Facebook’s privacy problems suffered a major setback in a US Federal Court this week. Judge James Donato of the Northern District federal court in San Francisco allowed a class action brought by Facebook users in Illinois to go ahead.
The case was brought by Nimesh Patel and others representing a class of Facebook users alleging that the “Tag Suggestions” feature violates their privacy rights. Facebook’s tagging feature allows users to tag themselves or friends in photos, and Facebook also uses facial recognition technology to suggest friends be tagged. Patel alleged that the collection and storage of such biometric data violates provisions of the Illinois Biometric Privacy Act (BIPA).
Illinois is one of only a small number of states in the US (Texas and Washington are the others) with legal protection for biometric data. Industry lobbies have killed off proposed legislation in other states including California and Facebook is apparently lobbying to remove the Illinois law.
How does facial recognition work on Facebook?
Facebook’s tag suggestions program scans photographs uploaded by users, identifies people who appear in photographs and enables them to be tagged.
To identify faces, the tool first separates faces from other objects in the photograph. It then standardises faces based on certain attributes, such as size.
Facebook gives each face a signature in the form of a string of numbers. This signature is then matched against “face templates” to locate matches from a database of images. A face template distinguishes the facial signature of a particular user from other images.
Face templates are created from photographs uploaded by users, such as profile images. When Facebook finds a match between a photograph and the template, it suggests tagging. Facebook only stores templates and not facial signatures.
What did the court decide?
The evidence showed that not every uploaded photo results in the collection of biometric data because Facebook’s program sometime fails to compute facial signatures from photographs. Therefore, the court limited the class of plaintiffs to those users from Illinois for whom Facebook had created a facial template.
In certifying the class action, the court decided that two questions in relation to users who had their facial templates created after June 7, 2011 would have to be answered at trial: whether Facebook had collected and stored biometric data under the BIPA; and whether users were notified about these practices and had given their consent.
Facebook argued that users had to be “aggrieved” in order for their claim to be valid. In other words, victims had to suffer a “serious injury or harm”.
Here’s a hypothetical example of being aggrieved: a Facebook friend uploaded a photo of you at a tennis match you attended during working hours and Facebook then identified you in the image, which was later seen by your employer. Since you had taken sick leave that day, your employer sacked you based on the Facebook evidence showing you lied. In this circumstance, you would have suffered actual harm because of the tagging feature.
The judge rejected this argument, saying that the intention of the statute was to codify “a right of privacy in personal biometric information”. Crucially, the court said that a person is “aggrieved” when “a legal right is invaded by the act complained of”.
Here, the court is saying that even without actual harm – that is, even if you didn’t lose your job as a result of being identified at the tennis court – the mere breach of the legal right is sufficient to constitute injury.
What does it mean for Australian Facebook users?
Facebook argued that because its data servers were not located in Illinois, the BIPA law should not apply – but the court rejected this too. If the argument had been successful, the plaintiffs’ case would have collapsed.
Instead, the judge ruled that the geographic location of data servers was not a determining factor, stating:
…the functionality and reach of modern online services like Facebook’s cannot be compartmentalised into neat geographic boxes.
Facebook was also unable to show that the violations did not occur “primarily and substantially” within Illinois.
This is significant for Australians since Facebook may not have servers here. If Australian users try to bring a class action here under our privacy law – which is weaker than the Illinois biometrics protection statute – Facebook can be expected to mount a similar argument claiming that Australian privacy protections do not apply because the data is collected, processed, and stored outside our borders.
The decision is a major blow for Facebook. The company itself stated in the proceedings that damages could amount to billions of dollars. If similar actions are brought in other states, and other countries such as Australia, Facebook could face catastrophic consequences for ignoring the privacy interests of its users.
As part of changes Facebook has made to its privacy policies to comply with GDPR, the company has started to ask EU and Canadian users for consent to opt-in to facial recognition. The company had turned off facial recognition for EU users due to privacy concerns in 2012 stemming from a regulatory investigation at its headquarters in Ireland. Canadian users did not have access to the feature due to a backlash in 2011.
Today it was announced Facebook has amended its terms of service so that the EU law doesn’t apply to users outside the EU, US, and Canada. This makes the success of Patel’s class action even more significant – it could force Facebook to treat the privacy rights of all its users with more respect.
Authors: Sandeep Gopalan, Pro Vice-Chancellor (Academic Innovation) & Professor of Law, Deakin University