What's Next: Facial Misidentification | Dose of Dystopia: Internet God Mode Edition
Apple is accused of using facial identification to nab the wrong guy, an issue that could raise additional issues in the wake of laws like BIPA.
May 08, 2019 at 07:30 AM
6 minute read
Welcome back for another week of What's Next, where we report on the intersection of law and technology. This week, we take a look at a lawsuit accusing Apple of using facial recognition to accuse the wrong person of shoplifting. Plus, questions are surfacing again over when the government tells companies about software exploits it's discovered. As always, thanks for reading.
➤➤ Would you like to receive What's Next as a weekly email? Sign up here.
Facing the Facts
The Illinois Supreme Court made waves earlier this year after ruling that a 14-year-old boy's rights were violated under Illinois' Biometric Information Privacy Act after Six Flags collected and stored his fingerprint for park access without prior required notice and release. Some attorneys thought the ruling might lead to a flood of biometric suits, and whether that actually comes to fruition remains to be seen. But where it might see its most immediate application is in an area of technology that a lot more companies are familiar with: facial recognition.
Last week, an 18-year-old New Yorker named Ousmane Bah sued Apple, alleging he was misidentified in a string of Apple store thefts. What's interesting, though, is that the suit alleges the misidentification occurred through facial recognition technology, as allegedly relayed to Bah by an NYPD officer. Apple claims it doesn't use this technology, but the mere mention of it should raise some eyebrows—especially in Illinois, where that aforementioned BIPA allows for a private cause of action for violations.
Mary Smigielski, a partner at Lewis Brisbois Bisgaard & Smith, told Legaltech News that “there's a great risk to using that technology in a state like Illinois.” The problem, she explained, is that violating the law can occur easily. “You only need a technical violation,” Smigielski said. “You don't need to have a data breach or have the information stolen, just the mere fact that you proceeded without having consent is violation.”
What it means for retailers in Illinois is that they must have that consent: Drinker Biddle & Reath partner Justin Kay suggested a readily available public policy explaining what the retailer is collecting, why it is collecting, consent to share it and “can't otherwise profit from it.” And even outside of Illinois, it may be a good idea to implement public notice of facial recognition policy where possible.
It's not just a legal issue, added Proskauer Rose partner Jeffrey Neuburger, but a public perception one: “I think it takes away some of the creepiness factor if people ultimately find out they are using facial recognition.” —Zach Warren
|
Dose of Dystopia: “Internet God Mode”
In the inaugural issue of this newsletter, we wrote about the “Vulnerabilities Equities Process,” an obscurely-named set of U.S. government policies and procedures that determine whether NSA hackers will tell companies about software exploits they've discovered—or keep them secret as tools to use against enemies. The key phrase there is “keep them secret.”
We already know from the “WannaCry” debacle that that doesn't always pan out as planned. Leaks by a group known as the Shadow Brokers in 2017 unleashed NSA weapons on systems around the world. Certain big tech companies (ahem, Microsoft) were none too happy to find out they had been kept in the dark. And now, on Monday, security firm Symantec revealed that the vulnerability underlying Wannacry was used in the wild even before the Shadow Brokers leak, raising new questions about the U.S. policy.
The so-called SMB vulnerability has been described as “Internet God mode,”giving an attacker access to the guts of the computer's system without the user having to click a link or do anything. Wired reporter Andy Greenberg explains the new findings in depth this week:
Symantec found that by March 2016, the SMB zero-day had been obtained by the Chinese BuckEye group, which was using it in a broad spying campaign. The BuckEye hackers seemed to have built their own hacking tool from the SMB vulnerability, and just as unexpectedly were using it on victim computers to install the same backdoor tool, called DoublePulsar, that the NSA had installed on its targets' machines. That suggests that the hackers hadn't merely chanced upon the same vulnerability in their research—what the security world calls a bug collision; they seemed to have somehow obtained parts of the NSA's toolkit.
Companies have faced legal scrutiny over shoddy device security. Surely, the types of advanced exploits in the hands of the NSA are of a different variety. Still, against that backdrop, this episode seems to present thorny questions of liability. If the computer systems of a bank—or a hospital—get severely compromised by a hack, what responsibility should the maker of the software hold? And how should that equation change if the government was holding the secret keys all along? —Ben Hancock
On the Radar:
Tweet Screening: Elon Musk's latest agreement with the U.S. Securities and Exchange Commission requires the chief executive officer get preapproval from securities counsel before tweeting about Tesla finances, but it's not yet clear who that lawyer is or if he or she has been selected. The agreement resolves SEC allegations that Musk breached an October 2018 settlement with the agency in February by tweeting inaccurate 2019 Tesla sales production estimates without running the post past his general counsel. Read more from Caroline Spiezio here.
