Case 3:20-cv-00421-NJR Document 110-1 Filed 03/07/22 Page 1 of 57 Page ID #1825
`
`IN THE CIRCUIT COURT
`TWENTIETH JUDICIAL CIRCUIT
`ST. CLAIR COUNTY, ILLINOIS
`
`)
`ROSLYN HAZLITT, JANE DOE, by and
`through next friend JOHN DOE, RICHARD )
`Case No.:
`ROBINSON, and YOLANDA BROWN,
`)
`on behalfUNITED STATES DISTRICT COURT FOR THE
`SOUTHERN DISTRICT OF themselves and all other
`)ILLINOIS
`
`persons similarly situated, known
`and unknown,
`
`Plaintiffs,
`
`v.
`
`APPLE INC.,
`
`Defendant.
`
`)
`)
`)
`)
`)
`)
`)
`)
`)
`)
`)
`
`
`
`
`
`JANE DOE, by and through next friend John Doe,
`RICHARD ROBINSON, and YOLANDA BROWN, on
`behalf of themselves and all other persons similarly
`situated, known and unknown,
`
`
`
`v.
`
`APPLE INC.,
`
`Plaintiffs,
`
`Defendant.
`
`JURY TRIAL DEMANDED
`
`Case No. 3:20-cv-00421-NJR
`
`AMENDED CLASS ACTION COMPLAINT
`
`Plaintiffs Roslyn Hazlitt, Jane Doe, a minor, by and through next friend John Doe,
`
`Richard Robinson, and Yolanda Brown (“Plaintiffs”), individually and on behalf of all other
`
`persons similarly situated, bring this class action lawsuit for violations of the Biometric
`
`Information Privacy Act, 740 ILCS 14/1 et seq. (“BIPA”), against Defendant Apple Inc.
`
`Exhibit 1
`
`

`

`Case 3:20-cv-00421-NJR Document 110-1 Filed 03/07/22 Page 2 of 57 Page ID #1826
`
`(“Defendant”). Plaintiffs allege the following facts based upon personal knowledge,
`
`investigation by retained counsel, and on information and belief.
`
`1.
`
`Plaintiffs allege that Defendant violated BIPA by collecting, and possessing, and
`
`profiting from the biometric identifiers and biometric information (collectively, “Biometric
`
`Data”) of Illinois citizens via Defendant’s Photos software application (“Photos App”). For the
`
`reasons discussed in greater detail below, Defendant’s violations of BIPA pose a serious threat of
`
`permanent harm to Illinois citizens.
`
`2.
`
`Defendant’s Photos App comes pre-installed on Defendant’s phones, tablets, and
`
`computers (“Apple Devices”). The Photos App, which cannot be removed or modified,
`
`automatically collects face Biometric Data from Apple Device users’ photographs. Defendant’s
`
`Photos App collects Biometric Data without the knowledge or informed written consent of the
`
`Apple Device users or Apple Device nonusers—including minors—who appear in photographs
`
`on Apple Devices. Users of Apple Devices are not told by Defendant that it is collecting face
`
`Biometric Data, and cannot disable Defendant’s collection of face Biometric Data. Contrary to
`
`Defendant’s public representations, moreover, Defendant collects and possesses Biometric Data
`
`on its servers.
`
`3.
`
`Defendant’s conduct violates BIPA in three waysas follows:
`
`First, Defendant violates Section 15(b) by collecting the Biometric Data of Plaintiffs and
`
`other Illinois citizens. As described in greater detail below, Defendant collects Biometric Data
`
`of Plaintiffs and other Illinois citizens by collecting the face geometries of persons who appear in
`
`photographs on an Apple Device, and storing those face geometries in a database on the Apple
`
`Device., and storing identity information derived therefrom on Defendant’s servers.
`
`
`
`
`2
`
`Exhibit 1
`
`

