Illinois to revisit BIPA law?

Illinois Considering Amendments to Biometric Privacy Law (BIPA) That Would Create Major Exemptions to Its Scope (Proskauer.com)

“Biometric privacy remains an important issue, as facial recognition and other biometric technologies are increasingly in use. As such, it is desirable to find a balance between privacy and security while at the same time allowing companies to use the advances in biometrics in productive ways. Some argue that the Illinois law, in its present form, fails to strike that balance. It appears that some of the Illinois legislators have heard that argument and are trying to correct any imbalance that the law might present. Given what’s at stake, we will closely follow these legislative developments.”

Proskauer Rose, the source of the linked article, is an international law firm with offices in Chicago. The full piece has a lot of links to more information on the Illinois BIPA law. Read the whole thing, especially if you’re interested in biometrics, privacy, or in business in Illinois.

Our previous posts touching on the Illinois BIPA law can be found here.

Another Illinois Facebook face recognition lawsuit

Gillen v Facebook (Scribd)

Note: BIPA = Biometric Information Privacy Act

I have removed two footnotes from the original.

NATURE OF ACTION

1. Plaintiff brings this action for damages and other legal and equitable remedies resulting from the illegal actions of Facebook in collecting, storing and using Plaintiff’s and other similarly situated individuals’ biometric identifiers and biometric information (referred to collectively at times as “biometrics”) without informed written consent in violation of the BIPA.

2. The Illinois Legislature has found that “[b]iometrics are unlike other unique identifiers that are used to access finances or other sensitive information.” 740 ILCS 14/5(c). “For example, social security numbers, when compromised, can be changed. Biometrics, however, are biologically unique to the individual; therefore, once compromised, the individual has no recourse, is at heightened risk for identity theft, and is likely to withdraw from biometric-facilitated transactions.”

3. In recognition of these concerns over the security of individuals’ biometrics – particularly in the City of Chicago, which was recently selected by major national corporations as a “pilot testing site[] for new applications of biometric-facilitated financial transactions, including finger-scan technologies at grocery stores, gas stations, and school cafeterias,” 740 ILCS 14/5(b) – the Illinois Legislature enacted the BIPA, which provides, inter alia, that a private entity like Facebook may not obtain or possess an individual’s biometrics unless it: (1) informs that person in writing that biometric identifiers or information will be collected or stored, see id.; (2) informs that person in writing of the specific purpose and length of term for which such biometric identifiers or biometric information is being collected, stored and used, see id.; (3) receives a written release from the person for the collection of his or her biometric identifiers or information, see id.; and (4) publishes publicly available written retention schedules and guidelines for permanently destroying biometric identifiers and biometric information, see 740 ILCS 14/15(a).

4. In direct violation of each of the foregoing provisions of § 15(a) and § 15(b) of the BIPA, Facebook is actively collecting, storing, and using – without providing notice, obtaining informed written consent or publishing data retention policies – the biometrics of its users and unwitting non-users.

5. Specifically, Facebook has created, collected and stored over a billion “face templates” (or “face prints”) – highly detailed geometric maps of the face – from over a billion individuals, millions of whom reside in the State of Illinois. Facebook creates these templates using sophisticated facial recognition technology that extracts and analyzes data from the points and contours of faces appearing in photos uploaded by their users. Each face template is unique to a particular individual, in the same way that a fingerprint or voiceprint uniquely identifies one and only one person.

6. Plaintiff brings this action individually and on behalf of all others similarly situated to prevent Facebook from further violating the privacy rights of Illinois residents, and to recover statutory damages for Facebook’s unauthorized collection, storage and use of unwitting non-users’ biometrics in violation of the BIPA.

A wrinkle in this lawsuit is that the plaintiff is not, and never has been, a registered Facebook user and therefore could not have agreed to Facebook’s terms of service.

Virginia court rules fingerprint security not protected by 5th Amendment

Police can demand fingerprints but not passcodes to unlock phones, rules judge (Naked Security)

Cops can force you to unlock your phone with your fingerprint, but not with your passcode, according to a judge in the US state of Virginia.

