Patel v. Facebook

Whether collection of an individual's biometric data in violation of the Illinois Biometric Information Privacy Act is sufficient to establish Article III standing
  • EPIC Amicus: Unlawful Collection of Biometric Data Establishes Standing: EPIC has filed an amicus brief in a case concerning Facebook's collection of facial images in violation of the Illinois Biometric Information Privacy Act. In Patel v. Facebook, EPIC argued that the violation of the privacy law was sufficient for Facebook users to sue the company. EPIC said that that the legal doctrine of standing "simply requires plaintiffs to demonstrate that a defendant has invaded a concrete interest protected by the law—nothing more." Earlier in 2018, EPIC filed an amicus brief in Rosenbach v. Six Flags, another case about the Illinois biometric privacy law. EPIC routinely submits briefs in support of standing in privacy case. EPIC has also long advocated for limits on the use of biometric data and has opposed Facebook's use of facial recognition software. (Dec. 18, 2018)
  • More top news »
  • EPIC FOIA: Massive DHS Biometric Database Still Lacks a Privacy Impact Assessment » (May. 3, 2019)
    In response to EPIC's Freedom of Information Act request, the Department of Homeland Security confirmed that no privacy impact assessment has been completed for a vast DHS biometric database known as the "Homeland Advanced Recognition Technology." The HART database will include fingerprints, iris scans, and facial images on millions of individuals. The documents EPIC did obtain from DHS consist of privacy threshold reviews that indicate a privacy impact assessment is required and was expected by January 2019. A previous document obtained by EPIC show that the Homeland Advanced Recognition Technology database is part of the facial recognition Biometric Entry/Exit program at US airports.
  • EPIC to TSA: Conduct Rulemaking on Facial Recognition » (Apr. 26, 2019)
    In comments to inform the Transportation Security Administration's 2020 National Strategy, EPIC recommended that TSA to suspend the facial recognition program at US airports. EPIC wrote, "The TSA's use of facial recognition lacks the safeguards necessary for implementation." EPIC has also warned lawmakers and the DHS about the biometric border program that incorporates deploy facial recognition. EPIC has urged the agency to undertake a notice and comment rule making that would provide the public with the opportunity to comment on the controversial program. EPIC successfully required TSA to conduct a rulemaking on its deployment of airport body scanners in EPIC v. DHS. EPIC also recommended that TSA incorporate the Universal Guidelines for Artificial Intelligence, endorsed by over 300 organizations and experts, for AI-based systems.
  • EPIC to Congress: Funding for TSA Facial Recognition Program Must Be Halted » (Apr. 3, 2019)
    EPIC has sent a statement to the House Appropriations Committee regarding the TSA's FY2020 budget request, urging Congress to suspend the "Biometric Entry-Exit" program until privacy safeguards are established. EPIC said Congress should halt funding for TSA's facial recognition program "until CBP establishes proper privacy assessments, policies and procedures, and oversight mechanisms." EPIC recently filed a Freedom of Information Act lawsuit to determine whether travelers are able to to opt-out of facial recognition at airports. According to the CBP, the "alternative screening procedures" allow travelers to provide identification documents, such as a passport, and avoid facial recognition, which "is not mandatory for U.S. citizens." But research by EPIC indicates that CBP has made it increasingly difficult for travelers to opt-out.
  • Buzzfeed: EPIC Docs Reveal Flawed Facial Recognition Program » (Mar. 11, 2019)
    At the start of Sunshine Week, Buzzfeed featured documents obtained by EPIC about a deeply flawed facial recognition program that could impact all U.S. travelers returning to the United States. The documents, released following an EPIC FOIA request, describe the Administration's plan to extend a faulty CBP pilot program to TSA, ICE, and the Coast Guard. Documents previously obtained by EPIC, following a lawsuit against DHS, found similar problems with a facial recognition program at the southern border.
  • Unanimous Decision in Illinois Supreme Court Ensures Strict Limits on Biometric Data Collection » (Jan. 25, 2019)
    The Illinois Supreme Court ruled today in Rosenbach v. Six Flags, a case about a state privacy law that protects biometric data. Parents sued the theme park after it collected a child's fingerprints, charging a violation of the Illinois biometric privacy law. The theme park claimed that it was necessary to show some additional harm, but the Illinois Court held that when companies violate the law, "the injury is real and significant." EPIC filed a "friend of the court" brief in the case, arguing that the biometric privacy law "imposes clear responsibilities on companies that collect biometric identifiers" and that if these provisions are "not enforced, the statute's subsequent provisions are of little consequence." EPIC has long advocated for strict limits on use of biometric data. EPIC also filed an amicus brief the OPM data breach, a case that concerned the breach of 5.1 million fingerprints, precisely the same biometric data at issue in this case.
  • EPIC Amicus: Unlawful Collection of Biometric Data Establishes Standing » (Dec. 18, 2018)
    EPIC has filed an amicus brief in a case concerning Facebook's collection of facial images in violation of the Illinois Biometric Information Privacy Act. In Patel v. Facebook, EPIC argued that the violation of the privacy law was sufficient for Facebook users to sue the company. EPIC said that that the legal doctrine of standing "simply requires plaintiffs to demonstrate that a defendant has invaded a concrete interest protected by the law—nothing more." Earlier in 2018, EPIC filed an amicus brief in Rosenbach v. Six Flags, another case about the Illinois biometric privacy law. EPIC routinely submits briefs in support of standing in privacy case. EPIC has also long advocated for limits on the use of biometric data and has opposed Facebook's use of facial recognition software.
  • EPIC Investigates Airport Facial Recognition Opt-Out Procedures » (Dec. 12, 2018)
