Case: 1:20-cv-00577 Document #: 19 Filed: 03/12/20 Page 1 of 29 PageID #:113
`
`IN THE UNITED STATES DISTRICT COURT
`FOR THE NORTHERN DISTRICT OF ILLINOIS
`EASTERN DIVISION
`
`STEVEN VANCE and TIM JANECYK, for
`themselves and others similarly situated,
`
`
`
`
`
`
`
`Plaintiffs,
`
`
`
`
`
`v.
`
`
`
`INTERNATIONAL BUSINESS MACHINES
`CORPORATION,
`
`
`
`
`
`Defendant.
`
`
`)
`Case No. 20 C 577
`)
`
`)
`Judge Charles P. Kocoras
`)
`
`)
`Magistrate Judge Gabriel A. Fuentes
`)
`
`)
`SECOND AMENDED
`)
`CLASS ACTION COMPLAINT
`)
`
`)
`JURY TRIAL DEMANDED
`)
`
`)
`INJUNCTIVE RELIEF DEMANDED
`)
`
`
`SECOND AMENDED CLASS ACTION COMPLAINT
`
`
`
`
`
`
`
`
`
`
`
`Plaintiffs STEVEN VANCE and TIM JANECYK, on behalf of themselves and all other
`
`similarly situated individuals (“Plaintiffs”), by and through their respective attorneys, bring this
`
`Second Amended Class Action Complaint against Defendant INTERNATIONAL BUSINESS
`
`MACHINES CORPORATION (“IBM”) and allege the following:
`
`INTRODUCTION
`
`1.
`
`Every individual has unique biometric identifiers by which he or she can be
`
`identified. One such biometric identifier is a person’s facial geometry.
`
`2.
`
`As the Illinois General Assembly has found: “[b]iometrics are unlike other unique
`
`identifiers that are used to access finances or other sensitive information. For example, social
`
`security numbers, when compromised, can be changed. Biometrics, however, are biologically
`
`unique to the individual; therefore, once compromised, the individual has no recourse, is at
`
`heightened risk for identity theft, and is likely to withdraw from biometric-facilitated transactions.”
`
`740 ILCS § 14/5(c).
`
`
`
`1
`
`

`

`Case: 1:20-cv-00577 Document #: 19 Filed: 03/12/20 Page 2 of 29 PageID #:114
`
`3.
`
`Pursuant to Illinois’ Biometric Information Privacy Act (“BIPA”), 740 ILCS §14/1,
`
`et seq., Illinois prohibits among other things, private entities from collecting, capturing, obtaining,
`
`disclosing, redisclosing, disseminating or profiting from the biometric identifiers or information
`
`of an individual without providing written notice and without obtaining a written release from the
`
`impacted individual or his authorized representative. BIPA also requires private entities in
`
`possession of biometric identifiers to adopt retention and destruction policies and to take measures
`
`to prevent the release of that information.
`
`4.
`
`In violation of BIPA, at relevant times, Defendant IBM, a multinational technology
`
`company headquartered in the State of New York, collected, captured, obtained, disclosed,
`
`redisclosed, disseminated and profited from the facial geometric scans of thousands of Illinois
`
`citizens in violation of BIPA’s requirements. Specifically, using a set of images from the photo-
`
`sharing service Flickr, IBM collected, captured and otherwise obtained facial geometric scans of
`
`individuals depicted in approximately one million photos and built a database containing each of
`
`the scanned individuals’ unique “craniofacial measurements.” IBM then, among other things,
`
`disclosed, redisclosed and otherwise disseminated to third parties the biometric identifiers and
`
`information in the database in order to profit. IBM possessed the biometric identifiers and
`
`information without having adopted or made public any policy, written or otherwise, to govern the
`
`retention and destruction of thereof.
`
`5.
`
`Defendant IBM engaged in the above-described conduct: (a) without informing the
`
`impacted individuals, including Plaintiffs and members of the proposed class (the “Class
`
`Members”), that their biometric identifiers were being collected, captured, obtained, disclosed,
`
`redisclosed and otherwise disseminated; (b) without informing the impacted individuals in writing
`
`of the purpose of the collection, capture, obtainment, disclosure, redisclosure and dissemination of
`
`
`
`2
`
`

