A proposed class action lawsuit out of Illinois claims that International Business Machines Corporation—IBM—scanned millions of photos without permission in order to develop and train facial recognition software.
According to the case, Yahoo provided IBM with photographs from Flickr – once a Yahoo subsidiary – for use in its “diversity in faces” (DiF) dataset. IBM allegedly used these photographs to create highly detailed geometric maps of the subjects’ faces, known as “face templates” or “faceprints,” which the lawsuit claims the company then shared with third parties without authorization for the purpose of further developing its facial recognition technology.
The photos uploaded to Flickr and consequently shared with third parties included information on who created the photo, the camera that took the picture, the time it was taken and uploaded, and the potential location of the image, according to the case. The lawsuit says that in processing the photos to be used in its dataset, IBM also extracted the “pose and 68 key-points” for each image, including measurements on the distances between an individual’s eyes, ears, nose, mouth and chin and predictors for age and gender. Flickr users who uploaded photos to the platform, as well as individuals who appear in those photos, “had no idea” IBM would acquire or use the pictures for its own purposes, the suit argues.
Illinois’ Biometric Information Privacy Act (BIPA) was enacted in order to protect consumers’ biometric data given biometric identifiers such as fingerprints and facial geometries are a permanent, unique part of an individual that cannot be changed if stolen or otherwise compromised, the case states. The BIPA, the lawsuit explains, restricts the collection, storage and disclosure of biometric identifiers, and requires companies to:
Inform consumers in writing that biometric information is being collected and stored;
Inform consumers of the specific length and purpose for which biometric information will be stored and used;
Provide a written retention schedule and guidelines for the permanent destruction of biometric identifiers; and
Receive a written release from the person whose biometrics are being collected.
The complaint contends that the defendant violated the BIPA in that IBM never provided subjects of the photos in its dataset with mandatory notification that their biometrics would be collected, stored and disclosed. Furthermore, the case claims that neither the people in the photos nor the photographers provided consent for IBM to use their pictures in any way.
According to the suit, IBM’s practice of scanning photos without permission is used frequently among facial recognition software developers. From the complaint:
“To satisfy the ever growing demand for myriad high-resolution images of faces, unchecked companies have begun turning to the internet, where photographs are sometimes taken without the photographer’s or subject’s knowledge or consent. This has been called the ‘dirty little secret’ of AI training sets. Researchers often just grab whatever images they can find ‘in the wild.’”
The lawsuit looks to represent all Illinois citizens whose biometric identifiers, including facial geometry scans, were collected by IBM from photos in its DiF dataset. The suit requests damages in the amount of $1,000 for each negligent BIPA violation committed against its class and $5,000 for each intentional or reckless offense.