Illinois to revisit BIPA law?

Illinois Considering Amendments to Biometric Privacy Law (BIPA) That Would Create Major Exemptions to Its Scope (Proskauer.com)

“Biometric privacy remains an important issue, as facial recognition and other biometric technologies are increasingly in use. As such, it is desirable to find a balance between privacy and security while at the same time allowing companies to use the advances in biometrics in productive ways. Some argue that the Illinois law, in its present form, fails to strike that balance. It appears that some of the Illinois legislators have heard that argument and are trying to correct any imbalance that the law might present. Given what’s at stake, we will closely follow these legislative developments.”

Proskauer Rose, the source of the linked article, is an international law firm with offices in Chicago. The full piece has a lot of links to more information on the Illinois BIPA law. Read the whole thing, especially if you’re interested in biometrics, privacy, or in business in Illinois.

Our previous posts touching on the Illinois BIPA law can be found here.

Security and adoption of online health record access

25% of Patients Did Not Access Data Over Patient Privacy Concerns (Health IT Security)

“Using National Cancer Institute survey data, the study found that 52 percent of US citizens were offered access to an online medical record by a healthcare provider or insurer in 2017, up from 42 percent in 2014. Of those who were offered access, 53 percent viewed their records at least once in the past year.

However, of the individuals offered access to online medical record, one-quarter did not access that information because of privacy/security concerns.”

So, is it fair to imply that up to 25% more patients would access their online health record if they were more confident in the security of their access to it?

Illinois: Google faces face-rec lawsuit

Google Gets Sued Over Face Recognition, Joining Facebook And Shutterfly In Battle Over Biometric Privacy In Illinois (IBTimes)

In the latest scuffle over biometric data collection in Illinois, Google Inc. this week was hit with a lawsuit over its face-recognition technology, making Google the latest tech giant to be accused of violating an unusual state privacy law that restricts the collection and storage of so-called faceprints. Illinois and Texas are the only two states that regulate how private companies may use biometric data, and Illinois is the only state that authorizes statutory damages for violations.

Security vs Privacy discussion matures…

Roundtable: Identity and access management (SC Magazine)

It’s a line that’s hard to walk, the one between usability, security and privacy – one that might get harder and harder to walk if things keep going the way they are. Increasingly, businesses depend on personal information offered by customers, Chandler reminds us: “We’re going on to a shared business environment, where we share information in order to make the community better.” With the growth of wearables, sensors and the Internet of Things – voice-activated TVs for instance – this trend might be hard to mitigate.

Another Illinois Facebook face recognition lawsuit

Gillen v Facebook (Scribd)

Note: BIPA = Biometric Information Privacy Act

I have removed two footnotes in the original.

NATURE OF ACTION

1. Plaintiff brings this action for damages and other legal and equitable remedies resulting from the illegal actions of Facebook in collecting, storing and using Plaintiff’s and other similarly situated individuals’ biometric identifiers and biometric information (referred to collectively at times as “biometrics”) without informed written consent in violation of the BIPA.

2. The Illinois Legislature has found that “[b]iometrics are unlike other unique identifiers that are used to access finances or other sensitive information.” 740 ILCS 14/5(c). “For example, social security numbers, when compromised, can be changed. Biometrics, however, are biologically unique to the individual; therefore, once compromised, the individual has no recourse, is at heightened risk for identity theft, and is likely to withdraw from biometric-facilitated transactions.”

3. In recognition of these concerns over the security of individuals’ biometrics – particularly in the City of Chicago, which was recently selected by major national corporations as a “pilot testing site[] for new applications of biometric-facilitated financial transactions, including finger-scan technologies at grocery stores, gas stations, and school cafeterias,” 740 ILCS 14/5(b) – the Illinois Legislature enacted the BIPA, which provides, inter alia, that a private entity like Facebook may not obtain or possess an individual’s biometrics unless it: (1) informs that person in writing that biometric identifiers or information will be collected or stored, see id.; (2) informs that person in writing of the specific purpose and length of term for which such biometric identifiers or biometric information is being collected, stored and used, see id.; (3) receives a written release from the person for the collection of his or her biometric identifiers or information, see id.; and (4) publishes publicly available written retention schedules and guidelines for permanently destroying biometric identifiers and biometric information, see 740 ILCS 14/15(a).