`

`Case: 1:20-cv-00577 Document #: 19 Filed: 03/12/20 Page 3 of 29 PageID #:115
`
`the biometric identifiers and information; and (c) without seeking and obtaining written releases
`
`from such impacted individuals or their authorized representatives.
`
`6.
`
`In violation of BIPA, Defendant IBM also profited from its unlawful use of the
`
`biometric identifiers and information of Plaintiffs and Class Members. On information and belief,
`
`IBM used the biometric identifiers and information of Plaintiffs and Class Members to improve
`
`the accuracy of its own facial recognition products and to cement its market-leading position in
`
`artificial intelligence. From 2016 to 2018, IBM derived more revenue from artificial intelligence
`
`than any other company in the world. In 2018 alone, IBM’s revenue from artificial intelligence
`
`products totaled more than $2.5 billion. Those products include IBM Watson Visual Recognition,
`
`which IBM clients can use to estimate the age and gender of people depicted in images and, in
`
`some instances, identify specific individuals. IBM owns the intellectual property developed by its
`
`researchers and will not disclose the data sets used to train its Watson products.
`
`7.
`
`As the Illinois General Assembly has found and the Illinois Supreme Court has
`
`confirmed, the harm to Plaintiffs and Class Members as a result of the BIPA violations alleged
`
`herein has already occurred.
`
`8.
`
`Further, as businesses worldwide compete to develop ever more advanced facial
`
`recognition technology, the race for data imperils the privacy of individuals everywhere. Public
`
`policy in Illinois provides that given the risks of unwanted data collection and disclosure, its
`
`citizens need the power to make decisions about the fate of their unique biometric identifiers and
`
`information. Defendant IBM’s actions robbed Plaintiffs and Class Members of that power.
`
`9.
`
`Moreover, as a direct result of Defendant IBM’s actions, each individualized scan
`
`of a person’s facial geometry can be tied back to the Flickr account to which an originating photo
`
`was posted. This, in turn, made and continues to make it possible for third parties to connect the
`
`
`
`3
`
`

`

`Case: 1:20-cv-00577 Document #: 19 Filed: 03/12/20 Page 4 of 29 PageID #:116
`
`biometric identifiers and information of Plaintiffs and Class Members that have been collected,
`
`captured, and otherwise obtained to other photos in which Plaintiffs, a member of the Class and/or
`
`others appear, subjecting Plaintiffs and Class Members to increased surveillance, stalking, identity
`
`theft, social engineering (a type of hacking technique) and other invasions of privacy and fraud.
`
`Moreover, as a direct result of IBM’s actions, Plaintiffs’ and Class Members’ biometric identifiers
`
`and information are no longer under their control and are available to a potentially unlimited range
`
`of unknown individuals for whatever uses they please. These injuries, which are imminent and
`
`clearly impending, are in addition to the injuries Plaintiffs and Class Members have already
`
`sustained as a result of IBM’s actions.
`
`10.
`
`Plaintiffs bring this Second Amended Class Action Complaint seeking: (a) statutory
`
`damages of $5,000 per BIPA violation, or, alternatively, if Defendant IBM acted negligently,
`
`$1,000 per BIPA violation, along with attorneys’ fees and costs; (b) disgorgement of IBM’s ill-
`
`gotten gains derived from the use of the unlawfully-acquired data; and (c) an injunction (i) barring
`
`Defendant IBM from any further use of individuals’ biometric identifiers and information; (ii)
`
`barring IBM from continuing to collect, capture, obtain, disclose, redisclose, disseminate and profit
`
`from Plaintiffs’ and Class Members’ biometric identifiers and information; (iii) requiring IBM to
`
`delete and destroy all biometric identifiers and information in its possession, custody and control;
`
`and (iv) requiring IBM to claw back the biometric identifiers and information from any third
`
`parties to whom IBM disclosed, redisclosed and disseminated it.
`
`PARTIES
`
`11.
`
`At relevant times, Plaintiff STEVEN VANCE was – and remains – an Illinois
`
`resident. Defendant IBM performed facial geometric scans of Plaintiff Vance from photos
`
`Plaintiff Vance had uploaded to Flickr.
`
`
`
`4
`
`