`

`Case 3:20-cv-00421-NJR Document 110-1 Filed 03/07/22 Page 3 of 57 Page ID #1827
`
`Second, Defendant violates Section 15(a) by possessing the Biometric Data of Plaintiffs
`
`and other Illinois Citizens. As is likewise described below, Defendant possesses Biometric Data
`
`by exercising exclusive control over the face Biometric Data of Plaintiffs and other Illinois
`
`citizens, and by prohibiting Apple Device users and nonusers from accessing, modifying, or
`
`removing their face Biometric Data.
`
`Third, Defendant violates BIPA Section 15(c) by profiting from the Biometric Data it
`
`collects and possesses. Defendant profits from the face Biometric Data of Apple device users
`
`and nonusers because it uses the facial recognition capabilities of its Photos App, which violate
`
`BIPA, to market and sell its devices and software.
`
`4.
`
`Through this lawsuit, Plaintiffs, on behalf of a similarly situated class, seek to
`
`enjoin AppleDefendant from collecting, possessing, and profiting from their Biometric Data in
`
`violation of BIPA, and seek to obtain actual and statutory damages for their injuries.
`
`I.
`
`Nature of the Action
`
`5.
`
`Plaintiffs allege that Defendant violated BIPA by collecting their biometric
`
`identifiers and biometric information.
`
`6.
`
`Plaintiffs seek to represent a class of individuals whose face geometries were
`
`collected, stored, and/or used by Defendant, including through the use of Defendant’s Photos
`
`App.
`
`7.
`
`Plaintiffs have suffered significant damage, as more fully described herein,
`
`because Defendant has collected their Biometric Data without their knowledge, consent, or
`
`understanding, thereby materially decreasing the security of this intrinsically inalterable
`
`information, and substantially increasing the likelihood that Plaintiffs will suffer as victims of
`
`fraud and/or identity theft.
`
`
`
`
`3
`
`Exhibit 1
`
`

`

`Case 3:20-cv-00421-NJR Document 110-1 Filed 03/07/22 Page 4 of 57 Page ID #1828
`
`8.
`
`Plaintiffs seek actual damages in addition to statutory damages, as provided below
`
`in the Prayer for Relief.
`
`9.
`
`The remedies Plaintiffs seek are remedial, and not penal, in nature.
`
`II.
`
`Parties
`
`10.
`
`Plaintiff Roslyn Hazlitt is a resident of Belleville in St. Clair County, Illinois.
`
`11.10. Plaintiff Jane Doe, a minor, is a resident of O’Fallon in St. Clair County, Illinois.
`
`John Doe, Jane Doe’s next friend, is also a resident of O’Fallon in St. Clair County, Illinois.
`
`12.11. Plaintiff Richard Robinson is a resident of Troy in Madison County, Illinois.
`
`13.12. Plaintiff Yolanda Brown is a resident of Godfrey in Madison County, Illinois.
`
`14.13. Plaintiffs’ face geometries have been scanned by Defendant, and their Biometric
`
`Data were collected, stored, and used by Defendant, as more fully described herein.
`
`15.14. Defendant is a California corporation that is registered to and does conduct
`
`business throughout Illinois and in St. Clair County.
`
`16.15. Defendant is a “private entity” under the meaning of BIPA. 740 ILCS 14/10.
`
`III.
`
`Jurisdiction and Venue
`
`17.16. This Court has personal jurisdiction over Defendant because, during the relevant
`
`time period, Defendant was registered to do business in Illinois, conducted business in Illinois,
`
`committed the violations alleged in Illinois, and purposefully availed itself of the laws of Illinois
`
`for the specific transactions and occurrences at issue.
`
`18.
`
`St. Clair County is an appropriate venue for this litigation because Defendant does
`
`business in St. Clair County, and is therefore a resident of St. Clair County. 735 ILCS 5/2 102.
`
`19.
`
`In addition, the transactions and occurrences out of which the causes of action
`
`pleaded herein arose or occurred, in part, in St. Clair County.
`
`
`
`
`4
`
`Exhibit 1
`
`

