
Google Sued Under Illinois Biometric Information Privacy Act - tonymarks
https://www.lexology.com/library/detail.aspx?g=51dd0122-9399-48e9-b6ef-fc357760d387
======
shadowgovt
This lawsuit seems dead on arrival.

From the article (emphasis my own):

""" The suit alleges that Google is violating BIPA because it is “actively
collecting, storing, and using—without providing notice, obtaining informed
written consent or publishing data retention policies—the biometrics of
millions of unwitting individuals _whose faces appear in photographs_ uploaded
to Google Photos in Illinois """

From the text of the BIPA law (again, emphasis my own):

""" Biometric identifiers do not include writing samples, written signatures,
_photographs_... """

This interpretation of BIPA would seem to require complex written consent for
every corner store running a security camera and every wedding photographer,
which clearly isn't the intent of the law. Since the law explicitly carves out
photographs, the use to which Google is putting the material in question
should be irrelevant; it's explicitly excluded from this law's coverage.

~~~
voxic11
I have to point out that his exact argument has been made and rejected by the
courts in multiple cases already.

> Shutterfly maintains that by excluding data derived from photographs from
> the definition of “biometric information,” the Illinois legislature intended
> to exclude from BIPA’s purview all biometric data obtained from
> photographs... As Shutterfly acknowledges, if biometric identifiers do not
> include information obtained from images or photographs, the definition’s
> reference to a “scan of face geometry” can mean only an in-person scan of a
> person’s face. Such a narrow reading of the term “biometric identifier” is
> problematic in many respects... The definition of ‘biometric identifier’
> does not use words like ‘derived from a person,’ ‘derived in person,’ or
> ‘based on an in-person scan,’ whereas the definition of ‘biometric
> information’ does say that it is information ‘based on’ a biometric
> identifier.”); The Illinois General Assembly clearly sought to define the
> term “biometric identifier” with a great deal of specificity: the definition
> begins by identifying six particular types of biometric data that are
> covered by the term (i.e., retina or iris scans, fingerprints, voiceprints,
> scans of hand or face geometry); it then provides a long list of other
> specific types of biometric data that are excluded from the definition. If
> the legislature had intended a “scan of face geometry” to refer only to
> scans taken of an individual’s actual face, it is reasonable to think that
> it would have signalled this more explicitly.

https://www.courthousenews.com/wp-content/uploads/2017/09/ShutterflyRuling.pdf

~~~
shadowgovt
Interesting. My plaintext reading of the law interpreted "scan of face
geometry" as a full 3D mapping (i.e. photographic plus infrared rangefinding),
and I stand corrected on the intended reading of the text.

~~~
voxic11
That is an argument which no one has tested in court yet. But it seems
unlikely to succeed as the law doesn't specify any requirements on how
“biometric identifiers” such as face geometry are collected. And indeed the
courts appear disposed to allow the phrase to cover any extraction of face
geometry data regardless of the technological means by which it is done.

------
lmkg
To save y'all a click: The alleged biometrics in question are the use of
facial-recognition software on photos uploaded to Google Photos (without
informed consent from the user).

~~~
rygxqpbsngav
I remember Google popping up a consent to store the AI models for the facial
recognition locally on my phone (not in the cloud)! If this is the case, the
lawyers are wasting their time, I guess.

~~~
bogwog
I've never received a popup like that, nor ever heard of anyone receiving one.
Are you in Illinois?

~~~
rygxqpbsngav
UK. I recently bought a new phone and when I opened the Google Photos app for the
first time, it asked to store local trained models to enable AI features for
the app.

------
rahuldottech
If a friend clicks a photo of me and uploads it to Google Photos, IMO, it's
not okay for Google to use my face to train models without explicit permission
from me.

Unfortunately, as is often the case with technology, laws have not kept up
with the latest developments, and likely will not in my country for several
more decades. Welp.

~~~
coleca
Just to be pedantic in the spirit of HN. Google isn't training models w/your
face from your photo library. The way face recognition works is that Google
would collect a dataset somehow and label that for the various features and
train a model for face recognition. Usually this is done with a carefully
curated dataset that would be sure to include various ages, genders,
ethnicities, lighting conditions, angles, and camera types.

When you use Google Photos, it is using that pre-trained model to determine
the features of the faces it finds in your library and it builds a vector,
which is just a long string of numbers (also known as a face template or
feature vector) that represents each face. Through various machine learning
techniques it is able to compare 2 vectors to see how close those 2 faces are
alike. If the confidence score it finds is higher than some predetermined
threshold (say 70%), it is assumed they are the same person. Running these
comparisons over and over through all the photo pairs, the software can group
or cluster faces so that it knows all these photos have person 1 and these
photos have person 2. Google never knows who those people are, unless you tag
those images with a name.

The images in your camera roll aren't used for re-training the original model
because Google doesn't know the ground truth about your photos. Google can
guess that these 3 faces are the same, but it doesn't know for certain that
they are, so they can't use that to retrain the model that would be used in
the Photos app because they have no way to judge the accuracy.

Another interesting point is that the vector is also unique to the specific
model that was used to create it. So, if in the future they do retrain the
model, the vectors that had been created with previous models would be 100%
incompatible with the new model and would need to be recreated from the source
image.

Note: I have no inside knowledge of Google, but as the former CTO of a facial
recognition company, I have a good idea how these systems work in general.
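
Added example, not part of coleca's comment and not Google's code: a minimal sketch of the pipeline the comment describes, comparing face templates pairwise against a threshold and grouping matches into unnamed clusters. The cosine score, the 0.70 cut-off, the model version labels and the four-dimensional templates are all assumptions constructed for illustration.

```python
import math
from itertools import combinations

# Constructed sample: photo id -> (model version, face template). Real templates
# have many more dimensions; four are used here to keep the numbers readable.
TEMPLATES = {
    "img_001": ("model-v1", [0.90, 0.10, 0.00, 0.20]),
    "img_002": ("model-v1", [0.80, 0.20, 0.10, 0.20]),
    "img_003": ("model-v1", [0.00, 0.90, 0.40, 0.10]),
    "img_004": ("model-v1", [0.10, 0.80, 0.50, 0.00]),
    "img_005": ("model-v1", [0.85, 0.15, 0.05, 0.25]),
}

def cosine(a, b):
    """Cosine similarity, used here as the match score (an assumption)."""
    dot = sum(x * y for x, y in zip(a, b))
    return dot / (math.hypot(*a) * math.hypot(*b))

def cluster_faces(templates, threshold=0.70):
    """Group photo ids whose templates score at or above the threshold.

    Returns a list of sets of photo ids; clusters carry no names.
    """
    versions = {model for model, _ in templates.values()}
    if len(versions) > 1:
        # Templates from different models live in unrelated vector spaces.
        raise ValueError(f"mixed model versions, re-extract first: {sorted(versions)}")

    parent = {pid: pid for pid in templates}

    def find(pid):  # union-find root lookup with path halving
        while parent[pid] != pid:
            parent[pid] = parent[parent[pid]]
            pid = parent[pid]
        return pid

    for a, b in combinations(templates, 2):
        if cosine(templates[a][1], templates[b][1]) >= threshold:
            parent[find(a)] = find(b)

    groups = {}
    for pid in templates:
        groups.setdefault(find(pid), set()).add(pid)
    return sorted(groups.values(), key=sorted)

if __name__ == "__main__":
    for number, photos in enumerate(cluster_faces(TEMPLATES), start=1):
        print(f"person {number}: {sorted(photos)}")
```

The stored templates and the cluster membership are the derived data the thread is arguing about; the clusters identify "person 1" and "person 2" consistently across photos even though no name is ever attached.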

~~~
vorpalhex
Google absolutely allows you to confirm its tags and uses that for
retraining, which means yes, my facial profile is collected, stored and used
for model training (unless you disable it in preferences).

You can't do "celebrity" recognition from a generalized data set.

~~~
coleca
Logically, that doesn't seem likely because that would mean any individual or
set of individuals, could enter false data and poison Google's model going
forward.

------
asdfasgasdgasdg
Whose consent is needed, according to the law? The person who took the photos,
or the person being photographed? And is the consent required only if the
product is used in Illinois? Or if the photo is taken in Illinois? Or if the
person photographed is a resident of Illinois?

(I read the law, and it appears to cover the person being photographed, if the
photograph is taken in Illinois. So basically according to the law Google
ought not build face models from photographs taken in Illinois, except of
people who have consented.)

I wonder if in the broadest configuration (basically any configuration other
than "consent of the user, who is a resident of Illinois"), this law would
probably be struck down as an unconstitutional restraint on interstate
commerce? I guess we'll see! Should be exciting.

~~~
voxic11
BIPA requires the consent of the person that the biometrics identify. However,
it specifically excludes photographs from the definition of biometric
information so it's not clear how it applies in this case.

~~~
lmkg
It excludes photographs, but includes certain data derivable from photographs.
Storing the photograph is not a violation, but the lawsuit alleges that the
facial recognition software that Google runs constitutes a violation.

------
tonymarks
We have a large client/customer in Illinois who has decided against using our
voice sdk in their iOS/Android app because of the fear of getting sued for
BIPA violation. It's not that they think we're creating voice prints without
consent, it's just that their legal team has warned them that if they get
sued, it could be very costly to defend. We even changed our privacy policy to
note that "biometrics" are not obtained, and even went to on-device speech
recognition apis provided by Google and Apple.

~~~
ocdtrekkie
What about using truly on-device options that aren't connected to cloud
services at all? Picovoice, DeepSpeech, etc.?

------
rickncliff
Profiteering lawyers as middlemen to technology application is what these
overly strict privacy laws are trying to establish and that's a shame.

~~~
dmitryminkovsky
That’s what all this stuff inevitably becomes unfortunately. It’s a shame that
lawyers have to mediate our access to our rights. I sincerely believe if we
replaced high school with law school we’d all be much better off.

~~~
rayiner
The barrier here isn't really the need for a law degree. Prosecuting these
kinds of cases against deep-pocketed defendants like Google doesn't only take
expertise in the law, but the resources to review millions of pages of Google
emails to establish how the system works and what Google's intentions were, as
well as experts to opine on technical aspects as well as calculation of
damages. There is no practical way for individuals without significant
resources to prove up this sort of case on their own.

The realistic alternative is having government agencies prosecute these sorts
of cases. It's a very good alternative, and is used in most other countries.
It's an odd confluence of factors that results in private class action
litigation being more popular in the U.S. (From the left, trial lawyers are
major supporters of Democrats. From the right, Republicans would rather have
these class actions than new government agencies.)

~~~
dmitryminkovsky
> The realistic alternative is having government agencies prosecute these
> sorts of cases.

I wasn't saying the result would be that we each tend to our own legal matters
instead of having regulatory agencies. I was saying that when only a tiny
fraction of the citizens is legally literate, and only a small fraction of
those people are actual trained lawyers, not many people are going to be
looking out for our rights, much less even know what those rights are or should
be.

