* Greg Bensinger writing for the New York Times…
The facial recognition company Clearview AI agreed in a settlement this month to stop selling its massive database of photographs culled from the internet to private firms across the United States. That decision is a direct result of a lawsuit in Illinois, a demonstration that strong privacy laws in a single state can have nationwide ramifications.
The Biometric Information Privacy Act of Illinois sets strict limits on the collection and distribution of personal biometric data, like fingerprints and iris and face scans. The Illinois law is considered among the nation’s strongest, because it limits how much data is collected, requires consumers’ consent and empowers them to sue the companies directly, a right typically limited to the states themselves. While it applies only to Illinois residents, the Clearview case, brought in 2020 by the American Civil Liberties Union, shows that effective statutes can help bring some of Big Tech’s more invasive practices to heel.
Technology companies are in a feverish race to develop reliable means to automate the identification of people through facial scans, thumbprints, palm prints and other personal biometric data. The data is considered particularly valuable because unlike, say, credit card info or home addresses, it cannot be changed. But as these data companies profit by deploying the technology to police departments, federal agencies and a host of private entities, consumers are left with no real guarantees that their personal information is protected.
Facial recognition software, in particular, has been shown to fail too often at identifying people of color, leading in some cases to wrongful arrests and concerns that the software could put up additional barriers to people seeking jobs, unemployment benefits or home loans.
Because the United States lacks meaningful federal privacy protections, states have passed a patchwork of laws that are largely favorable to corporations. By contrast, Europe passed the General Data Protection Regulation six years ago, restricting the online collection and sharing of personal data, despite a tremendous lobbying push against it by the tech companies.
I didn’t fill out the paperwork for the Facebook settlement, but, in full disclosure, I did sign up for a settlement against RayBan…
A proposed settlement has been reached in a class action lawsuit under the Illinois Biometric Information Privacy Act regarding biometric facial geometry allegedly collected from consumers who used the Virtual Try-On Application Tool on RayBan.com. The case is Vo v. Luxottica of America Inc., Case No. 2019-CH-10946, currently pending in the Circuit Court of Cook County, Illinois, Chancery Division. The proposed Settlement is not an admission of wrongdoing by the Defendant, and the Defendant denies that it violated the law. The Court has not decided who is right or wrong. Rather, to save the time, expense, and distraction of litigation, the parties have agreed to settle the lawsuit. That Settlement has been preliminarily approved.
I used that app several times when I was looking for new shades.
Your thoughts on this topic?
- ;) - Tuesday, May 31, 22 @ 12:33 pm:
Illinois should pass Sheriff Tom Dart’s IL Right to Know law that Sen Hastings sponsored.
- Yahoo - Tuesday, May 31, 22 @ 12:40 pm:
Protect BIPA.
- 47th Ward - Tuesday, May 31, 22 @ 12:41 pm:
Both my wife and I got our $397 checks from FB. We finally found a way to make some cash from social media.
- Steve Polite - Tuesday, May 31, 22 @ 12:43 pm:
Biometric data should have the strongest privacy protections at the federal level, because if your biometrics are stolen, you can’t change them like you can a password or credit card.
- Abe - Tuesday, May 31, 22 @ 12:46 pm:
I just deposited my $397 check from the Facebook settlement yesterday. Thanks BIPA.
Its amazing to me that every year legislators file bills to weaken / dismantle BIPA.
- Leap Day William - Tuesday, May 31, 22 @ 1:21 pm:
== Its amazing to me that every year legislators file bills to weaken / dismantle BIPA. ==
We don’t need this law because the free market will provide all the protection you need. You can just opt-out of using anything you don’t want surreptitiously collecting your immutable biometric data, as is your right. /sarcasm
We gleefully cashed our $397 checks in this house, and are looking forward to future payments from other services.
- Dotnonymous - Tuesday, May 31, 22 @ 1:31 pm:
Speaking of Poindexter…
https://publicintegrity.org/national-security/outsourcing-big-brother/
- nunya - Tuesday, May 31, 22 @ 1:36 pm:
Cashed my Facebook check, signed up for the Snapchat and Android user class action. It’s good law, IMO.
- Nick - Tuesday, May 31, 22 @ 2:35 pm:
BIPA is just wholly good.
Protect it at all costs.
- Chicagonk - Tuesday, May 31, 22 @ 3:17 pm:
BIPA is my new favorite Illinois law - Wife and I both got the Facebook checks. And yes I did rub it into the faces of my Iowa friends.
- thechampaignlife - Tuesday, May 31, 22 @ 6:13 pm:
BIPA is a good law, but in my opinion it has been erroneously extended to facial recognition. It absolutely should apply to face scans where a laser measures face geometry, to infrared scans of vein and capillary patterns, and to retinal scans. Those data are not readily shared simply by being in public. But taking a normal photo and comparing it to other photos to recognize similarities (something that would not be illegal for a human to do) is a far stretch from biometric data that we should protect legislatively.
A single photo of you posted online is enough to give anyone in the world the ability to recognize you manually or with software, so the cat is already out of the bag anyway. This just penalizes something which has great potential and practical application while doing little to actually protect your privacy.
Facial recognition is not the issue. Monetization of your data, lack of control over your data, and collection and use of data about you without your awareness are the issues, biometrics or not. Actual biometrics - DNA, fingerprints, retinal scans, and more - deserve the protection of BIPA, but facial recognition should fall under regular data privacy laws similar to GDPR.
- RNUG - Wednesday, Jun 1, 22 @ 8:48 am:
Illinois has been a leader in all the various aspects of internet privacy, abuse and cyberbullying for at least 25 years. And, as such, they have helped to shape the nationwide debate on those issues. Now is not the time to slack off on those issues.
And the household did appreciate the two $397 checks from Facebook.
- Suburban Mom - Wednesday, Jun 1, 22 @ 8:39 pm:
Major tech companies that are out in front are already largely complying with the GDPR w/r/t their US customers. They already had to put in the time and money to get in compliance 6 years ago, and that’s obviously cheaper to do just once with ALL customer data than in a patchwork fashion over and over. Those companies are already in compliance for the CCPA in California, and prepared for the CRPA update.
Smart companies also know the federal law is coming and don’t want to be testifying to Congress about their horrible data practices.
I approve of BIPA extending to photo-matching facial recognition, for a couple of reasons. First, most people did not give their consent for AI to be trained using their personal data. Second, one of the GDPR’s most important provisions is about machine decision-making; there is a HUGE difference between one person looking at two photos and deciding if they match, and a machine making that decision millions of times a day. The latter is far more open to abuse, and very difficult to “appeal.”