In a blow to Google, a federal judge has refused to dismiss a lawsuit alleging that the company violated an Illinois privacy law regarding "faceprints."
The ruling means that Illinois residents Lindabeth Rivera and Joseph Weiss can move forward with class-action complaints accusing Google of running afoul of the Illinois Biometric Information Privacy Act, which requires companies to obtain written releases from people before collecting certain biometric data, including scans of face geometry.
That measure, passed in 2008, also requires companies that gather biometric data to notify people about the practice, and to publish a schedule for destroying the information. The law also provides for up to $5,000 in damages for intentional violations.
The allegations center on Google's alleged use of facial recognition technology on photos uploaded by users. Rivera said in her complaint that she doesn't have a Google Photos account, but that photos of her were uploaded to the service after they were taken by someone else.
Google "analyzed these photos by automatically locating and scanning plaintiff’s face, and by extracting geometric data relating to the contours of her face and the distances between her eyes, nose, and ears -- data which Google then used to create a unique template of Plaintiff’s face," Rivera's complaint alleges.
Weiss says he has a Google Photos account and uploaded 21 photos of himself. He says Google used data from those photos to create a faceprint of him.
Google argued that the matter should be dismissed at an early stage for several reasons. Among others, the company contended that requiring online photo services to follow a state privacy law regarding faceprints would unconstitutionally burden interstate commerce.
Google elaborated in court papers that it has no way of knowing whether a photo depicts an Illinois resident, which means it also doesn't know whether the Illinois law will apply to any particular photograph. Therefore, Google argued, the only guaranteed way to avoid liability would be to comply with the Illinois law throughout the country.
"In that way, the 'practical effect' of BIPA would be 'to control conduct beyond the boundaries of the State,'" Google said in its motion to dismiss. The company added that this result would be unconstitutional, because only Congress can regulate interstate commerce.
U.S. District Court Judge Edmond Chang rejected that argument for now, but suggested he may revisit Google's contentions after more evidence is developed about whether the facial scans occurred in Illinois, and whether Google has a practical way of excluding Illinois residents from the scans.
"Whether the Privacy Act is ... being summoned here to control commercial conduct wholly outside Illinois is not possible to figure out without a better factual understanding of what is happening in the Google Photos face-scan process," Chang wrote in a ruling issued Monday.
Google also argued that the case should be thrown out because the Illinois law says it excludes "photos" from the definition of "biometric identifiers." A separate definition of "biometric information" excludes any information derived from photos.
Chang also rejected those arguments for now, ruling that the law covers "scans of facial geometry" regardless of how they're created.
"The bottom line is that a 'biometric identifier' is not the underlying medium itself, or a way of taking measurements, but instead is a set of measurements of a specified physical component (eye, finger, voice, hand, face) used to identify a person," he wrote.
The class-action complaint seeks monetary damages as well as injunctions requiring Google to comply with the Illinois law.
Frank Hedin, the Miami-based lawyer representing Rivera and Weiss, says he will push for an order requiring Google to delete any biometrics that it collected without consent, and to implement procedures to obtain people's permission before collecting biometric data in the future.
"Biometric transactions are only becoming more and more prevalent," he says. "Losing control and your right to maintain privacy over that material is not only unnerving for people, but it exposes people to other dangers as well."
For instance, he says, people's security could be compromised if a database of biometric information leaked.
Digital rights advocates including the Electronic Frontier Foundation have raised similar concerns about the growing use of face scans, fingerprints and other forms of biometric data. "It’s not just a matter of a company using our biometrics to invade our privacy, but also the threat of data breaches that may allow criminals to use our biometrics to break into our accounts and steal our identities," the group said in a recent blog post outlining its support for a biometrics privacy law in Montana.