We touched on this in early 2012 in United States: ID Technology & the Bill of Rights, which drew inspiration from a bank fraud case in Colorado.

I still think that voice-based technologies may exist in the legal gray area this case attempts to clear up.

As for fingerprints, those may be taken from persons at the time of their arrest, so it’s hard to argue that they are somehow out of bounds for investigative purposes. One may be forgiven, however, for wondering what the big deal is. After all, I’ve been reading for years that finding a latent fingerprint and using it to hack biometric security systems is child’s play. So, either the police would rather go to court than use such a simple workaround, or the rubber finger trick is much harder to pull off than some suggest.

Keeping school lunch biometrics in perspective

Maryland: Bill from Carroll senator would ban collection of students’ biometric data (Baltimore Sun)

Earlier this school year, Carroll County Public Schools had biometric scanners in place in about 10 school cafeterias, where they were used to help expedite the process of paying for school meals. Officials said the scanners would be more efficient than processing cash transactions or using a PIN keypad system.

But officials fielded complaints from some parents who felt the scanners were an invasion of privacy.

If you think biometrics for school lunch payment are bad, you’re not going to like this:

Joy Pullmann: Data mining kids crosses line (Orange County Register)

The U.S. Department of Education is investigating how public schools can collect information on “non-cognitive” student attributes, after granting itself the power to share student data across agencies without parents’ knowledge.

The feds want to use schools to catalogue “attributes, dispositions, social skills, attitudes and intrapersonal resources – independent of intellectual ability,” according to a February DOE report, all under the guise of education.

Read the whole thing.

As we’ve said before, “If schools are unable to keep data secure, biometric template information is the last thing that should concern parents.” “Secure” doesn’t really apply in the situation described above, but the observation that schools already possess very detailed information about students stands.

For the curious: This is an actual biometric template created using one finger, an off-the-shelf fingerprint reader and its freely circulated software development kit (SDK). It consists of 800 hexadecimal characters (400 bytes).

[The 800-character hexadecimal template is omitted here.]

Something similar could be used instead of a PIN for lunch purchases in Maryland schools unless the state bans the technology.

Now which is more risky to student privacy, those 800 characters which I’ve freely put online and made public, or other types of records schools routinely and uncontroversially* keep?

*Ms. Pullmann seems to find the potential sharing of information without parental knowledge and the chipping away of existing privacy protections that prevented sharing of non-academic information (including biometric information) more problematic than the fact that schools know a lot of non-cognitive details about students.

On another note, the mention of “a biometric wrap on kids’ wrists” caught my eye. Within the large and growing list of biometric modalities, I’ve never heard of wrist biometrics. I suspect that this is another example of the confusion that arises when “biometrics” and “biostatistics” are needlessly lumped together, a subject we have covered in some detail.

US: Biometrics figure in President’s immigration policy overhaul

A plan to fix immigration system (Record Online)

Obama’s plan requires people living in the U.S. illegally to register, submit biometric data, pass criminal background and national security checks, and pay fees and taxes before becoming eligible for legal status. After eight years, they would be eligible for legal permanent resident status and five years later could apply for citizenship. They enter the green card application system behind everyone else already waiting for permits. Children brought to the country illegally by their parents would be eligible for expedited citizenship if they attend college or complete two years of military service. The president also supports equal treatment of same-sex couples when one partner is from outside the U.S. That provision isn’t included in the Senate framework and may be a flash point with Republicans who oppose offering equal rights to same-sex couples.

US: Iowa bank adds biometrics into customer ID mix

Bridge Community Bank introduces in-branch biometric security (Finextra)

…[C]ustomers submit fingerprint and facial biometric data as well as their name, address, date and country of birth and gender. Tascet uses this data to generate a 16-digit ‘financial security number’ which is linked to the customer account. To identify themselves in a branch and carry out transactions, customers then provide their name and fingerprint.

This is exactly the kind of thing we predicted in the wake of Patco Construction v People’s United Bank.

[B]anks [now] have more responsibility to shield their business customers from fraud. That responsibility, however, will entail a cost that will ultimately be borne by customers in higher fees — applied directly to this case, wiring fees. But if not appealed and/or upheld, it means banks will be offering customers more security and charging higher prices, part of which will flow to security providers including biometric ID management providers.