`

`Case 3:20-cv-00421-NJR Document 110-1 Filed 03/07/22 Page 5 of 57 Page ID #1829
`
`IV.
`
`The Biometric Information Privacy Act
`
`20.17. “Biometrics” refers to “biology-based set[s] of measurements.” Rivera v. Google
`
`Inc., 238 F. Supp. 3d 1088, 1094 (N.D. Ill. 2017). Specifically, “biometrics” are “a set of
`
`measurements of a specified physical component (eye, finger, voice, hand, face).” Id. at 1296.
`
`21.18. BIPA was enacted in 2008 in order to safeguard Biometric Data due to the “very
`
`serious need [for] protections for the citizens of Illinois when it [comes to their] biometric
`
`information.” Illinois House Transcript, 2008 Reg. Sess. No. 276. BIPA is codified as Act 14 in
`
`Chapter 740 of the Illinois Compiled Statutes.
`
`22.19. As set forth in BIPA, biologically unique identifiers, such as scans of individuals’
`
`facial geometry, cannot be changed. 740 ILCS 14/5(c). As is likewise explained in BIPA, the
`
`inalterable nature of individuals’ biologically unique identifiers presents a materially heightened
`
`risk of serious harm when Biometric Data is not protected in a secure and transparent fashion.
`
`740 ILCS 14/5(d)–(g).
`
`23.20. As a result of the need for enhanced protection of Biometric Data, BIPA imposes
`
`various requirements on private entities that collect or possess individuals’ biometric identifiers,
`
`including scans of individuals’ facial geometries.
`
`24.21. Among other things, BIPA regulates “the collection, use, safeguarding, handling,
`
`storage, retention, and destruction of biometric identifiers and information.” 740 ILCS 14/5(g).
`
`25.22. BIPA applies to entities that interact with two forms of Biometric Data: biometric
`
`“identifiers” and biometric “information.” 740 ILCS 14/15(a)–(e).
`
`26.23. “Biometric identifiers” are physiological, as opposed to behavioral,
`
`characteristics. Examples include, but are not limited to, face geometry, fingerprints,
`
`
`
`
`5
`
`Exhibit 1
`
`

`

`Case 3:20-cv-00421-NJR Document 110-1 Filed 03/07/22 Page 6 of 57 Page ID #1830
`
`voiceprints, DNA, palmprints, hand geometry, iris patterns, and retina patterns. As the Illinois
`
`General Assembly has explained:
`
`Biometrics are unlike other unique identifiers that are used to access finances or
`other sensitive information. For example, social security numbers, when
`compromised, can be changed. Biometrics, however, are biologically unique to the
`individual; therefore, once compromised, the individual has no recourse, is at
`heightened risk for identity theft, and is likely to withdraw from biometric-
`facilitated transactions.
`
`740 ILCS 14/5(c). Moreover,
`
`A person cannot obtain new DNA or new fingerprints or new eyeballs for iris
`recognition, at least not easily or not at this time. Replacing a biometric identifier
`is not like replacing a lost key or a misplaced identification card or a stolen access
`code. The Act’s goal is to prevent irretrievable harm from happening and to put in
`place a process and rules to reassure an otherwise skittish public.
`
`Sekura v. Krishna Schaumburg Tan, Inc., 2018 IL App (1st) 180175, ¶ 59, 115 N.E.3d
`
`1080, 1093, appeal denied, 119 N.E.3d 1034 (Ill. 2019).
`
`27.24. In BIPA’s text, the General Assembly provided a non-exclusive list of protected
`
`“biometric identifiers,” including “a retina or iris scan, fingerprint, voiceprint, or scan of hand or
`
`face geometry.” 740 ILCS 14/10. In this case, the biometric identifiers at issue are the scans of
`
`face geometries of individuals, including Plaintiffs, collected by Defendant via its proprietary
`
`software without any notice to or consent from the individuals whose biometric identifiers are
`
`collected.
`
`28.25. “Biometric information” consists of biometric identifiers used to identify a
`
`specific person. BIPA defines “biometric information” as “any information, regardless of how it
`
`
`
`
`6
`
`Exhibit 1
`
`

`

`Case 3:20-cv-00421-NJR Document 110-1 Filed 03/07/22 Page 7 of 57 Page ID #1831
`
`is captured, converted, stored, or shared, based on an individual’s biometric identifier used to
`
`identify an individual.” Id.1 (emphasis added).
`
`29.26. In BIPA, the General Assembly identified four distinct activities that may subject
`
`private entities to liability:
`
`(1)
`
`(2)
`
`(3)
`
`(4)
`
`collecting Biometric Data, 740 ILCS 14/15(b);
`
`possessing Biometric Data, 740 ILCS 14/15(a);
`
`profiting from Biometric Data, 740 ILCS 14/15(c); and
`
`disclosing Biometric Data, 740 ILCS 14/15(d).
`
`BIPA also created a heightened standard of care for the protection of Biometric Data. 740 ILCS
`
`14/15(e).
`
`30.27. As the Illinois Supreme Court has held, BIPA “codified that individuals possess a
`
`right to privacy in and control over their biometric identifiers and biometric information.”
`
`Rosenbach v. Six Flags Entm’t Corp., 2019 IL 123186, ¶ 33, 129 N.E.3d 1197, 1206 (Ill. 2019).
`
`The Illinois Supreme Court further held that when a private entity fails to comply with BIPA
`
`“that violation constitutes an invasion, impairment, or denial of the statutory rights of any person
`
`or customer whose biometric identifier or biometric information is subject to the breach.” Id.
`
`A.
`
`Collecting Biometric Data Under Section 15(b)
`
`31.28. BIPA establishes categories of prohibited conduct related to Biometric Data, and
`
`establishes requirements that parties must follow when interacting with Biometric Data. As
`
`Section 15(b) provides:
`
`
`1 As set forth below, in this case the biometric identifiers at issue are the facial
`geometries of individuals, including Plaintiffs, collected by Defendant. These biometric
`identifiers become biometric information when Defendant’s facial recognition algorithms
`identify individuals based on biometric identifiers.
`
`7
`
`
`Exhibit 1
`
`

