| LXBN | June 9, 2016
Almost all new cell phones come equipped with some
sort of fingerprint scanner, aimed to help users secure their phones so they
can keep their files, finances, and data to themselves. It’s time we start
protecting that.
The password is increasingly cited as insecure (even Mark Zuckerberg
isn’t safe from password hackers), and the social security
system was never designed to be secure in the first place. Fingerprints are difficult to steal, and
they are literally at a user’s fingertips at any point in time; they’re the
perfect password successor. Of course, that’s if there’s a system in place to
keep them safe.
Until now the most lasting and ubiquitous
means of authentication has been social security numbers. But social
security numbers face a difficult quandary: Currently they are used as both
identifiers and authenticators. The things which keep us secure (like PIN codes or
passwords) are supposed to be private, not used as a way for us to identify
ourselves. And yet, these numbers are routinely used with cell phone companies,
cable providers, and more to help verify users. Many states
have stepped up to help restrict the use and retain the privacy of social security numbers. Now
it might be time that fingerprints, and other biometric data, get the same
treatment.
Currently users have very limited options for
protecting their biometric data. The most talked about
protections are in Illinois, where amendments to
the state’s Personal Information Protection Act (PIPA) that take effect January 1, 2017 will expand the
definition of “personal information” to include medical information, health
insurance information, or unique biometric data. Texas has a comparable law, which similarly
covers “biometric identifiers” to include retina and iris scans, fingerprints, voiceprints, hand
geometry, and face geometry. Illinois also features the Biometric
Information Privacy Act (BIPA) which since 2008 has required companies to get a
person’s explicit consent before a company can make a scan of their body (and
features a publishing
schedule for destroying that information).
And according to David Almeida, Laura Jehl and Paul Werner from Eye on Privacy, the law has caught a lot of high profile
flies in its web—increasingly so, as of late:
Over
the last year, more than a half dozen class action lawsuits have been filed
under the BIPA. Google, Shutterfly and a handful of social media companies have
each been sued over the alleged use of facial geometry recognition software
used for photo tagging. Palm Beach Tan and LA Tan were each sued over the
alleged use of fingerprint data to act as a membership card, and Smarte Carte
was sued over the alleged use of fingerprint security technology to lock and
unlock lockers. Daycare company Crème de la Crème was sued recently over the
alleged use of fingerprint technology to ensure the secure pickup of children.
…Expect
the growth in BIPA class actions to continue. Not only will use of biometric
data by tech and other companies continue to grow as new services and product
offerings come online, but the variety of defendants already facing BIPA claims
– including the recent lawsuit against the Crème de la Crème daycare company –
suggests that plaintiffs’ counsel have broadened their focus from the tech
industry and may assert claims against employers, childcare facilities,
healthcare companies and the financial services industry. Whether it is
businesses protecting trade secrets through fingerprint access, childcare
facilities using fingerprint technology for secure child pickup, health
insurers collecting biometrics outside of the treatment setting or banks using fingerprints
for account access, the list of possible defendants is extensive.
According to them, there’s only going to
be an influx of litigation under statutes like this one as biometric data use
and collection increases.
Which is good because biometric data
collection is happening everywhere these days: the church, your apps, the corner store, social media
sites. Even the government
is getting in on the action. Essentially data collection is coming
from all sides, and people are starting to fear that attacks on these
protections are too.
Last month reports started rolling in of a
proposed amendment to BIPA that would rule out scans of preexisting
photography, which would conveniently
wipe out three lawsuits brought against Snapchat, Facebook, and Google Photos and possibly even shape
legislation and litigation in other states that have or are contemplating laws like BIPA. The amendment did
not survive, but advocates worry that it’s only one part of a
bigger trend. This week, the EFF weighed in by reporting on the danger of corporate
facial recognition technology, right after they released a report of
tattoo recognition research from the FBI and NIST that “threatens free speech and
privacy.”
“The future of biometric privacy will
require all of our constant vigilance,” said the EFF in their article on the
subject. “We must enact and enforce new statutes, at the federal and state
levels, requiring private groups to obtain consent before subjecting us to
facial recognition technologies or otherwise collecting our biometric
identifiers…Most
importantly, we must ensure that future generations enjoy the anonymity of
crowded places. People should be free to go about their business in public
areas without businesses using their faces, without their permission, to
automatically track where they are going and what they are doing.”
And that’s a point that’s more important
than strictly privacy concerns. Social security numbers and passwords can be
changed—perhaps laboriously, but ultimately breaches can be remedied. The same
is not as easily said for a fingerprint or iris scan. It’s part of the appeal,
and part of what makes a potential breach so daunting. Protecting the security
of biometric identifiers is about more than just privacy concerns. It’s
quite literally personal security at stake.