State senator sought to weaken biometric privacy protections he had championed

The first attempt to change the now 10-year-old Biometric Information Privacy Act came as lawsuits were being filed by Illinois residents accusing Facebook of improperly using digital facial recognition in photo tagging. Associated Press

Democratic state Sen. Terry Link championed an Illinois law meant to guard people's data culled from biometric markers on social media.

Then he made what critics said was an attempt two years ago to weaken that law, considered by privacy groups to be the nation's strongest for safeguarding identifiers such as facial features, fingerprints and iris scans.

That issue still percolates in Springfield, with some business interests calling for changes and privacy advocates warning against them.

Link's effort to change the now 10-year-old Biometric Information Privacy Act came as lawsuits were being filed by Illinois residents accusing Facebook of improperly using digital facial recognition in photo tagging. He said he doesn't recall who asked him to introduce the changes -- other than knowing it wasn't Facebook -- and he dropped the idea because of a lack of support in the legislature.

Under the proposal Link withdrew after attracting immediate criticism in May 2016, digital photographs no longer would have been considered biometric information protected by the law. Democratic state Sen. Bill Cunningham of Chicago introduced a similar measure in April, but it appears stalled in the assignments committee.

Link, a Vernon Hills resident, said he has mixed emotions about amending the privacy law he pushed for in 2008 to address how technology has evolved since then.

In calling for changes, the Illinois Chamber of Commerce cites the law leading to worker lawsuits over employers' increased use of fingerprint scan technology.

Privacy advocates envision risks of commercial enterprises using facial recognition to track individuals as they walk down the street or through a store, not to mention the risk of data breaches.

"I am sure in the next session coming up we will be addressing issues of this matter, because it's not going to go away," said Link, who said he was unfamiliar with Cunningham's bill.

The Biometric Information Privacy Act requires businesses and other private entities to obtain consent from people before collecting or disclosing their biometric identifiers such as photographs and fingerprints. There must be secure storage of the biometric identifiers and parties may file lawsuits to hold businesses accountable if they believe they were harmed by violations of the law.

"It's one of these things that's very controversial," Link said. "It's hard to get consensus on it."

Adam Schwartz, a senior staff attorney on the civil liberties team at the San Francisco-based Electronic Frontier Foundation, said he has had concerns about potential changes in Illinois' biometric privacy law since Link's move in 2016.

Privacy groups consider Illinois' law the toughest in the country and don't want it weakened, Schwartz said. The Electronic Frontier Foundation, the ACLU of Illinois and other privacy organizations provided input for the Biometric Information Privacy Act before it became law and sent a letter to Link opposing any changes in 2016.

Schwartz said Facebook's failure to protect its users' data in the Cambridge Analytica scandal is an example of why the law should not exclude digital facial recognition use by private entities.

The New York Times and others reported in March that the GOP-funded Cambridge Analytica took private information from the Facebook profiles of more than 50 million users without their permission.

Use of digital images by Facebook is driving the Illinois lawsuits over the company's photo tagging feature.

"I think that people should have the right to decide whether or not they want other people doing facial recognition on them," Schwartz said.

However, Tyler Diers, director of legislative relations for the Illinois Chamber of Commerce, cited changing technology and how it's used in saying the organization backs changes in the privacy law because it has led to at least 110 lawsuits against businesses in the state since 2008. He said research shows the vast majority of the suits are against businesses that use fingerprints to track employees' time worked, not technology companies.

Under the latest changes to the Biometric Information Privacy Act introduced in April by Cunningham, it no longer would include facial recognition technology, biometrics such as fingerprints that businesses obtain from employees, or what stores capture about customers. He said employers need relief from being hit with the suits over the increased fingerprint scan use.

"I'll tell you this: We support opening the law," Diers said. "It's as old as the iPhone 3G."