by shadowgovt 2378 days ago
This lawsuit seems dead on arrival.

From the article (emphasis my own):

""" The suit alleges that Google is violating BIPA because it is “actively collecting, storing, and using—without providing notice, obtaining informed written consent or publishing data retention policies—the biometrics of millions of unwitting individuals whose faces appear in photographs uploaded to Google Photos in Illinois """

From the text of the BIPA law (again, emphasis my own):

""" Biometric identifiers do not include writing samples, written signatures, photographs... """

This interpretation of BIPA would seem to require complex written consent for every corner store running a security camera and every wedding photographer, which clearly isn't the intent of the law. Since the law explicitly carves out photographs, the use to which Google is putting the material in question should be irrelevant; it's explicitly excluded from this law's coverage.

2 comments

I have to point out that his exact argument has been made and rejected by the courts in multiple cases already.

> Shutterfly maintains that by excluding data derived from photographs from the definition of “biometric information,” the Illinois legislature intended to exclude from BIPA’s purview all biometric data obtained from photographs... As Shutterfly acknowledges, if biometric identifiers do not include information obtained from images or photographs, the definition’s reference to a “scan of face geometry” can mean only an in-person scan of a person’s face. Such a narrow reading of the term “biometric identifier” is problematic in many respects... The definition of ‘biometric identifier’ does not use words like ‘derived from a person,’ ‘derived in person,’ or ‘based on an in-person scan,’ whereas the definition of ‘biometric information’ does say that it is information ‘based on’ a biometric identifier.”); The Illinois General Assembly clearly sought to define the term “biometric identifier” with a great deal of specificity: the definition begins by identifying six particular types of biometric data that are covered by the term (i.e., retina or iris scans, fingerprints, voiceprints, scans of hand or face geometry); it then provides a long list of other specific types of biometric data that are excluded from the definition. If the legislature had intended a “scan of face geometry” to refer only to scans taken of an individual’s actual face, it is reasonable to think that it would have signalled this more explicitly.

https://www.courthousenews.com/wp-content/uploads/2017/09/Sh...

Interesting. My plaintext reading of the law interpreted "scan of face geometry" as a full 3D mapping (i.e. photographic plus infrared rangefinding), and I stand corrected on the intended reading of the text.

That is an argument which no one has tested in court yet. But it seems unlikely to succeed as the law doesn't specify any requirements on how “biometric identifiers” such as face geometry are collected. And indeed the courts appear disposed to allow the phrase to cover any extraction of face geometry data regardless of the technological means by which it is done.

> """ Biometric identifiers do not include writing samples, written signatures, photographs... """

BIPA specifically includes facial geometry scans obtained through photographs...so a photo on its own may not fall under BIPA, but once Google begins to obtain the facial geometry scans from the photos that is covered by BIPA.

Edit: the penalties are: For negligent violations, individuals can recover the greater of $1,000 or their actual losses. For reckless violations, the baseline award increases to $5,000. Seems to me at a minimum this is reckless if not intentional, and I should expect to see Google try to settle this before they get smacked with $5k penalty per violation times millions of (alleged) violations.