Facebook has lost its appeal that its facial recognition technology did not invade the privacy of its users located in Illinois, United States, leaving the company vulnerable to a class action moving forward.
The US Court of Appeals for the Ninth Circuit ruled on Thursday that Facebook's tag suggestions feature, launched in 2010, caused "concrete injury-in-fact [that is] sufficient" enough for a trial to arise regarding the social network allegedly infringing upon privacy rights of Illinois users.
Tag suggestions allows Facebook to analyse whether a user's Facebook friends are in a photo uploaded by the user. When a photo is uploaded, the technology scans the photo to detect if there are any geometric data points -- such as the distance between the eyes, nose, and ears -- that can be used to identify a person's face. The technology then compares the face signature to faces in Facebook's database of user face templates to determine if there is a match.
The people who sued Facebook during the case's initial proceedings accused the company of violating Illinois' Biometric Information Privacy Act (BIPA Act), which requires private companies in possession of biometric information to develop a written policy made available to the public, in addition to having a retention schedule and guidelines for destroying the information when its purpose had been satisfied or within three years of the individual's last interaction with company.
When Facebook rolled out the tag suggestions feature, it collected, used, and stored biometric identifiers without a written release, and failed to maintain a retention schedule or guidelines for destroying biometric identifiers. The judge panel found the alleged privacy injuries arising from this are sufficient enough for the respondents to sue.
See also: Facebook data privacy scandal: A cheat sheet (TechRepublic)
"Taking into account the future development of such technology … it seems likely that a face-mapped individual could be identified from a surveillance photo taken on the streets or in an office building. Or a biometric face template could be used to unlock the face recognition lock on that individual's cell phone," Judge Sandra Ikuta said.
"We conclude that the development of a face template using facial-recognition technology without consent (as alleged here) invades an individual's private affairs and concrete interests."
According to the American Civil Liberties Union (ACLU), the ruling is the first decision by an American appellate court directly addressing privacy harm posed by the face recognition technology.
"This decision is a strong recognition of the dangers of unfettered use of face surveillance technology," Nathan Freed Wessler, an attorney for the ACLU Speech, Privacy, and Technology Project said. "The capability to instantaneously identify and track people based on their faces raises chilling potential for privacy violations at an unprecedented scale."
During the hearing, Facebook argued for the case to be thrown out as the biometric information it collected was stored in servers outside of Illinois, meaning state law did not apply. It also argued that Illinois state law did not apply to any photographs taken outside of the state of Illinois.
See also: FTC reportedly approves $5B settlement with Facebook
The judge panel disagreed with Facebook's arguments, saying it was reasonable to conclude that the law was meant to protect people in Illinois, "even if some relevant activities occur outside the state".
Facebook will appeal the decision, according to a spokesperson's email to Reuters. "We have always disclosed our use of face recognition technology and that people can turn it on or off at any time," the email reportedly said.
With this decision, the case can now be heard at US District Court, potentially leaving Facebook with a class action from millions of Illinois Facebook users. Illinois has a population of over 12.7 million people, according to the United States Census Bureau.
Under Illinois state law, each BIPA Act violation can be subject to up to $1,000 in damages, and intentional violations of privacy can be subject to $5,000 in penalties.