Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

3/18/2020
02:00 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Facebook Got Tagged, but Not Hard Enough

Ensuring that our valuable biometric information is protected is worth more than a $550 million settlement.

On January 29, Facebook agreed to a $550 million settlement of a class-action suit based on violations of Illinois' Biometric Information Privacy Act (BIPA). The settlement will compensate Facebook users in Illinois for Facebook's use of facial recognition technology, known as "tagging," without the user's consent and in violation of BIPA. While many people were surprised by the amount of the settlement, more were shocked that Facebook agreed to pay it.

The technology at issue was the nearly automatic tagging of friends and acquaintances in photos that users uploaded to Facebook. During the uploading process, Facebook's systems scanned the pictures, found matches using facial recognition technology, and suggested that users "tag" their Facebook friends who resembled those in the photographs. Given the number of photos that have been uploaded to Facebook, many speculate Facebook could have faced about $35 billion in fines under BIPA. Rather than balking at the $550 million settlement, perhaps we should ask why the amount wasn't larger.

Over the past few years, there has been a substantial increase in the number of laws that protect personal information, including biometrics, throughout the world. However, there are relatively few specific biometric privacy laws in the United States. Biometrics is the measurement and analysis of unique physical or behavioral characteristics such as fingerprints, DNA, or voice patterns, particularly as a means of validating an individual's identity. Accordingly, biometric privacy is the right of an individual to keep their biometric information private and to control how that information may be collected and used by third parties. This freedom arises out of a person's general right of privacy.

The right of privacy is one of the most hotly debated topics in the Bill of Rights. Often, the debates over the right of privacy involve people's religious beliefs, social mores, and opinions about what people can do in their own homes. But, in this instance, the right of privacy confronts something even more powerful and more difficult to overcome — the desire of businesses to make more money by using the resources available to them.

In this case, the resource is information: data about individuals and what makes each of them unique, including their DNA, facial features, fingerprints, and voices. Consequently, this right-to-privacy debate is over whether people get to control how businesses collect and use their personal information.

Facebook was using facial recognition to add a component to its product to keep people interested, stay on its site longer, and give its advertisers more opportunities to market products. And it worked. For instance, my friends and I troll Facebook the day after an event to see what pictures of ourselves have been posted. In doing so, we also view advertisements on our feeds, and many of us have purchased some items we've seen.

So, what's so wrong with that? In reality, Facebook's practice probably isn't that offensive to many people. We expect our pictures to be posted and for other people to recognize us. We also accept that most companies are constantly trying to entice us to buy their products.

But what if you had to give your fingerprints to enter a building you were visiting, and the building manager sold those fingerprints to a third party on the Dark Web? Our fingerprints and other biometric information are specific to us; therefore, their unauthorized use can have disastrous effects. You don't have to watch crime shows to imagine how these fingerprints could be used by nefarious actors.

It's fair to say most people would not be happy about the sale of their fingerprints, but would that sale be illegal? It depends. Biometric privacy laws are meant to protect individuals from having their fingerprints and other biometric information stolen or used in an unauthorized manner, thus providing a definitive answer regarding the legality of such sales.

I believe I should be able to control all uses of my personal information. I don't want people or businesses using my name, telephone number, or email address without my consent, but I'm even more protective of my biometric information. It is unacceptable to think that the DNA I provide to a genetic testing agency to learn about my ancestors could be used for other purposes. I just want to know if my family truly came from Ireland. I don't want a pharmaceutical company reaching out because it got my results and wants to sell me a drug for a disease that runs in my family.

To avoid these types of liabilities, businesses that wish to utilize biometrics should first determine if BIPA or other biometric privacy law applies to their situation. Compliance under each of these laws is slightly different. If BIPA applies, then the business is required to give the type of informed consent referenced above. To that, businesses must:

  • Provide written notice to affected individuals of the collection and use of the biometrics, including the specific reason for collection and use of the information and how long it will use and retain the biometric information (before collecting the biometrics).

  • Obtain each individual's written consent to such collection and use of the biometrics (again, before collecting the biometrics).

  • Keep the biometric information confidential and only disclose the information if the individual consents, it is required for the completion of a financial transaction requested by the individual, or disclosure is required by law, warrant, or subpoena.

  • Institute appropriate administrative, technical, and physical safeguards for the protection of biometric information in its care.

  • Implement retention and destruction policies documenting that the biometrics will only be retained for so long as they are needed or within three years of the individual's last interaction with the business, whichever occurs first, and ensuring that the information is appropriately disposed of at the end of such period.

Businesses should be guided by the basic principle of "only collect that which you need and only keep it for so long as it is needed," and they cannot sell, lease, or otherwise profit from another person's biometric information.

I hold that more states should follow Illinois' example and enact biometric privacy laws so individuals have control over the use of their biometrics and companies that use biometric information without consent can be held accountable. Furthermore, states that have enacted these laws should be more proactive in enforcement. A $35 billion fine will have a far greater deterrent effect than a $550 million settlement. I say, tag a few companies hard. The others will fall in line, and our information will be protected.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's featured story: "Beyond Burnout: What Is Cybersecurity Doing to Us?"

Billee Elliott McAuliffe is a member of Lewis Rice practicing in the firm's corporate department. Although she focuses on information technology and privacy, Billee also has extensive experience in corporate law, including technology licensing, cybersecurity and data privacy, ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
News
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Commentary
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-36197
PUBLISHED: 2021-05-13
An improper access control vulnerability has been reported to affect earlier versions of Music Station. If exploited, this vulnerability allows attackers to compromise the security of the software by gaining privileges, reading sensitive information, executing commands, evading detection, etc. This ...
CVE-2020-36198
PUBLISHED: 2021-05-13
A command injection vulnerability has been reported to affect certain versions of Malware Remover. If exploited, this vulnerability allows remote attackers to execute arbitrary commands. This issue affects: QNAP Systems Inc. Malware Remover versions prior to 4.6.1.0. This issue does not affect: QNAP...
CVE-2021-28799
PUBLISHED: 2021-05-13
An improper authorization vulnerability has been reported to affect QNAP NAS running HBS 3 (Hybrid Backup Sync. ) If exploited, the vulnerability allows remote attackers to log in to a device. This issue affects: QNAP Systems Inc. HBS 3 versions prior to v16.0.0415 on QTS 4.5.2; versions prior to v3...
CVE-2021-22155
PUBLISHED: 2021-05-13
An Authentication Bypass vulnerability in the SAML Authentication component of BlackBerry Workspaces Server (deployed with Appliance-X) version(s) 10.1, 9.1 and earlier could allow an attacker to potentially gain access to the application in the context of the targeted user’s acco...
CVE-2021-23134
PUBLISHED: 2021-05-12
Use After Free vulnerability in nfc sockets in the Linux Kernel before 5.12.2 allows local attackers to elevate their privileges. In typical configurations, the issue can only be triggered by a privileged local user with the CAP_NET_RAW capability.