Facebook has made extensive use of artificial intelligence in recent years, including the ability to automatically store and recognize users’ likenesses, and enabling automated facial tagging. While it may be convenient for quickly sharing a picture with many friends, the feature obviously raises some privacy concerns. In Illinois, for example, a law that goes by the name of the Biometric Information Privacy Act says, in essence, that people’s biometric information, especially that which could be used for authentication, is protected by law. Three Facebook users in Illinois, Nimesh Patel, Adam Pizen and Carlo Licata, have decided that scans of their facial features that the service normally takes and stores automatically, although the feature can be opted out of, violate this law. The case wound up on Facebook’s doorstep in California as a class action lawsuit, where a judge ruled that Facebook would have to answer to it.
Facebook argued, once the case hit California courts, that the company was governed by California law and thus exempt from compliance with BIPA. The judge that presided, however, stated that Illinois law did apply here, since the users were in Illinois, and that the definitions outlined in BIPA ambiguously state that facial recognition of the sort that Facebook conducts could be included in the law. The act also states that if such data on users is to be kept, informed consent must be made and the users must be given the option to deny consent prior to data collection starting. Although opting out deletes the facial data on file, it’s still quite possible for the data to have already been compromised by then.
At the center of the case is a concern over the nature of biometrics. Complex facial recognition technologies, like what Facebook uses, collect more than enough information to fully reconstruct a user’s face from the data. Naturally, this presents a serious risk of identity theft, should the data fall into the wrong hands. With biometric data at their disposal, hackers could have a better chance at scoring users’ other records and gaining access to confidential information and assets, while the user will have less power to fight back and mitigate the damage done. At this time, no court date is set for the matter, but a California judge did assert that the plaintiffs have more than enough cause to justify arguing their case in court.