Biometrics and Privacy Laws
NOTE: This is a reprint of an article originally published by Alex Kilpatrick in December 2017 on a different blog. We are reposting them on the Blink Identity blog because these issues are important and we want to keep our writing on these issues in one place.
Illinois was one of the first states to implement a biometrics law, way back in 2008. The law actually makes a lot of sense. It basically says that use of biometric data requires written consent (opt-in) and that companies can't profit from biometric data. We have always believed that the use of biometrics should be voluntary and transparent.
In Illinois, a number of companies are currently being sued for misuse of biometrics collected from employees for time-clocks. I don't want to speak to the merits of the lawsuit because I am not qualified. However, there are a few interesting points about biometrics that are worth examining. First of all, biometrics are a good match for a time-clock application. They are inexpensive, quick, easy-to-use and more than reliable enough for a company-sized background database. They solve one of the main problems of time-clocks, namely that employees can punch in for another employee (buddy punching) which costs employers $373 Million per year. Verifying someone's identity is the perfect sweet spot for biometrics.
However, the article does bring up a number of confusing factors. First, they highlight a Fear, Uncertainty and Doubt (FUD) aspect of biometrics - namely that if someone steals your fingerprints, they can pretend to be you and since you can't "revoke" your fingerprints, you will not be able to recover from the theft. While this is technically true, it is misleading and not really the fault of biometrics. First, spoofing biometrics is far from trivial. Second, you leave your fingerprints everywhere, so if someone wants to steal them they don't have to hack an employee time card system. Third, biometric systems don't store images of your fingerprints, they store mathematical templates, which can't be used to generate an image of a fingerprint. Finally, even if they were able to steal your fingerprints it shouldn't matter. No high security system should rely on biometrics alone (single factor) - they should use at least two factors such as a fingerprint plus a PIN.
One of the defendants in the lawsuit said the following:
“In a June filing, Roundy’s denies its time clock system uses what the Illinois act considers biometric data. It admits that its “system identifies employees using a scan of a portion of an employee’s finger” but denies that an entire fingerprint is used.”
This is actually a pretty weak defense. I suspect a biometric time-clock used biometric data so I seriously doubt their first claim. Their second claim is weak as well. It doesn't really matter that the system uses a "portion" of the fingerprint because a portion (depending on size) can easily be just as identifiable as an entire fingerprint. That's why crime scene latent prints (partial fingerprint) are used in criminal convictions all the time. It would have been far better for the defendant to make the correct claim that they don't store fingerprints at all - just templates. Therefore they can't be selling fingerprints to other entities because they don't have them.
I believe these kinds of issues will settle out over time. Biometrics will not go away - they are too valuable of a technology in a world where we are more and more worried about establishing identities of people. However, the simple solution of enforcing a single, transparent use for a particular biometric application solves these problems quite well, preserving both strong biometric identification and user privacy free from uncontrolled data sharing.