Facebook Got Tagged, but Not Hard Enough

Ensuring that our valuable biometric information is protected is worth more than a $550 million settlement.

On January 29, Facebook agreed to a $550 million settlement of a class-action suit based on violations of Illinois' Biometric Information Privacy Act (BIPA). The settlement will compensate Facebook users in Illinois for Facebook's use of facial recognition technology, known as "tagging," without the user's consent and in violation of BIPA. While many people were surprised by the amount of the settlement, more were shocked that Facebook agreed to pay it.

The technology at issue was the nearly automatic tagging of friends and acquaintances in photos that users uploaded to Facebook. During the uploading process, Facebook's systems scanned the pictures, found matches using facial recognition technology, and suggested that users "tag" their Facebook friends who resembled those in the photographs. Given the number of photos that have been uploaded to Facebook, many speculate Facebook could have faced about $35 billion in fines under BIPA. Rather than balking at the $550 million settlement, perhaps we should ask why the amount wasn't larger.

Over the past few years, there has been a substantial increase in the number of laws that protect personal information, including biometrics, throughout the world. However, there are relatively few specific biometric privacy laws in the United States. Biometrics is the measurement and analysis of unique physical or behavioral characteristics such as fingerprints, DNA, or voice patterns, particularly as a means of validating an individual's identity. Accordingly, biometric privacy is the right of an individual to keep their biometric information private and to control how that information may be collected and used by third parties. This freedom arises out of a person's general right of privacy.

The right of privacy is one of the most hotly debated topics in the Bill of Rights. Often, the debates over the right of privacy involve people's religious beliefs, social mores, and opinions about what people can do in their own homes. But, in this instance, the right of privacy confronts something even more powerful and more difficult to overcome — the desire of businesses to make more money by using the resources available to them.

In this case, the resource is information: data about individuals and what makes each of them unique, including their DNA, facial features, fingerprints, and voices. Consequently, this right-to-privacy debate is over whether people get to control how businesses collect and use their personal information.

Facebook was using facial recognition to add a component to its product to keep people interested, stay on its site longer, and give its advertisers more opportunities to market products. And it worked. For instance, my friends and I troll Facebook the day after an event to see what pictures of ourselves have been posted. In doing so, we also view advertisements on our feeds, and many of us have purchased some items we've seen.

So, what's so wrong with that? In reality, Facebook's practice probably isn't that offensive to many people. We expect our pictures to be posted and for other people to recognize us. We also accept that most companies are constantly trying to entice us to buy their products.

But what if you had to give your fingerprints to enter a building you were visiting, and the building manager sold those fingerprints to a third party on the Dark Web? Our fingerprints and other biometric information are specific to us; therefore, their unauthorized use can have disastrous effects. You don't have to watch crime shows to imagine how these fingerprints could be used by nefarious actors.

It's fair to say most people would not be happy about the sale of their fingerprints, but would that sale be illegal? It depends. Biometric privacy laws are meant to protect individuals from having their fingerprints and other biometric information stolen or used in an unauthorized manner, thus providing a definitive answer regarding the legality of such sales.

I believe I should be able to control all uses of my personal information. I don't want people or businesses using my name, telephone number, or email address without my consent, but I'm even more protective of my biometric information. It is unacceptable to think that the DNA I provide to a genetic testing agency to learn about my ancestors could be used for other purposes. I just want to know if my family truly came from Ireland. I don't want a pharmaceutical company reaching out because it got my results and wants to sell me a drug for a disease that runs in my family.

To avoid these types of liabilities, businesses that wish to utilize biometrics should first determine whether BIPA or another biometric privacy law applies to their situation. Compliance under each of these laws is slightly different. If BIPA applies, then the business is required to obtain the type of informed consent referenced above. To that end, businesses must:

  • Provide written notice to affected individuals of the collection and use of the biometrics, including the specific reason for collection and use of the information and how long it will use and retain the biometric information (before collecting the biometrics).

  • Obtain each individual's written consent to such collection and use of the biometrics (again, before collecting the biometrics).

  • Keep the biometric information confidential and only disclose the information if the individual consents, it is required for the completion of a financial transaction requested by the individual, or disclosure is required by law, warrant, or subpoena.

  • Institute appropriate administrative, technical, and physical safeguards for the protection of biometric information in its care.

  • Implement retention and destruction policies documenting that the biometrics will be retained only for as long as they are needed or until three years after the individual's last interaction with the business, whichever occurs first, and ensuring that the information is appropriately disposed of at the end of that period.

Businesses should be guided by the basic principle of "only collect that which you need and only keep it for so long as it is needed," and they cannot sell, lease, or otherwise profit from another person's biometric information.

I hold that more states should follow Illinois' example and enact biometric privacy laws so individuals have control over the use of their biometrics and companies that use biometric information without consent can be held accountable. Furthermore, states that have enacted these laws should be more proactive in enforcement. A $35 billion fine will have a far greater deterrent effect than a $550 million settlement. I say, tag a few companies hard. The others will fall in line, and our information will be protected.


Billee Elliott McAuliffe is a member of Lewis Rice practicing in the firm's corporate department. Although she focuses on information technology and privacy, Billee also has extensive experience in corporate law, including technology licensing, cybersecurity and data privacy, ...
