A lawsuit pending in a federal court in Chicago may answer whether tagging and storing photos of someone without that person’s permission violates a state law that regulates the collection and use of biometric information.
That’s the hope of Brian Norberg, a Chicago resident, who in June sued Shutterfly, an online business that lets customers turn photos into books, stationery, cards and calendars. The class action represents the latest in a series of challenges to the use of facial recognition and other technologies that record our unique physical attributes.
Norberg, who claims never to have used Shutterfly, charges that between February and June, someone else uploaded at least one photo of him to Shutterfly and 10 more to the company’s ThisLife storage service. According to Norberg, the company created and stored a template for each photo based on such biological identifiers as the distance between his eyes and ears. The service allegedly prompted the person who uploaded the images to also tag them with Norberg’s first and last names—all without Norberg’s permission.
That, charges Norberg, contravened the state’s Biometric Information Privacy Act (BIPA), a law enacted seven years ago that bars businesses from collecting a scan of someone’s “hand or face geometry,” a scan of their retina or iris, or a fingerprint or voiceprint, without their consent. The law authorizes anyone whose biometrics are used illegally to sue for as much as $5,000 per violation.
In July, Shutterfly asked U.S. District Judge Charles Norgle Sr. to dismiss the lawsuit. According to the company, the BIPA specifically excludes photographs and information derived from them. And, even if the law were unclear, says Shutterfly, the legislature intended it to apply to the use of biometrics to facilitate financial transactions and consumer purchases, not to photo-sharing.
“Scanning photos to allow users to organize their own photos is a far cry from the biometric-facilitated financial transactions and security screenings BIPA is aimed at—such as the use of finger-scanning technology at grocery stores, gas stations, or school cafeterias,” the company asserted in court papers.
In a rejoinder filed last Friday, Norberg says that creating templates based on scans of facial features, not the photos themselves, violates the BIPA. “The resulting face templates—not the innocuous photographs from which they were derived, but the resulting highly detailed digital maps of geometric points and measurements—are ‘scans of face geometry’ and thus fall within the BIPA’s definition of ‘biometric identifiers,’” he wrote.
“By [Shutterfly’s] logic, nothing would stop them from amassing a tremendous, Orwellian electronic database of face scans with no permission whatsoever so long as the data base were derived from photographs,” Norberg added. “And indeed, that appears to be exactly what they are doing.”
Of course, facial recognition technology is used widely already. As Ben Sobel, a researcher at the Center on Privacy & Technology at Georgetown Law, explained recently in The Washington Post:
“Facebook and Google use facial recognition to detect when a user appears in a photograph and to suggest that he or she be tagged. Facebook calls this ‘Tag Suggestions’ and explains it as follows: ‘We currently use facial recognition software that uses an algorithm to calculate a unique number (“template”) based on someone’s facial features… This template is based on your profile pictures and photos you’ve been tagged in on Facebook.’ Once it has built this template, Tag Suggestions analyzes photos uploaded by your friends to see if your face appears in them. If its algorithm detects your face, Facebook can encourage the uploader to tag you.”
Facebook also is defending a class action filed last spring that charges the company’s use of facial-recognition software to identify users violates the BIPA. Facebook users have uploaded at least 250 billion photos to the social networking site and continue to do so at a rate of 350 million images a day, reports Sobel, who adds that Facebook’s tagging occurs by default, whereas Google’s requires you to opt in to it.
According to the Federal Trade Commission, companies that use facial recognition technologies should simplify choices for consumers and increase the transparency of their practices. Social networks should provide users with “a clear notice—outside of a privacy policy—about how the feature works, what data it collects and how it will use the data,” the agency wrote in a report published in October 2012. Significantly, social networks should give users an easy way to opt out of having their biometric data collected and the ability to turn off the collection at any time, the agency advised.
Still, that may not cover someone like Norberg, who says he never used Shutterfly. Or prevent an app akin to a Shazam for faces that would allow users to discover someone’s identity (and possibly more, such as their address) by photographing someone regardless whether the subject knows or consents. Situations like those would require the company to obtain the subject’s express affirmative consent—meaning that consumers would have to affirmatively choose to participate in such a system—the FTC noted.
And those are commercial users of biometrics. The photos of at least 120 million people sit in databases—many built from images uploaded from applications for driver’s licenses and passports—that can be searched by the police and law enforcement. Use of biometrics by the government raises additional concerns, including a need to ensure that a suspect has been detained lawfully before police can photograph the person or swab for DNA.
At a hearing in October 2010 that examined use of facial-recognition technology, Senator Al Franken of Minnesota, the senior Democrat on the Judiciary Subcommittee on Privacy, Technology and the Law, noted that in the era of J. Edgar Hoover, the FBI used wiretaps sweepingly with little regard for privacy.
Congress later passed the Wiretap Act, which requires police to obtain a warrant before they get a wiretap and limits use of wiretaps to investigations of serious crimes. “I think that we need to ask ourselves whether Congress is in a similar position today as it was 50 or 60 years ago—before passage of the Wiretap Act,” Franken said