`

`Case 3:20-cv-00421-NJR Document 110-1 Filed 03/07/22 Page 8 of 57 Page ID #1832
`
`No private entity may collect, capture, purchase, receive through trade, or otherwise
`obtain a person’s or a customer’s biometric identifier or biometric information,
`unless it first:
`
`
`informs the subject or the subject’s legally authorized representative
`in writing that a biometric identifier or biometric information is
`being collected or stored;
`
`informs the subject or the subject’s legally authorized representative
`in writing of the specific purpose and length of term for which a
`biometric identifier or biometric information is being collected,
`stored, and used; and
`
`receives a written release executed by the subject of the biometric
`identifier or biometric information or the subject’s legally
`authorized representative.
`
`(1)
`
`
`(2)
`
`
`(3)
`
`
`740 ILCS 14/15(b).
`
`32.29. To “collect” means “to bring together into one body or place,” or “to gather or
`
`exact from a number of persons or sources.”2
`
`33.30. Collection, therefore, is the act of gathering together, and is separate from
`
`possession, which is not an element of collection.
`
`34.31. BIPA imposes three requirements that must be satisfied before any private entity
`
`may “collect” biometric information:
`
`(a)
`
`(b)
`
`(c)
`
`First, the private entity must inform the individual in writing that the
`individual’s biometric information is being collected or stored. 740 ILCS
`14/15(b)(1).
`
`Second, the private entity must inform the individual in writing of the
`purpose and length of time for which their biometric information is being
`collected, stored, and used. 740 ILCS 14/15(b)(2).
`
`Finally, the private entity must receive a written release executed by the
`individual. 740 ILCS 14/15(b)(3).
`
`
`
`2 Definition of “collect”, Merriam-Webster, https://www.merriam-
`webster.com/dictionary/collect (last visited Feb 28, 2020).Dec. 13, 2021) archived at
`https://perma.cc/YR9C-8CER.
`
`
`
`8
`
`Exhibit 1
`
`

`

`Case 3:20-cv-00421-NJR Document 110-1 Filed 03/07/22 Page 9 of 57 Page ID #1833
`
`35.32. BIPA defines a “written release,” outside the employment context, to mean
`
`“informed written consent.” 740 ILCS 14/10.
`
`B.
`
`Possessing Biometric Data Under Section 15(a)
`
`36.33. With respect to possession of Biometric Data, BIPA provides as follows:
`
`A private entity in possession of biometric identifiers or biometric information must
`develop a written policy, made available to the public, establishing a retention
`schedule and guidelines for permanently destroying biometric identifiers and
`biometric information when the initial purpose for collecting or obtaining such
`identifiers or information has been satisfied or within 3 years of the individual’s
`last interaction with the private entity, whichever occurs first.
`
`740 ILCS 14/15(a). Entities in possession of Biometric Data therefore must develop and make
`
`public a written policy containing a retention schedule for Biometric Data, as well as guidelines
`
`for the destruction of Biometric Data. Id.
`
`37.34. BIPA requires that the required public, written policy include information about
`
`how the entity will destroy Biometric Data. Id.
`
`38.35. The plain and ordinary meaning of the word “possession” is “the act of having or
`
`taking into control” or “control or occupancy of property without regard to ownership.”3
`
`39.36. A private entity that controls Biometric Data, therefore, possesses Biometric Data
`
`under Section 15(a).
`
`40.37. Section 15(a) regulates Biometric Data that is controlled by a private entity
`
`regardless of whether that entity owns the Biometric Data.
`
`
`3 Definition of “possession”, Merriam-Webster, https://www.merriam-
`webster.com/dictionary/possession (last visited Feb. 28, 2020). Dec. 13, 2021) archived at
`https://perma.cc/5SDZ-LHRZ.
`
`
`
`9
`
`Exhibit 1
`
`

