We already know Facebook will do pretty much whatever it wants with your data, but a lawsuit shows the lengths it will go to in defending that approach.
On Monday, the ACLU, Electronic Frontier Foundation (EFF), Center for Democracy & Technology, and Illinois Public Interest Research Group, filed what’s known as a “friend of the court brief.” The brief takes a stance against what appears to be an argument Facebook is advancing in court that would weaken a strong biometric data privacy law.
Three Illinois plaintiffs are suing Facebook in a class-action suit, stating Facebook did not comply with an Illinois law that requires informed and written consent for the collection of biometric data — in Facebook’s case, facial recognition. A federal judge gave the case the go ahead in April.
To defend itself, Facebook is reportedly arguing that the plaintiffs don’t have the right to sue at all, because they haven’t proved that they’ve suffered damages.
But the ACLU et. al say that this argument is not only inconsistent with the law — it also renders it unenforceable and, therefore, toothless.
“Adopting the defendant’s reading of BIPA would effectively gut the statute’s primary purpose and leave people without meaningful recourse in a world of rapidly advancing technology and proliferating uses of biometric information,” the brief reads.
In 2008, Illinois passed the Biometric Information Privacy Act (BIPA). The idea of the law is that biometric information in particular is so sensitive that it needs its own class of extra strong legal protection. Biometric data is sensitive because, unlike a password, you can’t change your face or your fingerprint; once it’s compromised, it’s compromised.
So BIPA states that users have to give companies collecting biometric information written, informed consent. That means they have to affirmatively agree to the collection of data, and they have to know what it’s being used for, the scope of the data, and who has access to it.
Then came 2010, when Facebook rolls out suggested tagging. When people were still, ya know, making Facebook albums, Facebook introduced the option to make tagging easier by “suggesting” who to tag. That means it used facial-recognition technology to pair photos with identities. Most crucially here, the feature was “opt-out” only.
In 2017, Facebook gave users the ability to opt out completely of having their faces recognized, and earlier this year Facebook began automatically notifying users when a picture of them had been uploaded to Facebook, giving them the option to tag themselves.
Facebook is reportedly trying many tacts to rebut the suit. It’s challenging the nature of consent, what even constitutes biometric data, and more. But the portion of their argument that the ACLU et. al. are opposing now concerns the ability of BIPA to actually be enforceable.
Typically, in a lawsuit, plaintiffs have to prove damages or that they have suffered (financially, emotionally, or otherwise) as a result of the defendants’ actions. The nature of suffering is what’s on the table now.
The Amicus Brief argues that the collection of biometric data without informed, written consent is a violation of the law. It states that the act of collecting the data is the damage done; not “some additional harm.”
If Facebook wins the damages argument, the brief says it would set a dangerous precedent, arguing that citizens need to have a legally enforceable way to prevent against the unlawful collection of data, not just misuse of data once it’s collected. And, most importantly, the brief says that that is what the law already does, and that Facebook’s reading would fundamentally change the purpose of the law.
Facebook has taken pains to urge users to review their privacy permissions, though the calls for proactive check-ups took on renewed vigor after this year’s data scandals, and coinciding with the European Union’s adoption of its General Data Protection Regulation (GDPR).