Lawsuits allege Microsoft, Amazon and Google violated Illinois facial recognition privacy law

In a set of new lawsuits, two Illinois residents argue that three tech giants violated state laws prohibiting the use of personal biometric data without permission. Illinois residents Steven Vance and Tim Janecyk allege that images of their faces appeared in IBM’s “Diversity in Faces” database without their consent and were used to train facial recognition systems at Amazon, Microsoft and Google’s parent company Alphabet.

While all three companies are based on the West Coast, the suit accuses the tech giants of running afoul of an Illinois law known as the Biometric Information Privacy Act (BIPA). The suit names Vance and Janecyk as plaintiffs but also seeks class action status on behalf of “all other similarly situated individuals” in Illinois. In the lawsuit, the pair of plaintiffs seek $5,000 per violation of the law, an injunction barring the companies from using Illinois residents’ “biometric identifiers” and the destruction of any relevant facial data that’s been stored.

“In its effort to improve its facial recognition technology, Defendant Microsoft violated Illinois’ Biometric Information Privacy Act… by, among other things, unlawfully collecting, obtaining, storing, using, possessing and profiting from the biometric identifiers and information of Plaintiffs Vance and Janecyk and all other similarly situated Illinois residents and citizens (hereinafter, the “Class Members”),” the version of the suit against Microsoft states.

The law cited in the suit, passed more than a decade ago, is designed to protect Illinois residents from having their biometric data harvested or stored without their explicit permission. Lawsuits involving BIPA pop up with some frequency now, as facial recognition becomes both more commonplace and more controversial. In the absence of federal privacy protections in the U.S., the Illinois law poses an interesting hurdle for companies that are used to extracting data from Americans with little oversight.

In January of this year, Facebook paid $550 million to settle a class action lawsuit stemming from BIPA. The suit was filed on behalf of Illinois residents in 2015 and alleged that the social media giant collected facial recognition data from user images without disclosing it to users. At the time, Snapchat, Google, and Shutterfly faced similar suits.

In 2019, a U.S. Circuit Court of Appeals court swatted away Facebook’s claim that facial recognition data did not count as biometric data, stating that “development of face template using facial-recognition technology without consent (as alleged here) invades an individual’s private affairs and concrete interests.”

The IBM dataset the companies trained facial recognition systems on also poses its own controversies. As NBC News reported last year, IBM claimed that its Diversity in Faces dataset was designed “purely for academic research” and not for the company’s own commercial interests. The IBM dataset was apparently culled from more than 100 million Creative Commons-licensed Flickr images, a decision that raised its own ethical questions around the use of facial imagery and if corporations should be allowed leverage images with open licensing for facial recognition applications without the consent of photographers and the people they photograph.