`

`Case 3:20-cv-00421-NJR Document 110-1 Filed 03/07/22 Page 10 of 57 Page ID #1834
`
`41.38. Here, for example, Defendant controls Plaintiffs’ Biometric Data, even though
`
`Defendant does not own that data. Therefore, as alleged in further detail below, Defendant
`
`possesses Plaintiffs’ Biometric Data under Section 15(a).
`
`C.
`
`BIPA’s Unqualified Prohibition on Profiting from Biometric Data
`Under Section 15(c)
`
`42.39. BIPA additionally bars private entities from profiting from Biometric Data.
`
`Section 15(c) provides as follows:
`
`No private entity in possession of a biometric identifier or biometric information
`may sell, lease, trade, or otherwise profit from a person’s or a customer’s biometric
`identifier or biometric information.
`
`740 ILCS 14/15(c).
`
`43.40. Section 15(c) is an unqualified prohibition on profiting from Biometric Data.
`
`Section 15(c) applies to this case, for among other reasons, because Defendant developed the
`
`face recognition “feature” of its Photos App in order to competitively position its devices and
`
`software in the marketplace, compete with other software applications, and thereby profit.
`
`V.
`
`The Serious Threats Posed by Biometric Data
`
`44.41. Extracting an individual’s face geometry data in order to confirm a subsequent
`
`match of the individual’s face—also known as “facial recognition” or “faceprinting”—uses
`
`biological characteristics to verify an individual’s identity.
`
`45.42. Use of facial recognition technology can be highly lucrative. The global facial
`
`recognition market size is expected to grow dramatically—according to one source, from $3.2
`
`billion in 2019 to $7 billion by 2024.4
`
`
`4 Facial Recognition Market Worth $7.0 Billion by 2024, Markets and Markets,
`https://www.marketsandmarkets.com/PressReleases/facial
`recognition.asphttps://www.prnewswire.com/news-releases/facial-recognition-market-worth-7-0-
`
`
`
`
`10
`
`Exhibit 1
`
`

`

`Case 3:20-cv-00421-NJR Document 110-1 Filed 03/07/22 Page 11 of 57 Page ID #1835
`
`46.43. However, the potential dangers of the use of facial recognition technology and
`
`other biometric identifiers are widely known.
`
`47.44. “Stolen biometric identifiers . . . can be used to impersonate consumers, gaining
`
`access to personal information.”5
`
`48.45. Unlike other identifiers such as Social Security or credit card numbers, which can
`
`be changed if compromised or stolen, biometric identifiers linked to a specific voice or face
`
`cannot be modified—ever. These unique and permanent biometric identifiers, once exposed,
`
`leave victims with no means to prevent identity theft and unauthorized tracking. Recognizing
`
`this, the Federal Trade Commission has urged companies using facial recognition technology to
`
`ask for consent before scanning and extracting Biometric Data from photographs.6
`
`49.46. The threats posed by facial recognition technology can be more insidious than the
`
`threats posed by the use of other biometric information, such as fingerprints. Indeed, as
`
`
`billion-by-2024--exclusive-report-by-marketsandmarkets-300876154.html (last visited Mar. 3,
`2020).Dec. 13, 2021) archived at https://perma.cc/7CN9-LPNR.
`
` 5
`
` Elias Wright, The Future of Facial Recognition Is Not Fully Known: Developing
`Privacy and Security Regulatory Mechanisms for Facial Recognition in the Retail Sector, 29
`Fordham Intell. Prop. Media & Ent. L.J. 611, 629 (2019).
`
` 6
`
` See Facing Facts: Best Practices for Common Uses of Facial Recognition
`Technologies, Federal Trade Commission (Oct. 2012), https://www.ftc.gov/
`sites/default/files/documents/reports/facing-facts-best-practices-common-uses-facial-recognition-
`technologies/121022facialtechrpt.pdf2012),
`https://www.ftc.gov/sites/default/files/documents/reports/facing-facts-best-practices-common-
`uses-facial-recognition-technologies/121022facialtechrpt.pdf archived at https://perma.cc/438A-
`A7AE.
`
`
`
`
`
`11
`
`Exhibit 1
`
`