Bridge Community Bank is in Iowa.

Court: Students cannot opt out of ID badge policy

Student Suspended for Refusing to Wear RFID Tracker Loses Lawsuit (Wired)

Sophomore Andrea Hernandez was notified in November by the Northside Independent School District in San Antonio that she won’t be able to continue attending John Jay High School unless she wears the badge around her neck. The district said the girl, who objects largely on religious grounds, would have to attend another high school that does not employ the RFID tags.

She sued, a judge tentatively halted the suspension, but changed course Tuesday after concluding that the 15-year-old’s right of religion was not breached. That’s because the district eventually agreed to accommodate the girl and allow her to remove the RFID chip while still demanding that she wear the identification like the other students.

The Hernandez family claims the badge and its chip signifies Satan, or the “Mark of the Beast” warning in Revelations 13:16-18. The girl refused the district’s offer, sued, and was represented by the Rutherford Institute.

It is clear that the public hasn’t quite come to grips with the use of ID technology in the administration of (more-or-less compulsory) public services involving children.

France severely limits biometrics for time-and-attendance

No biometrics to control working hours (CNIL)

October 23, 2012

In recent years, the control techniques used in workplaces have grown at an unprecedented pace, notably through the use of biometric devices. The CNIL therefore sought the opinion of trade unions and employers’ organizations, the General Directorate of Labour and a number of professionals on the use of this technology. The question of biometrics as a tool for managing and monitoring working hours was analyzed in light of the Data Protection Act and the Labour Code.

The Commission has always been vigilant where biometrics are concerned. Biometric data are unique and permanent, because they identify an individual on the basis of physical, biological or even behavioral characteristics (e.g. fingerprint, hand contour). They are not assigned by a third party or chosen by the person. They are produced by the body itself and designate it definitively, thereby permitting the “tracing” of individuals and their identification.

The sensitive nature of these data explains why the Data Protection Act provides for specific oversight by the CNIL, based essentially on the proportionality of the device to the objective sought, such as the management of working hours.

On 27 April 2006, the Commission adopted a single authorization (AU-007) for the implementation of biometric recognition devices based on the contour of the hand, for the purposes of access control and the management of working hours and of catering at the workplace.

Following more than a dozen hearings, a clear consensus emerged that the use of biometrics to monitor working hours is disproportionate.

Consequently, the Commission has decided to modify AU-007 insofar as it permitted the use of the hand contour for the management of working hours. From now on, no single authorization permits employees’ working hours to be monitored by a biometric device.

Transitional measures
Organizations that already use this device to monitor working hours, and that filed a commitment to comply before the publication of this new deliberation, may continue to use it for a period of five years. After that time, they must stop using the biometric function, which will not necessarily require changing the hardware: organizations can configure the device to disable the biometric function and use codes, cards and/or badges without biometrics instead. The CNIL has individually informed the organizations that previously sent a commitment to comply with AU-007.

Hand-contour devices may, however, still be used to control access to premises or to manage catering at the workplace. These processing operations may continue to be covered by a commitment to comply with AU-007.

Installing a biometric device for purposes other than those covered by AU-007 will require an application for specific authorization, which the Commission will examine on a case-by-case basis. [ed. Translated from the French original; emphasis in original]

See also: No CNIL single authorization now permits employee working hours to be monitored by a biometric hand recognition device.

It seems that France has placed some limits on biometrics for time-and-attendance, preventing new adoption and requiring a five-year phaseout for those currently using the technology.

The CNIL explicitly continues to permit hand-contour biometrics for physical access control (and workplace canteen management) under AU-007.

No example of actual “tracing” or violation of privacy is mentioned in the statement.

It appears the CNIL has preserved by law a certain degree of inefficiency in the French labor market — inefficiency that biometric technology can help reduce. So far, this is the only case of its kind that I’m aware of.

