Facebook Photo-Scanning Suit Is a Multibillion-Dollar Threat
Facebook Photo-Scanning Suit Is a Multibillion-Dollar
Threat
Class-action ruling is major win for users under Illinois
law
Judge notes company’s worry about exposure to large
damages
By Joel Rosenblatt April 16, 2018, 3:11 PM PDT Updated
Facebook Inc. may have to pay a real price for claims it
invaded users’ privacy: billions of dollars.
A federal judge ruled Monday that millions of the social
network’s users can proceed as a group with claims that its photo-scanning
technology violated an Illinois law by gathering and storing biometric data
without their consent. Damages could be steep -- a fact that wasn’t lost on the
judge, who was unsympathetic to Facebook’s arguments for limiting its legal
exposure.
The case dates back to 2015, long before Facebook became
mired in controversy over revelations that millions of its users’ private
information fell into the hands of British consulting firm Cambridge Analytica.
It’s rare for consumers to win class-action status in privacy cases. In
Facebook’s history, most such cases don’t get that far.
Facebook has for years encouraged users to tag people in
photographs they upload in their personal posts and the social network stores
the collected information. The company has used a program it calls DeepFace to
match other photos of a person. Alphabet Inc.’s cloud-based Google Photos
service uses similar technology and Google faces a lawsuit in Chicago like the
one against Facebook in San Francisco federal court.
Illinois Law
Both companies have insisted in court that gathering data
on what you look like isn’t against the law, even without your permission. But
under the Illinois Biometric Information Privacy Act of 2008, the companies
could be fined $1,000 to $5,000 each time a person’s image is used without
consent.
Shawn Williams, a lawyer for the users, said it’s not
clear yet whether the lawsuit might prompt changes in the way Facebook uses
biometric data.
“As more people become aware of the scope of Facebook’s
data collection and as consequences begin to attach to that data collection,
whether economic or regulatory, Facebook will have to take a long look at its
privacy practices and make changes consistent with user expectations and
regulatory requirements,” he said.
Facebook said it’s reviewing the ruling. “We continue to
believe the case has no merit and will defend ourselves vigorously,”
spokeswoman Genevieve Grdina said in an emailed statement.
Facebook’s Long History of Resolving Privacy Claims on
the Cheap
The company “seems to believe” that the lawsuit should be
pursued by individuals, not as a group, because “damages could amount to
billions of dollars,” U.S. District Judge James Donato wrote in the ruling.
The company argued each individual user could be “aggrieved”
differently, and must prove that they suffered an actual injury beyond a
privacy right. Nonetheless, the judge said “substantial damages are not a
reason to decline class certification,” because he could reduce them at a later
stage of the litigation.
The class of users approved by Donato dates back to June
2011, when Facebook had an Illinois user base of more than 6 million people,
according to lawyers for the plaintiffs. “Although many individuals may not
have had enough tagged photos to generate a face template in Facebook’s
database, in January 2011 (i.e., before Facebook implemented tag suggestions
for all users) the average user was tagged in 53 photos, far more than the 10
needed to generate a face template,” according to a December court filing.
Privacy advocates have said the billions of images
Facebook is thought to be collecting could be even more valuable to identity
thieves than the names, addresses, and credit card numbers now targeted by
hackers. While those types of information are mutable -- even Social Security
numbers can be changed -- biometric data for retinas, fingerprints, hands, face
geometry and blood samples are unique identifiers.
When Facebook Chief Executive Officer Mark Zuckerberg
testified in Congress last week over the Cambridge Analytica scandal, Illinois
Senator Richard Durbin accused the company of trying to water down the state’s
biometric privacy law.
“I’m afraid Facebook has come down to the position of
trying to carve out exceptions to that,” the Democrat said, according to a
transcript of the April 11 hearing. “I hope you’ll fill me in on how that is
consistent with protecting privacy.”
The Illinois residents who sued argued the 2008 law gives
them a “property interest” in the algorithms that constitute their digital
identities. The judge has agreed that gives them grounds to accuse Facebook of
real harm.
Facebook, which got the case moved to San Francisco from
Illinois, argued the users hadn’t suffered a concrete injury such as physical
harm, loss of money or property; or a denial of their right to free speech or
religion.
Courts have struggled over what qualifies as an injury to
pursue a privacy case in lawsuits accusing Facebook and Google of siphoning
users’ personal information from emails and monitoring their web-browsing
habits. Suits over selling the data to advertisers have often failed.
Donato has ruled that the Illinois law is clear: Facebook
has collected a “wealth of data on its users, including self-reported residency
and IP addresses.” Facebook has acknowledged that it can identify which users
who live in Illinois have face templates, he wrote.
Donato previously rejected Facebook’s argument that the
case had to be dismissed because the attempt to enforce Illinois law runs afoul
of its user agreement that requires disputes to be resolved under the laws of
California, where it’s based.
The case is In re Facebook Biometric Information Privacy
Litigation, 15-cv-03747, U.S. District Court, Northern District of California
(San Francisco).
Comments
Post a Comment