
Facebook photo-scanning lawsuit could cost it billions - ColinWright
https://www.eastbaytimes.com/2018/04/17/facebook-photo-scanning-lawsuit-could-cost-it-billions/?HN2
======
cromwellian
Clustering images by features seems to be pretty fundamental, and if it runs
afoul of this law, then the law needs to be changed.

I upload photos to Google Photos because I _want_ them to be grouped and
categorized so I can easily find them. That is, if I click on a picture of my
daughter, or my wife, I want to see ALL pictures of I took of them grouped
together.

Looking at the text of the law itself, it seems to exclude photographs, here's
the relevant section:

" (740 ILCS 14/10) Sec. 10. Definitions. In this Act: "Biometric identifier"
means a retina or iris scan, fingerprint, voiceprint, or scan of hand or face
geometry. Biometric identifiers do not include writing samples, written
signatures, photographs, human biological samples used for valid scientific
testing or screening, demographic data, tattoo descriptions, or physical
descriptions such as height, weight, hair color, or eye color."

I'm not really sure what they mean by "face geometry" whereas at the same
time, excluding photographs. Does this mean if my service measures the
distance between the eyes, and the width of the mouth, and clusters photos by
that, or by eye or hair color by using say, segmentation or histogram
clustering, all of a sudden it's illegal? That would seem to be a fairly
absurd and broad definition of biometric security information.

In theory, I suppose, the computation of the features, could be done on the
client, and then have the features cloud-synced and replicated to all clients,
but this would make for a shitty search experience, especially if the machine
learning or feature extraction technique improvements overtime, and all of a
sudden, you've got to download 20,000 photos and recompute everything on your
phone.

~~~
smadge
There’s a difference between offering facial recognition as a feature to users
of the software and collecting biometric data as a additional revenue source.
In one case the user owns their biometric data and is granting the company
access to it for the limited use of tagging photos. In the other case the
company owns the biometric data and is using it for god knows what.

~~~
cromwellian
Where's the evidence Facebook is using it for a revenue source?

~~~
RyanZAG
That's what court cases are about, and why we don't declare innocent or guilty
before the verdict. The evidence (or lack of) will come up during the court
proceedings, you'd expect.

~~~
workinthehead
Semantic nitpick, we don't declare innocence, but only that guilt was not
proven.

~~~
adanto6840
As far as I'm aware or have ever been taught, they're one in the same --
"presumption of innocence _until proven_ guilty".

~~~
workinthehead
Nope, your quote is irrelevant, and it's "one and the same" besides. Why do
you think people are pronounced "guilty" or "not guilty"?

~~~
Retric
Actually, because you can't be retried for the same crime you are in a very
meaningful way declared though not found innocent.

A hung trial is closer in meaning to not being found guilty or innocent.

Arguably, a semantic difference does apply in that you may still be found
liable in a civil case. However, civil cases don't declare people guilty only
liable.

~~~
workinthehead
That's just your opinion, and given you're not even a lawyer, it's worth about
as much as the latest Ethereum ICO.

------
michaelbuckbee
This is being done under the Illinois Biometric Privacy Act (2008), but
Illinois and a number of other states also have some similar (and pretty
forward thinking) rules in place regarding data breaches of biometric data [1]

If facial recognition becomes legally recognized as a "biometric marker" (no
reason it shouldn't) - I think we'll see all sorts of other suits come out of
this.

1 - [https://blog.varonis.com/us-state-data-breach-
definitions/](https://blog.varonis.com/us-state-data-breach-definitions/)

~~~
frockington
If facial recognition was considered a bio metric, would I Phone users have to
click through a screen that says "I will not use this in Illinois". I don't
see how this would accomplish much more than coffee causing cancer in the
state of California

~~~
michaelbuckbee
What it changes are the results of a breach / how the data is to be
considered. It's the difference between "oh, we had a data breach" and "oh
crap why is the Attorney General of Illinois calling our office."

As an aside: Google's Arts and Culture app (that matches your face to historic
artwork) doesn't show up in Illinois - the feature within the app for face
matching is geolocated out.

