Do You Own Your Own Fingerprints?
An obscure law could lead to broader limits on biometrics.
By Dune Lawrence
July 7, 2016 — 4:00 AM PDT
These days, many of us regularly feed pieces of ourselves
into machines for convenience and security. Our fingerprints unlock our
smartphones, and companies are experimenting with more novel biometric
markers—voice, heartbeat, grip—as ID for banking and other transactions. But
there are almost no laws in place to control how companies use such
information. Nor is it clear what rights people have to protect scans of their
retinas or the contours of their face from cataloging by the private sector.
There’s one place where people seeking privacy
protections can turn: the courts. A series of plaintiffs are suing tech giants,
including Facebook and Google, under a little-used Illinois law. The Biometric
Information Privacy Act, passed in 2008, is one of the only statutes in the
U.S. that sets limits on the ways companies can handle data such as
fingerprints, voiceprints, and retinal scans. At least four of the suits filed
under BIPA are moving forward. “These cases are important to scope out the
existing law, perhaps point out places where the law could be improved, and set
principles that other states might follow,” says Jeffrey Neuburger, a partner
at law firm Proskauer Rose.
The bankruptcy of fingerprint-scanning company Pay By
Touch spurred BIPA’s passage. Hundreds of Illinois grocery stores and gas
stations used its technology, allowing customers to pay with the tap of a
finger. As the bankrupt company proposed selling its database, the Illinois
chapter of the American Civil Liberties Union drafted what became BIPA, and the
bill passed with little corporate opposition, says Mary Dixon, legislative
director of the Illinois ACLU.
Under the Illinois law, companies must obtain written consent
from customers before collecting their biometric data. They also must declare a
point at which they’ll destroy the data, and they must not sell it. BIPA allows
for damages of $5,000 per violation. “Social Security numbers, when
compromised, can be changed,” the law reads. “Biometrics, however, are
biologically unique to the individual; therefore, once compromised, the
individual has no recourse, [and] is at heightened risk for identity theft.”
In April 2015, Chicagoan Carlo Licata, a Morgan Stanley financial
adviser, sued Facebook under BIPA, arguing that the company violated his
privacy by using its facial-recognition software to create a detailed geometric
map of his face and tag him in photos. Two more Illinois residents filed
complaints against Facebook the following month. That June a logistics engineer
and paratriathlete named Brian Norberg brought an almost identical suit against
the photo-sharing site Shutterfly. Two more plaintiffs sued video game
publisher Take-Two Interactive Software on similar grounds in October, and two
more went after Google in March. The companies declined to comment for this
story.
“I think people had really imagined, well, biometrics,
it’s got to be an in-person thing. You walk in front of a facial scanner,” says
Mark Eisen, a lawyer at Sheppard Mullin in Chicago who specializes in consumer
privacy and class-action suits. (He’s not involved in any of the cases.) “So
that first lawsuit got a lot of attention, and follow-up lawsuits happened
pretty quickly.” Most of the suits focus on photo tagging; in Take-Two’s case,
the plaintiffs are worried about the game maker’s creation of realistic digital
look-alikes using their facial profiles.
Take-Two has argued that the plaintiffs lack standing
because they haven’t claimed harm. The lawsuit against Shutterfly survived a
motion to dismiss in December and ended with an undisclosed settlement in
April. In the Facebook suit, the plaintiffs are seeking information about,
among other things, Facebook’s marketing of and third-party access to its
faceprint database. Facebook is arguing that BIPA was meant to apply to
physical facial scans and shouldn’t apply to photos.
The Facebook plaintiffs, whose cases have been
consolidated in California, where the company is based, passed a crucial test
in May. Facebook had argued that according to its terms of use, disputes should
be handled under California law, which lacks BIPA-style protections for
biometric data. The judge didn’t agree, ruling that BIPA applies. In a June 29
filing, Facebook made the same argument as Take-Two—that the plaintiffs lack
standing to sue because they haven’t claimed harm. Google, meanwhile, is
challenging BIPA as unconstitutional on the grounds that one state can’t set
rules for the rest of the country.
National efforts to establish biometric guidelines
haven’t gone well. In 2014 a Department of Commerce agency led an effort to
develop a code of conduct for companies using facial-recognition technology,
but consumer advocates withdrew from the group the following year, saying tech
companies refused to consider the most modest of privacy protections. The
effort yielded an unenforceable set of privacy recommendations, published in
June.
Part of the problem is that government agencies often
have an interest in looser consumer protections. In May the Department of
Justice proposed exempting the FBI’s facial-recognition program, called Next
Generation Identification, from privacy protections. In June the Government
Accountability Office reported that the FBI program failed tests of accuracy
and privacy. So far the report hasn’t led to any action.
In Canada and Europe, Facebook stopped offering tag
suggestions on photos following pressure from regulators to obtain consent to
collect people’s images. In the U.S., BIPA has become a target. Just before
Memorial Day, with the Illinois legislature rushing to finish its session,
Democratic state Senator Terry Link proposed an amendment to the statute that
would have excluded photos and digital images from protection and neatly
undercut the lawsuits. The ACLU’s Dixon says the amendment was Facebook’s doing.
Link declined to comment. Following outrage from advocacy groups such as the
ACLU and the Electronic Frontier Foundation (EFF), it was shelved without a
vote, but there’s nothing stopping its reintroduction.
“This measure was introduced right before the Memorial
Day weekend and could have been passed and changed the law over that weekend,”
says Jennifer Lynch, a senior staff attorney at EFF. “If we only have one state
with a law that protects us from commercial biometric data collection, and
it’s so easy to change that law, it just shows how tenuous the protections on
our privacy are.”
The bottom line: For now, an Illinois statute is the
strongest check on corporate use of biometric data such as fingerprints and
facial profiles.