Facial Recognition: Benefits & Risks

Editor’s Note:

Imagine how great technology would be if it weren’t for people. Since the beginning of time man has developed remarkable solutions to common problems. But leave it to nefarious, despicable, criminal or just plain dumb people to ruin them for the rest of us. You know, like gun powder, nuclear power, and the internet. Facial recognition programs and collection of biometric data would appear to have more benefits than risks, but those risks are there. As use of the technology proliferates we can expect more litigation as additional states follow Illinois — the first to enact a state Biometric Information Privacy Act. Martin T. Tully of Actuate Law LLC and Debbie Reynolds of Debbie Reynolds Consulting LLC, outline these risks and how regulation and litigation is responding in their article: Facial Recognition Proliferation: Litigation and Legal Implications of Biometric Technologies. Below are a couple excerpts from their article, published in the January 2021 edition of the Journal on Emerging Issues in Litigation. —Tom Hagy

Some FR technologies use a scanner to identify 4,500 different points of facial geometry to create a map of a person’s face. The application doesn’t necessarily store photos of faces; it generates and stores a unique, algorithmic representation of faces. Think of it as a hash value for that individual. The hash value can then recognize that person when they return to a facility after initially registering. “Ah, you’re Mary, the FedEx driver. You are authorized to go to Suite 501 and deliver this package to Acme Corporation because you previously registered yourself here in that capacity.” Notably, the hash value in this example is encrypted and is not personally identifiable information by itself; it is useless outside the visitor management system. In this situation, if there was unauthorized access to or disclosure of the hashed representations of facial geometry, they could not be used to identify any individuals unless the unauthorized recipient also had access to both the registration system and the registered individual. It is vital to understand how the particular FR technology works when considering its privacy implications.

For all its applications, the technology is not without its drawbacks. Erroneous identification using FR, especially when paired with bias in the use of artificial intelligence (AI), has raised legitimate red flags. Newsweek reported in July 2020 that Amazon’s FR technology falsely identified 28 members of Congress as people who had been arrested for crimes. Similarly, in late 2017, the iPhone X in China was criticized for its inability to distinguish between Chinese faces. Thus, there can be real risk of inaccuracies and bias with the current state of both FR technology and the AI that often powers it.

The Illinois BIPA came to the forefront in 2015 when some enterprising lawyers realized a statute could be used to challenge companies such as Facebook and Google. The statute is pretty broad and punitive in its application. It has led to numerous class action lawsuits not only in Illinois, but across the country.  A case against Facebook was filed in federal court in California, ultimately settling for $550 million (Patel, et al. v. Facebook, No. 3:15-cv-03747-JD, N.D. Calif.). Facebook previously settled a case with the FTC over its use of facial recognition technology for $5 billion.

In many BIPA lawsuits, standing has been an issue of contention. For some time, there was a split in the Illinois appellate courts about whether a claimant needed to show an actual concrete injury in order to sue under the statute. For example, just because I didn’t give you the written policy, or, I didn’t get your consent before I collected your information, do you have to show some other harm to have standing?

Essentially, if nothing’s happened to you, nobody has sold your information, nobody has stolen your identity and if you haven’t been harmed, do you have the standing to sue? That was a big question until early 2019 when the Illinois Supreme Court, in Rosenbach v. Six Flags Entertainment Corp., held that the answer was “no.” The Court found that the Illinois General Assembly clarified that as a public policy matter, violating the statute alone, without any further showing of actual harm, or concrete or tangible harm, is sufficient to confer standing upon somebody to sue under BIPA. Once that issue was resolved, it fanned the flames of additional BIPA class actions (Rosenbach v. Six Flags Entm’t Corp., 2019 IL 123186, 432 Ill. Dec. 654, 129 N.E.3d 1197).

Get the entire article by contacting the authors directly, or purchasing the January issue which has other insightful articles like this one.

Also, check out their webinar.

Facial Recognition Privacy and Security Concerns
Tom Hagy

Share This Story, Choose Your Platform!

Go to Top