Yves here. We received a complaint about AirBnB’s latest privacy intrusion from a long-established reader, here on demanding what will wind up being in most if not nearly all cases, a copy of a photo that is of biometric ID standards. As the unhappy potentially former customer of AirBnB fulminates, this new policy is being applied across the board, even users with impeccable records.
And that ire is not ill-founded. AirBnB is being challenged over this new scheme in Illinois under the state law that puts strict limits on private businesses who try to collecting biometric information. As we’ll discuss, Illinois is far from the only state with privacy laws that restrict the collection and use of biometric information.
And it is not as if AirBnB is lacking in methods of recourse. Hotels regularly charge bad boy guests who trash rooms via damage charges on credit cards. If they are worried a newbie user might be a rogue, require that the user agree to a damage deposit that is refunded if everything is hunky dory. If property misuse were the issue, face pix of users are not much of a solution.
So more generally, why could AirBnB possibly want this info? This sounds an awful like yet another scheme to make more money off customers by selling their data. Many people became desensitized over the issue of letting businesses copy their driver’s licenses or passports in the post 9/11 era, where most office building landlords started new security procedures requiring the presentation, and sometimes copying, of government ID.
The latest AirBnB lack of concern about user privacy has started even before the rental platform recent snooping scandal was finally resolved. Readers may recall AirBnB was embarrassed publicly by Gizmodo via FOIAs to the Federal Trade Commission. Gizmodo published many of the complaints. AirBnB had a not-so-hot policy on cameras and was lax about enforcement and apparently even responding to customer beefs. So the secret camera ban went effective April 30. From Gizmodo yesterday:
Gizmodo filed a Freedom of Information Act request with the FTC for any consumer complaints filed about Airbnb that involved cameras. Some of the complaints are fairly mundane, and simply mention how cameras may have been used to prove things that break the rules at Airbnb properties. But others are pretty horrifying and involve hidden cameras in places where people expect privacy….
Hidden cameras have always been banned at Airbnb, but cameras in public areas like living rooms were allowed. Airbnb will officially ban all indoor cameras at its properties worldwide at the end of this month.
Erm, since when is a living room a public place? Plenty of people shag on couches or might be in a state of considerable undress while watching TV. Admittedly, the old policy said those cameras were OK if not hidden. But how hidden is hidden? Not hard to imagine vacationers doing something they would not want recorded before they noticed a camera.
Now to AirBnB’s new-found photo fetish. A point that may not be obvious is that in the US, most if not all driver’s license photos are to biometric ID standards. Alabama was as of 2019 when I got a driver’s license there. Ditto passport photos. So unless you have an old passport image before the days of biometric IDs being the new normal, and it luckily also fail to capture good enough information to provide the biometric markers, compliance with AirBnB’s new requirements amounts to giving them biometrics. Gah.
We’ll turn to the reader-provided sordid tale and then look at current and possible future legal opposition. Via e-mail:
I have an idiotic saga about Airbnb, which I have used for years as a traveler. I would never host through them because their customer service is atrocious, and I have heard stories from friends who host about what goes on. They were a train wreck during the covid pandemic. But I use it in the US and abroad.
So without warning Airbnb suddenly is demanding identity verification and the site wants me to upload a drivers license or passport before I am allowed to reserve. This makes me irate, of course. They want to use facial recognition to “confirm” with the photo they already have, no doubt AI enhanced at this point. I am not the criminal here, and they have a long internal track record with my profile on reviews and trips and credit card transactions. I have absolutely stellar reviews. A reservation was pending, then canceled. So I took masking tape and doctored my license to cover up certain info, they want both sides, and took photos and uploaded them. I resubmitted the reservation and uploaded the ID photos for it to be finalized (the website doesn’t allow you to advance until you take this step). The reservation goes through, is confirmed, I get inundated with the usual messages confirming the reservation. This means my credit card is charged the full amount, you see. Then my ID photos are rejected again. I call customer non-service, which at this point is located abroad, probably in the Philippines for my call (it used to be in San Francisco). I am exhorted to resubmit ID photos with complete information. I argue, it’s useless, she has no authority even after putting me on hold to speak with a supervisor. They are relying on the Airbnb “system” to verify and retain all this customer data. I rip apart the routine customer service script that my data are protected.
