How Facebook's "Tag Suggestions" Lawsuit Could Decide the Future of Your Privacy
Have you ever wondered how Facebook knows who's in your photos before you can tag your friends? You might be alarmed to know the answer: Using a 5-year-old feature called "Tag Suggestions," the social network has built an enormous database of faces. Facebook uses advanced algorithms to scan every photo you upload, identify your friends' faces and connect them to their names. When you hover over a photo and see a name pop up, that's Tag Suggestions doing its job: detecting the specific dimensions of your face and comparing the results to photos you've already tagged.
Sometimes Facebook gets it wrong, though, and suggests the name of someone else: a friend, a stranger, occasionally a celebrity (Facebook once thought I was Ryan Gosling). It's because your biometric data is similar: Maybe your hair is of similar length, or you wear similar glasses.
The storage and use of this data, by Facebook and other tech companies, is at the heart of at least two class-action lawsuits filed recently by concerned users and encouraged by privacy-minded attorneys. Their hope is to rein in unscrupulous data collection — and the users just might win.
If they do, tech companies stand to lose billions of dollars. Companies like Facebook will have to dramatically change how they handle the identification of people like you and me.
There's no federal law regulating the collection of biometric data, so state legislators have taken up the cause. In 2008, the state of Illinois passed the Biometric Information Privacy Act, a response to companies' increased use of biometric identifiers as a way to identify customers.
It began in response to burgeoning programs that aimed to identify people using biometrics. One program, adopted by Shell, allowed returning customers to pay for food using just their fingerprint. Another program identified elementary students on the free lunch program by scanning their irises. The American Civil Liberties Union of Illinois took up the the cause to force companies to answer when and how they could collect biometrics; thus BIPA was born.
The most important provision in BIPA was a requirement that companies obtain direct, explicit consent from consumers whose data they intend to collect. The law went largely unnoticed when adopted in 2008.
In the last year, however, renewed interest in biometric data collection from Silicon Valley has focused attention on the once-obscure state law. There is currently no federal legislation over this sort of data collection, and privacy activists have been turning to BIPA.
To understand the scope of this debate, you have to look at how companies like Facebook collect this personal data and why some think these practices could be violating BIPA.
Over the years, the Tag Suggestions feature has received varied attention, mostly from privacy advocates. Sen. Al Franken (D-Minn.), for example, has made it one of his political missions to pressure Facebook into reconsidering its facial-recognition technology.
Tag Suggestions — and the database of faces and identities Facebook is compiling — is the target once again. According to a lawsuit filed in August, Facebook is in violation of BIPA because its users are never explicitly asked whether they wish to participate.
"Facebook conceals that Tag Suggestions uses proprietary facial recognition software to extract from user-uploaded photographs the unique biometric identifiers (i.e., graphical representations of facial features, also knows as facial geometry) associated with people's faces and identify who they are," the plaintiffs allege. The suit names three plaintiffs — Carlo Licata, Adam Pezen, and Nimesh Patel — but these individuals are filing on behalf of an entire class of Illinois citizens who use Facebook. The cases are still pending in court; Facebook submitted its motion to dismiss in October.
For the majority of the United States, this action is not wholly illegal — but Illinois may be the exception. Now that BIPA has entered the mix, "Facebook did not comply with this law," Joel Bernstein, whose law firm, Labaton Sucharow, represents the plaintiffs in the previously mentioned Facebook case, told Mic. Facebook, he explained, does not disclose why they are collecting this data. Moreover, users "did not give informed consent."
The words "informed consent" are crucial. When new users join Facebook, they're automatically signed up for Tag Suggestions. But according to BIPA, no private entity is allowed to collect user biometric data unless it "informs the subject ... in writing that a biometric identifier or biometric information is being collected or stored." For the lawyers and plaintiffs invoking this law, these words directly implicate Facebook.
Facebook isn't the only company under fire. Last June, a Chicago-based man named Brian Norberg filed a similar class-action lawsuit, claiming that the online photo printing and publishing company Shutterfly's use of facial recognition software violated BIPA. Norberg had found out that a friend of his had uploaded a photo of Norberg into Shutterfly's database and included the name of the plaintiff. This meant Shutterfly's database housed both a biometric fingerprint — or "faceprint" — of Norberg's image as well as his identifying name. If another picture of Norberg was put into the company's system, it detected his features and correctly identified the photos, appending his name.
Given that Norberg neither signed up for Shutterfly nor gave explicit consent to the company to collect his data, Norberg's lawyers believes that this practice is a direct violation of BIPA.
The plaintiffs in these and other cases claim they have the legal standing to fight against the tech juggernauts. This could cause the companies to change how they handle customer data, and could force the companies to fork over heaps of money to both the plaintiffs and their counsel.