`

`Case: 1:20-cv-00577 Document #: 19 Filed: 03/12/20 Page 5 of 29 PageID #:117
`
`12.
`
`At relevant times, Plaintiff TIM JANECYK was – and remains – an Illinois
`
`resident. Defendant IBM performed facial geometric scans of Plaintiff Janecyk from photos
`
`Plaintiff Janecyk had uploaded to Flickr.
`
`13.
`
`Defendant IBM is a New York corporation with its corporate headquarters in
`
`Armonk, New York and a regional headquarters in Chicago, Illinois. IBM has a registered agent
`
`in Illinois.
`
`JURISDICTION AND VENUE
`
`14.
`
`This Court has jurisdiction pursuant to 28 U.S.C. § 1332(d)(2) (the “Class Action
`
`Fairness Act”) because sufficient diversity of citizenship exists between the parties in this action,
`
`the aggregate amount in controversy exceeds $5,000,000, exclusive of interests and costs, and
`
`there are 100 or more members of the Class. Because it is estimated that the Class will have
`
`thousands of members and Defendant IBM’s intentional and reckless violations of BIPA are
`
`punishable by statutory damages of $5,000 per violation, the amount in controversy is well in
`
`excess of $5,000,000. This Court has supplemental jurisdiction over the state law claims pursuant
`
`to 28 U.S.C. § 1367.
`
`15.
`
`This Court has personal jurisdiction over Defendant IBM because IBM used and
`
`disseminated data derived directly from Illinois-based Flickr accounts and exposed residents of
`
`Illinois to ongoing privacy risks within Illinois based on the collection, capture, obtainment,
`
`disclosure, redisclosure and dissemination of their biometric identifiers and information.
`
`Furthermore, many of the photographs IBM used for its unlawful collection, capture and
`
`obtainment of biometric identifiers and information were created in Illinois, uploaded from
`
`Illinois, and/or managed via Illinois-based user accounts, computers, and mobile devices. Because
`
`of the scope and magnitude of IBM’s conduct, which included identifying the location of the
`
`
`
`5
`
`

`

`Case: 1:20-cv-00577 Document #: 19 Filed: 03/12/20 Page 6 of 29 PageID #:118
`
`subjects in a large percentage of affected photographs, IBM knew that its collection, capture,
`
`obtainment, disclosure, redisclosure and dissemination of impacted individuals’ biometric
`
`identifiers and information would injure Illinois residents and citizens. IBM knew or had reason
`
`to know that collecting, capturing, obtaining, disclosing, redisclosing and disseminating Illinois
`
`citizens’ and residents’ biometric identifiers and information without providing the requisite notice
`
`or obtaining the requisite releases would deprive Illinois citizens and residents of their statutorily-
`
`protected privacy rights, neutralize Illinois citizens’ and residents’ ability to control access to their
`
`biometric identifiers and information via their Illinois-managed devices, expose Illinois citizens
`
`and residents to potential surveillance and other privacy harms as they went about their lives within
`
`the state, and impair Plaintiffs’ ability to continuing posting pictures of themselves and other
`
`Illinois residents to Flickr and other social media or image hosting platforms. IBM also has had a
`
`large and continuous presence in Illinois for many years, including a regional headquarters and, at
`
`least, hundreds of employees. Some of those Illinois employees work on IBM's visual recognition
`
`products that IBM, on information and belief, has been able to develop and improve due in part to
`
`its unlawful use of Plaintiffs’ and Class Members’ biometric information and identifiers. As part
`
`of its extensive business activities in Illinois, IBM also promotes its visual recognition products
`
`— on information and belief, developed in part from the unlawful use of Plaintiffs’ and Class
`
`Members’ biometric identifiers and information — to current and potential customers within the
`
`state.
`
`16.
`
`Venue is proper under 28 U.S.C. § 1391(b)(2) because a substantial part of the acts
`
`or omissions giving rise to the claims alleged herein occurred in Illinois. Alternatively, venue is
`
`proper under 28 U.S.C. § 1391(b)(3) because this Court has personal jurisdiction over Defendant
`
`IBM.
`
`
`
`6
`
`