Follow the Money: As rule makers and politicians continue to debate about whether to disclose third-party funding in multidistrict litigation, some federal judges have forged ahead in requiring plaintiffs lawyers to do just that. Judges in at least three cases have ordered such disclosures in the past year, in most cases as part of the process of appointing plaintiffs attorneys to leadership teams. Read more from Amanda Bronstad here.
Corporate Blockchain: Maryland now allows corporations to keep their records and transmit corporation communications through blockchain. Its Big Law drafter said the amendments should allow for quicker transactions and shareholder communication. Read more from Victoria Hudgins here.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllWhat's Next: Judge to Quash Twitter Subpoena | SCOTUS Won't Review Trial Ban
4 minute readTrending Stories
- 1The Law Firm Disrupted: Playing the Talent Game to Win
- 2GlaxoSmithKline Settles Most Zantac Lawsuits for $2.2B
- 3Preparing Your Law Firm for 2025: Smart Ways to Embrace AI & Other Technologies
- 4BD Settles Thousands of Bard Hernia Mesh Lawsuits
- 5Partner Cuts: The Grim Reality of Post-Merger Integration
Who Got The Work
Eleanor M. Lackman of Mitchell Silberberg & Knupp has entered an appearance for Canon, the Japanese camera maker, and the Brooklyn Nets in a pending trademark infringement lawsuit. The case, filed Sept. 16 in California Central District Court by T-Rex Law on behalf of technology company Phinge Corporation, pursues claims against the defendants for their ongoing use of the 'Netaverse' mark. The suit contends that the defendants' use of the mark in connection with a virtual reality platform will likely create consumer confusion. The case, assigned to U.S. District Judge Consuelo B. Marshall, is 2:24-cv-07917, Phinge Corporation v. Yankees Entertainment and Sports Network, LLC et al.
Who Got The Work
Fox Rothschild partner Glenn S. Grindlinger has entered an appearance for Garage Management Company in a pending lawsuit over alleged wage-and-hour violations. The case was filed Aug. 31 in New York Southern District Court by the Abdul Hassan Law Group on behalf of a manual worker who contends that he was not properly compensated for overtime hours worked. The case, assigned to U.S. District Judge Analisa Torres, is 1:24-cv-06610, Bailey v. Garage Management Company LLC.
Who Got The Work
Veronica M. Keithley of Stoel Rives has entered an appearance for Husky Terminal and Stevedoring LLC in a pending environmental lawsuit. The suit, filed Aug. 12 in Washington Western District Court by Kampmeier & Knutsen on behalf of Communities for a Healthy Bay, seeks to declare that the defendant has violated the Clean Water Act by releasing stormwater discharges on Puget Sound and Commencement Bay. The case, assigned to U.S. District Judge Benjamin H. Settle, is 3:24-cv-05662, Communities for a Healthy Bay v. Husky Terminal and Stevedoring LLC.
Who Got The Work
Caroline Pignatelli of Cooley has entered an appearance for Cooley, partner Matt Hallinan, retired partner Michael Tu and a pair of Cooley associates in a pending fraud lawsuit related to the firm's representation of startup company Carbon IQ and founder Benjamin Cantey. The case, filed Sept. 26 in New Jersey District Court by the DalCortivo Law Offices on behalf of Gould Ventures and member Jason Gould, contends that the defendants deliberately or recklessly concealed critical information from the plaintiffs regarding fraud allegations against Cantey. Gould claims that he would not have accepted a position on Carbon IQ's board of directors or made a 2022 investment in the company if the fraud allegations had been disclosed. The case, assigned to U.S. District Judge Robert Kirsch, is 3:24-cv-09485, Gould Ventures, LLC et al v. Cooley, LLP et al.
Who Got The Work
Attorneys from Skadden, Arps, Slate, Meagher & Flom have stepped in to represent PDD Holdings, the operator of online marketplaces Pinduoduo and Temu, in a pending securities class action. The case, filed Sept. 30 in New York Eastern District Court by Labaton Keller Sucharow and VanOverbeke, Michaud & Timmony, contends that the defendants concealed information that rendered the growth of PDD unsustainable and posed substantial risks to PDD’s business, including merchant policies that made it unprofitable for vendors to do business on PDD platforms; malware issues on PDD applications; and PDD’s failure to implement effective compliance systems. The case, assigned to U.S. District Judge Pamela K. Chen, is 1:24-cv-06881, Macomb County Retiree Health Care Fund v. Pdd Holdings Inc. et al.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250