My reservation is still valid atm, so I am going to see what happens next time I use the site – if it requires me to “upload photos of an ID” again, recto and verso, I can upload the same doctored photos and see if the reservation goes through, even if the ID photos are subsequently rejected every time. I think they like that money that keeps coming in, the fees. I don’t care if that becomes the new ritual – this is ASININE. I am still irate.
The entire fiasco illustrates where we are heading. Also, Homeland Security has become an evil monster.
So does AirBnB really want the photo or the full driver’s license/passport page? It sure sounds like the latter, given the friend of the site’s clarification of what “doctoring” amounted to:
I used bits of masking tape artfully applied to both sides of the license itself before taking the photos of it. The Airbnb system might detect Photoshop manipulation – someone expert in such matters would know better than I. I did two rounds of doctoring, taking the photos, and uploading them to Airbnb. The photos were deliberately not in ideal lighting, not too close up. One was upside down (that was just me not taking it seriously). All were rejected by the automated system, and if I look at my account profile, the section on government ID says not provided (as if that were an inherent obligation, to which my response is that they can stuff it). There is an option of uploading an identity card, but I did not pursue that, although maybe I will at some point, if I can get away with a photo ID card from work or something. I want to stress that this was not successful in the sense that the Airbnb system did not accept my ID photos because info was missing and it was not recognized as satisfactory. According to the autogenerated message I received from Airbnb, it wants to read and extract all info on the card and could not. I am sure they have many images of licenses from all fifty states, as well as passports. Ah, surveillance dystopia!….
I should have saved the Airbnb message to forward to you. It definitely referred to wanting the *information* on the ID image, which includes the biometric details, date of birth, address, etc., as well as photos, and requiring both sides of the license.
So asking for a photo from a “government ID” is to get the entire ID, not just the image.
So it is telling that even with this policy being pretty new, privacy lawyers have swung into action. They have started with Illinois, which has the oldest state law restricting the use of biometric information, dating from 2008. Bloomberg Law describes how several lawsuits have raised the profile of this statue and the rulings have facilitated filing more cases.
The 2023 Bloomberg article also describes the state of play in other states:
Texas and Washington also have broad biometric privacy laws on the books, but neither creates a private right of action like BIPA does. In addition, California, Colorado, Connecticut, Utah, and Virginia have passed comprehensive consumer privacy laws that, once in full effect, will expressly govern the processing of biometric information. And even more states have enacted data breach notification laws that explicitly include biometric data within their scope.
Various municipalities, such as New York City and Portland, Ore., have also passed tailored biometric privacy measures. New York City’s Biometric Information Privacy Law, applicable to certain commercial establishments, provides a private right of action.
As more states continue to introduce legislation similar to BIPA, insurers have begun expressly excluding biometric liability coverage from their policies, further adding to the risks posed by noncompliance with biometric privacy laws.
And provided a detailed summary of three of the statutes:
If you read the Bloomberg cheat sheet on the Illinois law, you will see it provides for “Intentional or reckless violations: the greater of $5,000 or actual damages.”
The interesting device of “mass arbitration” has AirBnB users in Illinois seeking $5,000 for what sure looks like an intentional violation. From ClassAction.org:
Attorneys working with ClassAction.org need to hear from Illinois residents who used Airbnb as either a guest or a host and had to go through the vacation rental company’s identity verification process.
They have reason to believe the company may have illegally collected and stored the facial scans of Illinois users who were required to upload their photos and government-issued IDs to confirm their identities.
Illegal collection of consumers’ biometrics – which include facial geometries, fingerprints, retina scans and more – could require the offending company to provide consumers with up to $5,000 per violation.
What Am I Signing Up For? What Is Mass Arbitration?
You are signing up for something known in the legal space as mass arbitration. Generally speaking, arbitration is an alternative way to resolve a dispute and takes place outside the courtroom, without a judge, jury or trial. You can learn more about arbitration here.
With mass arbitration, hundreds or thousands of consumers will file individual arbitration claims against the same company over the same issue – such as a potential privacy violation.
While Airbnb has previously faced litigation for various reasons, the company’s terms of service clearly state that U.S. users agree to resolve disputes through arbitration and waive their rights to a class action lawsuit. This is why attorneys working with ClassAction.org have decided to handle this matter on a mass arbitration basis.
Not only is this going to be fun, but AirBnB’s high profile might also give impetus for states and cities to implement or strengthen biometric ID protections.