`

`Case: 1:20-cv-00577 Document #: 19 Filed: 03/12/20 Page 7 of 29 PageID #:119
`
`ILLINIOIS BIOMETRIC PRIVACY LAWS
`
`BIPA seeks to safeguard individuals’ biometric identifiers and information.
`
`Biometric identifiers include a scan of an individual’s face geometry. 740 ILCS §
`
`17.
`
`18.
`
`14/10.
`
`19.
`
`Biometric information is “any information . . . based on an individual’s biometric
`
`identifier used to identify an individual.” 740 ILCS § 14/10.
`
`20.
`
`Pursuant to BIPA, a private entity, such as Defendant IBM, is among other things:
`
`(a) prohibited from collecting, capturing or otherwise obtaining an individual’s biometric
`
`identifiers and information without providing written notice and obtaining a written release; (b)
`
`prohibited from selling, leasing, trading or otherwise profiting from an individual’s biometric
`
`identifiers and information; (c) prohibited from disclosing, redisclosing or otherwise disseminating
`
`an individual’s biometric identifiers or information in the absence of circumstances specifically
`
`set forth in the statute; and (d) required, to the extent it is in possession of biometric identifiers or
`
`information, to develop a written policy, made available to the public, that establishes a retention
`
`schedule and guidelines for permanently destroying such identifiers and information. 740 ILCS §
`
`14/15.
`
`21.
`
`BIPA provides for a private right of action and allows a prevailing party to recover
`
`liquidated damages in the amount of: (a) $1,000 or actual damages, whichever is greater, for
`
`negligent violations of its provisions; and (b) $5,000 or actual damages, whichever is greater, for
`
`intentional or reckless violations of its provisions. 740 ILCS § 14/20. BIPA also allows for the
`
`recovery of attorneys’ fees and costs and injunctive relief. 740 ILCS § 14/20.
`
`
`
`
`
`
`
`7
`
`

`

`Case: 1:20-cv-00577 Document #: 19 Filed: 03/12/20 Page 8 of 29 PageID #:120
`
`I.
`
`Allegations Related to Plaintiff Vance
`
`ALLEGATIONS
`
`22.
`
`23.
`
`Plaintiff Vance has been a member of Flickr since 2006.
`
`In or about 2008, Plaintiff Vance uploaded a photo of himself and two family
`
`members to Flickr from his computer in Illinois (the “2008 Photo”). Plaintiff Vance uploaded
`
`numerous other photos to Flickr.
`
`24.
`
`Flickr and its parent company – Yahoo! – subsequently made the 2008 Photo,
`
`among millions of other photos, available to Defendant IBM, among others.
`
`25.
`
`Defendant IBM subsequently collected, captured and otherwise obtained biometric
`
`identifiers and information of individuals, including Plaintiff Vance, in sixty-one of Plaintiff
`
`Vance’s photos, including the 2008 Photo. IBM then disclosed, redisclosed, disseminated and
`
`profited from Plaintiff Vance’s biometric identifiers and information.
`
`26.
`
`Defendant IBM: (a) never advised Plaintiff Vance in writing or otherwise that it
`
`was performing scans of his facial geometry; (b) never informed Plaintiff Vance in writing or
`
`otherwise of the purpose for which it was collecting, capturing, obtaining, disclosing, redisclosing
`
`and disseminating Plaintiff Vance’s biometric identifiers and information; and (c) never sought,
`
`nor received, a written release from Plaintiff Vance or his authorized representative that allowed
`
`IBM to collect, capture, obtain, disclose, redisclose and disseminate Plaintiff Vance’s biometric
`
`identifiers and information.
`
`27.
`
`As alleged above, Defendant IBM’s conduct has injured Plaintiff Vance and
`
`subjected him to additional imminent and certainly impending injuries.
`
`
`
`
`
`
`
`8
`
`

