Facebook Pays $550 Million Settlement In Illinois Facial Recognition Lawsuit, Which Could Pose Problems For Clearview

Late last week, legally and ethically-dubious facial recognition tech developer Clearview was sued for violating an Illinois law making certain collection and storage of biometric information illegal. I was very dismissive of the lawsuit, stating that scraping of publicly-posted photos couldn't possibly create an actionable violation of privacy.

My assessment may be wrong. A recent settlement by Facebook in a lawsuit alleging violations of this law suggests the proposed class action against Clearview might actually go somewhere, even if Clearview is an outside party scraping (possibly illegal) photo collections from other sites.

In what lawyers are calling the largest settlement ever reached in a privacy related lawsuit, Facebook will pay $550 million to settle claims it harvested users' facial data without consent and in violation of a 2008 Illinois privacy law.

The announcement comes eight days after the Supreme Court denied Facebook's petition to review the case and halt an impending trial that was put on hold in 2018 when Facebook appealed a lower court decision advancing the case.

This lawsuit dealt with yet another Facebook feature no one asked for: the nearly-automatic tagging of friends and acquaintances in uploaded photos. Facebook's AI scanned uploaded photos for matches and suggested names of people who resembled those in the photograph. Given the sheer amount of uploaded photos hosted by the site, it was speculated Facebook could have faced a $35 billion fine. If true, the $550 million settlement is a bargain.

But let's take another look at the Clearview lawsuit. Once you get past some of the more ridiculous assertions, you're looking at a few fairly plausible allegations that could survive a motion to dismiss and open Clearview up for what is certain to be some damaging discovery. The company is already cruising around on the outer edges of the law by scraping sites for photos in violation of their terms of service.

The law requires companies doing business in Illinois to obtain permission from users before harvesting biometric info. Since Clearview scrapes sites to build its biometric database, it is obviously not securing anyone's explicit permission.

And Clearview does business in Illinois. It claims it has "partnered" with 600-1,000 law enforcement agencies -- claims that should be taken with several doses of salt considering the number of law enforcement rebuttals that have greeted its marketing assertions.

But this is verifiable.

Interim Chicago Police Superintendent Charlie Beck on Thursday offered a vigorous defense of CPD's use of a facial recognition tool that matches images of unknown suspects to three billion photos scraped from social media.

Clearview AI, the Manhattan-based firm that developed the software, has come under fire after a lawsuit was filed in federal court in Chicago earlier this month seeking to halt the company's data collection and after a New York Times report detailed the privacy concerns its technology has brought to the fore.

But, Beck said Thursday the department needs the tool and doesn't abuse it. Without it, Chicago Police would "solve fewer crimes than places" that do use it, he said.

Ok. Seems unlikely an unproven tool would be better at solving crimes than stuff the CPD already does, but who wouldn't prefer to use an app rather than shoe leather to track down perps?

That satisfies the "doing business in" prong. But if we're looking at unauthorized collection of biometric info, it gets a little cloudier. If Facebook's application of facial recognition AI is the key factor for its violation of the state law, Clearview's AI creates the same legal risk for the company. If the sites it's scraping from aren't applying facial recognition AI to the photos, Clearview's application of its AI creates a violation that didn't previously exist when it was simply collecting the photos for its database.

Photos scraped from Facebook don't immediately become contraband, despite Facebook's application of AI to uploaded photos. The photos are inert, so to speak, when they're scraped by Clearview. It's the application of additional software to convert them into biometric information that causes the violation and triggers the rapidly-escalating fines.

Even if its scraping ultimately proves to be legal, its application of AI makes deploying this in Illinois very risky. The bizarre twist is that it might be Clearview's decision to sell only to law enforcement agencies that might save it from being successfully sued. There's a carveout in the law for government agencies and contractors, which might mean the state law does not apply to Clearview.

Nothing in this Act shall be construed to apply to a contractor, subcontractor, or agent of a State agency or local unit of government when working for that State agency or local unit of government.

Whew. So, ask the government for some grievance redress and get told another part of the government already let the third branch of the government do whatever it wants with otherwise-illegal biometric collections.

I'm still shorting this lawsuit, but not nearly as aggressively as I did earlier. There's too much unknown about Clearview's data-gathering at the moment. But it appears Clearview can violate the law with impunity as long as it only sells its services to Illinois government agencies.