    In an urgent FOIA request, EPICis seeking documents from CBP about the procedures for travelers to opt-out of biometric entry/exit program. EPIC found that CBP frequently changes the program without any formal procedures. One consequence is that it is now more difficult for travelers to opt-out of the screening procedure EPIC wrote that "CBP is modifying rules as it is implementing the program," contrary to federal law. Earlier this week, EPIC urged Congress to suspend the program until privacy safeguards and meaningful opt-out procedures are established. In comments to the DHS Data Privacy and Integrity Advisory Committee, EPIC explained the substantial privacy risks of CBP's use of facial recognition technology.
  • EPIC to Congress: Federal Agency Making Up the Rules for Facial Recognition Screening » (Dec. 11, 2018)
    EPIC has sent a statement to the Senate Judiciary Committee for an oversight hearing of Customs and Border Protection. EPIC cited frequent changes CBP has made to the opt-out procedures for the biometric entry/exit program. "Without legal authority or the opportunity for public comment, CBP is making up the rules as it rolls out the program," EPIC said. EPIC urged the Committee to suspend the screening program until privacy safeguards and meaningful opt-out procedures are established. Last week, EPIC warned Customs and Border Protection about facial recognition technology and urged the DHS Privacy committee to end the program.
  • Indian Supreme Court Imposes New Limits on National Identity System » (Sep. 26, 2018)
    In a ruling today, the Indian Supreme Court imposed new limits on Aadhar, India's national biometric identification system. The Court found the system did not violate the Indian constitution, but struck down a section of the law permitting private entities to demand Aadhar to verify identity. Aadhar can no longer be mandatory to register for education, open a bank account, or obtain a cell phone connection. However, the state-issued number may still be required for purposes related to government funds, including filing an income tax. The Court also struck down an exception authorizing disclosure of Aadhar data for national security purposes. The Court encouraged the state to establish a "a robust statutory regime" for data protection "in near future." The dissent would have held Aadhar unconstitutional. The biometric system "violates essential norms pertaining to informational privacy, self-determination and data protection," the dissent states, and "dignity of individuals cannot be made to depend on algorithms or probabilities." Last year, India's Supreme Court ruled that privacy is a fundamental right under the Indian Constitution. EPIC has also backed comprehensive privacy legislation in comments to the Indian government, and urged creation of a private right of action and breach notification requirement.
  • EPIC Urges DHS To Abandon Privacy Act Exemptions for New Biometric Database » (Aug. 31, 2018)
    In comments to the Department of Homeland Security, EPIC urged the agency to withdraw proposed Privacy Act exemptions that would reduce privacy safeguards in the federal government. The Immigration Biometric and Background Check database will contain personal data on U.S. and non-U.S. citizens. DHS has proposed to exempt the database from several Privacy Act protections, including ensuring that records are accurate, timely, and complete. DHS also claims numerous “routine uses” that allow the agency to disseminate the data to law enforcement and intelligence agencies. EPIC has urged strict compliance with Privacy Act obligations and warned that inaccurate, insecure, and overbroad government databases threaten both privacy and national security.
  • EPIC Urges Suspension of Biometric Entry/Exit Program » (Jul. 25, 2018)
    In comments to Customs and Border Protection, EPIC urged the agency to suspend the Biometric Entry/Exit Program. EPIC argued that less privacy-invasive alternatives should be considered and that the program should not move forward until Congress has passed regulations implementing safeguards for the use of biometrics. CBP solicited comments about the collection of biometrics, based on facial recognition, from people in vehicles crossing the border. EPIC said that such an expansion could quickly lead to a program of mass surveillance. In EPIC v. CBP, EPIC has sued the agency for details about the program. A report EPIC obtained in the lawsuit showed that facial recognition at a pedestrian border failed to perform at a "satisfactory" level.
  • EPIC Urges Illinois Supreme Court to Uphold Strict Limits on Biometric Data Collection » (Jul. 5, 2018)
    EPIC has filed an amicus brief with the Illinois Supreme Court in Rosenbach v. Six Flags Entertainment Corp, about the collection of a child's biometric data in violation of the Illinois Biometric Information Privacy Act. EPIC explained that the Illinois biometric law "imposes clear responsibilities on companies that collect biometric identifiers" and said the company had failed to comply with the state law. EPIC made clear that "collection is the threshold safeguard in privacy law" and if corresponding provisions are "not enforced, the statute’s subsequent provisions are of little consequence." EPIC first identified the risk of collecting biometric data from children entering amusement parks in a 2005 report "Theme Parks and Your Privacy." The state of Illinois adopted the nation's first biometric privacy law in 2008. EPIC has long advocated for strict limits on use of biometric data. EPIC also routinely submits amicus briefs, including in the recent OPM data breach case that concerned the breach of 5.1 million fingerprints, precisely the same biometric data at issue in this case.
  • EPIC Pursues Privacy Impact Assessments for Proposed DHS Biometric Database » (Jun. 18, 2018)
    EPIC has submitted an urgent Freedom of Information Act request to the Department of Homeland Security seeking the Privacy Impact Assessment for the "Homeland Advanced Recognition Technology," a proposed system that will integrate biometric identifiers across the federal government. HART would replace IDENT, which now contains biometric records on over 220 million unique individuals. In 2015 a breach at the Office of Personnel Management compromised 22 m records, including 5 m digitized fingerprints. It appears that Homeland Security failed to complete the Privacy Assessment prior to launching HART. By law, a federal agency is required to conduct a Privacy Impact Assessment before procuring information technology that stores personally identifiable information. In EPIC v. Presidential Election Commission, EPIC challenged the failure of the Commission to undertake a Privacy Impact Assessment prior to the collection of state voter data. The Commission was shuttered earlier this year.
