Facial recognition technology is spreading, and so are privacy concerns


Being anonymous in public might be a thing of the past.

Facial recognition technology is already being deployed to let brick-and-mortar stores scan the face of every shopper, identify returning customers and offer them individualized pricing — or find “pre-identified shoplifters” and “known litigious individuals.” Microsoft has patented a billboard that identifies you as you walk by and serves ads personalized to your purchase history. An app called NameTag contends it can identify people on the street just by looking at them through Google Glass.

There are no federal laws that specifically govern the use of facial recognition technology. But both Illinois and Texas have laws against using such technology to identify people without their informed consent. The Illinois law is facing the most public test to date of what its protections mean for facial recognition technology.

A lawsuit filed in Illinois trial court in April alleges Facebook violates the state’s Biometric Information Privacy Act by taking users’ faceprints “without even informing its users — let alone obtaining their informed written consent.” This suit, Licata vs. Facebook, could reshape Facebook’s practices and may even influence the expansion of facial recognition technology.


How common — and how accurate — is facial recognition technology?

Even if you don’t walk by ads that address you by name, odds are that your facial geometry is already being analyzed regularly. Law enforcement agencies deploy facial recognition technology in public and can identify someone by searching a biometric database that contains information on as many as one-third of Americans.

Companies such as Facebook and Google also routinely collect facial recognition data from their users. (Facebook’s system is on by default; Google’s works only if you opt in to it.) Their technology may be even more accurate than the government’s. Google’s FaceNet algorithm can identify faces with 99.63% accuracy. Facebook’s algorithm, DeepFace, gets a 97.25% rating. The FBI, on the other hand, has roughly 85% accuracy in identifying potential matches.

Facebook and Google use facial recognition to detect when a user appears in a photograph and to suggest that he or she be tagged.

With the boom in personalized advertising technology, a facial recognition database of its users is probably very valuable to Facebook. The company hasn’t disclosed the size of its faceprint repository, but it does acknowledge that it has more than 250 billion user-uploaded photos — with 350 million more uploaded every day. The director of engineering at Facebook’s AI research lab recently suggested that this information was “the biggest human data set in the world.”

Eager to extract that value, Facebook signed users up by default when it introduced Tag Suggestions in 2011. The rollout prompted Sen. Al Franken (D-Minn.) to worry that “Facebook may have created the world’s largest privately held database of faceprints — without the explicit consent of its users.”


The introduction of Tag Suggestions is what’s at issue in the Illinois lawsuit. In Illinois, companies have to inform users whenever biometric information is being collected, explain the purpose of the collection and disclose how long they’ll keep the data. Once informed, users must provide “written release” that they consent to the data collection. Only after receiving this written consent may companies obtain biometric information, including scans of facial geometry.

Facebook declined to comment on the lawsuit and has not filed a written response in court.

It’s unclear whether today’s paradigm for consent — clicking a “Sign Up” button that attests you’ve read and agreed to a lengthy privacy policy — fulfills the requirements written into the Illinois law. If the law does apply, Facebook could be on the hook for significant financial penalties. This case is one of the first applications of the Illinois law to facial recognition, and it will set a hugely important precedent for consumer privacy.

Why biometric privacy laws?

Biometric information, like face geometry, is high-stakes data because it encodes physical properties that are immutable, or at least very hard to conceal. Moreover, unlike other biometrics, faceprints are easy to collect remotely and surreptitiously by staking out a public place with a decent camera.

Anticipating the importance of this information, Texas passed a law in 2001 that restricts how commercial entities can collect, store, trade in and use biometric data. Illinois passed a similar law in 2008 called the Biometric Information Privacy Act, or BIPA. A year later, Texas followed up with another law to further regulate biometric data in commerce.

The Texas laws were passed with facial recognition in mind. Brian McCall, now chancellor of the Texas State University system, introduced both Texas bills during his tenure as a state representative.


“Legislation is seldom ahead of science, and in this case I felt it was absolutely necessary that legislation get ahead of common practice,” McCall said. “And in fact, we were concerned about how the market would use personally identifiable information.”

Said James Ferg-Cadima, a former attorney with the ACLU of Illinois who worked on drafting and lobbying for the BIPA: “Oddly enough, there was little voice from the private business sector.”

This corporate indifference might be a thing of the past. Tech companies of all stripes have grown more and more interested in biometrics. They’ve become more politically powerful, too: For instance, Facebook’s federal lobbying expenditures grew from $207,878 in 2009 to $9.34 million in 2014.

Testing the Illinois law

Asked about the privacy law cited in the Licata case, Jay Edelson, the managing partner of the firm representing the plaintiff, said: “The key thing to understand is that almost all privacy statutes are really consent statutes.” The lawsuit stands to determine precisely what kind of consent the Illinois law demands.

If the court finds that Facebook can be sued for violating the Illinois biometrics law, and that its opt-out consent framework for Tag Suggestions violated the law, it may upend the practices of one of the world’s largest Internet companies, one that is possibly the single largest user of commercial facial recognition technology. And if the lawsuit fails for one reason or another, it would emphasize that regulation of facial recognition needs to take place on a federal level if it is to happen at all. Either way, there’s a chance this lawsuit will end up shaping the future of facial recognition technology.


Ben Sobel is a researcher and incoming Google Policy Fellow at the Center on Privacy and Technology at Georgetown Law. He writes occasionally for the Washington Post’s Technology section.