Naked Security

Facebook hit with class action lawsuit over facial recognition data

A new class action lawsuit claims Facebook violated its users’ privacy rights in acquiring what it describes as the largest privately held database of facial recognition data in the world.

According to a report from Courthouse News Service, lead plaintiff Carlo Licata, of Cook County, claims the social network violated Illinois privacy laws by not providing him with written notification that his biometric data was being collected or stored.

Furthermore, Licata claims that it’s also unlawful to collect biometric data in the state without clearly stating the purpose for which that data is being collected, along with notification of how long it would be stored for.

Licata, represented by attorney Jay Edelson, claims that Facebook began violating the Illinois Biometric Information Privacy Act of 2008 when it introduced its facial recognition tech in 2010 in a “purported attempt to make the process of tagging friends easier”.

At the centre of the lawsuit lies Facebook’s “tag suggestions” program which scans images uploaded by users – with facial recognition technology developed by Face.com, a company later acquired by Facebook – and then identifies any friends who may also be using the service so that they may tag them if they so wish.

The lawsuit claims this type of data mining is a direct violation of users’ privacy laws with Licata describing it as a “brazen disregard for its users’ privacy rights”.

In the lawsuit Licata says he first signed up for Facebook in 2009 and has since been tagged in photos by friends – despite never giving the company permission to collect or store his biometric data. He also claims he was never informed that his biometric data would be collected and that he has never been afforded the opportunity to block Facebook from doing so.

Facebook does of course allow users to change their privacy settings, via an opt-out, to prevent other users from tagging them in photos. Edelson, however, claims that feature is insufficient and does not address his client’s concerns:

If he changed the privacy setting, that wouldn’t change anything because (Facebook) had taken his data and they’re holding on to it. There’s no delete button.

Edelson also expressed worries over security, hinting at the potential damage that could be caused in the event of a breach:

If there’s a data breach and hackers get it that would be a total mess.

Facebook has been under fire for its facial technology for years now, especially in Europe where, in 2012, the company opted to ditch the program and delete user-identifying data it already held.

In the US, the feature suffered a temporary suspension before returning after a series of technical improvements.

Along the way, Facebook privacy and public policy manager Robert Sherman appeared before a 2012 Senate hearing on biometric technology, testifying that the company’s “tag suggestions” program is a feature that merely provides convenience and that user data is secure.

Sherman said Facebook’s ‘faceprint’ database only works with its own proprietary software and “alone, the templates are useless bits of data,” adding that users can choose to opt out of the feature, at which time their data will be deleted.

Licata, however, claims that Facebook has been “calculatedly elusive” in explaining the program, leading to the situation whereby users can opt out only after they have been unknowingly opted in.

The lawsuit also draws attention to the fact that the Federal Trade Commission (FTC) said in 2011 that it was concerned about a “third party maliciously breaching a database of biometric information”.

The FTC noted how, because a person could not change their face, “once exposed, a victim has no recourse to prevent becoming victim to misconduct like identity theft and unauthorized tracking.”

Licata is seeking class certification as well as an injunction that would require Facebook to comply with the Illinois law, which he hopes will “put a stop to its surreptitious collection, use and storage” of users’ biometric data.

A Facebook spokeswoman told Business Insider that

This lawsuit is without merit and we will defend ourselves vigorously.


Image of biometrics courtesy of Shutterstock.