Skip to main content

Is Facebook’s photo-tagging system violating privacy law?

Is Facebook’s photo-tagging system violating privacy law?

Share this story

If you were building a system to catalog and study the human face, it would be hard to do better than Facebook. Just 12 years after its creation, the network is not just the largest photo-storage service but the largest single collection of images that human beings have ever had access to. The total number of photos is hard to gauge, but it passed 250 billion pictures in 2013, and by now is likely closing in on 1 trillion, spread across 1.2 billion users worldwide.

That much data is a powerful thing, and Facebook has made good use of it. Since 2010, the company has been using those photos to fuel a powerful facial recognition engine. When you upload a photo of someone, Facebook will almost always know who that person is, encouraging you to tag them and let them know. Thanks to the mountains of data, it’s become one of the most advanced facial recognition systems available, far beyond the FBI’s face-scanning system. It’s also a crucial product for Facebook itself, integrated into the Messenger app earlier this year.

Nearly 1 trillion photos, spread across 1.2 billion users worldwide

Now, a new lawsuit has called that system into question, claiming Facebook's biometric faceprints violate user privacy. Facebook disputes the claim, although it has avoided rolling out facial recognition in Europe and Canada, presumably over similar concerns. If the latest complaints are upheld, it could mean a profound shift in how Facebook treats user photos, potentially even pushing the feature out of the US entirely.

The case centers around the Illinois Biometric Information Privacy Act, which deals with fingerprints, voiceprints, and scans of facial geometry. According to the law, anyone collecting those identifiers has to notify users in advance, say why they’re being collected, and how long they’re being retained. It also puts strict limits on how those identifiers can be shared and how long they can be stored.

Notably, photographs are explicitly ruled out as a biometric, but the plaintiffs argue the relevant biometric is the facial geometry scans created from those photographs. If Facebook were a simple photo service, it wouldn’t have to worry about biometrics at all — but the plaintiffs argue that as long as the company is using those photos to create and apply faceprints, the Illinois law applies. The key point isn’t the collection of data, but using that data to create a profile specific to a person’s body. Alvaro Bedoya, who has been following the case for the Center on Privacy and Technology at Georgetown Law, described it this way: "If you run a bar, the law doesn’t prevent you from picking up my used pint glass, but it prevents you from pulling my DNA off it."

The biggest question facing the court is whether Facebook’s photo-tagging system crosses that line. The system is more complex than simply producing a scan from a photograph, relying heavily on known friends of the person uploading the photo. (If a face doesn’t belong to one of your friends, it won’t be suggested as a tag.) At the same time, the machine learning that powers the feature means matches are fuzzier than conventional biometrics, working off broad similarities rather than hard certainties. Still, the net result is the same, reaching 97 percent accuracy in a recent test.

"If you run a bar, the law doesn’t prevent you from picking up my used pint glass, but it prevents you from pulling my DNA off it."

Then there’s the question of whether Facebook has users’ consent to build that profile. There’s nothing about facial recognition or biometric collection in Facebook’s terms of service. The company’s data policy (which users are also required to approve) does refer to the system, saying tag suggestions are created by "comparing your friend's pictures to information we've put together from your profile pictures and the other photos in which you've been tagged." Users are also able to opt out of the system at any time, as described in the Help Center. Somewhat confusingly, the option is nested in Settings under the question "Who sees tag suggestions when photos that look like you are uploaded?" As long as the option is set to "no one," Facebook won’t build a facial recognition profile for that user. Neither the help center nor the settings page mention facial recognition or biometrics by name. They refer to the system simply as "tag suggestions."

Even if the court agrees Facebook’s system violates the Illinois law, it may not matter. Last week, in a motion to dismiss the suit, Facebook argued that the company was bound only by the state laws of California, as agreed to in the terms of service. If the court agrees, it would mean that plaintiffs have forfeited their rights under Illinois law simply by signing up with the service. That would be a serious blow to state sovereignty — effectively meaning Illinois can’t pass laws concerning its own citizens’ data privacy — but courts have upheld similar clauses in the past. If the case survives the motion, Facebook will have plenty more chances to dismiss the case before it reaches a final verdict.

"We will defend ourselves vigorously."

But even if the case is dismissed, the issues are unlikely to disappear entirely. As biometric data like fingerprints and iris scans become more pervasive, more states are considering privacy laws like the one passed in Illinois. Texas already has a similar criminal statute although testing it would require a state attorney general to bring the company up on charges. Alaska and Washington have brought similar bills to the legislature, although neither one made it into law.

If any of those laws do affect Facebook, it won’t be alone. Google released a similar system in Photos earlier this year, and facial recognition is quickly becoming a must-have feature for photo storage systems, raising the stakes even higher. In theory, the problems could be solved by simply disclosing the recognition systems more aggressively, but it’s unlikely either company would want to submit to the law’s retention rules or any other policies that might be handed down in the future. Either way, Facebook isn’t giving up the Illinois case without a fight. "This lawsuit is without merit," a spokesperson said in a statement, "and we will defend ourselves vigorously."