The Illinois Biometric Information Privacy Act (BIPA) made national news recently when it drove Clearview AI out of the state, due to a pending lawsuit over the company’s scraping of social media pictures and videos for its facial recognition database. It may now be a problem for some of tech’s biggest names as well. A new biometric privacy lawsuit has emerged that names Amazon, Google parent company Alphabet and Microsoft as violators of the state law as well.
The three tech companies made use of IBM’s “Diversity in Faces” database to train their own facial recognition systems. The new class action lawsuit alleges that the faces of Illinois residents and citizens were included in this database without their knowledge or consent. Under state law, residents must give explicit permission for any biometric identifiers to be collected or stored.
Biometric privacy in Illinois
The lawsuit has been filed by Illinois residents Steven Vance and Tim Janecyk, who discovered images of themselves in the IBM facial recognition database. IBM appears to have collected over a million images from Flickr without notifying the subjects. Though the images were posted under a Creative Commons license allowing non-commercial use, the project has commercial implications for IBM. The images are also supposed to be used with attribution, with the intent of serving as promotion for the photographer by requiring those re-using them to properly attribute the creator. The IBM facial recognition database does not appear to have a mechanism for doing this, and the lawsuit questions whether this type of activity constitutes acceptable use even if it were to be entirely without commercial possibilities.
The focus of the lawsuit shifts to the tech giants making use of IBM’s facial recognition database, however, as IBM itself has bowed out of the market (citing concerns over use of the technology for racial discrimination). Successful action has already been brought under BIPA in a similar case; earlier this year, Facebook paid $550 million to settle a class action lawsuit that alleged it collected facial recognition data without permission from 2011 to 2015. The payout for each member of the suit in that case was about $200, but the potential fine per person can go as high as $5,000 under BIPA. The amount largely depends on how much biometric privacy information was collected without consent and how it was used.
Though Facebook was on the wrong end of a BIPA suit, Google has prevailed against at least one. In 2019 a district court judge ruled that a case could not proceed because the plaintiffs suffered no “concrete injury” from the collection of their biometric privacy data. The suit had alleged that Google violated BIPA by collecting biometric privacy identification markers from pictures that had been uploaded to the Google Photos service. That case is currently under appeal.
Enacted in 2008, BIPA is unique among United States privacy laws in the extent of its protection of unique biometric privacy markers. Even the more modern California Consumer Privacy Act (CCPA) does not have the same level of protection in terms of collection of biometric data, focusing more on consumer rights to control sale and transfer. The CCPA does classify biometric privacy details as “personal information” even if they are collected from public sources, but does not have the same consent requirements for these types of collections.
IBM’s facial recognition database under fire
The crux of IBM’s defense (and by extension the tech companies that made use of its facial recognition database) is that the “Diversity in Faces” dataset was created for academic research purposes. Though IBM may not have profited directly from sale of the database on the facial recognition market, critics have drawn several commercial connections. In addition to generally raising the company’s profile and value, some have questioned whether the IBM Watson Visual Recognition system (used to estimate the age and gender of photo subjects) was trained with this data set. IBM does not disclose training sources, citing a need for intellectual property protection.
IBM has also made it difficult for individuals to opt out of its facial recognition database. It does not provide a list of data subjects, so one must comb through the database searching for their own pictures. Flickr users are required not just to provide their user ID but also a link to each photograph that they want removed. It is not clear if photos can be removed if the user has already deleted them from their Flickr account.
If the current class action suit is successful, the tech companies would have to stop using the IBM facial recognition database in addition to potentially paying out fines for each Illinois resident that files a claim. The lawsuit also named FaceFirst, a smaller company based in Los Angeles that offers shoplifter recognition services to retail stores.