  • Senators Urge DHS to Address Concerns Over Facial Recognition at Airports; Conduct Public Rule-Making » (May. 11, 2018)
    In a letter to DHS Secretary Kirstjen Nielson, Senators Edward Markey (D-MA) and Mike Lee (R-UT) urged the agency to promptly conduct a public rulemaking on the agency's biometric exit program prior to any expansion of the program. The program, currently implemented in nine U.S. airports, requires travelers on departing international flights to submit to facial recognition identification. The Senators requested that DHS determine the accuracy of the technique and the procedures for collecting passenger data. EPIC is currently pursuing documents about the biometric exit program, but documents EPIC obtained about a related program that tested iris and facial recognition scanning at the border revealed that the technology did not perform operational matching at a "satisfactory" level. An earlier EPIC lawsuit against the DHS led to the removal of backscatter x-ray devices — "body scanners" — at US airports.
  • EPIC to Congress: Enhanced Surveillance at Border Will Impact Rights of U.S. Citizens » (Apr. 24, 2018)
    EPIC has sent a statement to the House Homeland Security Committee in advance of a hearing with the Commissioner of Customs and Border Protection. EPIC urged the Committee to ask the CBP Commissioner about the collection of biometric data at US airports. EPIC described the growing use of facial recognition that capture the images of US travelers. EPIC also pointed to a recent study that found racial disparities with the technique. EPIC is currently seeking records from the federal agency concerning the accuracy of facial recognition. EPIC also recommended the Committee examine how CBP will comply with state laws prohibiting warrantless aerial surveillance when deploying drones at the border. As a result of an earlier FOIA lawsuit, EPIC found that the CBP is deploying drones with facial recognition technology without warrant authority.
  • EPIC FOIA: EPIC Obtains FBI Policy for Disseminating Biometric Info » (Mar. 22, 2018)
    Through a Freedom of Information Act request, EPIC has obtained the FBI’s “Policy for Biometric Information Sharing with Domestic and International Agencies.” The documents EPIC obtained also contain details of the United States’ agreement with Iraq to exchange biometric data, including to not subject the information to any dissemination restrictions of the US or Iraq. The FBI maintains one of the world's largest biometric databases, known as the "Next Generation Identification” system, which includes facial IDs gathered from international conflicts. In 2007, EPIC, Privacy International, and Human Rights Watch warned the Secretary of Defense that the “system of biometric identification contravene international privacy standards and could lead to further reprisals and killings.” EPIC noted in 2010 "President Obama’s address on the end of the combat mission in Iraq has left open the question of what will happen to the massive biometric databases on Iraqis, assembled by the United States, during the course of the conflict."
  • Court Rules that Users have Standing to Sue Facebook about Facial Recognition » (Feb. 27, 2018)
    The Northern District of California has ruled that Facebook users have standing to pursue a class action challenging Facebook's use of facial recognition software. The court said that the Illinois Biometric Information Privacy Act requires plaintiffs only to show that Facebook has unlawfully collected their biometric data without their consent. Facebook sought to dismiss the suit by arguing that the Supreme Court's decision in Spokeo v. Robins required the plaintiffs to show additional harm. EPIC submitted a friend-of-the-court brief in Spokeo, arguing that courts should not second-guess privacy laws. The Ninth Circuit Court of Appeals recently agreed with EPIC that internet users have standing when a company has disclosed their personal information in violation of the Video Privacy Protection Act.
  • EPIC Urges Congress to Suspend Facial Recognition At US Airports » (Feb. 26, 2018)
    EPIC has sent a statement to the House Homeland Security Committee in advance of a hearing on the Transportation Security Administration. EPIC urged the Committee to limit the collection of biometric data at US airports. EPIC described the growing use of facial recognition that capture the images of US travelers. EPIC also pointed to a recent study that found racial disparities with the technique. EPIC previously pursued a significant lawsuit against the TSA that led to the removal of x-ray body scanners from US airports. EPIC is currently seeking records from Customs and Border Protection concerning the accuracy of facial recognition.
  • Republican DACA Bill Would Expand Use of Drones, Biometrics » (Feb. 21, 2018)
    The Secure and Succeed Act (S. Amdt. 1959 to H.R. 2579), sponsored by several Republican Senators, would link DACA with hi-tech border surveillance. Customs and Border Protection would use facial recognition and other biometric technologies to inspect travelers, both US citizens and non-citizens, at airports. The bill also establishes "Operation Phalanx" that instructs the Department of Defense—a military agency—to use drones for domestic surveillance. EPIC has pursued many FOIA cases on border surveillance involving biometrics, drones, and airport body scanners, In a statement to Congress, EPIC warned that "many of the techniques that are proposed to enhance border surveillance have direct implications for the privacy of American citizens."
  • EPIC Urges FBI to Limit Fingerprint-Based Background Checks » (Jan. 9, 2018)
    In response to a request for comments, EPIC has urged the FBI to expand its use of name-based — rather than fingerprint-based — background checks for noncriminal purposes, such as employment. The FBI currently uses fingerprints, stored in the Next Generation Identification (NGI) database, to conduct non-criminal background checks. "Names checks" were only conducted for individuals whose fingerprints failed the NGI matching requirements. EPIC told the FBI that the "name-based background check accomplishes the same purpose as the fingerprint-based background check without requiring the collection of sensitive biometric information." EPIC has opposed the expansion of the NGI system for non-law enforcement purposes. EPIC has also pursued a series of Freedom of Information Act requests to assess the reliability of the NGI system.
  • EPIC FOIA: Report Reveals Failure of Border Biometric Matching Program » (Dec. 18, 2017)