Jay Edelson, a Chicago-based class action lawyer who's been called the "most hated man in Silicon Valley," told Mic that under BIPA, plaintiffs could be entitled to collect damages as high as $5,000. His firm, Edelson PC, is working with Labaton Sucharow on the Facebook case. Facebook, said Edelson, is a ubiquitous service and many Illinoisans use it. If the judges rule in favor of the plaintiffs, the company would have to pay damages to every Illinois user.
What the companies say: Both Facebook and Shutterfly dispute the validity of each of these cases. In a motion to dismiss filed in October, Facebook makes two important counterpoints: that Facebook's terms of service should fall under the jurisdiction of California state law instead of Illinois, and that photographs are excluded from the purview of BIPA altogether.
This latter claim is crucial because the wording of BIPA leaves it up for interpretation. The bill reads:
"Biometric identifier" means a retina or iris scan, fingerprint, voiceprint or scan of hand or face geometry. Biometric identifiers do not include writing samples, written signatures, photographs, human biological samples used for valid scientific testing or screening, demographic data, tattoo descriptions, or physical descriptions...
The plaintiffs claim Facebook's and Shutterfly's facial recognition programs are in clear violation of BIPA's stipulations. The companies counter that photographs are explicitly not considered biometric identifiers.
The issue comes down to whether analyzing a photograph of a person is the equivalent of analyzing a person. Judges have yet to rule in either case — and the outcomes of both will likely hinge on this nuance. Until then, the cases remain in limbo.
Mic contacted Facebook about its stance on BIPA. A spokesperson provided us with the following statement: "This lawsuit is without merit and we will defend ourselves vigorously." Shutterfly did not respond to Mic's request for comment.
The business of class-action lawsuits is controversial at best. On one hand, these cases represent the swaths of people dissenting ingrained practices. But the lawyers handling these cases are often considered extortionists, finding loopholes to cash in on valuable companies. Edelson represents a new brand of lawyers, aiming his cases directly at Silicon Valley. The New York Times described Edelson's understanding of his role as "acting like a sort of private attorney general, forcing companies to change their worst behaviors." When a firm like his discovers laws like BIPA, it pounces.
It's important to note what stands to be lost from this case. According to one estimate, Illinois houses over 7 million Facebook users. That means damages could reach as much as $35 billion. Of course, the most common track that tech companies follow when they're facing class action lawsuits is to throw the book at the plaintiffs trying to get the case thrown out of court, or settle quietly. Both Shutterfly and Facebook are working to get their cases dismissed. Even the lawyers involved admit that it's far too early to see how judges will respond.
If these lawyers' interpretations of BIPA are correct, however, it could mean a world of hurt for many Silicon Valley companies. While BIPA is just one state's law, it has the potential to create a huge ripple effect for how customer biometric data is handled.
"I would expect it to have a nationwide impact," Edelson said. Bernstein said that if his suit proves successful, Facebook will have to make a decision about whether "it wants to have two different policies in the United States."
Data collection is undoubtedly the issue du jour for these companies. In recent years, questions have surfaced about what companies handling personal data can and cannot do with the information it collects. This has expanded into a debate not only about individual rights to privacy, but how different countries handle changing data collection standards. For instance, the European Court of Justice recently ruled that that the U.S. government doesn't give adequate protection of user data. This ruling called into question the data-handling practices of big U.S. companies like Google and Facebook as well as the now-known snooping of the U.S. government. The European Court of Justice was clearly stating that Europeans should think twice about trusting their personal data with non-European companies. The result will likely be a huge customer fallout for U.S. companies.
One of the main differences between the European ruling and the cases using BIPA: perspective. In the United States, potentially invasive data practices have become standard for so many companies. To advocates like Mary Dixon, the legislative director of the ACLU of Illinois, that's why BIPA was such a landmark law and is proving to be an important piece of legislation now. Her organization helped draft, lobby and ultimately pass BIPA almost a decade ago. "You have to be ahead of the curve or the technology becomes ubiquitous and it's difficult to impose regulations," she told Mic.
Illinois isn't the only state. Texas already has a similar law that was passed in 2001; other states are pushing similar legislation. Biometric privacy bills are reportedly pending in both Alaska and Washington, and sources told Mic other state advocates are drafting similar bills.
For now, lawyers like Bernstein and Edelson must wait until the courts begin to respond. Meanwhile, advocates like Dixon hope their earlier work pays off for future generations. While BIPA may seem clear-cut in its wording, it is distinctly new territory.
"This is not a statute that has been interpreted before," Edelson said. "I think we're going to know a lot more in a couple of years."