Oh well, vive la différence.

h/t:
PogoWasRight.org
@M2SYS

New European Data Protection Supervisor Opinion on Data Privacy & Biometrics

Privacy guardian wants one EU rulebook on ID databases (The Register)

“The EDPS [ed. European Data Protection Supervisor] considers that the proposed Regulation should establish a minimum set of requirements, in particular with respect to the circumstances, formats and procedures associated to security as well as the criteria, conditions and requirements, including the determination of what constitutes the state of the art in terms of security for electronic trust services,” it said.

The watchdog said that if common security requirements are not to be set out in the new laws, then provision should be put in place to allow the European Commission to “define where needed, through a selective use of delegated acts or implementing measures, the criteria, conditions and requirements for security in electronic trust services and identification schemes”.

Assistant EDPS Giovanni Buttarelli, who signed the opinion, said that the proposed new law should set out a requirement that trust service providers and electronic identification issuers should have to provide individuals who use their services with “appropriate information on the collection, communication, and retention of their data”. He added that those organisations should also have to provide individuals with “a means to control their personal data and exercise their data protection rights”.

The world can always use more Transparency and Consent.

Special attention for biometric data follows the section quoted above.

The pdf of the Supervisor’s opinion can be found here:
Opinion of the European Data Protection Supervisor on the Commission proposal for a Regulation of the European Parliament and of the Council on trust and confidence in electronic transactions in the internal market (Electronic Trust Services Regulation)

The legal status of non-scientists processing DNA

Legal hurdles threaten to slow FBI’s ‘Rapid DNA’ revolution (PC Advisor)

What’s more, the DNA Identification Act of 1994 passed by Congress gave the FBI the authority to establish its DNA index system, but didn’t envision that DNA information would be uploaded to the FBI database from a police station using Internet-connected Rapid DNA equipment. The law covers only accredited DNA labs in use today, not the mobile Rapid DNA equipment that can be operated by non-technical personnel anywhere, according to Clark Jaw, an auditor at the FBI Laboratory for the Combined DNA Index System (CODIS). It appears there needs to be a change to the DNA Identification Act to accommodate use of the new technology, he says.

See also: “Rapid” DNA: Not super rapid. Still really cool. More steak than sizzle.

Israel High Court of Justice on Biometric Database Pilot

High Court: Biometric database should be changed (Jerusalem Post)

The petitioners said the ministry should examine whether a central database was in fact needed and whether there were other options that could prevent data leaks or information theft.

Though the court rejected the petition as premature because the pilot has not yet run, Justices Miriam Naor, Hanan Melcer and Isaac Amit also accepted the petitioners’ arguments that the state must rework its planned pilot of the program to evaluate whether it is necessary to store the population’s biometric data in a single, centralized database.

The Interior Ministry has been planning for years to replace existing ID cards with ones containing biometric data, and in 2009, the Knesset approved the biometric data law that allowed the initiative to move forward.

Patco Construction v People’s United Bank is a Big Deal

Court Rules Bank’s Security Procedures Were Not Commercially Reasonable (Day Pitney LLP)

In an important decision last week, the U.S. Court of Appeals for the First Circuit held, as a matter of law, that People’s United Bank’s online banking security procedures were not commercially reasonable, even though its selected authentication technology fully complied with the Federal Financial Institutions Examination Council (FFIEC) guidelines for Authentication in an Internet Banking Environment.

This case, PATCO CONSTRUCTION COMPANY, INC. v. PEOPLE’S UNITED BANK, is a really big deal, but a little outside the scope of what we usually deal with around here.

The gist is that, with this decision, banks have more responsibility to shield their business customers from fraud. That responsibility will entail a cost that will ultimately be borne by customers in higher fees (in this case, wire transfer fees). But if the decision is not appealed, or is upheld on appeal, it means banks will be offering customers more security and charging higher prices, part of which will flow to security providers, including biometric ID management providers.

A couple of good blog posts already exist out there to bring interested readers up to speed:

Technology & Marketing Law Blog: Bank ACH Fraud Victims Get Mixed Rulings (Venkat Balasubramani – June 18, 2011). This one covers the first round and mixed decisions in two different but related cases.

Thinking About Security: Decision on Appeal of Patco v. Ocean Bank (Bill Murray – July 11, 2012). This one covers more recent news.