The proposed law comes as police departments around the country for their use of facial recognition to identify allegedly violent Black Lives Matter protesters.
A bill making its way through the U.S. Senate aims to extend nationwide some of the restrictions on the collection of facial-recognition information already imposed by an Illinois state law, as well as expand private citizens’ legal powers to sue companies that violate them.
The news comes as police departments across the country are coming under fire for using facial recognition to arrest allegedly violent Black Lives Matter (BLM) protesters after the protests were long over.
The National Biometric Information Privacy Act [PDF], introduced by Sens. Jeff Merkley (D-Ore.) and Bernie Sanders (D-Vt.), extends two tenets that already exist in the Illinois Biometric Information Privacy Act (BIPA): Limiting how people’s biometric data is collected and giving them rights to act in court against a company that fails to honor this protection.
The proposed national law would also require that a company acquires written consent before recording anyone’s biometric data, and provides both private citizens and state attorneys general to sue companies that violate these terms.
The move shows that lawmakers are continuing their quest to rein in facial-recognition technology in both law enforcement as well as its use by companies and businesses. The use of the technology has been especially controversial in the law-enforcement realm lately, with police departments in various cities nationwide reportedly using the technology to track down and arrest individuals who allegedly were violent during BLM protests.
NBC affiliate WTVJ reported that Miami police used Clearview AI to identify and arrest a woman for allegedly throwing a rock at a police officer; Columbia, S.C. police reportedly used it to arrest several protesters long after the event, according to local paper The State; Philadelphia P.D. use it to identify protestors from photos posted to Instagram, according to The Philadelphia Inquirer; and Gothamist reported that NYPD officers raided the apartment of someone who allegedly shouted in an officer’s ear during a protest, after identifying the person with facial recognition.
Biometric data that would fall under the jurisdiction of the proposed national law includes: A retina or iris scan; a voiceprint; a faceprint, including any derived from a photograph; fingerprints or palm prints; and “any other uniquely identifying information based on the characteristics of an individual’s gait or other immutable characteristic of an individual,” according to the bill.
The law makes a clear specification between people’s actual consent and an agreement that might be bundled into an employment contract or terms of service, so companies can’t slip in permissions to collect biometric information in the fine print.
“We can’t let companies scoop up or profit from people’s faces and fingerprints without their consent,” Merkley said in a press release. “We have to fight against a ‘big-brother’ surveillance state that eradicates our privacy and our control of our own information, be it a threat from the government or from private companies.”
To this end, the proposed law imposes restrictions on data collections by private companies in their retail locations and workplaces, and even into residential neighborhoods through use of the technology’s integration with home-security services such as Amazon Ring and Google Nest.
Merkley already was part of a push by federal lawmakers to ban the use of facial-recognition technology altogether by law enforcement nationwide through the Facial Recognition and Biometric Technology Moratorium Act, proposed by Merkley alongside fellow Democratic lawmakers Sen. Ed Markey (D-Mass.) and Reps. Pramila Jayapal (D-Wash.) and Ayanna Pressley (D-Mass.).
At the state level, the Illinois BIPA already has been successfully used in litigation. If the federal law passes, it’s likely that there will be many more of these cases, which could cost tech companies hundreds of millions of dollars, if early precedent is any indication of the future.
Facebook already had to shell out $550 million to settle a class-action suit filed under the BIPA concerning the social-media giant’s alleged scanning of facial biometrics without people’s consent when the company introduced its “tag suggestions” feature.
The American Civil Liberties Union (ACLU) also has used the Illinois law to sue New York-based startup Clearview AI for amassing a database of biometric face-identification data of billions of people and selling it to third parties without their consent or knowledge.
The pending case, filed in the Circuit Court of Cook County in Illinois on behalf of a number of organizations comprised of vulnerable communities, said Clearview violated the BIPA for collecting faceprints, or unique biometric identifiers similar to someone’s fingerprint or DNA profile, and then selling them to third parties.
It’s the age of remote working, and businesses are facing new and bigger cyber-risks – whether it’s collaboration platforms in the crosshairs, evolving insider threats or issues with locking down a much broader footprint. Find out how to address these new cybersecurity realities with our complimentary Threatpost eBook, 2020 in Security: Four Stories from the New Threat Landscape, presented in conjunction with Forcepoint. We redefine “secure” in a work-from-home world and offer compelling real-world best practices. Click here to download our eBook now.