`

`Case 3:20-cv-00421-NJR Document 110-1 Filed 03/07/22 Page 12 of 57 Page ID #1836
`
`commentators have recognized, “facial recognition creates acute privacy concerns that
`
`fingerprints do not.”7 Once a person or entity has an individual’s facial Biometric Data:
`
`[T]hey can get your name, they can find your social networking account, and they
`can find and track you in the street, in the stores that you visit, the . . . buildings
`you enter, and the photos your friends post online. Your face is a conduit to an
`incredible amount of information about you, and facial recognition technology can
`allow others to access all of that information from a distance, without your
`knowledge, and in about as much time as it takes to snap a photo.8
`
`50.47. Researchers have even demonstrated the ability to “infer personally predictable
`
`sensitive information through face recognition.”9
`
`51.48. Further, facial recognition technology may “be abused in ways that could threaten
`
`basic aspects of our privacy and civil liberties[:]”10
`
`Biometrics in general are immutable, readily accessible, individuating, and can be
`highly prejudicial. And facial recognition takes the risks inherent in other
`biometrics to a new level. Americans cannot take precautions to prevent the
`collection of their image. We walk around in public. Our image is always exposed
`to the public. Facial recognition allows for covert, remote, and mass capture and
`identification of images, and the photos that may end up in a data base include not
`just a person’s face but also what she is wearing, what she might be carrying, and
`
`
`7 What Facial Recognition Technology Means for Privacy and Civil Liberties: Hearing
`Before the Subcomm. On Privacy Tech & the Law of the S. Comm. On the Judiciary, 112th
`Cong. 1 (2012) (statement of Sen. Al Franken, Chairman, Subcomm. On Privacy, Tech. & the
`Law of the S. Comm. On the Judiciary), available at https://www.govinfo.gov/content/
`pkg/CHRG-112shrg86599/pdf/CHRG-112shrg86599.pdf. archived at https://perma.cc/9XE4-
`62GH.
`
` 8
`
` Franken, supra.
`
` 9
`
` Alessandro Acquisti et al., Face Recognition and Privacy in the Age of Augmented
`Reality, J. Privacy and Confid. (2014), available at https://www.heinz.cmu.edu/~acquisti/papers/
`AcquistiGrossStutzman-JPC-2014.pdf. archived at https://perma.cc/ZUV3-4EHN.
`
`10 Franken, supra.
`
`
`
`
`
`12
`
`Exhibit 1
`
`

`

`Case 3:20-cv-00421-NJR Document 110-1 Filed 03/07/22 Page 13 of 57 Page ID #1837
`
`who she is associated with. This creates threats to free expression and to freedom
`of association that are not evident in other biometrics.11
`
`52.49. Many experts believe that “facial recognition technology is the most uniquely
`
`dangerous surveillance mechanism ever invented.”12
`
`53.50. Because of these dangers, “privacy protections,” such as those found in BIPA, are
`
`necessary for “all facial recognition technologies, including those that do not individually
`
`identify consumers.”13
`
`54.51. Indeed, the Illinois Supreme Court has held that in BIPA the Illinois “General
`
`Assembly has codified that individuals possess a right to privacy in and control over their
`
`biometric identifiers and biometric information.” Rosenbach, 129 N.E.3d at 1206.
`
`55.52. In so holding, the Court explicitly recognized the “difficulty in providing
`
`meaningful recourse once a person’s biometric identifiers or biometric information has been
`
`compromised.” Id. As it further held, “[t]he situation is particularly concerning, in the
`
`legislature’s judgment, because [t]he full ramifications of biometric technology are not fully
`
`known.’” Id. (citing BIPA).
`
`
`11 What Facial Recognition Technology Means for Privacy and Civil Liberties: Hearing
`Before the Subcomm. On Privacy Tech & the Law of the S. Comm. On the Judiciary, 112th
`Cong. 1 (2012) (statement of Jennifer Lynch, Staff Attorney, Electronic Frontier Foundation),
`available at https://www.govinfo.gov/content/pkg/CHRG-112shrg86599/pdf/CHRG-
`112shrg86599.pdf. archived at https://perma.cc/9XE4-62GH.
`
`12 See, e.g., Woodrow Hartzog & Evan Selinger, Facial Recognition Is the Perfect Tool
`for Oppression, Medium (Aug. 2, 2018), https://medium.com/s/story/facial-recognition-is-the-
`perfect-tool-for-oppression-bc2a08f0fe66 archived at https://perma.cc/99LL-2FEQ.
`
`13 See Facing Facts: Best Practices for Common Uses of Facial Recognition
`Technologies, Federal Trade Commission (Oct. 2012), https://www.ftc.gov/sites/
`default/files/documents/reports/facing-facts-best-practices-common-uses-facial-recognition-
`technologies/121022facialtechrpt.pdf. archived at https://perma.cc/438A-A7AE.
`
`
`
`
`
`13
`
`Exhibit 1
`
`

