Civil rights groups, including the EFF, ACLU, EPIC, CDT, Chicago Alliance Against Sexual Exploitation, PIRG and Lucy Parsons Labs, have filed an amicus brief with the Illinois Supreme Court asking it to maintain the privacy protections of the Illinois Biometric Information Privacy Act (BIPA).
Rosenbach vs. Six Flags
The brief was filed in a case involving Alexander Rosenbach, an adolescent who accused the Six Flags amusement park of scanning and storing his fingerprint without written consent. Before the case reached the Illinois Supreme Court, an appeals court ruled that Rosenbach didn’t have any standing to sue because Six Flags collecting his fingerprint didn’t cause Rosenbach any harm.
However, the EFF and its fellow amici argued that BIPA gives “any person aggrieved by a violation of this Act” the right to sue the companies that violated the law. The state's Supreme Court must now decide whether Rosenbach was “aggrieved” by the collection of his fingerprint without opt-in consent, or whether he needed to show additional injury.
The civil rights groups claim that this action by Six Flags was, indeed, a grave violation of Rosenbach’s privacy rights in Illinois, the state which passed the first biometric privacy law in 2008. BIPA is also the same law that Google and Facebook are now trying to kill.
Biometric Collection: A Growing Privacy Risk
EFF argued that biometric collection is a growing menace to people’s privacy rights, because often this sort of information can be captured at a distance, whether we’re talking about photos, voice, or even fingerprints. It’s why some experts believe biometric information shouldn’t be used as a password, but as a username.
The argument is that if someone steals biometric information that serves as a username, there’s only so much they can do with it as it’s currently implemented on smartphones and laptops, compared to if people used biometric details as a password.
The EFF also argued that other privacy laws that require explicit consent before giving a company biometric or other kinds of sensitive or personal data will soon join the BIPA. Furthermore, allowing lawsuits against companies that violate these laws would be an effective way to ensure their enforcement.
Exploiting Love for Biometric Authentication
Many companies and governments have already started taking advantage of biometric authentication's popularity. They tend to act as if people getting on board with storing cryptographic hashes of their fingerprints in hardware security modules in devices will automatically be okay with having their raw fingerprint data stored in centralized databases on potentially unsecured servers. However, unlike with account passwords, which can be changed if they are stolen, once fingerprint data is stolen a user is unable to "change" their fingerprint. Technically, if someone steals your fingerprint you shouldn’t use that fingerprint for authentication ever again.
The issue is similar to how people use Social Security Numbers (SSNs). SSNs were supposed to serve as usernames but ended up being used as a form of password for certain services. Now that virtually all Americans have had their SSNs exposed in various data breaches, including the Equifax data breach, they are at high risk of identity fraud.