We pose and smile for selfies with friends and put them on Facebook, TikTok, Instagram, and Snapchat. We look up as we walk outside and see cameras on every street intersection pole, or at the city park. We believe they are looking for cars going through red lights or watching out for crime. What we may not realize is that our favorite apps and ever-present street cameras are using facial recognition to identify us and, using advanced A.I. software, tag us as we move from location to location. We also may not be aware that cameras can identify us by our gait and body movement, as well as our face. “Walk that way” has a new meaning.
New York City police reportedly used facial recognition from 15,000 cameras 22,000 times to identify individuals since 2017.1 Fear of crime is driving us, or being used to drive us, to give up our privacy by allowing law enforcement to use those ubiquitous street cameras to identify where we are, and even to listen to our words to recognize us. This technique, commonly called “voiceprint” identification, lets surveillance equipment instantly turn our words into searchable text as we walk down the street.
The legal issue of advanced technologies taking away our right of privacy is not new. In 1890, a young Boston lawyer, Louis Brandeis, co-wrote a Harvard Review article asserting that privacy was a fundamental right even if not listed as a right in the US Constitution. Brandeis was upset that two new inventions, the Kodak camera and the Edison dictating machine, were invading our private lives, exposing them to the public without our consent:
Instantaneous photographs and newspaper enterprise have invaded the sacred precincts of private and domestic life; and numerous mechanical devices threaten to make good the prediction that “what is whispered in the closet shall be proclaimed from the house-tops.2
In 1928, almost four decades later, then-Supreme Court Justice Brandeis penned his famous Olmsted v. US dissent on the issue of privacy. The case involved law enforcement wiretapping a new device located on the sidewalk: the public telephone. Brandeis explained:
Whenever a telephone line is tapped, the privacy of the persons at both ends of the line is invaded, and all conversations between them upon any subject, and although proper, confidential, and privileged, may be overheard.3
Justice Brandeis advocated limiting law enforcement’s use of wiretapping. His views on regulating privacy rights eventually became law. Nine decades later, state legislators are again working to rein in the use of new technology: the pervasive placement of high-quality cameras and corresponding use of A.I. software. The concept of facial and biometric recognition has been around since the 1960s. However, the technology to make facial recognition accurate and fast has only been achieved in the last two decades with improvements in “computer vision” algorithms, faster processers, ubiquitous broadband, and inexpensive cameras. Law enforcement showed the world the effectiveness of the cameras and biometric A.I. software after the January 6th Insurrection by accurately identifying hundreds of perpetrators within days.
Several states and municipalities are seeking to protect persons from abuse of biometrics by private companies and by law enforcement. The new laws generally attempt to limit private firms from using facial recognition without opt-in consent, or to limit law enforcement’s use of biometric identification tools.
Illinois Law Allows a Private Right of Action
Illinois led the way in this legislative trend by limiting private firms’ ability to collect biometric data without consent. In 2008, the state passed the Biometric Information Privacy Act, or BIPA. BIPA arose in response to a software company that collected fingerprint data at cash registers to allow for easy checkout but then, when the company went bankrupt, attempted to sell the customers’ fingerprint data as a bankruptcy asset. BIPA defines a biometric identifier as “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.” The law requires written consent for an entity to collect, capture, purchase, receive, disclose, or disseminate biometric information. Most significantly, it gives a person a right of action “against an offending party.” Damages are set per violation: $1,000 if caused by negligence and $5,000 if intentional.
The private right of action is one of the most controversial aspects of various privacy laws being proposed around the country. With a private right of action, plaintiffs’ attorneys are enforcing the privacy law by constantly seeking out potential defendants who are allegedly violating the law. Without a private right of action, state attorney generals must decide who to sue, if there are resources to sue, and if it is politically a good move to sue. Companies are often adamantly opposed to laws creating a private right of action, as such suits can result in large, complex class actions lasting for years and, potentially, very large judgements and settlements.
The private right of action is one of the most controversial aspects of various privacy laws being proposed around the country.