Facebook Hit With Lawsuit for Scanning, Storing Users' Facial Data

Facebook anonymity
Michael Dalder/Reuters

Have you ever uploaded pictures onto Facebook and found that the site has automatically identified the people in each image, asking if you'd like to tag them?

This "tag suggestion" feature comes courtesy of the site's facial recognition software, added in 2010, which a class-action lawsuit filed April 1 says violates users' privacy.

Facebook's facial recognition technology is able to identify friends in pictures by scanning their faces, isolating their facial features and comparing the information against its database of faces. And with the development of "DeepFace" last year, a technology with a 97.25 percent accuracy rate (humans are successful in identifying faces 97.5 percent of the time), the company is getting pretty good at recognizing its users.

Lead plaintiff Carlo Licata of Illinois's Cook County claims that by collecting users' facial data and "secretly amass[ing] the world's largest privately held database of consumer biometrics data," Facebook is violating Illinois's Biometric Information Privacy Act of 2008.

The Illinois law requires that companies get written consent before collecting biometric data and notify customers about how long their information will be kept. Licata says this "is precisely what Facebook did not do when it rolled out its facial recognition program."

He also contends that Facebook is "actively conceal[ing]" the controversial practice, as he was never asked for permission before his facial data was collected and stored, provided with an opportunity to opt out or told how long his data would be kept.

While Facebook allows users to change their privacy settings so they cannot be tagged in photos, Licata's attorney, Jay Edelson, says it is too late—his client has been on the site since 2009.

"If he changed the privacy setting [now], that wouldn't change anything because [Facebook] had taken his data and they're holding on to it," Edelson told the Chicago Tribune. "There's no delete button."

Edelson also worries about his client's security. "If there's a data breach and hackers get it," he told the Tribune, "that would be a total mess."

In 2011, the Federal Trade Commission echoed Edelson's concern, saying a third party could maliciously breach the database. The commission added that because people cannot change their faces, "once exposed, a victim has no recourse to prevent becoming victim to misconduct like identity theft and unauthorized tracking."

In a 2012 Senate hearing about biometric technology, however, Facebook's privacy and public policy manager, Roger Sherman, asserted that not only is user data secure but the company's face-print database works only with the company's own software and "alone, the templates are useless bits of data."

Licata's case is not the first to take issue with Facebook's facial recognition program. In 2012, Facebook promised European regulators it would stop using the facial recognition software until it complied with European privacy rules. It has since been restored.

Licata hopes his suit will force Facebook to comply with Illinois law and "put a stop to its surreptitious collection, use and storage" of users' facial data.

Facebook did not respond with a comment by publication time.