`

`Case: 1:20-cv-00577 Document #: 19 Filed: 03/12/20 Page 9 of 29 PageID #:121
`
`II.
`
`Allegations Related to Plaintiff Janecyk
`
`28.
`
`Plaintiff Janecyk is an accomplished photographer, having focused his work in
`
`portraiture and street life photography. Plaintiff Janecyk has pioneered a certain style of portraiture
`
`that involves taking extreme close-ups of faces, often placing a wide-angle lens less about twelve
`
`inches from the subject’s face. Plaintiff Janecyk has taken many thousands of such photographs,
`
`and has taught several related photography classes.
`
`29. Many of Plaintiff Janecyk’s subjects include strangers Plaintiff Janecyk approaches
`
`on the streets in and near Chicago. While introducing himself to individuals, Plaintiff Janecyk
`
`often assures them that he is taking their photographs as a hobbyist, that their photographs will not
`
`be used by other parties, and that he is not using them for a commercial purpose. Plaintiff Janecyk
`
`must sometimes invest time into building a relationship of trust before subjects will allow
`
`photographs— for instance, Plaintiff Janecyk has spent several days building relationships with
`
`weary subjects at rallies and other sensitive events.
`
`30.
`
`In 2008, Plaintiff Janecyk signed up for a Flickr account in the Village of Tinley
`
`Park, Illinois, and has since then uploaded in excess of a thousand of his photographs to Flickr.
`
`Among those photos is a 2011 photo depicting Plaintiff Janecyk’s own face (“2011 Photo”).
`
`31.
`
`Flickr and its parent company – Yahoo! – subsequently made the 2011 Photo,
`
`among millions of other photos, available to Defendant IBM, among others.
`
`32.
`
`Defendant IBM subsequently collected, captured and otherwise obtained biometric
`
`identifiers and information of individuals, including Plaintiff Janecyk, in seven of Plaintiff
`
`Jannecyk’s photos, including the 2011 Photo. IBM then disclosed, redisclosed, disseminated and
`
`profited from Plaintiff Janceyk’s biometric identifiers and information.
`
`
`
`9
`
`

`

`Case: 1:20-cv-00577 Document #: 19 Filed: 03/12/20 Page 10 of 29 PageID #:122
`
`33.
`
`As is the case for all Plaintiffs and Class Members, IBM has, upon information and
`
`belief, captured biometrics from Plaintiff Janecyk’s photographs appearing in the dataset —
`
`including the 2011 Photo — by automatically locating and scanning Plaintiff Janecyk’s face, and
`
`by extracting geometric data relating to the contours of his face and the distances between his eyes,
`
`nose, and ears – data which IBM then used to create a unique template of Plaintiff Janecyk’s face,
`
`as set forth more fully below.
`
`34.
`
`The resulting unique face template was: (a) used by Defendant IBM for research
`
`purposes and to develop its facial recognition technology; and (b) disseminated by IBM to third
`
`parties.
`
`35.
`
`Plaintiff Janecyk’s face template was also used to recognize his gender, age, and
`
`race.
`
`36.
`
`Plaintiff Janecyk never consented, agreed, or gave permission – written or
`
`otherwise – to Defendant IBM for the collection or storage of his unique biometric identifiers or
`
`biometric information. Plaintiff Janecyk had no idea IBM was ever in possession of any of his
`
`photographs.
`
`37.
`
`Further, Defendant IBM never provided Plaintiff Janecyk with, nor did Plaintiff
`
`Janecyk ever sign, a written release allowing IBM to collect or store his unique biometric
`
`identifiers or biometric information.
`
`38.
`
`Likewise, Defendant IBM never provided Plaintiff Janecyk with an opportunity to
`
`prohibit or prevent the collection, storage, use, or dissemination of his unique biometric identifiers
`
`or biometric information.
`
`39.
`
`Nevertheless, Defendant IBM took copies of Plaintiff Janecyk’s photographs,
`
`located Plaintiff Janecyk’s face in the photos, scanned Plaintiff Janecyk’s facial geometry, created
`
`
`
`10
`
`