4. In direct violation of each of the foregoing provisions of § 15(a) and § 15(b) of the BIPA, Facebook is actively collecting, storing, and using – without providing notice, obtaining informed written consent or publishing data retention policies – the biometrics of its users and unwitting non-users.

5. Specifically, Facebook has created, collected and stored over a billion “face templates” (or “face prints”) – highly detailed geometric maps of the face – from over a billion individuals, millions of whom reside in the State of Illinois. Facebook creates these templates using sophisticated facial recognition technology that extracts and analyzes data from the points and contours of faces appearing in photos uploaded by their users. Each face template is unique to a particular individual, in the same way that a fingerprint or voiceprint uniquely identifies one and only one person.

6. Plaintiff brings this action individually and on behalf of all others similarly situated to prevent Facebook from further violating the privacy rights of Illinois residents, and to recover statutory damages for Facebook’s unauthorized collection, storage and use of unwitting non-users’ biometrics in violation of the BIPA.

A wrinkle in this lawsuit is that the plaintiff is not, and never has been, a registered Facebook user and therefore could not have agreed to Facebook’s terms of service.

Microsoft, privacy and biometrics

Microsoft moves to quell Windows 10 privacy fears (Daily Nation)

According to the company’s privacy statement, some of the information collected includes “your typed and handwritten words”, emails, conversations users have with the digital assistant, Cortana, location data and selections, such as stocks a user follows in a finance app, or the team a user supports in a sports app. Articles detailing privacy concerns have appeared in The Guardian, Newsweek and the Financial Times.

In the statement supplied Monday, the company says Microsoft does not sell the information customers provide it, but makes it available to employees and third-party engineers to improve Microsoft services.

Users can choose the level of information they send to it and selectively remove the information that Cortana, the digital assistant, tracks, while no biometric data from Windows Hello is shared with third parties, the company said.

It looks like the attention Microsoft is getting for privacy concerns surrounding Windows 10 is mostly to do with default settings. It also appears that Microsoft treats biometric information differently by default, not sharing it even with trusted third-party developers.

Two of the issues, surrounding Wifi Sense and Windows Update Delivery Optimization (WUDO), are covered very well by The Hacker News, which provides simple instructions for how to address them by changing default settings.

Reading through both of the Hacker News pieces, a picture of Windows 10 emerges that shows Microsoft giving serious thought to how to make connectivity simpler with Wifi Sense while, with WUDO, making the Windows ecosystem more resilient to the security threats already out there and those that easier connectivity implies.

US: Face recognition code of conduct confab loses privacy advocates

The National Telecommunications and Information Administration (NTIA) has convened a privacy multistakeholder process regarding the commercial use of facial recognition technology. On December 3, 2013, the NTIA announced that the goal of the second multistakeholder process is to develop a voluntary, enforceable code of conduct that specifies how the Consumer Privacy Bill of Rights applies to facial recognition technology in the commercial context.

Privacy Advocates Walk Out in Protest Over U.S. Facial-Recognition Code of Conduct (The Intercept)

“At a base minimum, people should be able to walk down a public street without fear that companies they’ve never heard of are tracking their every movement — and identifying them by name – using facial recognition technology,” the privacy advocates wrote in a joint statement.

The quoted article is full of links to NTIA online resources.

An “open letter” of resignation on the part of the named privacy advocates lists their concerns here.
Concluding paragraph:

We hope that our withdrawal signals the need to reevaluate the effectiveness of multistakeholder processes in developing effective rules of the road that protect consumer privacy – and that companies will support and implement.

Ultimately, of course, these are political questions rather than technological ones, but the focus on one type of technology (facial recognition) is a little difficult to understand. If it’s wrong for a private corporation to track an unsuspecting individual’s every movement, identifying them by name, why single out facial recognition (the means) rather than the tracking (the end)?

The privacy advocates, however, have a point in their favor. The effectiveness of confabs of privacy advocates, sub-cabinet-level administrators, and corporate executives in defining a society’s scope for privacy in public should be questioned.

Also mentioned in the article is the fact that the states of Texas and Illinois have passed laws limiting the use of facial recognition technology to identify individuals in public without their affirmative consent.

Illinois: More on the Facebook facial recognition lawsuit

Facebook lawsuit calls collection of biometrics data illegal (Biometrics Update)

According to the Illinois Biometrics Information Privacy Act, it is unlawful to acquire biometric data without first providing the subject with a written disclaimer that details the purpose and length of the data collection, and without the subject’s written consent.

