Attorney General Mark Brnovich

Attorney General Mark Brnovich

A new federal court ruling — coupled with a provision in the state constitution — could give Arizonans new legal protections against the use of software by private firms that captures and stores facial images.

The ruling came in a lawsuit that some Illinois residents filed against Facebook for invasion of privacy.

They claim the company’s practice of scanning uploaded photos to match against those already in its database violates that state’s laws against the collection of anyone’s biometric information by a private company without written consent.

The 9th Circuit Court of Appeals earlier this month rejected a bid by Facebook to have the case thrown out.

In a sometimes strongly worded opinion, the judges said there is reason to believe that such practices are an invasion of privacy rights and that such an invasion can be considered a harm victims can litigate.

Arizona does not have a similar law.

But Attorney General Mark Brnovich pointed out  Arizona has a specific right to privacy in the state constitution.

And if that isn’t enough, Brnovich said state lawmakers should take action to enact a specific statute spelling out what private companies can — and cannot — do with someone’s biometric information, similar to what exists in Illinois.

House Speaker Rusty Bowers, R-Mesa, tried to do that earlier this year with legislation to restrict putting biometric information into a database for commercial purposes and generally prohibiting that information from being sold, leased or disclosed for commercial purposes without consent.

But Bowers yanked the measure from consideration before it got to the House floor “to give stakeholders more time to improve it.’’

Brnovich told Capitol Media Services much is at stake.

“We’re talking about facial recognition, voice recognition, the way you walk, your mannerisms, maybe when it starts coming down to issues like DNA and blood information,’’ he said. “And that’s the kind of stuff that, if it’s compromised or stolen, you can never get back.’’

For example, Brnovich said, if credit card information is stolen, the user can cancel the card and get a new one.

“But if someone steals the information on my voice or voice identity, my facial patterns and stuff, that’s something that I can’t change,’’ he said. “And that’s something that’s lost forever.’’

That’s exactly the logic used by Judge Sandra Ikuta in writing the unanimous opinion for the 9th Circuit in allowing the lawsuit against Facebook.

“Biometric data are biologically unique to the individual,’’ Ikuta wrote. “Once compromised, the individual has no recourse, is at a heightened risk for identify theft and is likely to withdraw from biometric-facilitated transactions.’’

Brnovich said the possible harms go far beyond that.

He said that once someone has digitized a person’s face, voice and mannerisms, it’s a small step to use artificial intelligence to create an image that mimics someone’s behaviors and patterns.

“There’s something really creepy about that,’’ he said.

According to court records, the specific issue here involves Facebook practice to analyze uploaded pictures to see if they contain faces.