`

`Case: 1:20-cv-00577 Document #: 19 Filed: 03/12/20 Page 11 of 29 PageID #:123
`
`a unique face template corresponding to Plaintiff Janecyk, and shared the biometric data with third
`
`parties, all in direct violation of BIPA.
`
`III. Defendant IBM’s Unlawful Conduct
`
`40.
`
`In 2014, Yahoo!, then the parent company of Flickr, released to the public over 99
`
`million photos uploaded by Flickr users from 2004 through 2014 as part of a single, downloadable
`
`dataset called YFCC100M (“Flickr Dataset”). Each image in the Flickr Dataset – identified via a
`
`URL – came with information that could connect the image back to the Flickr account with which
`
`the photo was affiliated. For many photos, the dataset also contained geographic information
`
`regarding where the photo was taken, as well as “tags” that provided further information about the
`
`photos’ subjects.
`
`41.
`
`The photographs Yahoo took to create the Flickr Dataset were taken from Flickr
`
`users without their knowledge or express consent, and were made publicly available to entities
`
`such as IBM.
`
`42.
`
`Images of Plaintiffs’ and Class Members’ faces were among the photos in the Flickr
`
`Dataset.
`
`43.
`
`In or about January 2019, after the Flickr Dataset was made available, Defendant
`
`IBM created its own dataset (the “IBM Dataset”) from a subset of the Flickr Dataset. The IBM
`
`Dataset consisted of approximately one million frontal-facing images of human faces – including
`
`Plaintiffs’ and Class Members’ faces – that were clear enough to permit further analysis.
`
`44.
`
`After culling the photographs to be used in its IBM Dataset, Defendant IBM
`
`processed the photographs to capture the biometrics of the faces appearing therein. Specifically,
`
`for every detected face it extracted 68 key-points and processed each one by extracting at least ten
`
`facial coding schemes, including: (b) Craniofacial Distances (which characterize all the vertical
`
`
`
`11
`
`

`

`Case: 1:20-cv-00577 Document #: 19 Filed: 03/12/20 Page 12 of 29 PageID #:124
`
`distances between elements in a face: the top of the forehead, the eyes, the nose, the mouth, and
`
`the chin); (b) Craniofacial Areas (measures corresponding to different areas of the cranium, such
`
`as eye fissures and lips); (c) Craniofacial Ratios; (d) Facial Symmetry; (e) Facial Regions Contrast;
`
`(f) Skin Color; (g) Age Prediction; (h) Gender Prediction; (i) Subjective Annotation; and (j) Pose
`
`and Resolution.
`
`45.
`
`The below figure illustrates the data points Defendant IBM employed as the basis
`
`for its extraction of class members’ craniofacial measures for the first three coding schemes, supra.
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`46.
`
`By doing so, Defendant IBM collected, captured, and obtained Plaintiffs’ and Class
`
`Members’ biometric identifiers and information in violation of BIPA. In further violation of BIPA,
`
`IBM engaged in the conduct described herein without providing the requisite notice to, or
`
`obtaining the requisite releases from, the subjects of the photos or their authorized representatives,
`
`including Plaintiffs and Class Members.
`
`
`
`12
`
`

`

`Case: 1:20-cv-00577 Document #: 19 Filed: 03/12/20 Page 13 of 29 PageID #:125
`
`47.
`
`In 2019, Defendant IBM began disclosing, redisclosing and otherwise
`
`disseminating its own “Diversity in Faces” dataset (the “DiF Dataset”) to third-party researchers
`
`and private entities. The DiF Dataset included the approximately one million images of faces
`
`contained in the IBM Dataset — again, including images of Plaintiffs’ and Class Members’ faces
`
`— along with the biometric identifiers and information of the subjects whose faces appeared in
`
`the photos, such as a “comprehensive set of annotations of intrinsic facial features that includes
`
`craniofacial distances, areas and ratios, facial symmetry and contrast, [and] skin color.”
`
`48.
`
`Each image in the DiF Dataset could be traced back to the individual Flickr account
`
`to which it was originally uploaded.
`
`49.
`
`In collecting, capturing and otherwise obtaining the biometric identifiers and
`
`information of Plaintiffs and Class Members and, subsequently, disclosing, redisclosing and
`
`otherwise disseminating those biometric identifiers and information – all without providing the
`
`requisite notice, obtaining the requisite releases or satisfying any of BIPA’s other provisions that
`
`would excuse it from BIPA’s mandates – Defendant IBM violated BIPA.
`
`50.
`
`In further violation of BIPA, Defendant IBM failed to use a reasonable standard of
`
`care to protect Plaintiffs’ and Class Members’ biometric identifiers and information from
`
`disclosure and, in fact, affirmatively disclosed their biometric identifiers and information.
`
`51.
`
`In further violation of BIPA, as a private entity in possession of Plaintiffs’ and Class
`
`Members’ biometric identifiers and information, Defendant IBM failed to adopt or make available
`
`to the public a retention schedule or guidelines for permanently destroying such biometric
`
`identifiers and information once the initial purpose for collecting them had or has been satisfied.
`
`52.
`
`In further violation of BIPA, Defendant IBM profited from the biometric identifiers
`
`and information of Plaintiffs and Class Members. For instance, IBM profited from its unlawful
`
`
`
`13
`
`