`

`Case 3:20-cv-00421-NJR Document 110-1 Filed 03/07/22 Page 14 of 57 Page ID #1838
`
`53.
`
`Defendant acknowledges that “face data is . . . so personal” it warrants
`
`“extraordinary measures to protect it.”14
`
`54. With respect to face data used to unlock Apple Devices, Defendant claims that it
`
`takes “extraordinary measures,” including encrypting it, storing it on a “secure enclave,”
`
`preventing access to the data by the operating system or any applications, and ensuring that it is
`
`“never stored on Apple servers or backed up to iCloud or anywhere else.”15
`
`55.
`
`Defendant also represents to the public that in order to “protect[] your privacy,” in
`
`the Photos app, “all the face recognition and scene and object detection are done completely on
`
`your device.”16
`
`56.
`
`Storing Biometric Data on personal devices (as opposed to on a server) does not
`
`remove the substantial dangers associated with Biometric Data, because personal devices are
`
`intrinsically vulnerable to hackers and other malicious bad actors.17 Instead, storing Biometric
`
`
`14 Apple Privacy Control, https://www.apple.com/privacy/control/ archived at
`https://perma.cc/3XKN-ZCWB.
`
`15 Id.
`
`16 However, as alleged infra, Defendant, contrary to its public statements, does in fact
`store Biometric Data on its servers. https://support.apple.com/en-us/HT207368 archived at
`https://perma.cc/E3AE-AJFZ.
`
`17 See, e.g., Taylor Telford, Google Uncovers 2-Year iPhone Hack That Was ‘Sustained’
`and ‘Indiscriminate’, Washington Post (Aug. 30, 2019, 8:52 AM), https://www.washingtonpost.
`com/business/2019/08/30/google-researchers-uncover-year-iphone-hack-tied-malicious-
`websites/ archived at https://perma.cc/Y7X5-PEAM (citing Ian Beer, A Very Deep Dive Into iOS
`Exploit Chains Found in the Wild, Google Project Zero Blog (Aug. 29, 2019),
`(https://googleprojectzero.blogspot.com/2019/08/a-very-deep-dive-into-ios-exploit.html archived
`at https://perma.cc/6DCD-QGE4); Jeb Su, Apple Issues 3 Emergency Security Fixes To Block
`Hackers From Taking Over iPhones, Macs, Apple TVs, Forbes (Aug. 26, 2019, 7:17 PM),
`https://www.forbes.com/sites/jeanbaptiste/2019/08/26/apple-issues-3-emergency-security-fixes-
`to-block-hackers-from-taking-over-iphones-macs-apple-tvs/#6fc6f3a76da2 archived at
`https://perma.cc/V2RJ-YQQ8.
`
`
`
`
`
`14
`
`Exhibit 1
`
`

