Vimeo embroiled in biometric 'face map' lawsuit over user privacy, consent

Updated: The company allegedly collected and stored biometric data without user consent.
Written by Charlie Osborne, Contributing Writer

Vimeo is facing a lawsuit that claims the company has violated Illinois legislation on the collection and storage of biometric information belonging to residents. 

In a lawsuit (.PDF) filed on September 20, as reported by Threat Post, complainants claim that Delaware-based Vimeo has violated the Illinois Biometrics Information Privacy Act (BIPA). 

BIPA requires private companies that collect biometric information to maintain a public, written policy that transparently explains practices concerning this information, as well as guidelines on both data destruction and retention. 

The company provides a platform for the creation, streaming, and sharing of HD and 4K video. The court case claims that Vimeo has illegally collected, stored, and used user biometric information without written consent, as required by BIPA. 

While biometric information can include retina scans and fingerprints, in the video streaming platform's case, the issue surrounds 'face templates' created from Magisto users, including precise geometric maps of their facial features. 

See also: Political targets at risk as Fancy Bear returns with refreshed backdoor malware

"Vimeo is actively collecting, storing, and using -- without providing notice, obtaining informed written consent or publishing data retention policies -- the biometrics of thousands of unwitting individuals throughout the country whose faces appear in photographs and/or videos uploaded to the Magisto "smart video editor" application in Illinois," the lawsuit reads. 

"Each face template that Vimeo extracts is unique to a particular individual, in the same way that a fingerprint or voiceprint uniquely identifies one and only one person," court documents added.

The plaintiff, Illinois resident Bradley Acaley, brought the class-action lawsuit forward after downloading the Magisto app in late 2017. Having purchased a $120 year-long subscription, Acaley uploaded videos and photos of himself and his family, which apparently could no longer be accessed after the subscription expired. 

CNET: Hackers set up a fake veteran-hiring website to infect victims with malware

Court documents claim that immediately after upload, this content was analyzed by Vimeo to create his facial template, later used by Vimeo to locate him in photos, as well as recognize his gender, age, race, and location -- all without permission. 

Acaley has also argued that Vimeo did not give him the possibility of opting out or a way to remove his biometric markers from Vimeo storage. 

The lawsuit, made on behalf of thousands of Illinois residents who may have been caught up in the alleged BIPA violations, attempts to ensure the platform will comply in the future with BIPA, as well as secure statutory damages.

TechRepublic: Latest research says organizations need to integrate security principles with DevOps

Vimeo is not the only technology company to fall foul of BIPA. In August, Facebook lost a case filed with the US Court of Appeals for the Ninth Circuit to have a lawsuit based on the same legislation thrown out. 

A class-action lawsuit levied against the social media giant alleges that Facebook's tag suggestions feature, which compares biometric identifiers with a photo to identify individuals for matches, invades the privacy of over 12 million Illinois residents. Facebook intends to fight the ruling. 

Update 15.17 BST: A Vimeo spokesperson told ZDNet:

"This lawsuit is based upon a fundamental misunderstanding of how the Magisto video creation app works. To help customers create better videos faster, Magisto uses machine learning technology to help identify objects within video frames. Determining whether an area represents a human face or a volleyball does not equate to "facial recognition," and Magisto neither collects nor retains any facial information capable of recognizing an individual. We look forward to having an opportunity to clear this up in court."

These are the worst hacks, cyberattacks, and data breaches of 2019 (so far)

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards