From the article (emphasis my own):
""" The suit alleges that Google is violating BIPA because it is “actively collecting, storing, and using—without providing notice, obtaining informed written consent or publishing data retention policies—the biometrics of millions of unwitting individuals whose faces appear in photographs uploaded to Google Photos in Illinois """
From the text of the BIPA law (again, emphasis my own):
""" Biometric identifiers do not include writing samples, written signatures, photographs... """
This interpretation of BIPA would seem to require complex written consent for every corner store running a security camera and every wedding photographer, which clearly isn't the intent of the law. Since the law explicitly carves out photographs, the use to which Google is putting the material in question should be irrelevant; it's explicitly excluded from this law's coverage.
> Shutterfly maintains that by excluding data derived from photographs from the definition of “biometric information,” the Illinois legislature intended to exclude from BIPA’s purview all biometric data obtained from photographs... As Shutterfly acknowledges, if biometric identifiers do not include information obtained from images or photographs, the definition’s reference to a “scan of face geometry” can mean only an in-person scan of a person’s face. Such a narrow reading of the term “biometric identifier” is problematic in many respects... The definition of ‘biometric identifier’ does not use words like ‘derived from a person,’ ‘derived in person,’ or ‘based on an in-person scan,’ whereas the definition of ‘biometric information’ does say that it is information ‘based on’ a biometric identifier.”); The Illinois General Assembly clearly sought to define the term “biometric identifier” with a great deal of specificity: the definition begins by identifying six particular types of biometric data that are covered by the term (i.e., retina or iris scans, fingerprints, voiceprints, scans of hand or face geometry); it then provides a long list of other specific types of biometric data that are excluded from the definition. If the legislature had intended a “scan of face geometry” to refer only to scans taken of an individual’s actual face, it is reasonable to think that it would have signalled this more explicitly.
https://www.courthousenews.com/wp-content/uploads/2017/09/Sh...
BIPA specifically includes facial geometry scans obtained through photographs...so a photo on its own may not fall under BIPA, but once Google begins to obtain the facial geometry scans from the photos that is covered by BIPA.
Edit: the penalties are: For negligent violations, individuals can recover the greater of $1,000 or their actual losses. For reckless violations, the baseline award increases to $5,000. Seems to me at a minimum this is reckless if not intentional, and I should expect to see Google try to settle this before they get smacked with a $5k penalty per violation times millions of (alleged) violations.
Unfortunately, as is often the case with technology, laws have not kept up with the latest developments, and likely will not in my country for several more decades. Welp.
When you use Google Photos, it is using that pre-trained model to determine the features of the faces it finds in your library and it builds a vector, which is just a long string of numbers (also known as a face template or feature vector) that represents each face. Through various machine learning techniques it is able to compare 2 vectors to see how alike those 2 faces are. If the confidence score it finds is higher than some predetermined threshold (say 70%), it is assumed they are the same person. Running these comparisons over and over through all the photo pairs, the software can group or cluster faces so that it knows all these photos have person 1 and these photos have person 2. Google never knows who those people are, unless you tag those images with a name.
The images in your camera roll aren't used for re-training the original model because Google doesn't know the ground truth about your photos. Google can guess that these 3 faces are the same, but it doesn't know for certain that they are, so they can't use that to retrain the model that would be used in the Photos app because they have no way to judge the accuracy.
Another interesting point is that the vector is also unique to the specific model that was used to create it. So, if in the future they do retrain the model, the vectors that had been created with previous models would be 100% incompatible with the new model and would need to be recreated from the source image.
Note: I have no inside knowledge of Google, but as the former CTO of a facial recognition company, I have a good idea how these systems work in general.
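An added illustration, not part of the comment above and not Google's code: a minimal sketch of the threshold-and-cluster step the comment describes, and of why templates from different model versions cannot be compared. It assumes cosine similarity as the confidence score and uses constructed four-dimensional vectors; the model names `v1` and `v2` are hypothetical.

```python
import math

THRESHOLD = 0.70  # assumption: the comment's "say 70%" applied to cosine similarity

# Constructed templates: (photo id, model version, feature vector). Real
# templates have hundreds of dimensions; four keep the arithmetic visible.
TEMPLATES = [
    ("IMG_001", "v1", [0.90, 0.10, 0.30, 0.20]),
    ("IMG_002", "v1", [0.80, 0.20, 0.35, 0.10]),
    ("IMG_003", "v1", [0.10, 0.90, 0.20, 0.40]),
    ("IMG_004", "v1", [0.20, 0.85, 0.10, 0.50]),
    ("IMG_005", "v1", [0.85, 0.05, 0.40, 0.15]),
]
# Constructed: IMG_001 re-embedded by a hypothetical retrained model "v2".
IMG_001_V2 = ("IMG_001", "v2", [-0.20, 0.30, -0.90, 0.10])

def cosine(a, b):
    """Cosine similarity of two equal-length vectors."""
    dot = sum(x * y for x, y in zip(a, b))
    return dot / (math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b)))

def same_person(t1, t2, threshold=THRESHOLD):
    """Compare two templates; refuse if they come from different models."""
    if t1[1] != t2[1]:
        raise ValueError("templates from different models are not comparable")
    return cosine(t1[2], t2[2]) >= threshold

def cluster(templates, threshold=THRESHOLD):
    """Greedy grouping: join the first cluster whose first member matches."""
    clusters = []
    for t in templates:
        for members in clusters:
            if same_person(members[0], t, threshold):
                members.append(t)
                break
        else:
            clusters.append([t])
    # Clusters are anonymous ("person 1", "person 2"): no names are involved.
    return [[photo for photo, _, _ in members] for members in clusters]

if __name__ == "__main__":
    for n, photos in enumerate(cluster(TEMPLATES), start=1):
        print(f"person {n}: {photos}")
    print("v1 vs v2, same photo:", round(cosine(TEMPLATES[0][2], IMG_001_V2[2]), 2))
```

The same photo scores far below the threshold across the two model versions, which is why stored templates have to be regenerated from the source images after a retrain.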
You can't do "celebrity" recognition from a generalized data set.
uCaptcha V3: “Click the people you know.”
It becomes really messy really fast. A law is established at some local level (local to a borough, state/canton, country); it will surely contradict laws from other places while overlapping with them.
From a very abstract view, companies will need to identify the person uploading the picture, the person in the picture, somehow determine which law to follow in the given circumstances (which depends on the context), determine if a consent exists at the correct local level for each person in the picture, then and only then they can train a model.
Normally, you don't have much expectation of privacy in public spaces. Generally, a photographer is free to take photos in public and use those photos as they see fit. Why is Google's use of your photo different than the photographer's use of the photo?
The law doesn't protect your image, it protects your biometric information.
To extend your flawed analogy, a photographer isn't allowed to take a gigapixel photograph of someone in public and then use the data from their fingerprints or iris to uniquely identify them.
This is a wrong assumption to make. What if the photos were clicked in my house? In a private gathering?
No; by default they (should) have no right to my personal data unless I explicitly opt in to it—and they shouldn't have a right to find me to ask me to use it, either.
(I read the law, and it appears to cover the person being photographed, if the photograph is taken in Illinois. So basically according to the law Google ought not build face models from photographs taken in Illinois, except of people who have consented.)
I wonder if in the broadest configuration (basically any configuration other than "consent of the user, who is a resident of Illinois"), this law would probably be struck down as an unconstitutional restraint on interstate commerce? I guess we'll see! Should be exciting.
The realistic alternative is having government agencies prosecute these sorts of cases. It's a very good alternative, and is used in most other countries. It's an odd confluence of factors that results in private class action litigation being more popular in the U.S. (From the left, trial lawyers are major supporters of Democrats. From the right, Republicans would rather have these class actions than new government agencies.)