`

`Case: 1:20-cv-00577 Document #: 19 Filed: 03/12/20 Page 14 of 29 PageID #:126
`
`collection, disclosure, redisclosure and dissemination of Plaintiffs’ and Class Members’ biometric
`
`data by, among other things, developing and improving its own for-profit facial recognition
`
`technology using the insights gleaned from the biometric identifiers and information and the
`
`algorithms trained on it, allowing IBM to: (a) sell more of its facial-recognition products to
`
`customers; (b) become a market leader in facial-recognition technology; and (c) burnish its brand
`
`reputation as a leader in the field.
`
`53.
`
`Defendant IBM’s violations of BIPA were intentional and reckless or, in the
`
`alternative, negligent.
`
`III.
`
`Plaintiffs’ and Class Members’ Injuries and Damages
`
`54.
`
`As alleged herein, as a result of Defendant IBM’s unlawful conduct, Plaintiffs and
`
`Class Members have already sustained injuries and face many more imminent and certainly
`
`impending injuries, which injuries they will continue to suffer.
`
`55.
`
`Defendant IBM’s unlawful conduct has resulted in, among other things: (a)
`
`Plaintiffs’ and Class Members’ unique biometric identifiers and information being collected,
`
`captured, obtained, disclosed, redisclosed, and otherwise disseminated without the requisite notice
`
`having been given and without the requisite releases having been obtained; and (b) Plaintiffs and
`
`Class Members being deprived of the very control over their biometric identifiers and information
`
`that BIPA was designed to protect.
`
`56.
`
`To this day, Plaintiffs and Class Members do not know which, or how many,
`
`individuals or entities have received, obtained, accessed, stored, disclosed, redisclosed or
`
`otherwise made use of Plaintiffs’ and Class Members’ biometric identifiers and information,
`
`
`
`14
`
`

`

`Case: 1:20-cv-00577 Document #: 19 Filed: 03/12/20 Page 15 of 29 PageID #:127
`
`exposing them to the imminent and certainly impending injuries of identity theft, fraud, stalking,
`
`surveillance, social engineering and other invasions of privacy.1
`
`57.
`
`As a result of Defendant IBM’s misconduct, Plaintiffs and Class Members have no
`
`recourse for the fact that their biologically unique information has been compromised. Moreover,
`
`Plaintiffs and Class Members are likely to withdraw from biometric-facilitated transactions and
`
`other facially-mediated electronic participation.
`
`CLASS ACTION ALLEGATIONS
`
`58.
`
`Plaintiffs brings this action on behalf of himself and as a class action under Federal
`
`Rule of Civil Procedure 23, seeking damages and equitable relief on behalf of the following Class
`
`for which Plaintiffs seek certification: All Illinois residents whose faces appear in the IBM Dataset
`
`and/or DiF Dataset.
`
`59.
`
`Excluded from the Class are: (a) Defendant IBM; (b) any parent, affiliate or
`
`subsidiary of Defendant IBM; (c) any entity in which Defendant IBM has a controlling interest;
`
`(d) any of Defendant IBM’s officers or directors; or (e) any successor or assign of Defendant IBM.
`
`Also excluded are any judge or court personnel assigned to this case and members of their
`
`immediate families.
`
`60.
`
`Plaintiffs reserve the right to amend or modify the class definitions with greater
`
`specificity or division after having had an opportunity to conduct discovery.
`
`61.
`
`Numerosity. While the exact number of Class Members is not known at this time,
`
`Defendant IBM collected, captured, obtained, disclosed, redisclosed and otherwise disseminated
`
`biometric identifiers and information from approximately one million images of faces, and
`
`
`1 Facial Recognition Tech: 10 Views on Risks and Rewards,
`https://www.forbes.com/sites/forbestechcouncil/2018/04/03/facial-recognition-tech-10-views-on-risks-
`and-rewards/#54d3e1716b3c (accessed on Mar. 12, 2020)
`15
`
`
`
`

