Privacy SOS

Chicago lawsuit against Facebook says media giant violated Illinois biometrics privacy law

A class action lawsuit against Facebook says the data-hungry social media giant violated the Illinois Biometrics Information Privacy Act when it created the world’s largest face-print database without informing users of exactly how their images would be used or obtaining written consent to perform biometric searches on them.

Courthouse News reports:

Lead plaintiff Carlo Licata claims Facebook began violating the Illinois Biometric Information Privacy act of 2008 in 2010, in a "purported attempt to make the process of tagging friends easier."

Through its "tag suggestions" program, Facebook scans all pictures uploaded by users and identifies any Facebook friends they may want to tag, according to the April 1 lawsuit in Cook County Court.

Facebook got its facial recognition technology from the Israeli company Face.com, which Facebook later bought. Face.com is not a party to the lawsuit.

Though it may seem at times that a major purpose of Facebook is to allow people to share too much information about themselves, Licata says this form of data mining violates users' privacy.

He calls it a "brazen disregard for its users' privacy rights," through which Facebook has "secretly amassed the world's largest privately held database of consumer biometrics data.”

In 2011, the Federal Trade Commission held hearings on face recognition. That same year, researcher Alessandro Acquisti published a paper showing that it was possible to identify someone’s Social Security number using only an image of their face posted on the internet. In 2012, the FTC released a paper including recommendations to corporations regarding face recognition deployment. Among the recommendations was one to social media companies like Facebook: “[S]ocial networks using a facial recognition feature should give users clear notice – not something slipped into a dense privacy policy or buried in fine print — to explain how the feature works, the data it collects, and how the information is used,” the FTC wrote.

The new lawsuit in Illinois alleges that Facebook has disregarded this sage FTC advice.

Licata claims in the lawsuit that in 2011 the FTC worried about a "third party maliciously breaching a database of biometric information," and that because a person's face cannot be changed, "once exposed, a victim has no recourse to prevent becoming victim to misconduct like identity theft and unauthorized tracking."

Licata seeks class certification and an injunction requiring Facebook to comply with the Illinois law, to "put a stop to its surreptitious collection, use and storage" of users' biometric data.

Stay tuned to find out what happens with the lawsuit. Illinois is one of few states with biometrics privacy laws on the books. A bill has been introduced in Massachusetts that would expand existing safeguards for personal information held by corporations to include biometric data.

© 2019 ACLU of Massachusetts.