[http://abc7chicago.com/technology/why-googles-face-match-
fea...](http://abc7chicago.com/technology/why-googles-face-match-feature-
doesnt-work-in-illinois/2959613/)

------
merrywhether
How could Facebook ever lose this case in a country where Equifax faced no
punishment? Regardless of what you think about Facebook, DeepFace is seemingly
mostly theoretical harm whereas Equifax definitely provably harmed people’s
privacy and then (initially) charged those same people to help them protect
themselves (via credit freezes). Not saying I don’t want Facebook held to the
law, just thought of the comparison.

~~~
JumpCrisscross
> _How could Facebook ever lose this case in a country where Equifax faced no
> punishment?_

The case hinges on a particularly strict Illinois biometric privacy law.

~~~
faitswulff
This is the same reason Google's Arts & Culture face-matching tool wasn't
available in Illinois:

[http://abc7chicago.com/technology/why-googles-face-match-
fea...](http://abc7chicago.com/technology/why-googles-face-match-feature-
doesnt-work-in-illinois/2959613/)

~~~
toomuchtodo
Also why Nest IQ (which uses biometric face detection) isn't available in
Illinois.

~~~
yojex
Does anybody know if this affects the iPhone's Face ID in any way?

~~~
toomuchtodo
It supposedly does not, as the data is kept on the phone and Apple does not
take possession of the data.

------
thinkcomp
Here's the docket:

[https://www.plainsite.org/dockets/2mwpixhn9/california-
north...](https://www.plainsite.org/dockets/2mwpixhn9/california-northern-
district-court/patel-v-facebook-inc/)

~~~
thinkcomp
Having read through the latest filings, it looks like the District Court judge
is pretty upset with Facebook and its tactics, and was willing to give no
leeway to their request to stay the case as a result. He wanted a trial, and
soon.

One of the tactics that they used was going over his head to the Ninth Circuit
to request a stay at the district level
([https://www.plainsite.org/dockets/download.html?id=253527059...](https://www.plainsite.org/dockets/download.html?id=253527059&z=c4b1abb5)),
which the Ninth Circuit then granted
([https://www.plainsite.org/dockets/download.html?id=253580963...](https://www.plainsite.org/dockets/download.html?id=253580963&z=36003e60)).
So then the district court judge had to effectively grant the stay anyhow,
which he had just denied:

"ORDER. In light of the circuit court's order, all remaining pre-trial and
trial dates are vacated. Signed by Judge James Donato on 5/29/2018\. (This is
a text-only entry generated by the court. There is no document associated with
this entry.) (jdlc3S, COURT STAFF) (Filed on 5/29/2018)"

This is what having infinite cash buys you in the American legal system.

~~~
jhall1468
Appealing to a higher court is literally how the system is intended to work
and gas absolutely nothing to do with infinite money. The Judge ruled and the
9th overturned him. That means the system is working.

------
IBM
NYT had a nice profile of one of the lawyers a few years ago [1]. It had this
quote from Sam Altman:

>Asked to sum up the tech community’s feelings about Mr. Edelson, Sam Altman,
president of Y Combinator, a technology incubator that invests in very young
companies, said the lawyer was regarded as “a leech tarted up as a freedom
fighter.”

He's the American Max Schrems.

[1] [https://www.nytimes.com/2015/04/05/technology/unpopular-
in-s...](https://www.nytimes.com/2015/04/05/technology/unpopular-in-silicon-
valley.html)

~~~
ginko
Are you implying Max Schrems is a leech?

~~~
IBM
Nope.

------
mtgx
Facebook has a very Uber-like mentality in regards to breaking the laws to
make a profit. In the EU it was opting people in by default for its automatic
facial recognition feature only weeks before the GDPR.

