An ob­scure Illi­nois law might let you keep your fin­ger­prints

▶ An ob­scure law could lead to broader lim­its on bio­met­rics ▶ “It just shows how ten­u­ous the pro­tec­tions on our pri­vacy are”

Bloomberg Businessweek (North America) - - CONTENTS - Dune Lawrence

These days, many of us reg­u­larly feed pieces of our­selves into ma­chines for con­ve­nience and se­cu­rity. Our fin­ger­prints un­lock our smart­phones, and com­pa­nies are ex­per­i­ment­ing with more novel biometric mark­ers— voice, heart­beat, grip—as ID for bank­ing and other trans­ac­tions. But there are al­most no laws in place to con­trol how com­pa­nies use such in­for­ma­tion. Nor is it clear what rights peo­ple have to pro­tect scans of their reti­nas or the con­tours of their face from cat­a­loging by the pri­vate sec­tor.

There’s one place where peo­ple seek­ing pri­vacy pro­tec­tions can turn: the courts. A se­ries of plain­tiffs are su­ing tech gi­ants, in­clud­ing Face­book and Google, un­der a lit­tleused Illi­nois law. The Biometric In­for­ma­tion Pri­vacy Act, passed in 2008, is one of the only statutes in the U.S. that sets lim­its on the ways com­pa­nies can han­dle data such as fin­ger­prints, voiceprint­s, and reti­nal scans. At least four of the suits filed un­der BIPA are mov­ing for­ward. “These cases are im­por­tant to scope out the ex­ist­ing law, per­haps point out places where the law could be im­proved, and set prin­ci­ples that other states might fol­low,” says Jef­frey Neuburger, a part­ner at law firm Proskauer Rose.

The bank­ruptcy of fin­ger print scan­ning com­pany Pay By Touch spurred BIPA’s pas­sage. Hun­dreds of Illi­nois gro­cery stores and gas sta­tions used its tech­nol­ogy, al­low­ing cus­tomers to pay with the tap of a fin­ger. As the bank­rupt com­pany pro­posed sell­ing its data­base, the Illi­nois chap­ter of the Amer­i­can Civil Lib­er­ties Union drafted what be­came BIPA, and the bill passed with lit­tle cor­po­rate

op­po­si­tion, says Mary Dixon, leg­isla­tive di­rec­tor of the Illi­nois ACLU.

Un­der the Illi­nois law, com­pa­nies must ob­tain writ­ten con­sent from cus­tomers be­fore col­lect­ing their biometric data. They also must de­clare a point at which they’ll de­stroy the data, and they must not sell it. BIPA al­lows for dam­ages of $5,000 per vi­o­la­tion. “So­cial Se­cu­rity num­bers, when com­pro­mised, can be changed,” the law reads. “Bio­met­rics, how­ever, are bi­o­log­i­cally unique to the in­di­vid­ual; there­fore, once com­pro­mised, the in­di­vid­ual has no re­course, [and] is at height­ened risk for iden­tity theft.”

In April 2015, Chicagoan Carlo Li­cata, a Mor­gan Stan­ley fi­nan­cial ad­viser, sued Face­book un­der BIPA, ar­gu­ing that the com­pany vi­o­lated his pri­vacy by us­ing its fa­cial-recog­ni­tion soft­ware to cre­ate a de­tailed geo­met­ric map of his face and tag him in pho­tos. Two more Illi­nois res­i­dents filed com­plaints against Face­book the fol­low­ing month. That June a lo­gis­tics en­gi­neer and para­triath­lete named Brian Nor­berg brought an al­most iden­ti­cal suit against the photo-shar­ing site Shut­ter­fly.

Two more plain­tiffs sued video game pub­lisher Take-Two In­ter­ac­tive Soft­ware on sim­i­lar grounds in Oc­to­ber, and two more went af­ter Google in March. The com­pa­nies de­clined to com­ment for this story.

“I think peo­ple had re­ally imag­ined, Well, bio­met­rics, it’s got to be an in-per­son thing. You walk in front of a fa­cial scan­ner,” says Mark Eisen, a lawyer at Shep­pard Mullin in Chicago who spe­cial­izes in con­sumer pri­vacy and class-ac­tion suits. (He’s not in­volved in any of the cases.) “So that first law­suit got a lot of at­ten­tion, and fol­low-up law­suits hap­pened pretty quickly.” Most of the suits fo­cus on photo tag­ging; in Take-Two’s case, the plain­tiffs are wor­ried about the game maker’s cre­ation of re­al­is­tic dig­i­tal look-alikes us­ing their fa­cial pro­files.

