nor how people could go about initiating the destruction of their biometric data.

Acaley’s history with Magisto

According to the complaint, the lead plaintiff, Acaley, downloaded Magisto in 2017 on both an Android mobile device and an Apple iPad, purchasing a one-year subscription for about $120. When that subscription expired, so too did his access to the videos he had posted through Magisto.

The lawsuit claims that immediately after uploading videos and photos to the Magisto app, Vimeo analyzed the content by automatically locating and scanning Acaley’s face and by extracting “geometric data relating to the contours of his face and the distances between his eyes, nose, and ears” – data Vimeo used to create a unique template of his face.

Using that unique face template, Vimeo located and grouped together the imagery where Acaley showed up. Vimeo also used the face template to record his gender, age, race, and location, according to the complaint – all without his permission, “all in direct violation of the BIPA.”

The suit is looking for $5,000 per class member, along with court fees.

3 Comments

I am a bit confused by the timeline here. Acaley used Magisto in 2017 for one year, meaning his subscription expired at the latest sometime in 2018. According to your article, Vimeo did not purchase Magisto until April 2019 thus making it impossible for Vimeo to have analyzed Acaley’s content and collected his biometric data immediately after he uploaded his videos and photos to the Magisto app. I understand that Vimeo may be included in the suit since they purchased Magisto after the fact, but it sounds like Magisto was the one doing the analysis and collection. Or am I missing something?

Reply

Your confusion is understandable. The class action filed a complaint against Vimeo, because Vimeo now owns Magisto. Like how TikTok merged with Musical.ly in 2018 and hence is the one who paid the big FTC fine in the recent COPPA case, in spite of Musical.ly being the company that pulled the (alleged) shenanigans.

Reply

“The suit is looking for $5,000 per class member, along with court fees.”

If the courts rule for the plaintiff, members of the class will get a nickel each; the lawyers will get the rest.

Sigh…

Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!