Biometric Information Privacy Act (BIPA) – a data protection fail?
Biometrics – fingerprints, retina scans, iris patterns, voiceprints, facial recognition features, and other uniquely identifiable human attributes – give developers the option to improve device security. As anyone who has Touch ID or Face ID services enabled on their smartphone will know, biometrics are convenient for unlocking your device or authorizing a payment. Users don’t need to remember a fingerprint, for example, and modern data capture methods are quick and easy to use. But, as Illinois’ Biometric Information Privacy Act (BPIA) points out, biometrics are different from other unique identifiers such as passwords or social security numbers.
Users can’t easily reset their biological information. And when the Biometric Information Privacy Act was passed in 2008, concern was growing about what would happen if biometric data was compromised and fell into the hands of bad actors. At the time, individuals had no recourse if their biometric data was stolen, and state legislators agreed that some form of protection should be put in place. Pilot studies showed that biometrics are successful in combating fraud, and the use of finger-scanning technologies was growing to secure financial transactions. But the fear was that if users had no recourse for incidents of identity theft, they would withdraw from using biometric systems and progress in fighting financial crime and other fraudulent activity could stall.
And before we dig into the weeds of where things went wrong, it’s worth celebrating the progress that’s been made in the use of biometrics. On TechHQ, we’ve highlighted how voiceprints that incorporate hundreds of other identity signals, such as the cadence at which users enter their details on a keypad, can out-perform conventional knowledge-based authentication (KBA) screening questions used widely by contact centers to secure customer accounts.
Biometrics are useful authentication tools, but they are not secrets, and developers should take that into account when incorporating them into designs. And, as we’ve written previously, if you’re relying on biometrics to possess the characteristics of a key – to be secret, to be random, have the ability to be updated, or reset – then you’re staring at a major security problem.
Class action concerns
The issue with Illinois’ Biometric Information Privacy Act (BIPA) turned out not to be a security problem, as examples of biometric data falling into the hands of bad actors and being misused are hard to find. What happened instead, is that the legislation has backfired. Rather than nurture the adoption of biometrics to combat fraud, the act, in effect, deters companies from using biometric technology. And the reason for firms to hesitate before implementing biometrics is the rise of multi-million dollar class actions such as those faced by Google and Facebook.
BIPA is unusual in that a private cause of action can be brought for violations, making it relatively straightforward for owners of biometric data to seek damages. Class actions, which group claimants who believe that their biometric data has been mishandled, can send the potential damages faced by firms sky-high. And companies that use biometric technology could be subjected to fines totalling hundreds of millions of dollars.
Pushing up the number of claims was a key decision made by the Illinois Supreme Court in 2019, which held that victims didn’t have to show that any harm had been caused through mishandling of their biometric data. The test case involved a child who’d had his thumbprint scanned and stored by an amusement park to ride the various attractions using a ticketless pass.
Illinois’ Biometric Information Privacy Act (BIPA) requires consent from subjects, or their legally authorized representatives, for the collection and storage of biometric data. And operators must make it clear to subjects – for example, customers or employees – that a biometric identifier or biometric information is being collected or stored, and the specific reason for its use, as well as the length of time that the data will be stored.
Facebook was judged to have fallen foul of the legislation when a class action was brought against the social media giant, which ‘claimed Facebook collected and stored the biometric data of Facebook users in Illinois without the proper notice and consent in violation of Illinois law as part of its “Tag Suggestions” feature and other features involving facial recognition technology’. Facebook, which denies it violated any law, agreed to pay USD 550 million to settle the privacy lawsuit.
Time to reconsider
And, if Facebook’s experience didn’t make companies think twice about using biometric technology, then the prospect of even larger fines could be the final straw. Businesses are urging the Illinois Supreme Court to reconsider a recent decision that appears to pave the way for claimants to pursue separate cases for each time that biometric data is collected or transmitted. Separating each fingerprint scan, for example, into a separate claim would, as observers have noted, result in “annihilative liability” for businesses.
“These results are absurd,” Lauren Daming, an attorney at US law firm Greensfelder, told TechHQ. “It’s time for legislators to step up and make some changes.” BIPA was intended to protect consumers from biometrics getting into the hands of bad actors, not to drive companies out of business. What’s worse is that the legislation is a pathfinder for biometric information privacy. Currently, aside from Illinois, there are only two other states that have biometric privacy laws – Texas and Washington – so it’s important for issues to be resolved before BIPA serves as a blueprint more widely.