Facebook has asked a federal judge to dismiss a potential class-action lawsuit accusing it of violating an Illinois privacy law by creating a database of "faceprints."
The social networking service argues that the Illinois Biometric Information Privacy Act doesn't prevent companies from storing photos of faces or information gleaned from those photos. The company contends that the privacy law, which regulates the collection of biometric data, only applies to faceprints that derive from in-person scans, as opposed to photos.
"Because plaintiffs’ claims rest entirely on information derived from photographs, their complaint should be dismissed with prejudice," Facebook says in papers filed late last week with U.S. District Court Judge James Donato in San Francisco.
Facebook's arguments come in response to a privacy lawsuit centered on its automatic tagging feature, unveiled in 2010. That feature recognizes users' faces and suggests their names when they appear in photos uploaded by their friends. To accomplish this, Facebook draws on its vast store of photos posted by users.
The lawsuit, initially brought in U.S. District Court in Illinois by Carlo Licata, was recently transferred to federal court in California.
Illinois' biometric privacy law, passed in 2008, requires companies to obtain written releases from people before collecting a "scan of hand or face geometry" and other biometric data, like fingerprints and voiceprints. The statute also requires companies that gather biometric data to notify people about the practice, and to publish a schedule for destroying the information.
Facebook argues that the restrictions on face-geometry scans apply only to faceprints derived from physical scans, such as those that "require a person to present his or her hand or face itself at a console or other type of scanner."
The photo service Shutterfly, which is facing a similar lawsuit in Illinois, recently made the same argument.
No judges have yet decided whether the Illinois law applies to faceprints that are extracted from photographs.
The Illinois law excludes photos from the definition of "biometric identifiers," even though the statute says it applies to scans of face geometry. Another provision of the law says that "biometric information" doesn't include information derived from photos.
"The across-the-board exclusion of photographs and information derived from them would be rendered meaningless if the statute were interpreted to cover data derived from the scan of a photograph," Facebook argues.
But faceprints today typically are derived from photos, according to Alvaro Bedoya, executive director of Georgetown Law School's Center on Privacy & Technology. "I have literally never heard of any facial recognition system that works off of anything other than a photo or a video still," Bedoya recently told MediaPost.
Bedoya, who studied facial recognition technology during his recent tenure as chief counsel to the Senate Judiciary Subcommittee on Privacy, Technology and the Law, says the Illinois law aims to avoid restrictions on taking or storing photos, while also limiting companies' right to extract faceprints from photos.
"Photos are what humans use to identify people," Bedoya said. "Faceprints are what allow computers to analyze millions of photos in a second."
Facebook also argues that the lawsuit should be dismissed because the company's terms of service provide that California law will govern all disputes. California doesn't have a biometric privacy law comparable to the one in Illinois.
"In providing a free service to people across the United States, Facebook relied upon, and is entitled to, the predictability resulting from the parties’ selection of California law to govern their disputes," the company says. Facebook adds that the effort "to pursue claims under another state’s laws should be rejected."