    Through a Freedom of Information Act lawsuit, EPIC has obtained a report from Custom and Border Protection, which evaluated iris imaging and facial recognition scans for border control. The "Southwest Border Pedestrian Field Test" reveals that the agency program does not perform operational matching at a "satisfactory" level. In a statement to Congress earlier this year, EPIC warned that biometric identification techniques are unreliable and lack proper privacy safeguards. EPIC is pursuing related documents for the use of biometrics at airports. EPIC has extensively litigated airport screening techniques, including EPIC v. TSA (concerning body scanner modifications) and EPIC v. DHS (concerning full body scanner radiation risks).
  • EPIC Urges Senate to Block Biometric Collection At US Airports » (Sep. 28, 2017)
    EPIC has sent a statement to the Senate Commerce Committee following a hearing on the Transportation Security Administration. EPIC urged the Committee to limit the collection of biometric data at US airports. EPIC described the growing and regulated use of biometrics in US airports, often targeting US citizens. EPIC previous pursued a significant lawsuit against the TSA to limit the use of body scanners. EPIC is currently seeking records from Customs and Border Protection concerning the agency's use of facial recognition for a biometric entry/exit program at airports. EPIC has also objected to a proposal to increase the collection of biometric data for the TSA Pre-Check program.
  • NGOs to Meet with Privacy Commissioners at Public Voice Event in Hong Kong » (Sep. 19, 2017)
    The Public Voice will host an event with NGOs and Privacy Commissioners at the 39th International Conference of Data Protection and Privacy Commissioners in Hong Kong. "Emerging Privacy Issues: A Dialogue Between NGOs & DPAs" will address emerging privacy issues, including biometric identification, Algorithmic transparency, border surveillance, the India privacy decision, and implementation of the GDPR. Speakers include Chairman Isabelle Falque-Pterrotin of the CNIL and Article 29 Working Party, Commissioner John Edwards of New Zealand, and Director Eduardo Bertoni of Argentina. Also participating will be representatives of Access Now, EPIC, GP Digital, Privacy International, and the World Privacy Forum. The Public Voice, established in 1996, facilitates public participation in decisions concerning the future of the Internet.
  • EPIC Obtains Final Report on "Face ePassport Air Entry Experiment" » (Sep. 8, 2017)
    As the result of a Freedom of Information Act request, EPIC has obtained a report on the use of face recognition on travelers entering the United States at Dulles Airport. The report was obtained after EPIC filed a lawsuit against Customs and Border Protection for documents about the agency's biometric entry/exit program, expedited by Executive Order 13769. As the report was heavily redacted, EPIC's FOIA lawsuit is ongoing. In a statement to the House Homeland Security Committee earlier this year, EPIC warned that biometric identification techniques, such as facial recognition, lack proper privacy safeguards. EPIC has extensively litigated airport screening techniques, including EPIC v. TSA, concerning airport body screening.
  • Supreme Court of India Rules Privacy is a Fundamental Right » (Aug. 24, 2017)
    India's Supreme Court has ruled that privacy is a fundamental right under the Indian Constitution. In a unanimous ruling, the Court explained the "right to privacy is protected as an intrinsic part of the right to life and personal liberty under Article 21 and as a part of the freedoms guaranteed by Part III of the Constitution." The Court also recognized that "Informational privacy is a facet of the right to privacy" and modern privacy risks are caused by both the public and private sector. The ruling may impact significant cases pending in India, including a challenge to Aadhaar, India's massive biometric identification system, and WhatsApp's privacy policy change. In 2009 NGOs and privacy experts set out the Madrid Privacy Declaration, which affirmed privacy as a fundamental human right. In 2010, EPIC urged the US Supreme Court to recognize the right of "informational privacy." EPIC explained that the Whalen decision and a famous German census case, "influenced international privacy jurisprudence, resulting in the widespread recognition of the right to informational privacy." EPIC's report Privacy and Human Rights provides an overview of privacy frameworks around the world.
  • EPIC to Congress: Examine Facial Recognition Surveillance at the Border » (Jul. 24, 2017)
    EPIC has sent a statement to the House Homeland Security Committee in advance of a hearing on "Technology's Role on Securing the Border." EPIC alerted the Committee to EPIC's recent FOIA lawsuit about the federal government's deployment of a biometric "entry/exit tracking system," including at US airports. A recent Executive Order on immigration will push forward the biometric identification system, and will include citizens returning to the U.S. EPIC has warned that biometric identification techniques, such as facial recognition, lack proper privacy safeguards. EPIC noted that the federal agency pursuing the border identification program is also deploying drones, and should comply with state laws and a 2015 Presidential Memorandum that limit drone surveillance.
  • EPIC Files FOIA Lawsuit Over Border Biometrics, Expanded Tracking » (Jul. 20, 2017)
    EPIC has filed a FOIA lawsuit against Customs and Border Protection for information about the agency’s deployment of a biometric entry/exit tracking system, including at US airports. Trump's recent Executive Order regarding immigration ordered the expedited implementation of a biometric entry/exit tracking system, which will include U.S. citizens. Biometric techniques, including facial recognition, lack proper privacy safeguards. EPIC previously sued the FBI over the Bureau’s Next Generation Identification database, which contains face prints, fingerprints, and other biometrics of millions of Americans. EPIC's lawsuit against the FBI revealed that biometric identification is often inaccurate.
  • EPIC Urges TSA to Consider Alternative to Biometric Collection » (Jul. 5, 2017)
    In comments to the Transportation Security Administration, EPIC urged the agency to consider alternatives to expanding the collection of biometric identifiers for the TSA Pre-Check application. EPIC explained the potential for biometric identifiers to be used for purposes other than determining eligibility for Pre-Check and the substantial personal privacy risks for applicants if the databases associated with Pre-Check were compromised. EPIC also proposed privacy enhancing alternatives, such as limiting the storage of biometric identifiers or providing information on how to have information removed from databases associated with Pre-Check. EPIC routinely highlights the risks of large, overbroad government databases and the privacy risks inherent in the collection of biometric information.
