Ten years ago, Illinois enacted a law that imposes important protections against companies collecting and storing our biometric information — including using facial recognition — without public knowledge and consent.
The law is called the Biometric Information Privacy Act. Although facial recognition was relatively crude when it was passed, the wisdom of the Illinois decision has been played out over the last decade, as facial recognition and other biometric collection has developed and spread.
On December 17, the American Civil Liberties Union (ACLU) co-filed a friend-of-the-court brief in federal appeals court defending the Illinois law against arguments advanced by Facebook trying to remove the law’s pro-privacy teeth.
Under the law, a company may collect a person’s biometric identifiers — like fingerprints or data from a person’s face or iris — only if it first obtains informed consent from that person. In the case now pending in the Ninth Circuit Court of Appeals, Facebook users in Illinois have alleged that the company violated their rights under the law by using facial recognition technology to identify them in digital images uploaded to the site without disclosing its use of facial recognition or obtaining consent.
One of Facebook’s arguments in the case is that people should not have an automatic right to sue when their biometric information has been collected in violation of the law. Rather, they must prove that they have suffered monetary or other damages. As we explain in our brief, however, that runs counter to the Illinois Legislature’s intent, which was to provide strong, enforceable protection against surreptitious collection of sensitive biometric data.
In the decade since passage of the law, the need for its protections has become crystal clear. As explained in the brief from December 18:
Retail stores use facial recognition technology to “identify known shoplifters,” and at least some companies are reportedly using such technology to track shoppers in their stores. Employers collect biometrics for time tracking and attendance management, as well as to manage access to company phones, laptops, and cloud storage accounts. Banks have invested in collecting customers’ biometric data, including face scans, fingerprints, iris scans, and voiceprints, to authenticate those customers’ identities. Churches have adopted facial recognition and fingerprint collection technology “to accurately track attendance for various events like Bible studies, worship services and Sunday school.” Many schools now collect fingerprints to manage attendance, cafeteria purchases, library services, and security, and some schools have started installing facial recognition systems to control entry into buildings.
Perhaps most concerning, major technology companies like Amazon have invested heavily in powerful facial recognition systems that they sell access to on the cheap. Amazon says its facial recognition system, called Rekognition, is not only able to store facial recognition images of large numbers of people, but it is also able to “perform real-time face searches against collections with tens of millions of faces” and “detect, analyze, and index up to 100 faces in a single image,” such as photographs captured at “crowded events and department stores.”
Using it is cheap, and as we have warned before, without protections, this technology could enable civil rights and civil liberties violations on a massive scale. Indeed, a recent survey conducted by the ACLU revealed that 18 of the top 20 American retail companies refused to say whether they collect facial recognition scans of their customers.
That is why the ACLU supports a strong interpretation of the law’s protections. As the district court wrote in its ruling against Facebook in February, “When an online service simply disregards the Illinois procedures, as Facebook is alleged to have done, the right of the individual to maintain her biometric privacy vanishes into thin air.”
Without an enforceable requirement that companies disclose their collection of biometric information and obtain consent, people will have no way to protect themselves against surreptitious corporate surveillance.