Sci&Tech Writer Daniel Bray explains why Facebook’s facial recognition software fell short of privacy laws in Illinois, resulting in a heavy payout

Facebook have just been hit with a $550 million settlement over an Illinois lawsuit filed in 2015 claiming that the company illegally collected data on the faces of its users from Illinois. The class-action suit stems from Facebook’s use of ‘tag suggestions’, more recently changed in name to ‘face recognition’, which allows them to predict who is in photos uploaded to the site. 

Facebook says that their face recognition involves creating a numeric template for your face based on photos of you on Facebook – which could include your profile picture, other photos posted by you, and photos that others tag you in. This template is then compared to faces from other photos on Facebook posted by you or your friends, so that the website can attempt to recognise your face appearing in any other content on the site.

Facebook do delete the template if you turn off the face recognition setting, and they seem to take the privacy of this data very seriously – they don’t share the template with anyone else, and won’t suggest that you appear in strangers’ photos.

The Illinois Biometric Information Privacy Act (BIPA) came into effect in 2008. The overview of the act says that in a world where ‘the use of biometrics is growing’, it aims to place a higher level of security around biometric information, which is ‘unlike other unique identifiers used to access finances or other sensitive information’. Secure data such as PIN numbers can be changed when compromised, but biometric information is biologically unique to an individual, and is therefore very hard to deal with when compromised.

The act states that private entities – in this case, Facebook – must develop a written policy establishing how long they will keep the data, and provide guidelines for data destruction. This policy must be made available to the public. It also asserts that private entities must obtain consent before obtaining any biometric identifiers, which Facebook did not do when it first introduced its tag suggestions scheme.

BIPA defines biometric identifiers as scans of the retina or iris, fingerprints, hand geometry, voiceprints, and face geometry. As Facebook was creating and storing face templates for users without telling them, this is a clear breach of BIPA.

This news has come just as another two class-action lawsuits around the BIPA laws have been served in Illinois against the facial recognition service Clearview AI, which has been put under scrutiny by the New York Times for its trawling of websites such as YouTube, Facebook, and Twitter for images of people’s faces, without the consent of the websites, or people, in question.

In terms of the financial damage that the previously-mentioned settlement will have on Facebook, the impact looks quite small – Facebook’s net income in the last year was $18.4 billion, so the $550 million lost due to the lawsuit hasn’t really made a dent on the scale at which they’re making money.