`

`Case: 1:20-cv-00577 Document #: 19 Filed: 03/12/20 Page 16 of 29 PageID #:128
`
`Plaintiffs estimate the total number of Class Members to be in the thousands. Consistent with Rule
`
`23(a)(1), the proposed Class is therefore so numerous that joinder of all members is impracticable.
`
`Class Members may be identified through objective means, including objective data available to
`
`Defendant IBM regarding the images in the IBM and DiF Datasets. Class Members may be
`
`notified of the pendency of this action by recognized, Court-approved notice dissemination
`
`methods, which may include U.S. mail, electronic mail, internet postings, social media and/or
`
`published notice
`
`62.
`
`Commonality and predominance. Common questions of law and fact exist as to
`
`all Class Members. These common questions of law or fact predominate over any questions
`
`affecting only individual members of the proposed Class. Common questions include, but are not
`
`limited to, the following:
`
`a.
`
`Whether Defendant IBM collected, captured and otherwise obtained the
`
`biometric identifiers and information of Plaintiffs and Class Members;
`
`b.
`
`Whether Defendant IBM possessed
`
`the biometric
`
`identifiers and
`
`information of Plaintiffs and Class Members;
`
`c.
`
`Whether Defendant IBM disclosed, redisclosed and otherwise disseminated
`
`the biometric identifiers and information of Plaintiffs and Class Members;
`
`d.
`
`Whether Defendant IBM profited from the biometric identifiers and
`
`information of Plaintiffs and Class Members;
`
`e.
`
`Whether Defendant IBM provided the notice required by BIPA before
`
`collecting, capturing, obtaining, disclosing, redisclosing and otherwise
`
`disseminating the biometric identifiers and information of Plaintiffs and
`
`Class Members;
`
`
`
`16
`
`

`

`Case: 1:20-cv-00577 Document #: 19 Filed: 03/12/20 Page 17 of 29 PageID #:129
`
`f.
`
`Whether Defendant IBM obtained written releases from Plaintiffs and Class
`
`Members or their authorized representatives before collecting, capturing,
`
`obtaining, disclosing, redisclosing and otherwise disseminating the
`
`biometric identifiers and information or Plaintiffs and Class Members;
`
`g.
`
`Whether Defendant IBM had in place – and disclosed to the public – the
`
`written retention and destruction policies required by BIPA while in
`
`possession of Plaintiffs’ and Class Members’ biometric identifiers and
`
`information;
`
`h.
`
`Whether Defendant IBM protected Plaintiffs’ and Class Members’
`
`biometric identifiers and information from disclosure using the reasonable
`
`standard of care within IBM’s industry and in a manner that was the same
`
`as or more protective than the manner in which IBM protects other
`
`confidential and sensitive information;
`
`Whether Plaintiffs and Class Members suffered damages as a proximate
`
`result of Defendant IBM; and
`
`Whether Plaintiffs and Class Members are entitled to damages, equitable
`
`i.
`
`j.
`
`relief and other relief.
`
`Moreover, based on Defendant IBM’s public statements, there is no reason to believe it treated
`
`any of the photos on which it performed a facial geometric scan differently from any others in
`
`terms of: (a) the way in which IBM obtained the photos; (b) the biometric identifiers and
`
`information collected, captured and otherwise obtained therefrom; (c) IBM’s failure to provide the
`
`requisite disclosures to Plaintiffs and Class Members or their authorized representatives; (d) IBM’s
`
`failure to obtain the requisite releases from Plaintiffs and Class Members or their authorized
`
`
`
`17
`
`

`

`Case: 1:20-cv-00577 Document #: 19 Filed: 03/12/20 Page 18 of 29 PageID #:130
`
`representatives; (e) IBM’s disclosure, redisclosure and dissemination of Plaintiffs’ and Class
`
`Members’ biometric identifiers and information to third parties; or (f) the nonex