People Should Be Allowed to Sue Facebook If It Violates Law on Face Recognition Privacy
Ten years ago, Illinois enacted a law that imposes important protections against companies collecting and storing our biometric information — including using facial recognition— without our knowledge and consent. The law is called the Biometric Information Privacy Act. Although facial recognition was relatively crude when it was passed, the wisdom of Illinois’ decision has been borne out over the last decade, as facial recognition and other biometric collection has developed and spread.
On Monday, the ACLU filed a friend-of-the-court brief in federal appeals court defending the Illinois law against arguments advanced by Facebook trying to remove the law’s pro-privacy teeth. (The brief was filed along with ACLU affiliates in Illinois and California as well as the Electronic Frontier Foundation, Center for Democracy & Technology, and Illinois PIRG).
Under the law, a company may collect a person’s biometric identifiers — like fingerprints or data from a person’s face or iris — only if it first obtains informed consent from that person. In the case now pending in the Ninth Circuit Court of Appeals, Facebook users in Illinois have alleged that the company violated their rights under the law by using facial recognition technology to identify them in digital images uploaded to the site without disclosing its use of facial recognition or obtaining consent.
One of Facebook’s arguments in the case is that people should not have an automatic right to sue when their biometric information has been collected in violation of the law. Rather, they must prove that they have suffered monetary or other damages. As we explain in our brief, however, that runs counter to the Illinois Legislature’s intent, which was to provide strong, enforceable protection against surreptitious collection of sensitive biometric data.
In the decade since passage of the law, the need for its protections has become crystal clear. As we explain in the brief, today:
Retail stores use facial recognition technology to “identify known shoplifters,” and at least some companies are reportedly using such technology to track shoppers in their stores. Employers collect biometrics for time tracking and attendance management, as well as to manage access to company phones, laptops, and cloud storage accounts. Banks have invested in collecting customers’ biometric data, including face scans, fingerprints, iris scans, and voiceprints, to authenticate those customers’ identities. Churches have adopted facial recognition and fingerprint collection technology “to accurately track attendance for various events like Bible studies, worship services and Sunday school.” Many schools now collect fingerprints to manage attendance, cafeteria purchases, library services, and security, and some schools have started installing facial recognition systems to control entry into buildings.
Perhaps most concerning, major technology companies like Amazon have invested heavily in powerful facial recognition systems that they sell access to on the cheap. Amazon says its facial recognition system, called Rekognition, is not only able to store facial recognition images of large numbers of people, but it is also able to “perform real-time face searches against collections with tens of millions of faces” and “detect, analyze, and index up to 100 faces ... in a single image,” such as photographs captured at “crowded events ... [and] department stores.”
Using it is cheap, and as we have warned before, without protections, this technology could enable civil rights and civil liberties violations on a massive scale. Indeed, a recent survey conducted by the ACLU revealed that 18 of the top 20 American retail companies refused to say whether they collect facial recognition scans of their customers.
That’s why we support a strong interpretation of the law’s protections. As the district court wrote in its ruling against Facebook in February, “When an online service simply disregards the Illinois procedures, as Facebook is alleged to have done, the right of the individual to maintain her biometric privacy vanishes into thin air.”
Without an enforceable requirement that companies disclose their collection of biometric information and obtain consent, people will have no way to protect themselves against surreptitious corporate surveillance.
Sign up for the ACLU’s Best Reads and get our finest content from the week delivered to your inbox every Saturday.