Facial Recognition Faceoff

Facebook has been resisting outside efforts to rein in its “faceprints” facial recognition initiative – and mostly losing.

I’ve blogged before about the concerns many people have about facial recognition technology, and the troubling implications of the technology being misused in the wrong hands.

Facebook would claim to be the “right hands” rather than wrong ones when it comes to the database of “faceprints” it’s been compiling over the past decade or so. But its initiative has run afoul of an Illinois biometric privacy law passed in 2008.

The Illinois measure, which prohibits companies from collecting or storing people’s biometric data without their consent, is one of the strongest pieces of legislation of its kind in that it also allows individual consumers to sue for damages – to the tune of up to $5,000 per violation.

And that’s precisely what’s happened.  A class-action suite was filed in 2015 by a group of Illinois residents, alleging that Facebook has violated the Illinois privacy law through its photo-tagging function which draws on a trove of “faceprint” photos to recognize faces and suggest their names when they appear in photos uploaded by friends on Facebook.

Facebook has vigorously resisted efforts to rein in its faceprint initiative, arguing that any such lawsuits should be dismissed because users haven’t actually been injured by any alleged violations of the state law.

That stance has been rejected – first in U.S. district court and then in the court of appeals. Undaunted, Facebook appealed to the U.S. Supreme Court which turned down the appeal in late January.

Rebuffed at all legal levels, Facebook has now decided to settle the suit for a reported $550 million, including payments of ~$200 each to claimants in the Illinois class-action suit.

Facebook has lost, but the whole notion of facial recognition technology could well be like playing a game of whack-a-mole. As it turns out, another firm has developed similar functionality and is busily selling facial recognition data to police departments across North America.  According to a recent investigative article publishing in The New York Times, a company called Clearview AI has mined billions of photos from Twitter, Facebook and other social platforms.  (Clearview is now being sued in Illinois for allegedly violating the same biometric privacy law that was at the center of the Facebook suit.)

And indeed, the efforts to rein in facial recognition activities may be a little too little, a little too late: According to a recent report from Business Insider, the faces of more than half of all adults in America have already been logged into police or government databases.

… Which brings us to a parallel response that appears to be gaining traction: figuring out ways to fool facial recognition software.  A number of entrepreneurs are developing intriguing methods to beat facial recognition software.  Among them are:

  • Clothing designers have begun to target weaknesses in the ability of facial recognition software to process overlapping or unusual shapes, as well as deciphering multiple similar images appearing in close proximity. One such example is a pair of goggles fitted with near-infrared LEDs that interfere with the ability to scan facial features.
  • Headscarves decorated with different faces “confuse” the software by overloading it with excessive amounts of data in the form of numerous facial features.
  • So-called “adversarial patches” – a graphic print that can be added to clothing – exploit the vulnerabilities in facial recognition scanning by making a person “virtually invisible for automatic surveillance cameras,” according to creators Simen Thys, Wiebe Van Ranst and Toon Goedemé.

Will the two-front attack on facial recognition technology from the legal as well as technology standpoint succeed in putting the facial recognition genie back in the bottle? It’s debatable.  But it’s certainly making things more of a challenge for the Facebooks and Clearviews of the world.

In the Facebook-faceprint tussle, score one for the little guys.

Is that Maria Callas? Check with Facebook -- they'll know.
Is that Maria Callas? Check with Facebook — they’ll know.

I blogged last year about privacy concerns surrounding Facebook’s “face geometry” database activities, which have led to lawsuits in Illinois under the premise that those activities run afoul of that state’s laws regarding the use of biometric data.

The Illinois legislation, enacted in 2008, requires companies to obtain written authorization from subjects prior to collecting any sort of face geometry or related biometric data.

The lawsuit, which was filed in early 2015, centers on Facebook’s automatic photo-tagging feature which has been active since around 2010. The “faceprints” feature – Facebook’s term for face geometry – recognizes faces based on the social network’s vast archive of users and their content, and suggests their names when they appear in photos uploaded by their friends.

The lawsuit was filed by three plaintiffs in a potential class-action effort, and it’s been mired in legal wrangling ever since.

From the outset, many had predicted that Facebook would emerge victorious.  Eric Goldman, a law professor at Santa Clara University, noted in 2015 that the Illinois law is “a niche statute, enacted to solve a particular problem.  Seven years later, it’s being applied to a very different set of circumstances.”

But this past week, a federal judge sided not with Facebook, but with the plaintiffs by refusing to grant a request for dismissal.

In his ruling issued on May 5th, U.S. District Court Judge James Donato rejected Facebook’s contention that the Illinois Biometric Privacy Information Act does not apply to faceprints that are derived from photos, but only when it’s based on a source other than photos, such as in-person scans.

The Judge roundly rejected this contention as inconsistent with the purpose of the Illinois law. Donato wrote:

“The statute is an informed consent privacy law addressing the collection, retention and use of personal biometric identifiers and information at a time when biometric technology is just beginning to be broadly deployed. Trying to cabin this purpose within a specific in-person data collection technique has no support in the words and structure of the statute, and is antithetical to its broad purpose of protecting privacy in the face of emerging biometric technology.”

This isn’t the first time that the Illinois law has withstood a legal challenge. Another federal court judge, Charles Norgle, sided against Shutterfly recently on the same issues.

And Google is now in the crosshairs; it’s facing a class-action lawsuit filed early this year for its face geometry activities involving Google Photos.

Clearly, this fight has a long way to go before the issues are resolved.

If you have strong opinions pro or con about social networks’ use of face geometry, please share your views with other readers in the comment section below.