Take-Two has ar­gued that the plain­tiffs lack stand­ing be­cause they haven’t claimed harm. The law­suit against Shut­ter­fly sur­vived a mo­tion to dis­miss in De­cem­ber and ended with an undis­closed set­tle­ment in April. In the Face­book suit, the plain­tiffs are seek­ing in­for­ma­tion about, among other things, Face­book’s mar­ket­ing of and third­party ac­cess to its faceprint data­base. Face­book is ar­gu­ing that BIPA was meant to ap­ply to phys­i­cal fa­cial scans and shouldn’t ap­ply to pho­tos.

The Face­book plain­tiffs, whose cases have been con­sol­i­dated in Cal­i­for­nia, where the com­pany is based, passed a cru­cial test in May. Face­book had ar­gued that ac­cord­ing to its terms of use, dis­putes should be han­dled un­der Cal­i­for­nia law, which lacks BIPA-style pro­tec­tions for biometric data. The judge didn’t agree, rul­ing that BIPA ap­plies. In a June 29 fil­ing, Face­book made the same ar­gu­ment as Take-Two—that the plain­tiffs lack stand­ing to sue be­cause they haven’t claimed harm. Google, mean­while, is chal­leng­ing BIPA as un­con­sti­tu­tional on the grounds that one state can’t set rules for the rest of the coun­try.

Na­tional ef­forts to es­tab­lish biometric guide­lines haven’t gone well. In 2014 a Depart­ment of Com­merce agency led an ef­fort to de­velop a code of con­duct for com­pa­nies us­ing fa­cial-recog­ni­tion tech­nol­ogy, but con­sumer ad­vo­cates with­drew from the group the fol­low­ing year, say­ing tech com­pa­nies re­fused to con­sider the most mod­est of pri­vacy pro­tec­tions. The ef­fort yielded an un­en­force­able set of pri­vacy rec­om­men­da­tions, pub­lished in June.

Part of the prob­lem is that gov­ern­ment agen­cies of­ten have an in­ter­est in looser con­sumer pro­tec­tions. In

May the Depart­ment of Jus­tice pro­posed ex­empt­ing the FBI’s fa­cial­recog­ni­tion pro­gram, called Next Gen­er­a­tion Iden­ti­fi­ca­tion, from pri­vacy pro­tec­tions. In June the Gov­ern­ment Ac­count­abil­ity Of­fice re­ported that the FBI pro­gram failed tests of accuracy and pri­vacy. So far the re­port hasn’t led to any ac­tion.

In Canada and Europe, Face­book stopped of­fer­ing tag sug­ges­tions on pho­tos fol­low­ing pres­sure from reg­u­la­tors to ob­tain con­sent to col­lect peo­ple’s im­ages. In the U.S., BIPA has be­come a tar­get. Just be­fore Memo­rial Day, with the Illi­nois leg­is­la­ture rush­ing to fin­ish its ses­sion, Demo­cratic state Sen­a­tor Terry Link pro­posed an amend­ment to the statute that would have ex­cluded pho­tos and dig­i­tal im­ages from pro­tec­tion and neatly un­der­cut the law­suits. The ACLU’s Dixon says the amend­ment was Face­book’s do­ing. Link de­clined to com­ment. Fol­low­ing out­rage from ad­vo­cacy groups such as the ACLU and the Elec­tronic Fron­tier Foun­da­tion (EFF), it was shelved with­out a vote, but there’s noth­ing stop­ping its rein­tro­duc­tion.

“This mea­sure was in­tro­duced right be­fore the Memo­rial Day week­end and could have been passed and changed the law over that week­end,” says Jen­nifer Lynch, a se­nior staff at­tor­ney at EFF. “If we only have one state with a law that pro­tects use from com­mer­cial biometric data col­lec­tion, and it’s so easy to change that law, it just shows how ten­u­ous the pro­tec­tions on our pri­vacy are.”

The bot­tom line For now, an Illi­nois statute is the strong­est check on cor­po­rate use of biometric data such as fin­ger­prints and fa­cial pro­files.

Newspapers in English

Newspapers from Canada

© PressReader. All rights reserved.