Facebook’s handling of your headshot is now the subject of class action lawsuits that pose the question: When someone turns your mug into data, are those digits theirs or yours?
The lawsuits claim that when Facebook started converting the geometry of your profile picture into what it calls “a unique number,” it broke a 2008 Illinois law giving residents certain rights when their biometric information is collected.
Facebook is disputing the claims, and fired its first legal salvos this month. That developing legal fight, along with the meltdown last month of a government effort to come up with standards for the use of facial recognition technology, suggests that the distances between your eyes, nose and mouth are hot battlegrounds in the privacy wars.
Faces are “a really big deal,” said Alvaro Bedoya, executive director of the Center on Privacy and Technology at Georgetown University. “Facial recognition lets people you never met and never heard of identify you from far away without your knowledge or permission.”
Our faces are now online, often next to our names. Most people neither change their faces, nor hide them as they walk the camera-infested streets, creating a bridge between online activity and real life.
“Suddenly, someone on the street can figure out who you are – and pull up your online dating profile – just by pointing a camera at you,” Bedoya said. “I don’t think people are ready for that world, and I also don’t think people want it.”
The titan of social networks never made any secret of its interest in your face. But three lawsuits filed in federal court in Chicago allege that Facebook went too far when it started converting its billion-person photo album into data.
When you post a photo to Facebook, the database automatically compares the faces in it to those of your friends. It suggests that you confirm its conclusions by “tagging” the friends, so it can notify them. Facebook says the feature makes it “easier for you to share your memories and experiences with your friends.” If you disable the feature, Facebook notes, it will delete the numerical version of your face and stop suggesting that others tag you.
Attorneys Paul J. Geller of Boca Raton, Florida, Jay Edelson of Chicago and Joel Bernstein of New York City, though, claim that Facebook “never gave its members notice that their biometric information would be collected, stored or used.” That, they said, violates the Illinois law that companies can’t collect “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry” without telling the subjects in writing, revealing the purpose, saying how long it will be stored and getting written releases.
“This lawsuit is without merit and we will defend ourselves vigorously,” a Facebook spokesman wrote in response to questions. Facebook’s first counterattack, filed early this month, demands that the lawsuits be moved from Chicago to Northern California, since the plaintiffs all clicked on terms of service that specify that all disputes are heard on the company’s home turf.
The case may ultimately hinge on whether a judge defines Facebook’s data as “face geometry” – which the Illinois law covers – or “photographs,” which are explicitly excluded.
The three plaintiffs’ attorneys, in a joint written response to questions, said the lawsuit is most relevant to Facebook users in Illinois, and potentially to those in Texas, which has a similar biometrics privacy law. They wrote that “in our joint opinion, the other 48 states should give serious consideration to providing similar protections.”
The Illinois act was pushed by the American Civil Liberties Union of Illinois after the collapse of a company called Pay By Touch, which had assembled thousands of digitized fingerprints.
With Congress “gridlocked and broken,” the states have been the laboratories of privacy protection, said John M. Simpson, the privacy project director for Consumer Watchdog, based in Santa Monica, Calif.
Pennsylvania has done almost nothing to shore up privacy protections. Simpson said that since Carnegie Mellon University is a world leader in privacy scholarship, it’s “kind of ironic that legislators haven’t seized on their excellent work and put some of their findings into appropriate legal protections.”
State Rep. Mike Schlossberg, D-Lehigh, said government “always lags” and “can’t turn on a dime in order to protect privacy rights” from new technologies without first building consensus.
“We are such a traditional state,” noted Rep. Ryan Bizzarro, D-Erie.
“We are adapting to new forms of communications,” he said, adding that the state is definitely lacking in what we should be doing to protect our citizens. We’ve got to step up our game, absolutely.”
Schlossberg said his “preference on an issue as broad as this would be to see federal action.”
An effort to build a national consensus, started in 2014 by the National Telecommunications & Information Administration, suffered a blow last month.
For 16 months, the NTIA convened regular meetings of a “multistakeholder process” including technologists and advocates, aimed at developing what it called “voluntary, enforceable codes of conduct” for facial recognition technology.
At the June 11 meeting, though, nearly every involved privacy advocate walked out and disavowed the process.
Bedoya, the Georgetown expert who was among those who walked out, said that no participating company was even willing to promise not to use facial recognition on random passersby in public places. So there was little point in attending more meetings.
The NTIA issued a statement saying it was “disappointed” at the walkout, and adding that the process “made good progress” and would continue.
Another federal agency involved in consumer privacy protection also appears to have passed on an opportunity to clarify the rules for facial recognition.
The Federal Trade Commission received in 2011 a lengthy complaint from four advocacy organizations alleging that Facebook eliminated “any pretense of user control over the use of their own images for online identification.”
Although the FTC later that year pushed Facebook into an unrelated 20-year agreement aimed at keeping it from deceiving consumers into thinking their posts were private, the agency hasn’t moved on the social giant’s facial recognition practices.
CMU researchers wanted to prove that technology was increasing the risk of identity theft. So they developed an app that enabled a smartphone to snap a picture, automatically find the subject’s Facebook page and, sometimes, accurately predict parts of their Social Security number.
Meant as a warning, the app may have proved prescient.
Alessandro Acquisti, a CMU professor of information technology and public policy and part of the team that developed the app, said the commercial uses of such technologies are emerging.
He evoked a near future much like that foreshadowed in the 2002 Tom Cruise movie “Minority Report.”
“Perhaps Facebook in some not-so-distant future may decide to share biometric data with brick-and-mortar retailers, with shops in the street, so that next time you enter The Gap on Walnut Street, you may be instantly and automatically recognized,” Acquisti said. The salesperson eyeing your instant profile on a tablet then “knows how to nudge you toward buying much more than you intended.”