  • EPIC Urges Senate Committee to Investigate FBI's Massive Biometric Database » (May. 1, 2017)
    EPIC has sent a statement to the Senate Judiciary Committee for an upcoming FBI oversight hearing. EPIC urged the Committee to investigate the FBI's Next Generation Identification system, a massive biometric database. EPIC has sought to ensure that the FBI database complies fully with the federal Privacy Act which the Bureau has opposed. EPIC explained to the Senate Committee that an individual's ability to control disclosure of identity "is an essential aspect of personal security and privacy." In a leading FOIA lawsuit, EPIC v. FBI, EPIC also uncovered documents which revealed high error rates in the biometric system. EPIC has filed a FOIA lawsuit against the FBI for information about the agency's plans to transfer biometric data to the Department of Defense.
  • EPIC Joins Coalition to Urge FOIA Compliance on Immigration Enforcement » (Apr. 25, 2017)
    EPIC joined a coalition of civil society organizations to urge the Immigration and Customs Enforcement to comply with the Freedom of Information Act. The letter to DHS Secretary Kelly calls upon the federal agency to "fully disclose information on immigration enforcement cooperation between federal and non-federal law enforcement agencies." EPIC previously received documents through a Freedom of Information Act Request about DHS's immigration enforcement practices. The documents obtained by EPIC detail the "Priorities Enforcement Program," a controversial program that relied on biometric data collection for immigration enforcement.
  • EPIC Urges House Oversight Committee to Explore FBI's Use of Biometric Data » (Mar. 21, 2017)
    EPIC has sent a letter to the House Committee on Oversight concerning "Law Enforcement's Use of Facial Recognition Technology." EPIC urged the Committee to investigate the FBI's Next Generation Identification program. EPIC explained that an individual's ability to control disclosure of identity "is an essential aspect of personal security and privacy." The FBI biometric database is one of the largest in the world, but the FBI has opposed privacy safeguards that EPIC supported. The Bureau proposed to exempt the database from Privacy Act protections. EPIC has filed a FOIA lawsuit against the FBI for information about the agency's plans to transfer biometric data to the Department of Defense.
  • Data Protection Experts Recommend New protections for Biometric Identification Online » (Mar. 17, 2017)
    The International Working Group on Data Protection in Telecommunications adopted new recommendations to improve the privacy and security of biometric identification online. The Berlin-based Working Group includes Data Protection Authorities and experts who work together to address emerging privacy challenges. The "Working Paper on Biometrics in Online Authentication )" explains that “biometrics in online authentication offers one possibility to address some of the shortcomings” of conventional online passwords, but the “data protection and privacy risks” must be considered. Among their recommendations, the experts urge policymakers to support for “[p]roactive privacy tools,” and contend biometric authentication should “remai[n] an active choice by the user and not a condition of use.” EPIC will host the 61st meeting of the International Working Group in Washington DC in April 2017.
  • EPIC FOIA: EPIC Seeks Information about Airport Eye Scans of U.S. Travelers » (Mar. 2, 2017)
    EPIC has filed an urgent FOIA request with U.S. Customs and Border Protection for details of eye scans conducted on U.S. citizens traveling internationally. The CBP has long been testing biometric identification of travelers, including U.S. citizens, and a recent report indicates U.S. citizens were subject to eye scans before traveling abroad. EPIC seeks public disclosure of the details of CBP policies for scanning U.S. citizen irises and retinas upon entry or exit to the U.S. EPIC makes frequent use of the Freedom of Information Act. As the result of a FOIA lawsuit, EPIC recently obtained several memorandum of understanding regarding the transfer of biometric identifiers between the FBI and DOD. Last month, EPIC also prevailed in EPIC v. FBI, a FOIA lawsuit public release of the FBI's privacy assessments.
  • EPIC FOIA: EPIC Obtains FBI-DoD Biometric Data Plans » (Jan. 30, 2017)
    Through a Freedom of Information Act lawsuit, EPIC has obtained several memorandum of understanding regarding the transfer of biometric identifiers between the Federal Bureau of Investigation and the Department of Defense. One of the agreements, which includes the State Department, calls for "a direct conduit for the parties to access databases storing biometric information." Last year, EPIC filed extensive comments scrutinizing the FBI's proposal to remove Privacy Act safeguards from the Bureau's massive biometric database known as "Next Generation Identification." EPIC also lead a coalition effort urging Congress to hold an oversight hearing on the FBI database. The case is EPIC v. FBI, No. 16-2237 (D.D.C. filed Nov. 10, 2016) (Biometric Data Transfer Agreements).
  • Open Government Lawsuits at Near-Record Highs in 2016 » (Dec. 9, 2016)
    Advocates, journalists, and businesses have brought a near-record 512 lawsuits under the Freedom of Information Act in 2016. The findings, complied by for FOIAproject.org by the Transactional Records Access Clearinghouse, show a 35 percent increase in FOIA litigation over the past five years. According to the new report, the lawsuits have covered diverse issues including "private email accounts, national security, immigration, the environment and even Donald Trump." In 2016, EPIC brought FOIA suits for the DOJ's secret inspector general reports, the DOT's drone task force records, and the FBI's biometric data transfer memos.
  • EPIC FOIA: EPIC Obtains Secret Inspector General Reports » (Nov. 21, 2016)
