On January 29, Facebook agreed to a $550 million settlement of a class-action suit based on violations of Illinois' Biometric Information Privacy Act (BIPA). The settlement will compensate Facebook users in Illinois for Facebook's use of facial recognition technology, known as "tagging," without the user's consent and in violation of BIPA. While many people were surprised by the amount of the settlement, more were shocked that Facebook agreed to pay it.
The technology at issue was the nearly automatic tagging of friends and acquaintances in photos that users uploaded to Facebook. During the uploading process, Facebook's systems scanned the pictures, found matches using facial recognition technology, and suggested that users "tag" their Facebook friends who resembled those in the photographs. Given the number of photos that have been uploaded to Facebook, many speculate Facebook could have faced about $35 billion in fines under BIPA. Rather than balking at the $550 million settlement, perhaps we should ask why the amount wasn't larger.
Over the past few years, there has been a substantial increase in the number of laws that protect personal information, including biometrics, throughout the world. However, there are relatively few specific biometric privacy laws in the United States. Biometrics is the measurement and analysis of unique physical or behavioral characteristics such as fingerprints, DNA, or voice patterns, particularly as a means of validating an individual's identity. Accordingly, biometric privacy is the right of an individual to keep their biometric information private and to control how that information may be collected and used by third parties. This freedom arises out of a person's general right of privacy.
The right of privacy is one of the most hotly debated topics in the Bill of Rights. Often, the debates over the right of privacy involve people's religious beliefs, social mores, and opinions about what people can do in their own homes. But, in this instance, the right of privacy confronts something even more powerful and more difficult to overcome — the desire of businesses to make more money by using the resources available to them.
In this case, the resource is information: data about individuals and what makes each of them unique, including their DNA, facial features, fingerprints, and voices. Consequently, this right-to-privacy debate is over whether people get to control how businesses collect and use their personal information.
Facebook was using facial recognition to add a component to its product that would keep people interested, keep them on its site longer, and give its advertisers more opportunities to market products. And it worked. For instance, my friends and I troll Facebook the day after an event to see what pictures of ourselves have been posted. In doing so, we also view advertisements on our feeds, and many of us have purchased some items we've seen.
So, what's so wrong with that? In reality, Facebook's practice probably isn't that offensive to many people. We expect our pictures to be posted and for other people to recognize us. We also accept that most companies are constantly trying to entice us to buy their products.
But what if you had to give your fingerprints to enter a building you were visiting, and the building manager sold those fingerprints to a third party on the Dark Web? Our fingerprints and other biometric information are specific to us; therefore, their unauthorized use can have disastrous effects. You don't have to watch crime shows to imagine how these fingerprints could be used by nefarious actors.
It's fair to say most people would not be happy about the sale of their fingerprints, but would that sale be illegal? It depends. Biometric privacy laws are meant to protect individuals from having their fingerprints and other biometric information stolen or used in an unauthorized manner, thus providing a definitive answer regarding the legality of such sales.
I believe I should be able to control all uses of my personal information. I don't want people or businesses using my name, telephone number, or email address without my consent, but I'm even more protective of my biometric information. It is unacceptable to think that the DNA I provide to a genetic testing agency to learn about my ancestors could be used for other purposes. I just want to know if my family truly came from Ireland. I don't want a pharmaceutical company reaching out because it got my results and wants to sell me a drug for a disease that runs in my family.
To avoid these types of liabilities, businesses that wish to utilize biometrics should first determine if BIPA or another biometric privacy law applies to their situation. Compliance under each of these laws is slightly different. If BIPA applies, then the business is required to give the type of informed consent referenced above. To that end, businesses must:
- Provide written notice to affected individuals of the collection and use of the biometrics, including the specific reason for collection and use of the information and how long it will use and retain the biometric information (before collecting the biometrics).
- Obtain each individual's written consent to such collection and use of the biometrics (again, before collecting the biometrics).
- Keep the biometric information confidential and only disclose the information if the individual consents, it is required for the completion of a financial transaction requested by the individual, or disclosure is required by law, warrant, or subpoena.
- Institute appropriate administrative, technical, and physical safeguards for the protection of biometric information in its care.
- Implement retention and destruction policies documenting that the biometrics will only be retained for so long as they are needed or within three years of the individual's last interaction with the business, whichever occurs first, and ensuring that the information is appropriately disposed of at the end of such period.
Businesses should be guided by the basic principle of "only collect that which you need and only keep it for so long as it is needed," and they cannot sell, lease, or otherwise profit from another person's biometric information.
I hold that more states should follow Illinois' example and enact biometric privacy laws so individuals have control over the use of their biometrics and companies that use biometric information without consent can be held accountable. Furthermore, states that have enacted these laws should be more proactive in enforcement. A $35 billion fine will have a far greater deterrent effect than a $550 million settlement. I say, tag a few companies hard. The others will fall in line, and our information will be protected.