• by Wendy Davis  @wendyndavis, February 4, 2020

The start-up Clearview AI, which reportedly sells faceprint databases to police departments, is now facing a second potential class-action lawsuit.

In a complaint filed Monday in U.S. District Court for the Eastern District of Virginia, Fairfax County resident Shelby Zelonis Roberson alleges that Clearview violates a state law that gives people the right to control the commercial use of their names and images.

Roberson also claims that the tech company violated a state anti-hacking law by scraping photos from social media services.

Clearview scraped billions of photos from Twitter, Facebook and other companies, used technology to create a faceprint database, then sold that database to police departments across the country, according to an explosive report two weeks ago in The New York Times.

It's not clear whether scraping data that is publicly available violates anti-hacking laws like the one in Virginia, which broadly prohibits people from accessing computer servers without authorization.

Last year, the 9th Circuit Court of Appeals ruled that LinkedIn couldn't rely on the Computer Fraud and Abuse Act -- a federal anti-hacking law similar to the measure in Virginia -- to prevent its service from being scraped by analytics company hiQ. The appellate court said in its ruling that the federal anti-hacking law doesn't appear to outlaw scraping from sites that are not password-protected.

LinkedIn has said it plans to ask the Supreme Court to review the ruling.

In addition, Roberson's complaint doesn't spell out what actions Clearview allegedly took in Virginia, according to Santa Clara University law professor Eric Goldman.

“There are critical missing facts -- like exactly what was scraped, from whom, when, and under what circumstances,” Goldman says. “We don't know if any scraping actually took place in Virginia.”

He adds that it's not clear that consumers -- as opposed to the companies whose servers were accessed --- can can sue over scraping.

Goldman also says Roberson will likely have an uphill battle with the claim that Clearview violated a state prohibition on using people's photos for commercial purposes without permission. That law applies when companies use people's photos in ads, but not when photos are used for editorial purposes.

Databases with names or pictures are typically considered editorial products, even if whoever compiles the databases sells them.

News about Clearview's technology sparked concern by privacy advocates and some lawmakers and other tech companies. New Jersey's Attorney General told state prosecutors to stop using the technology company's program, while Twitter reportedly told Clearview to stop scraping the site for photos.

Last week, an Illinois resident alleged in a the first federal class-action complaint against the company that it was violating the state's biometric privacy law, which prohibits companies from collecting or storing scans of facial geometry without people's consent.