Read the whole thing.

Photos aren’t simply records of something that happened, mere mementos, anymore. They’re search terms and search results. That has implications for both public and private entities who collect and store images of people. Ordinary snapshots are now biometric data.

Now, about those Florida school yearbooks…

Facial recognition technology is changing how we think about photography

SCOTLAND: Cash-strapped police spend £700k on UK database (The Scotsman)

The MPs noted a “worrying” lack of government oversight and regulation of the use of biometrics by public bodies.

It called for day-to-day independent oversight of the police use of all biometrics, and for the Biometrics Commissioner’s jurisdiction to be extended beyond DNA and fingerprints.

ILLINOIS: Does Facebook’s facial recognition technology violate privacy laws? (ABA Journal)

The lawsuit, filed Wednesday, argues that the social media company was required by Illinois law to inform Carlo Licata in writing that it would collect and retain his “biometric data,” and specify when it would destroy that data.

Both Facebook and the police in Scotland have been collecting photos of individuals for years but facial recognition technology changes things. Photos aren’t simply records of something that happened, mere mementos, anymore. They’re search terms and search results.

That has implications for both public and private entities who collect and store images of people.

Ordinary snapshots are now biometric data. The news pieces above both show long-standing policies being scrutinized in the context of reliable facial recognition technology.

EPIC success

Privacy group wins $20,000 in lawsuit against FBI biometric ID program (Red Alert Politics)

Privacy advocates won a lawsuit demanding information on the FBI’s biometric identification program, “Next Generation Identification” (NGI). A federal judge has now awarded the privacy group $20,000 in legal fees and ruled that the public has an interest in obtaining information on the program, the National Journal reported.

The Electronic Privacy Information Center (EPIC) is the group that won the suit.

Virginia court rules fingerprint security not protected by 5th Amendment

Police can demand fingerprints but not passcodes to unlock phones, rules judge (Naked Security)

Cops can force you to unlock your phone with your fingerprint, but not with your passcode, according to a judge in the US state of Virginia.

We touched on this in early 2012 in United States: ID Technology & the Bill of Rights which drew inspiration from a bank fraud case in Colorado.

I still think that voice-based technologies may still exist in the legal gray area this case attempts to clear up.

As for fingerprints, those may be taken from persons at the time of their arrest, so it’s hard to argue that they are somehow out of bounds for investigative purposes. One may be forgiven, however, for wondering what’s the big deal. After all, I’ve been reading for years that finding a latent fingerprint and using it to hack biometric security systems is child’s play. So, either the police would rather go to court than use such a simple workaround, or the rubber finger trick is much harder to pull off than some suggest.

Mobile devices pose privacy risks and biometrics can help

Forget silly privacy worries – help biometrics firms make MILLIONS (The Register)

Tech firms are set to experience a biometric bonanza – as long as they can persuade ordinary folk to give up worrying about their privacy.

That’s the claim in a briefing note from “growth consulting firm” Frost & Sullivan, which suggested the number of smartphones equipped with biometric gubbins will soar from 43 million to 471 million by 2017.

This, according to the beancounters, means the biometric revenue from smart phones will increase from $53.6m in 2013 to $396.2m in 2019, amounting to an annual growth rate of 39.6 per cent.

“Due to existing hardware capabilities across devices, most of the growth is expected from facial and voice authentication technologies,” said Frost & Sullivan ICT Global Programme Director Jean-Noël Georges.

The goals of mobile device fingerprint technology are the epitome of privacy protection. Mobile fingerprint technology doesn’t spy on users and, by itself, it’s hard to see how it can create commercially valuable information for a third party to sell. It is put in place to make the “always on,” web-connected pocket computer a more secure platform from which to perform the functions financial institutions and users seem to want.

Dick Dastardly – not a banker or biometrics executive

The other two biometric technologies mentioned by the author, face and voice recognition, would perhaps be easier for a third party to abuse. The more acute risk to individual privacy associated with mobile biometrics, however, comes not from a bunch of moustache-twirling banks and biometrics companies, but from flippy birds and fuzzy bunnies, or downloaded apps accessing onboard biometric technology for no other reason than to sell on to their customers the information gleaned. But that type of privacy risk is inherent in mobile technology. With their location services, cameras, microphones, wifi, NFC and bluetooth, modern mobile devices already contain an astonishing array of sensors and communications devices waiting to be abused or used in ways consumers don’t necessarily anticipate, and that’s happening right now.