    Through a Freedom of Information Act lawsuit EPIC has obtained nonpublic reports from the Department of Justice's Inspector General. The documents include audits of drug control funds. Another set of documents include audits of other grant programs, as well as a list of information security audits conducted since 2005. EPIC also obtained a previously unpublished audit of a state lab's DNA database. The mission of the DOJ Inspector General is "to detect and deter waste, fraud, abuse, and misconduct in DOJ programs and personnel." EPIC also recently sued the Federal Bureau of Investigation to obtain information on the massive biometric database "Next Generation Identification."
  • EPIC Sues FBI Over Biometric Data Program » (Nov. 14, 2016)
    EPIC has filed a FOIA lawsuit against the Federal Bureau of Investigation for information about the agency's plans to transfer biometric data to the Department of Defense. The FBI maintains one of the world's largest biometric databases, known as the "Next Generation Identification" system, but the FBI has resisted maintaining privacy safeguards. The Bureau previously proposed to exempt the database from many of the safeguards in the federal Privacy Act, which EPIC opposed. Then EPIC, following a FOIA lawsuit, obtained documents that revealed an error rate up to 20% for facial recognition searches in the FBI database. Now EPIC has filed an open government lawsuit to obtain a secret document that details the transfer of personal data in the FBI system to the Department of Defense. [Press Release]
  • High Court Extends Fourth Amendment Protections to DUI Blood Tests » (Jun. 23, 2016)
    In Birchfield v. North Dakota, the U.S. Supreme Court today held that states cannot criminalize an individual’s refusal to submit to a warrantless blood test. The Court also found that the Fourth Amendment does not allow warrantless blood tests incident to arrest, but does permit warrantless breath tests. In the 2013 case Maryland v. King, EPIC urged the Supreme Court to protect genetic privacy by extending Fourth Amendment protections the collection of DNA from arrestees. In that case, the Supreme Court held that a cheek swab incident to an arrest was permissible.
  • Federal Court Upholds Photo Tagging Suit Against Facebook » (May. 8, 2016)
    A federal judge has rejected Facebook's argument that the company did not violate an Illinois law that requires companies to obtain consent from consumers before collecting biometric data such as a "faceprint." Describing the biometric privacy law, the court said that Facebook's position was "antithetical to its broad purpose of protecting privacy in the face of emerging biometric technology." In 2011, EPIC filed a complaint with the Federal Trade Commission, arguing that the facial identification of users was an unfair and deceptive trade practice. In 2012, EPIC urged the FTC to suspend facial recognition "until adequate safeguards and privacy standards are established." Canada and Europe have since required Facebook to suspend the use of photo tagging.
  • Federal Agencies Seek Comment on Protections for Human Research Subjects » (Sep. 8, 2015)
    The Department of Health and Human Services is seeking public comment on proposed revisions to the "Common Rule," ethical rules regarding biomedical and behavioral research involving human subjects in the United States. The proposal seeks to strengthen requirements for informed consent but would also exempt certain categories of research from administrative review. The Department will accept public comments on the proposed revisions until December 6, 2015. EPIC previously submitted comments to the Department of Health and Human Services, warning that medical privacy standards for deidentification were "gravely inadequate" and urged support for stronger techniques of deidentification. EPIC routinely comments on privacy issues involved in health data.
  • California Court Strikes Down DNA Collection Law » (Dec. 4, 2014)
    A state appeals court in California has struck down a state law that requires collection of DNA from people arrested on felony charges. The California court ruled that DNA collection by a cheek swab is an unreasonable search and seizure prohibited by the state's constitution. "The California DNA Act intrudes too quickly and too deeply into the privacy interests of arrestees," wrote the court. The appeals court also said that the U.S. Supreme Court's ruling in Maryland v. King, which upheld a similar law in Maryland, did not apply in this case because of significant differences between each state's DNA collection laws. EPIC has participated as amicus in several cases concerning the collection of DNA. In Maryland v. King, EPIC argued that the government collection of DNA opens the door to misuse and threatens personal privacy. For more information, see EPIC: Maryland v. King, EPIC: Maryland v. Raines, EPIC: Kohler v Englade, EPIC: US v. Kincade, EPIC: Herring v. US, EPIC: Comments on TSA Biometric Systems, and EPIC: Genetic Privacy.
  • Senate to Hold Homeland Security Oversight Hearing » (Jun. 10, 2014)
    The Senate Judiciary Committee will hold an oversight hearing for the Department of Homeland Security. Secretary Jeh Johnson will testify. EPIC has objected to many of the agency's mass surveillance practices, including the secret profiling of American air travelers, the use of drones for aerial surveillance, the amassing of information on Americans into "fusion centers", and the collection of biometric identifiers. EPIC has also warned that the DHS Chief Privacy Officer has failed to safeguard privacy, a legal obligation for that office. According to the DHS, the number of privacy complaints increased in 2013. EPIC has several Freedom of Information Act case pending against the DHS. In an earlier case, EPIC determined the DHS was monitoring social media and news organizations for criticisms of the agency. Another EPIC case led to the removal of the x-ray backscatter devices from US airports. For more information, see EPIC v. DHS - Social Media Monitoring and EPIC v. DHS (Suspension of Body Scanner Program).
  • Sen. Franken Questions Apple on iPhone Fingerprint Scanning » (Sep. 21, 2013)
    Senator Al Franken has raised questions about the privacy and security implications of the fingerprint reader on Apple's new iPhone 5S. "If someone hacks your password, you can change it—as many times as you want. You can't change your fingerprints," Senator Franken wrote. He also pressed Apple for additional details on the protection available to users against law enforcement access to biometric data. In Congressional testimony, EPIC has previously warned that biometric identifiers will "allow for greater data collection and tracking of individuals." For more information, see EPIC: Biometric Identifiers.
  • EPIC FOIA - DHS Facial Recognition System Lacks Privacy Safeguards » (Aug. 22, 2013)
