Facebook Sued For Creating Database of 'Faceprints'

Facebook has been hit with a lawsuit alleging that its collection and use of “faceprints” to identify users violates an Illinois law regarding biometric data.

“Not only do Facebook's actions controvert industry best practices, they also violate the privacy rights of Illinois residents,” Carlo Licata alleges in a potential class-action complaint filed in state court in Cook County.

Licata's lawsuit stems from Facebook's automatic photo-tagging feature, rolled out in 2010. That feature recognizes users' faces and suggests their names when they appear in photos uploaded by their friends. To accomplish this, Facebook draws on its vast store of users' photos.

Licata alleges that Facebook's compilation of that database runs afoul of the Illinois Biometric Information Privacy Act, which requires companies to obtain written releases from people before collecting “face geometry” and other biometric data. The Illinois law, passed in 2008, also requires companies that gather biometric data to notify people about the practice, and to publish a schedule for destroying the information.

Facebook allows people to opt out of being automatically tagged, but Licata argues Facebook's opt-outs don't satisfy the Illinois law's requirements.

“Facebook doesn't disclose its wholesale biometrics data collection practices in its privacy policies, nor does it even ask users to acknowledge them,” the lawsuit alleges. “With millions of users in the dark about the true nature of this technology, Facebook secretly amassed the world's largest privately held database of consumer biometrics data.”

The complaint adds that Facebook “doesn't even require users to acknowledge its collection of their biometric data, let alone receive a written release from users before collecting their faceprints.”

A Facebook spokesperson says the lawsuit is “without merit” and that the company will defend itself “vigorously.”

When Facebook rolled out face-tagging in 2010, the feature drew some criticism by lawmakers and privacy advocates, who said that the company should get people's explicit consent before subjecting them to the automatic tagging technology.

But until this lawsuit was filed last week, no one appears to have suggested that Facebook's facial recognition technology potentially violated any state laws.

Illinois lawmakers -- who enacted this measure two years before Facebook rolled out its facial recognition program -- didn't reference social networks in the text of the statute. Instead, the law discusses the growing use of biometrics in “the business and security screening sectors,” and cites examples like “finger-scan technologies at grocery stores, gas stations, and school cafeterias.”

Santa Clara University law professor Eric Goldman points out that lawmakers in Illinois might not have envisioned how companies like Facebook would use faceprints today. “It's a niche statute, enacted to solve a particular problem,” he says. “Seven years later, it's being applied to a very different set of circumstances.”

But Licata's attorneys say that the Illinois legislature presciently envisioned the potential threat posed by biometric databases. “We don't know what would happen if hackers came in and stole this information,” says attorney Jay Edelson, who heads the law firm representing Licata. “No company can guarantee that they won't be hacked.”

3 comments about "Facebook Sued For Creating Database of 'Faceprints'".
Check to receive email when comments are posted.
  1. Henry Blaufox from Dragon360, April 6, 2015 at 6:38 p.m.

    This feature probably has great value for national security. If the facial recognition is reliable, and the data can be moved quickly enough through the Internet communication pipes, suspected terrorists can be identified and stopped at numerous transit points.

    The problem Facebook has is that if the technology is used for that, they are not likely to say what they are doing to aid national security.

  2. Justin Gospodarek from Risefy, April 6, 2015 at 7:57 p.m.

    The case is already laid out in this article. The law was designed for people that don't know they're giving data to a company. In the case of Facebook, obviously all user data is submitted with consent. The "no company can guarantee that they won't be hacked" argument? Really? So, a business shouldn't be able to do something with value, because someone else might do something illegal? Guess we should shut down all banks... they can't guarantee they won't be robbed.

  3. Paula Lynn from Who Else Unlimited, April 6, 2015 at 8:13 p.m.

    Who do you want to control every bit of information about you so they can control/influence control of every bit of everything you say, think and do ? Remember, the same people at fbeast today won't be the same ones in the future. You have no control who becomes the tower of power.

Next story loading loading..