Facebook has asked a federal judge to dismiss a potential class-action lawsuit accusing it of violating an Illinois privacy law by creating a database of "faceprints."
The social
networking service argues that the Illinois Biometric Information Privacy Act doesn't prevent companies from storing photos of faces or information gleaned from those photos. The company contends that
the privacy law, which regulates the collection of biometric data, only applies to faceprints that derive from in-person scans, as opposed to photos.
"Because plaintiffs’ claims rest
entirely on information derived from photographs, their complaint should be dismissed with prejudice," Facebook says in papers filed late last week with U.S. District Court Judge James Donato in San
Francisco.
Facebook's arguments come in response to a privacy lawsuit centered on its automatic tagging feature, unveiled in 2010. That feature recognizes users' faces and suggests their names
when they appear in photos uploaded by their friends. To accomplish this, Facebook draws on its vast store of photos posted by users.
The lawsuit, initially brought in U.S. District Court in
Illinois by Carlo Licata, was recently transferred to federal court in California.
Illinois' biometric privacy law, passed in 2008, requires companies to obtain written releases from people
before collecting a "scan of hand or face geometry" and other biometric data, like fingerprints and voiceprints. The statute also requires companies that gather biometric data to notify people about
the practice, and to publish a schedule for destroying the information.
Facebook argues that the restrictions on face-geometry scans apply only to faceprints derived from physical scans, such
as those that "require a person to present his or her hand or face itself at a console or other type of scanner."
The photo service Shutterfly, which is facing a similar lawsuit in Illinois,
recently made the same argument.
No judges have yet decided whether the Illinois law applies to faceprints that are extracted from photographs.
The Illinois law excludes photos from
the definition of "biometric identifiers," even though the statute says it applies to scans of face geometry. Another provision of the law says that "biometric information" doesn't include information
derived from photos.
"The across-the-board exclusion of photographs and information derived from them would be rendered meaningless if the statute were interpreted to cover data derived from
the scan of a photograph," Facebook argues.
But faceprints today typically are derived from photos, according to Alvaro Bedoya, executive director of Georgetown Law School's Center on Privacy
& Technology. "I have literally never heard of any facial recognition system that works off of anything other than a photo or a video still," Bedoya recently told MediaPost.
Bedoya, who studied facial recognition technology
during his recent tenure as chief counsel to the Senate Judiciary Subcommittee on Privacy, Technology and the Law, says the Illinois law aims to avoid restrictions on taking or storing photos, while
also limiting companies' right to extract faceprints from photos.
"Photos are what humans use to identify people," Bedoya said. "Faceprints are what allow computers to analyze millions of
photos in a second."
Facebook also argues that the lawsuit should be dismissed because the company's terms of service provide that California law will govern all disputes. California doesn't
have a biometric privacy law comparable to the one in Illinois.
"In providing a free service to people across the United States, Facebook relied upon, and is entitled to, the predictability
resulting from the parties’ selection of California law to govern their disputes," the company says. Facebook adds that the effort "to pursue claims under another state’s laws should be
rejected."