~~~
a_imho
I still can't decide whether FB (and others) think they can get away with
being non compliant or just accepted violating GDPR is the cost of doing
business.

~~~
cromwellian
Is running a photo hosting service a violation of GDPR itself? That is, if I
take a photo of someone else (not myself) and upload it without consent of
that person to AcmePhoto.com, and AcmePhoto.com now has personal information
stored about someone without their consent, is the site liable? Do I need to
get the consent of every person of every photo I upload?

Where do you draw the line? If the site processes the EXIF metadata are they
in violation? If they use a neutral clustering algorithm to group visually
similar images, are they in violation (be it humans, cars, or chairs)? if I
take a visually clustered group of images and tagthem "a_imho", have I now
made the site have biometric data related to you?

I mean, a lot of people say "well, as long as you're in the spirit of the
GDPR, don't worry", but lawyers don't care whether you're in the spirit of
something, they only care if they can win a case, and when the law is vague,
"spirit" seems like one judge could hang you, and another judge could free you
depending on the luck of the draw.

~~~
weinzierl
> if I take a photo of someone else (not myself)

This is were you draw the line. Taking pictures of people without their
consent (and a good reason) is a big no-no in most parts of the world.

This is either because it's not considered appropriate or because it's
condemnable [1] or both. It is also nothing new and not some effect of GDPR,
but deeply rooted in culture. Germany, Austria, Switzerland, Italy long had
strong laws regarding the right of persons to their own likeness. There is
also a big rift, not only legally but primarily culturally, between Anglo-
Saxon culture and mostly the rest of the world.

GDPR and other laws concerning informational self-determination[2] never can
be interpreted without context. They are always limited by other rights and
freedoms, like the right of artistic freedom. So a lot depends on your intent
and if you can justify what you do.

I'm not saying this is all well and good. As kind of a street photographer
wannabe I'm very sympathetic to the position that the UK and the USA take on
this. I'm just saying that the rest of the world has very different ideas
about this and this has consequences if you operate globally.

[1]
[https://commons.wikimedia.org/wiki/Commons:Country_specific_...](https://commons.wikimedia.org/wiki/Commons:Country_specific_consent_requirements)

[2] [https://en.wikipedia.org/wiki/Informational_self-
determinati...](https://en.wikipedia.org/wiki/Informational_self-
determination)

~~~
c12
The link you referenced counters your point that its a big no-no in most parts
of the world to take a photo of someone without their consent. In the majority
of the countries listed on that wiki page no consent is required with certain
exceptions.

I'd personally say taking pictures of people without their consent is a big
no-no in _some_ parts of the world, but not all.

I have never personally had any issues with my street photography in the UK,
it boils down to being respectful and not behaving in a harassing manor. If
there is a reasonable expectation of privacy then one should consider taking
an unsolicited photo as an invasion of privacy.

~~~
weinzierl
> The link you referenced counters your point that its a big no-no in most
> parts of the world to take a photo of someone without their consent. In the
> majority of the countries listed on that wiki page no consent is required
> with certain exceptions.

I added the reference to the list as support for my thesis that it can have
legal consequences, a fact that in my experience people from the USA or the UK
are often oblivious about. Just because it is not forbidden doesn't mean it is
acceptable though. I think it is no coincidence that we see strictest
regulation in central Europe because these countries are around the border
line between the different attitudes. Go farther east and there is no need to
regulate the culturally obvious.

> I have never personally had any issues with my street photography in the UK,

Of course not, UK is one of the best countries for shooting street.

> it boils down to being respectful and not behaving in a harassing manor. If
> there is a reasonable expectation of privacy then one should consider taking
> an unsolicited photo as an invasion of privacy.

Absolutely.

------
sagebird
I wonder - to what extent does cooperating with gov’t on data collection act
as insurance against being sued out of existence. IE - if you play nice and
install a backdoor for nsa to query your data, will they influence trials?
Obviously they would need to keep up appearances by allowing the trials to
move naturally, but perhaps a well timed visit or phone call at the last
minute could instruct a judge to go easy on damages — ostensibly for national
security’s sake.

~~~
wu-ikkyu
Somewhat related:

[https://en.m.wikipedia.org/wiki/Joseph_Nacchio](https://en.m.wikipedia.org/wiki/Joseph_Nacchio)

------
mehrdadn
> Donato previously rejected Facebook’s argument that the case had to be
> dismissed because the attempt to enforce Illinois law runs afoul of its user
> agreement that requires disputes to be resolved under the laws of
> California, where it’s based.

Could someone please elaborate on this? I feel like I've seen clauses like
this all over the place. Are they really unenforceable? What is the judge's
reasoning?

