Vimeo, the popular ad-free video platform, is facing a lawsuit that alleges it stored people’s facial biometrics without their consent or knowledge.
The lawsuit, which was filed on Sept. 20, claims Vimeo violated the Illinois Biometrics Information Privacy Act (BIPA). This is a law that imposes requirements on businesses that collect or otherwise obtain biometric information, including fingerprints, retina scans and facial recognition scans.
“In direct violation of the BIPA, Vimeo is actively collecting, storing and using—without providing notice, obtaining informed written consent or publishing data retention policies—the biometrics of thousands of unwitting individuals throughout the country whose faces appear in photographs and/or videos uploaded to the Magisto ‘smart video editor’ application in Illinois,” according to the lawsuit.
Vimeo did not immediately respond to a request for comment from Threatpost.
Vimeo’s Magisto application is a short-form video editing platform that was acquired by Vimeo in April 2019, boasting more than 100 million users when acquired. Users can upload videos and pictures to the Magisto platform, and it will then use artificial intelligence-based technology to analyze the footage in order to edit the video.
However, in order to perform this visual analysis, the platform has been collecting and storing thousands of “face templates” from users, the lawsuit alleges. These facial templates are “geometric data” of the face taken using facial recognition technology – such as the distance between eyes, nose and ears – which can then be used to store photos and videos for organizational purposes.
“Each face template that Vimeo extracts is unique to a particular individual, in the same way that a fingerprint or voiceprint uniquely identifies one and only one person,” according to the lawsuit.
The lawsuit was filed on behalf of the lead plaintiff, Illinois resident Bradley Acaley, who in December 2017 downloaded the Magisto app and purchased a one-year subscription to use the app’s Professional Service ($120). He then used the service to upload photos and videos of himself and his family (including his minor children) until December 2018, when his subscription expired and he did not renew it.
However, Acaley said he can now access the uploaded content and claimed that Vimeo is collecting and storing his and his family’s facial biometrics data – which he claimed was used to recognize his gender, race, age and location.
Acaley argued that Vimeo did not ask for his permission to collect unique biometric identifiers, and also did not give him an opportunity to prohibit the storage of such data.
The lawsuit seeks to prevent Vimeo from further violating the privacy rights of Magisto users, and to “recover statutory damages for Vimeo’s unauthorized collection, storage and use of these individuals’ biometrics in violation of the BIPA.”
The Illinois Biometrics Information Privacy Act
Vimeo is only the latest company to be dinged as part of the Illinois BIPA. Facebook is also wrapped up in an ongoing U.S. lawsuit, which alleges that the social-media giant illegally collected biometric data for millions of users without their consent, utilizing facial recognition technology.
Facial recognition is already actively used by police forces and even at the White House. And it’s not just the U.S; biometrics are spreading worldwide. The EU in April approved a massive biometrics database that combines data from law enforcement, border patrol and more for both EU and non-EU citizens.
The lawsuit also comes as concern around biometrics privacy continues to make the news, with biometrics security company Suprema and the U.S. Customs and Border Protection both recently suffering data-leak incidents.
What are the top cyber security issues associated with privileged account access and credential governance? Experts from Thycotic will discuss during our upcoming free Threatpost webinar, “Hackers and Security Pros: Where They Agree & Disagree When It Comes to Your Privileged Access Security.” Click here to register.