Biometrics didn’t create this situation but they might be able to help.

A modest proposal

Time to shape our biometric future (The Age)

…[W]hile biometrics are indeed an important tool and will be part of future security solutions, we cannot afford “biometric creep”, a situation in which we gradually cede our privacy. Now is the time to have the debate to determine what an acceptable biometric future will look like.

The article linked above, by a thoughtful former federal police officer, is worth reading in its entirety.

We offered a framework for this debate in the early days of this blog. The tone of the series of posts is highly academic but I don’t think they suffer because of it.

The post titles are:
Debating biometrics [Introduction]
Part I: The Right to Privacy
Part II: The Nature of Consent
Part III: Transparency
Part IV: A Framework for the Discussion of Privacy Issues
Part V: Filling in the framework; Absolute advocacy dos and don’ts
Part VI: Filling in the framework, subjectivity and interpretation

Praise for Ann Cavoukian, Privacy Commissioner of Ontario

Canada’s Global Player in the Privacy Debate (Governing.com)

To Cavoukian, the notion that personal privacy is sacrificed for the greater good — from health reporting to communications tracking — is the lazy way out. She has developed what she calls Privacy by Design, the idea that personal privacy protections and new technology advancements can actually live in harmony. “Why do we have to look at it as one interest versus another?” she asks. “I always call it the power of ‘and.’ Get rid of the word ‘versus;’ substitute the word ‘and.’ I want privacy and security.”

We have also had good things to say about Ms. Cavoukian in the past.

Data privacy in schools is about much more than biometrics

As we’ve often said before, if schools can’t be trusted with private information, biometrics aren’t the problem. It’s nice to see that education professionals take a broad view of student privacy issues.

State Lawmakers Ramp Up Attention to Data Privacy (Education Week)

As the appetite for educational data on students has grown across the K-12 sector, so has the stated desire among many state lawmakers to try to protect the privacy and security of sensitive student information.

Spurred by concerns that the rise of education technology and the increasing prevalence of new assessments will place student data in unreliable hands or be put to nefarious uses, lawmakers in dozens of states have acted this year to clarify who has what access to student data and to specify the best practices for shielding that data.

Biometrics get an undue amount of attention where child privacy issues are concerned, and they are mentioned quite a few times in the article. The article, however, is written for the education insider, so it is missing the “passion” one often finds in the techy press and political news stories.

Schools, technology, and privacy

Scrutiny in California for Software in Schools (NY Times)

A leading California lawmaker plans to introduce state legislation on Thursday that would shore up privacy and security protections for the personal information of students in elementary through high school, a move that could alter business practices across the nearly $8 billion education technology software industry.

The bill would prohibit education-related websites, online services and mobile apps for kindergartners through 12th graders from compiling, using or sharing the personal information of those students in California for any reason other than what the school intended or for product maintenance.

This strikes me as a much better approach to technology in schools than what the Florida state Senate is contemplating.

As we’ve mentioned before, the issue of privacy in schools is very much bigger than biometrics. Schools also keep academic records, behavioral records, medical records, socio-economic assessments for administering school lunch programs, home address information, counseling notes and a ton of other information that is much more sensitive than a fingerprint template consisting of a string of text characters that cannot be used to learn anything about a student. If schools are unable to keep data secure, biometric template information is the last thing that should concern parents.

Too often, news accounts use biometrics as the ultimate example of private information and the hook on which to hang all sorts of fears the reader is supposed to imagine — i.e. part of the problem — when they are actually part of the solution. Because biometrics are far superior to usernames and passwords for securing personal information, why shouldn’t all electronic access to student information be controlled biometrically?

US: Government sues energy company over biometric time clocks

U.S. sues company over miner’s religious objection to handscan (Reuters)

The Equal Opportunity Employment Commission filed a lawsuit against Consol Energy Inc, stating that Beverly Butcher Jr. had worked at the company’s coal mine in Mannington, West Virginia, for more than 35 years, until he was required to use a biometric hand scanner to track his hours.

Consol, with headquarters in Western Pennsylvania, was accused of discriminating against Butcher, who repeatedly told mining officials that using the scanner violated his Evangelical Christian beliefs, given his view of the relationship between hand-scanning technology and the mark of the beast in the New Testament’s Book of Revelation, the lawsuit said.