~~~
Sacho
IANAL, but his reasoning would probably be in the summary judgement denial
that's on the docket:

ORDER re Summary Judgment Motions ([257], [299], [307]). Signed by Judge James
Donato on 5/14/2018\. (jdlc3S, COURT STAFF) (Filed on 5/14/2018)

Unfortunately, I don't really have access to PACER or money to gamble on
opening random documents to see which one has the actual info. The US "public
access to court electronic records" isn't very "public"-friendly.

(docket listing kindly provided by user thinkcomp -
[https://www.plainsite.org/dockets/2mwpixhn9/california-
north...](https://www.plainsite.org/dockets/2mwpixhn9/california-northern-
district-court/patel-v-facebook-inc/))

------
em-bell
What a total cluster f __@. Facebook must have an army of lawyers to deal with
both domestic and foreign lawsuits.

This country's legal system is like a swiss cheese with holes everywhere.
Dealing with states, federal governments and municipalities costs our
businesses billions of dollars each year.

~~~
s73v3r_
No, not following the law costs the businesses.

------
parvenu74
While I'm a big proponent of States' Rights and a strict reading of the 10th
Amendment, in the case of Facebook which, by it's nature is not only national
but international, I have a hard time understanding how a State law can have
jurisdiction over Facebook in this case. It seems to me that Federal Law
should have original jurisdiction by virtue of the Interstate Commerce clause
in this case UNLESS it can be shown that residents of Illinois were targeted
or all of the servers and logic for doing facial recognition, analysis, and
storage of biometrics were in the State of Illinois. That said, I am not a
constitutional lawyers...

~~~
ceejayoz
They've got jurisdiction over Facebook's relationship with Illinois residents.
Same reasons Amazon has to collect sales tax in states they're not necessarily
headquartered in.

Facebook also has Chicago offices.
[http://www.chicagotribune.com/business/ori/ct-facebook-
expan...](http://www.chicagotribune.com/business/ori/ct-facebook-expanding-
ryan-ori-20171009-story.html)

~~~
frockington
So could they just add a clause in the user agreements that states "You cannot
use this if you live in Illinois" and be done with it?

~~~
ceejayoz
Facebook has extensive location history available for most users, so just a
EULA clause probably wouldn't do the trick. They'd probably have to show a
more active attempt to block Illinois residents from the system.

It wouldn't be a retroactive solution, either.

------
ipsum2
I'm not worried about Facebook or Google, because they spend millions on
lawyers, but this seems potentially terrifying for startups. Any U.S. state
can make a law making some part of their service illegal, and someone can sue
the startup even if their company wasn't operating in that state. A startup
would need to know and obey all laws in all states, and have enough money to
fight legal cases.

I wonder if the golden age of startups is over. It would be impossible to
navigate through these regulations if you just wanted to create a side project
for fun.

~~~
blackbrokkoli
While I see your point, as a EU citizen it baffles me how anyone is allowed to
generate and store _biometric_ data without consent and face no legal trouble
- it's not like this is some nitpicking on a highly specific legal detail...

~~~
frockington
As an American it baffles me that the EU has regulated themselves out of the
growth that is occurring almost everywhere else. It's just a difference in
cultural beliefs and preferences

~~~
TomVDB
How much growth can be attributed to something like this? And what's the total
impact on overall growth of the economy?

It's probably a rounding error, and a pretty reasonable trade-off to make.

~~~
frockington
Considering GDP growth is the normal metric for economic health, growth is the
economy. And while you can't assign a number for each policy the EU has, the
Q1 differences between America and the EU can paint the picture

~~~
TomVDB
Exactly: it’s impossible to quantify such a minor policy in the context of
vastly different kinds of economies.

------
egypturnash
There is no part of this headline that does not make me happy. <3