    In response to an EPIC FOIA request, the Department of Homeland Security has produced documents revealing that the agency has failed to establish privacy safeguards for "BOSS" (the Biometric Optical Surveillance System), an elaborate system for facial recognition and individual identification. The documents obtained by EPIC indicate that none of the agency's contracts or statements of work require any data privacy or security protections for BOSS' design, production, or test implementations. The New York Times reported on EPIC's acquisition of these documents, noting also high failure rates for these systems. EPIC is also pursuing a FOIA lawsuit with the FBI over the agency's development of "Next Generation ID," which, when complete, will be the largest biometric identification database program in the world. For more information, see EPIC: Face Recognition, EPIC: EPIC Opposes DHS Biometric Collection, and EPIC - Biometric Identifiers.
  • EPIC Opposes DHS Biometric Collection » (Jun. 21, 2013)
    EPIC has submitted comments to the Department of Homeland Security, staunchly opposing the agency's border biometric collection, facilitated through the Office of Biometric Identity Management program. Since at least 2004, DHS has collected fingerprint and facial photos from individuals entering the United States. DHS then disseminates this information to DHS agency components, other federal agencies, and "federal, state, and local law enforcement agencies," and the "federal intelligence community." Currently, at least 30,000 individuals from federal, state, and local governments access the data contained obtained by DHS's biometric collection program. DHS shares this biometric data with foreign governments, including Canada, Australia, and the United Kingdom. In its comments, EPIC urged the agency to cease collecting biometric information without proper privacy safeguards in place. Should the agency continue to collect this sensitive information, EPIC recommends that DHS: (1) impose strict information security safeguards on its biometric information collection and limit its dissemination of biometric information; (2) conduct a comprehensive privacy impact assessment on the biometric collection program; (3) grant individuals Privacy Act rights before collecting additional biometric information; and (4) adhere to international privacy standards. For more information, see EPIC: US-VISIT and EPIC: Biometric Identifiers.
  • FBI Performs Massive Virtual Line-up by Searching DMV Photos » (Jun. 17, 2013)
    Through a Freedom of Information Act request, EPIC obtained a number of agreements between the FBI and state DMVs. The agreements allow the FBI to use facial recognition to compare subjects of FBI investigations with the millions of license and identification photos retained by participating state DMVs. EPIC also obtained the Standard Operating Procedure for the program and a Privacy Threshold Analysis that indicated that a Privacy Impact Assessment must be performed, but it is not clear whether one has been completed. EPIC is currently suing the FBI to learn more about its development of a vast biometric identification database. For more information, see EPIC: Face Recognition and EPIC: Biometric Identifiers.
  • EPIC Sues FBI to Obtain Details of Massive Biometric ID Database » (Apr. 8, 2013)
    EPIC has filed a Freedom of Information Act lawsuit against the FBI to obtain documents about "Next Generation Identification", a massive database with biometric identifiers on millions of Americans. The EPIC lawsuit follows the FBI's failure to respond to EPIC's earlier FOIA requests for technical specifications and contracts. According to EPIC's complaint, "When completed, the NGI system will be the largest biometric database in the world." NGI aggregates fingerprints, DNA profiles, iris scans, palm prints, voice identification profiles, photographs, and other identifying information. The FBI will use facial recognition to match images in the database against facial images obtained from CCTV and elsewhere. For more information, see EPIC v. FBI - Next Generation Identification, EPIC: Biometric Identifiers and EPIC: Face Recognition.
  • US to Retain Biometric Database on Iraqis » (Dec. 21, 2011)
    According to Wired, although the war in Iraq is officially over US Central Command will retain a massive database with retinal scans, thumb prints, religious affiliation, as well as other personal data on millions of Iraqis. In 2007, EPIC, Privacy International, and Human Rights Watch sent a letter to then Secretary of Defense Robert Gates to warn that the collection of biometric data in the region poses a direct risk to human rights and could result in genocidal violence. The Defense Science Board also warned that the database could "become a hit list if it gets in the wrong hands." For more information, see EPIC - "Iraqi Biometric Identification System."
  • EPIC, Coalition Seeks Investigation of New FBI ID Program and "Secure Communities" » (Sep. 26, 2011)
    A coalition of civil liberties and civil rights organizations have asked the Inspector General of the Department of Justice to investigate the FBI's Next Generation Identification program, a "billion-dollar initiative to create the world's largest biometric database." The 70 organizations, including EPIC, have also urged an assessment of "Secure Communities," the mismanaged federal deportation effort. Several states, including Illinois, Massachusetts, and New York, have already withdrawn from the DHS program. For more information, see EPIC - "Secure Communitities."
  • FTC Announces Workshop on Facial Recognition Technology » (Sep. 20, 2011)
    The Federal Trade Commission announced that it will host a workshop on December 8, 2011, on the privacy and security issues raised by the increasing use of facial recognition technology. Facial recognition technology has been used by Facebook to build a secret data base of users’ biometric data and to enable Facebook to automatically tag users in photos. The Army has also used facial recognition technology to collect biometric data from Iraqi and Afghan civilians at checkpoints, workplaces, the sites of attacks, and door-to-door canvasses. EPIC, Privacy International, and Human Rights Watch wrote to the US Secretary Defense in 2007 to warn that the system could lead to reprisals and further killings. Police agencies are also using facial recognition to identity political protesters. EPIC’s complaint regarding Facebook’s facial recognition is still pending before the FTC. For more information, see EPIC: In re Facebook, EPIC: Face Recognition, and EPIC: Iraqi Biometric Identification System.

