Silicon Valley is facing a big privacy headache in America’s heartland, and it just got bigger.
In the latest scuffle over biometric data collection in Illinois, Google Inc. this week was hit with a lawsuit over its face-recognition technology, making Google the latest tech giant to be accused of violating an unusual state privacy law that restricts the collection and storage of so-called faceprints. Illinois and Texas are the only two states that regulate how private companies may use biometric data, and Illinois is the only state that authorizes statutory damages for violations. Facebook Inc. and Shutterfly Inc. are facing similar legal showdowns in the Land of Lincoln.
The latest lawsuit, filed Tuesday in U.S. District Court in Northern Illinois, revolves around Google’s cloud-based photo-sharing service, Google Photos, which analyzes the facial features of people who appear in pictures uploaded to it. Lindabeth Rivera, a resident of Chicago, claims in the lawsuit that a Google Photos user took approximately 11 pictures of her with an Android-based smartphone that automatically captured the images and uploaded them to Google Photos. After the upload, Google software allegedly scanned Rivera’s unique face geometry and created a template of her face.
Rivera claims she does not use Google Photos or even own an Android phone, thereby making her an unwitting participant in what her lawyers describe as an ambitious data-collection scheme on the part of the Mountain View, California, search giant.
“The use of facial recognition technology in the commercial context presents numerous consumer privacy concerns,” lawyers for Rivera wrote.
Google did not respond to requests for comment.
Privacy advocates say biometric data — and in particular face-recognition — poses specific privacy and security risks because it revolves around information that identifies people for life. “You can’t turn off your face,” Alvaro M. Bedoya, founding executive director of Georgetown University’s Center on Privacy & Technology, told International Business Times in an interview last year.
Face-recognition software is becoming an increasingly common tool for photo-sharing services, but laws regulating the technology have not caught up. Privacy advocates, frustrated by what they describe as a Wild West environment of unchecked data collection, say tech companies and lobbying groups have fought tooth and nail to thwart measures that would place any limits on their carte blanche ability to collect, store and profit from sensitive biometric identifiers. So far it seems to have worked: Currently, no federal laws regulate the collection and storage of biometric data by private companies.
But if U.S. regulators have been an ally to tech companies in their war with privacy advocates, Illinois may prove to be their Vietnam. State legislators there quietly passed the Biometric Information Privacy Act, or BIPA, back in 2008, when social media and photo-sharing services were still in their relative infancy, and many people were not thinking about the potential of face-recognition technology as a way of tracking online photos.
BIPA prohibits private companies from collecting or storing biometric identifiers — including face geometry — without first obtaining expressed written consent. The law was far off most people’s radar until April of last year, when a resourceful Chicago privacy lawyer sued Facebook Inc. over its tag-suggestion feature, which uses software to create templates based on users’ facial features. Similar lawsuits followed against Facebook and Shutterfly, which uses face recognition for its ThisLife cloud storage platform. In each case, the lawsuits came from Illinois residents who accused the companies of collecting so-called faceprints without their consent.
The legal battles over a state law have proven especially thorny for tech companies that operate on the world stage. Facebook scored a small victory in January when a federal judge in Illinois dismissed one of the lawsuits on the matter of jurisdiction, but the dismissal did not address the merits of the case. Other suits against Facebook are still pending.
Shutterfly, conversely, suffered a blow in January when a judge allowed a lawsuit against it to go forward, essentially affirming that the case has enough merit that it should not be tossed out in a summary judgement.
But the reality is, the law has yet to be tested. Both Facebook and Shutterfly are arguing that their face-recognition technology falls outside the scope of BIPA because it makes face scans from photographs, not actual faces. Meanwhile, the language of the statute is murky enough that such an argument might just work. BIPA clearly says that “face geometry” is considered a biometric identifier, but law exempts photographs. So in the end it’s really a variation on an age-old question: What’s in a face?