Supporters of unregulated corporate facial recognition systems are waging a sneak attack against our nation’s strongest protection of biometric privacy. On one side are business interests seeking to profit by using invasive facial recognition technologies to identify and track vast numbers of people without their consent. On the other side are EFF and many other digital privacy and consumer rights organizations. Our side won the latest round. But the future of biometric privacy will require all of our constant vigilance.
The latest example of successfully working together: privacy advocates sprung into action last month and defeated a bill that would have repealed most of the Illinois Biometric Information Privacy Act, a groundbreaking law protecting your biometric data. The bill would have deregulated scans of faces, irises, retinas, and hands, and left in place regulation only of fingerprbrints and voiceprints. In addition to gutting people’s privacy, it would also have undercut lawsuits pending against Facebook and other companies for violating the original strong law. The bill, filed just before the Memorial Day weekend, appeared set for quick passage before the end of the regular legislative session.
The day after the bill was introduced, EFF sent an opposition letter co-signed by the ACLU of Illinois, the Center for Digital Democracy, Consumer Action, the Consumer Federation of America, Consumer Watchdog, Illinois PIRG, the Privacy Rights Clearinghouse, Restore the Fourth, U.S. PIRG, the World Privacy Forum, and Professor Alvaro Bedoya. Illinois PIRG and the World Privacy Forum sent additional opposition letters. The Illinois Attorney General also opposed the bill. Amid this chorus of dissent, the bill’s author announced they would not call the bill for a vote—a win for privacy and for the people of Illinois.
EFF also objects to police use of facial recognition technology. Just last week, EFF joined a coalition effort against the FBI’s attempt to exempt its massive Next Generation Identification database of biometric identifiers from the guarantees of the federal Privacy Act.
Facial Recognition Technologies Endanger Our Privacy
The Illinois law is so important because increasingly sophisticated technology is making it easier than ever to capture and match our faces–remotely, secretly, cheaply, and automatically. New cameras can capture our facial images at ever greater distances and with ever higher precision. New computer programs can match our facial images with ever greater accuracy. New interoperability systems allow this facial matching across ever more databases.
Our faces are readily accessible to other people, and most people must expose their faces to other people in order to participate in society. When we do so, there is very little that we can do as individuals to prevent other people from capturing the images of our faces and subjecting us to facial recognition technologies.
If someone stalks us or commits identify theft against us by using our passwords or credit card numbers, we can defend ourselves by simply changing those unique identifiers. We can even change our names. But contrary to what action movies suggest, we cannot change our faces.
The private sector is deploying facial recognition systems with ever growing frequency. For example, Face First sells systems that retailers use to identify the people entering their stores, and assess whether (in the words of Face First) they are “bad guys” likely to shoplift or “good customers” who should be made more welcome. Similarly, Churchix sells systems that allow houses of worship to automatically determine who is attending their worship services. Analysts expect the global market for facial recognition technologies to double from $3 billion in 2015 to $6 billion in 2020.
The Success of an Illinois Statute
Perhaps it was inevitable that the Illinois Biometric Information Privacy Act would come under threat, as it’s our nation’s strongest law that protects people from facial recognition technology used by private entities. Enacted in 2008, the law was an initiative of the ACLU of Illinois, in response to an episode when a corporation sold off its database of customer biometric information during bankruptcy proceedings.
The Illinois statute requires private entities to get consent from a person before collecting or disclosing their biometric identifiers. Private entities also must destroy collected identifiers within three years, and sooner if they finish using the identifiers for the purpose for which they collected it. The statute extends to “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.” The term “face geometry” includes facial recognition. Finally, the statute has teeth: injured parties may sue the private entities that violate these privacy rules.
Facebook now faces litigation under the Illinois statute. The plaintiffs are a class of Illinois residents whose biometric identifiers Facebook collected. They object to Facebook’s “tag suggestions” feature, in which Facebook uses facial recognition technology to identify the people appearing in the hundreds of millions of photos uploaded to Facebook every day.
In May 2016, a federal judge denied Facebook’s motion to dismiss this lawsuit. Now the plaintiffs may gather evidence and try to prove a violation of the Illinois statute. Late last year, another federal judge likewise denied a motion to dismiss a similar lawsuit filed against Shutterfly. Google also faces suit under the Illinois statute. Now that privacy advocates have blocked the bill that would have weakened the law, these lawsuits will continue through the courts.
The Pushback from Big Business
Due to biometric privacy protections in other countries, Facebook does not operate its tag suggestions feature in Europe or Canada. Perhaps this is why corporations have resisted other efforts to regulate their use of facial recognition technologies in the U.S.
In 2014, the National Telecommunications and Information Administration (a division of the U.S. Commerce Department) convened a working group of industry representatives and privacy advocates to write a voluntary code of conduct for companies that use facial recognition technology. The privacy advocates, including EFF, argued that in many contexts, facial recognition of consumers should require consent. Unfortunately, industry stakeholders would not agree to a consent requirement in any concrete scenario. In response, the privacy advocates withdrew from the NTIA process.
In 2015, a legislator in the State of Washington filed a strong biometric privacy bill. But this year, it was amended to exclude facial recognition and most other biometric technologies. EFF opposed the amended bill.
And the most recent threat to the Illinois Biometric Information Privacy Act wasn’t even the first attempt to undermine it this year. An earlier bill would have allowed security firms to automatically screen consumers entering stores against police “mug shot” databases of arrested persons. EFF and the ACLU of Illinois opposed the bill, and it did not advance.
But it’s not all bad news. Texas has enacted a strong biometric privacy law.
Thanks to quick action by EFF and others, last week was a victory for biometric privacy. But we cannot rest. We must enact and enforce new statutes, at the federal and state levels, requiring private groups to obtain consent before subjecting us to facial recognition technologies or otherwise collecting our biometric identifiers. We must also protect the privacy statutes we already have from being gutted. Moreover, we need limits on how law enforcement agencies use these invasive technologies.
Most importantly, we must ensure that future generations enjoy the anonymity of crowded places. People should be free to go about their business in public areas without businesses using their faces, without their permission, to automatically track where they are going and what they are doing.