Summary

Facebook users have brought a class action lawsuit under the Illinois Biometric Information Privacy Act ("BIPA") challenging Facebook's collection of their biometric face information without notice or consent. Facebook collects this information for use in its Tag Suggestions tool, which uses facial recognition software to identify the faces of users in images uploaded to Facebook. The U.S. District Court for Northern California denied Facebook's many motions to dismiss and for summary judgment, and ultimately certified the class. Facebook sought permission to appeal the class certification at the Ninth Circuit, which was granted. Facebook claims that the class should not have been certified because Plaintiffs have not alleged any harm beyond Facebook's violation of BIPA. Plaintiffs argue, and the District Court agreed, that an individual has standing if they allege a violation of BIPA.

Question Presented

Whether the collection of an individual's biometric data in violation of the Illinois Biometric Information Privacy Act is sufficient to establish Article III standing.

Background

Factual Background

Facebook users in Illinois allege that Facebook collected their biometric data without notice or consent through the Tag Suggestions tool, which scans for and identifies people in photographs users upload to Facebook. Tag Suggestions works through a four-step facial recognition process. First, the tool tries to detect faces in uploaded images. The tool then standardizes, or "aligns," the face along a set of parameters, such as orientation and size. In the third step, the software computes a "face signature," which is a string of numbers that represents that particular face. The software then searches a database of stored "face templates" for a match. The stored face templates are calculated based on other photographs that a user is tagged in. A match occurs when the face signature falls within a threshold of similarity to a stored face template, at which point Facebook suggests tagging the user to whom the face template is assigned. Facebook claims that they only store face templates, and not face signatures.

Facebook estimates that 90% of faces appearing in photographs are successfully detected, and of those, 85% are successfully aligned. Thus, approximately 76% of faces appearing in photographs have face signatures computed. According to Facebook, in 2014, it was able to match around 67% of detected faces with users.

Legal Background

The Illinois Biometric Privacy Information Act ("BIPA") requires a corporation that obtains a person's biometric information to 1) obtain a "written release" from them prior to collection, 2) to provide them notice that their information is being collected and stored, and 3) to state the duration the information will be collected, stored and used as well as its specific purpose. The law gives a private right of action to anyone "aggrieved" under the statute. Several courts have considered, and disagreed on, the meaning of the term "aggrieved" under BIPA. While some courts have considered a violation of the biometric notice and consent requirements to be a privacy violation that is actionable in itself, other courts have held that an aggrieved party must both allege a technical violation of the law combined with a separate and additional claim of injury.

The Illinois Legislature passed the BIPA in 2008 to protect the "welfare, security, and safety" of Illinois residents by "regulating the collection, use, safeguarding, handling, storage, retention, and destruction of biometric information." Seeing the use of biometric identifiers growing, especially in the financial sector, the Illinois Legislature was cognizant that unlike other unique identifiers, biometrics are biologically unique and cannot be changed even if compromised. Furthermore, knowing that the implications of using of biometric identifiers for a commercial purpose is unknown, the Illinois Legislature intended BIPA to address the concerns of a wary public that may be deterred from transactions that require biometric identification.

To combat these worries, BIPA requires a corporation that obtains a person's biometric information to first obtain a "written release" from the customer or the customer's representative. The law also requires a corporation that seeks to obtain biometric information from a customer to first provide "in writing" various information: (1) that the biometric information is being "collected" (2) that the biometric information is being "stored;" (3) the "length of term" that that the biometric information will be collected, stored, and used; and (4) the "specific purpose" for the collection, storage, and use of the information.

Federal courts are courts of limited jurisdiction, meaning that they may only consider a case if the subject matter and parties meet certain requirements. One of these requirements is that the plaintiffs have "standing." In Spokeo v. Robins, the Supreme Court decided that, for a plaintiff to have standing, they must demonstrate that they have "suffered 'an invasion of a legally protected interest' that is ‘concrete and particularized' and 'actual or imminent, not conjectural or hypothetical.'" The Court went on to say that Congress can create statutory rights and causes of action "that will give rise to a case or controversy where none existed before," and that “the violation of a procedural right granted by statute can be sufficient in some circumstances to constitute injury in fact. In other words, a plaintiff in such a case need not allege any additional harm beyond the one Congress has identified." The Ninth Circuit has recognized that state legislatures can also create interests that support standing in federal courts.

Procedural History

Facebook users filed several lawsuits against Facebook under the Illinois Biometric Information Privacy Act ("BIPA"). The cases were consolidated in the U.S. District Court for the District of Northern Califnornia. Facebook sought to dismiss the case, arguing that Plaintiffs lacked standing because they had only alleged that Facebook collected their biometric data in violation of BIPA, but did not allege any actual damages. Plaintiffs moved for the court to certify the class under Federal Rule of Civil Procedure 23(b)(3). The District Court rejected Facebook's objections to standing and class certification, certifying the class of Facebook users located in Illinois for whom Facebook created and stored a face template after June 7, 2011. The District Court recognized that the Illinois legislature codified a right to privacy in personal biometric information, and that it was the judgment of the legislature that violation of BIPA's procedures would cause actual and concrete harm sufficient to confer Article III standing on those whose rights were violated. Facebook sought permission from the Ninth Circuit to appeal the District Court's decision, which the Ninth Circuit granted.

EPIC's Interest

EPIC has long advocated for strict limits on the use of biometric data and facial recognition software. EPIC argues that biometric data is personally identifiable information that cannot be changed, even if compromised. Improper collection of this information can contribute to identity theft, inaccurate identifications, and infringement on constitutional rights. Strict limits on biometric data is the best practice to prevent abuse.

EPIC has been long been concerned with Facebook's privacy practices and with Facebook's use of facial recognition software. In 2011, EPIC and other consumer protection groups complained to the FTC about Facebook's face identifying software. In 2018, EPIC again complained to the FTC about Facebook's use of face recognition software, and the FTC's failure to enforce the 2011 Facebook consent order.

EPIC has filed amicus briefs several cases arguing that violation of a statutory duty to protect data is sufficient to confer standing. Earlier in 2018, EPIC filed an amicus brief in the Illinois Supreme Court in Rosenbach v. Six Flags, another case concerning who has standing to sue under Illinois's Biometric Information Privacy Act. EPIC also filed an amicus in In re OPM, arguing that "when personal data is collected by a government agency, that agency has a constitutional obligation to protect the personal data it has obtained."

Legal Documents

U.S. Court of Appeals for the Ninth Circuit (No. 18-15982)

U.S. District Court for the Northern District of California (No. 3:15-cv-0374)

Resources:

EPIC Resources

News

Share this page:

Support EPIC

EPIC relies on support from individual donors to pursue our work.

Defend Privacy. Support EPIC.

EPIC Mueller Report book