`

`Case 3:20-cv-00421-NJR Document 110-1 Filed 03/07/22 Page 15 of 57 Page ID #1839
`
`Data on personal devices creates an independent threat of serious harm that is associated with
`
`each personal device that contains Biometric Data.
`
`57. Moreover, Biometric Data may persist on discarded devices. “Realistically,
`
`unless you physically destroy a device, forensic experts can potentially extract data from it.”18
`
`The Federal Trade Commission has recognized that sensitive data on individual devices poses
`
`grave risks, including of identity theft.19
`
`58.
`
`The use of Biometric Data “leads to the fear that a data breach or sale by one
`
`holder of a piece of a person’s biometric information would compromise the security of all
`
`relationships that are verified by that same piece.”20
`
`59.
`
`This fear is not based on mere conjecture. Biometric Data has been illicitly
`
`targeted by hackers. For example, a security firm recently uncovered a “major breach” of a
`
`biometric system used by banks, police, defense firms, and other entities.21 This breach involved
`
`exposure of extensive biometric and other personal data, including facial recognition data and
`
`fingerprints. Id.
`
`
`18 Josh Frantz, Buy One Device, Get Data Free: Private Information Remains on
`Donated Tech, Rapid7 Blog (Mar. 19, 2019), https://blog.rapid7.com/2019/03/19/buy-one-
`device-get-data-free-private-information-remains-on-donated-devices/. archived at
`https://perma.cc/4APW-3ZUF.
`
`19 How to Protect Your Phone and the Data On It, https://www.consumer.ftc.gov/articles/
`how-protect-your-phone-and-data-it (last visited Mar. 3, 2020).Dec. 13, 2021) archived at
`https://perma.cc/Q285-NVQS.
`
`20 Matthew B. Kugler, From Identification to Identity Theft: Public Perceptions of
`Biometric Privacy Harms, 10 UC Irvine L. Rev. 107, 132 (2019).
`
`21 Josh Taylor, Major Breach Found in Biometrics System Used by Banks, UK Police and
`Defence Firms, The Guardian (Aug. 14, 2019, 3:11 PM), https://www.theguardian.com/
`technology/ 2019/aug/14/major-breach-found-in-biometrics-system-used-by-banks-uk-police-
`and-defence-firms archived at https://perma.cc/3TSS-E8ZS.
`
`
`
`
`
`15
`
`Exhibit 1
`
`

`

`Case 3:20-cv-00421-NJR Document 110-1 Filed 03/07/22 Page 16 of 57 Page ID #1840
`
`60.
`
`Even anonymized Biometric Data poses risks. For example, according to a recent
`
`report:
`
`In August 2016, the Australian government released an “anonymized” data set
`comprising the medical billing records, including every prescription and surgery,
`of 2.9 million people. Names and other identifying features were removed from the
`records in an effort to protect individuals’ privacy, but a research team from the
`University of Melbourne soon discovered that it was simple to re-identify people,
`and learn about their entire medical history without their consent, by comparing the
`dataset to other publicly available information, such as reports of celebrities having
`babies or athletes having surgeries.22
`
`
`Indeed, “[t]here is a growing skepticism in the field of data protection and privacy law
`
`that biometric data can never truly be deidentified or anonymized.”23
`
`61.
`
`The collection and use of Biometric Data is especially problematic in relation to
`
`the collection of Biometric Data from minors, who cannot provide informed consent and may be
`
`unaware of the serious harms that can result from the release of Biometric Data.
`
`62.
`
`The heightened sensitivity of minors’ personal data has been recognized by the
`
`federal government in the Children’s Online Privacy Protection Act, which provides special
`
`protections for children’s personal data.24
`
`
`22 Olivia Solon, ‘Data Is A Fingerprint’: Why You Aren't as Anonymous As You Think
`Online, The Guardian (Jul. 13, 2018, 4:00 PM) https://www.theguardian.com/world/2018/jul/13/
`anonymous browsing data medical records identity
`privacyhttps://www.scribd.com/article/383773122/Data-Is-A-Fingerprint-Why-You-Aren-t-As-
`Anonymous-As-You-Think-Online archived at https://perma.cc/96VH-D462 .
`
`23 Justin Banda, Inherently Identifiable: Is It Possible To Anonymize Health And Genetic
`Data?, International Association of Privacy Professionals Privacy Perspectives (Nov. 13, 2019),
`13, 2019), https://iapp.org/news/a/inherently-identifiable-is-it-possible-to-anonymize-health-and-
`genetic-data/ archived at https://perma.cc/W3FZ-LDBQ.
`
`24 See Child Online Privacy Protection Act of 1998, 15 U.S.C. §§ 6501-6506; 16 C.F.R. §
`312.2 (defining personal information as including “[a] photograph, video, or audio file where
`such file contains a child’s image or voice”; see also Children’s Online Privacy Protection Rule:
`A Six-Step Compliance Plan for Your Business, FTC (June 2017), https://www.ftc.gov/tips-
`
`
`
`
`16
`
`Exhibit 1
`
`

`

`Case 3:20-cv-00421-NJR Document 110-1 Filed 03/07/22 Page 17 of 57 Page ID #1841
`
`63.
`
`“The monetization of children’s biometric . . . data is also concerning even if such
`
`data are anonymized.”25 Even “before minors come of age their immutable biometric or health-
`
`related data could be collected[