Facebook has been hit with a class-action complaint over its biometrics slurpage, with millions of possible plaintiffs who may claim damages if the advertising giant is found to have acted unlawfully.
The complaint (PDF) states that "Facebook has created, collected and stored over a billion 'face templates' (or 'face prints')", which, ostensibly, are as uniquely identifiable as fingerprints. These have been gathered "from over a billion individuals, millions of whom reside in the State of Illinois".
It is alleged that in doing this, the ZuckerBorg is in violation of the Illinois Biometric Information Privacy Act (BIPA), which was passed by the state legislature in 2008.
As noted in the complaint, under BIPA a private entity such as Facebook is prohibited from obtaining or possessing an individual's biometrics unless it achieves suitable consent, which is constituted by:
- Informing that person in writing that biometric identifiers or information will be collected or stored
- Informing that person in writing of the specific purpose and length of term for which such biometric identifiers or biometric information is being collected, stored and used
- Receiving a written release from the person for the collection of his or her biometric identifiers or information
- Publishing publicly available written retention schedules and guidelines for permanently destroying biometric identifiers and biometric information
The complaint alleges that:
In direct violation of... BIPA, Facebook is actively collecting, storing, and using – without providing notice, obtaining informed written consent or publishing data retention policies – the biometrics of its users and unwitting non-users.
The plaintiff asserts that he does not have, and has never had, a Facebook account, but notes that a Facebook user uploaded to Facebook at least one photograph depicting him which has resulted in the non-consensual creation of a biometric template of his face. The action is brought on behalf of a class of similarly situated individuals, defined as:
All non-Facebook users who, while residing in the State of Illinois, had their biometric identifiers, including "face templates" (or "face prints"), collected, captured, received, or otherwise obtained by Facebook.
There's previous – so we're told
Back in July 2012, a hearing was held before the United States Senate Subcommittee on Privacy, Technology and the Law, specifically to address what facial recognition technology may mean for privacy and civil liberties.
In the opening statement of the hearing (PDF) to the subcommittee, Senator Al Franken (D-MN) commented:
In 2010, Facebook, the largest social network, began signing up all of its then 800 million users in a programme called Tag Suggestions. Tag Suggestions made it easier to tag friends in photos, and that is a good thing.
But the feature did this by creating a unique faceprint for every one of those friends. And in doing so, Facebook may have created the world’s largest privately held database of faceprints — without the explicit consent of its users. To date, Tag Suggestions is an opt-out program. Unless you have taken the time to turn it off, it may have already been used to generate your faceprint.
Similar concerns were raised by a German data protection authority in 2011. At the time, a Facebook spokesperson said that the ZuckerBorg "firmly reject any claim that we are not meeting our obligations under European Union data protection law."
Facial recognition remains a key interest for the Facebook Artificial-Intelligence Research Team (FART), however, which presented a paper on "Web-Scale Training for Face Identification" at the IEEE Conference on Computer Vision and Pattern Recognition in June. The paper, notably, makes no mention of the words "consent" or "legal".
More recently, an attempt to establish a voluntary code of conduct for the commercial use of facial recognition technology on a federal level in the US came to a practical halt in June when privacy advocates withdrew from the talks en masse.
The advocates, including the ACLU and EFF, complained of failing to get industry stakeholders "to agree on any concrete scenario where companies should employ facial recognition only with a consumer's permission".
The class action complaint was filed in the United States District Court, Northern District of Illinois, and is case number 1:15-cv-07681. ®
Sponsored: Webcast: Simplify data protection on AWS