Two different ruling in privacy cases over use of biometric data called “faceprints.”

A federal judge threw out the lawsuit against Google.  The judge ruled that the Illinois consumers that sued were unable to prove any damages.  Lindabeth Rivera and Jospeh Weiss were the named plaintiffs in a class action suit that claimed Google violated Illinois’ Biometric Information Privacy Act in using facial recognition technology on photos that were uploaded to Google.

Rivera said she didn’t even have a Google Photos account, but that photos someone else took and uploaded violated her privacy when they used facial recognition software to create a “faceprint” to identify her.

The Illinois law requires company to get written releases before collecting biometric data, including fingerprints, voice prints, and facial scans.

In addition to saying the plaintiffs were unable to prove actual damages, the judge said in his written opinion that faces are “public.”  The judge wrote:  “All that Google did was to create a face template based on otherwise public information — plaintiffs’ faces.”

Meanwhile, the case against Facebook for use of biometric data is moving forward when a different Illinois judge dismissed Facebook’s plea to toss it. The class action suit –is potentially worth billions if successful.  Illinois law can tag each violation with fines up to $5,000.

If you are a Facebook user, you’ve no doubt had the experience where you go to post a picture and it somehow knows who is in it and suggests their name.  The social network is accessing and storing the biometric data to accomplish this, which the suit says violates the Illinois law.

One of Facebook’s claims is that there has been no allegation of harm in the way it uses the data.  Previously, an Illinois Appellate Court reversed a lower court ruling on a similar issue.  A tanning salon in Illinois used fingerprint data and biometric identifiers for users to gain entry to the salon.  The suit, Sekura v. Krishna Schaumburg Tan, Inc., claims the company stored the data, failed to provide disclosures and required written release, and disclosed the fingerprint information to a third-party vendor. The lower court had dismissed the suit on the grounds that there was no provable harm.  The appellate court held that you can sue for a violation of the law without proving additional harm.

The Internet Association – which represents a range of some of the biggest names in tech – filed a friend-of-the-court brief supporting Facebook.  The organization worries about the chilling effect the case could have on future tech developments.

 “Biometric technologies serve many useful purposes in our society—from providing new authentication features that enhance security (like the ability to unlock one’s phone with a fingerprint), to facilitating the organization and sharing of photographs (like the ability to quickly retrieve photographs stored in a private account), to promoting health and wellness (like allowing for digital patient check-ins at the emergency room)…These are applications that millions of people already enjoy, and that offer great potential in the future. It is in no one’s interest that the lawful development and use of biometric technologies be artificially chilled.” – The Internet Association in its court brief

In December, Facebook announced that it will notify users if someone uploads a photo with you in it (whether the user tags you or not).  That gives users the option of tagging it themselves, refuse to be tagged, or report the photo.  That’s still not prior notice in this case, though, because the facial recognition used to identify you had already occurred prior to the consent.

How To Disable The Tech on Facebook

If you want to stop Facebook from looking for you with facial recognition, The Verge has a good article on the steps you need to take to disable the tech.

Facebook can also gather additional data from photos that are uploaded, according to PetaPixel:

  • location from geotag data
  • date
  • device ID of your phone
  • cellular/Internet service provider nearby Wi-Fi Beacons/cell towers (which can be used to triangulate locations)
  • battery level
  • cell signal strength

A portion of Illinois’ Biometric Information Privacy Act:

No private entity may collect, capture, purchase, receive through trade, or otherwise obtain a person’s or a customer’s biometric identifier or biometric information, unless it first:

(1) informs the subject or the subject’s legally authorized representative in writing that a biometric identifier or biometric information is being collected or stored;

(2) informs the subject or the subject’s legally authorized representative in writing of the specific purpose and length of term for which a biometric identifier or biometric information is being collected, stored, and used; and

(3) receives a written release executed by the subject of the biometric identifier or biometric information or the subject’s legally authorized representative.

No private entity in possession of a biometric identifier or biometric information may sell, lease, trade, or otherwise profit from a person’s or a customer’s biometric identifier or biometric information.