Civil Rights Groups Fight to Keep Illinois' Biometric Privacy Law

Civil rights groups, including the EFF, ACLUEPIC, CDT, Chicago Alliance Against Sexual Exploitation, PIRG and Lucy Parsons Labs have filed an amicus with the Supreme Court in Illinois asking it to maintain the privacy protections of the Illinois Biometric Information Privacy Act (BIPA).  

Rosenbach vs. Six Flags

The brief was filed in a case involving Alexander Rosenbach, an adolescent who accused the Six Flags amusement park of scanning and storing his fingerprint without written consent. Before the case reached the Illinois Supreme Court, an appeals court ruled that Rosenbach didn’t have any standing to sue because Six Flags collecting his fingerprint didn’t cause Rosenbach any harm.

However, the EFF and its fellow amici argued that BIPA provides “any person aggrieved by a violation of this Act” the right to sue the companies that violated the law. The state's Supreme Court must now decide whether or not Rosenbach was “aggrieved” by the collection of his fingerprint without opt-in consent, or whether or not he needed to show additional injury.

The civil rights groups claim that this action by Six Flags was, indeed, a grave violation of Rosenbach’s privacy rights in Illinois, the state which passed the first biometric privacy law in 2008. BIPA is also the same law that Google and Facebook are now trying to kill.

Biometric Collection: A Growing Privacy Risk

EFF argued that biometric collection is a growing menace to people’s privacy rights, because often this sort of information can be captured at a distance, whether we’re talking about photos, voice, or even fingerprints. It’s why some experts believe biometric information shouldn’t be used as a password, but as a username.

The argument is that if someone steals biometric information that’s serves as a username, there’s only so much they can do with it as it’s currently implemented on smartphones and laptops, compared to if people used biometric details as a password.

The EFF also argued that other privacy laws that require explicit consent before giving a company biometric or other kinds of sensitive or personal data will soon join the BIPA. Furthermore, allowing lawsuits against companies that violate these laws would be an effective way to ensure their enforcement.

Exploiting Love for Biometric Authentication

Many companies and governments have already started taking advantage of biometric authentication's popularity. They tend to act as if people getting on board with storing cryptographic hashes of their fingerprints in hardware security modules in devices will automatically be okay with having their raw fingerprint data stored in centralized databases on potentially unsecured servers. However, unlike with account passwords, which can be changed if they are stolen, once fingerprint data is stolen a user is unable to "change" their fingerprint. Technically, if someone steals your fingerprint you shouldn’t use that fingerprint for authentication ever again.

The issue is similar to how people use Social Security Numbers (SSNs). SSNs were supposed to serve as usernames but ended up being used as a form of password for certain services. Now that virtually all Americans have had their SSNs exposed in various data breaches, including the Equifax data breach, they are at high-risk of identify fraud.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • chrisbryant
    I'm completely on the side of the EFF and other groups on this (being transparent, I'm an EFF member). First, since court cases are all about setting and acknowledging precedent, this particular case must be found in favor of the adolescent or future cases may not bode well for the future of personal privacy. Second, there is a litmus test here that would easily sway public opinion if by some chance they weren't sure Six Flags was in the wrong. It goes like this: Can you unlock your phone with your fingerprint? If you answered yes, then did you set that up in the expectation only you can then open your phone? If you answered yes to that, how would you feel if I told you that someone with a bio-metric record of your fingerprint could ALSO open your phone - without asking you for permission to do so? On top of that, what if you signed a waiver to that information that would cause you to lose in court if someone had that fingerprint, but had your written permission to have it, and use it? Now, if you read the fine print on agreements you are presented with when engaging in a bio-metric handover, they are probably not so vague as to suggest they are not liable if someone then uses that information to hack your phone. But by even suggesting a company CAN be in the right in obtaining such data in this way (as Six Flags did), you are now opening the door to a flood of vague and dangerously fluid end-user agreements that could clear large companies of liability in the event your phone (or worse) get hacked with your fingerprint. Please pay attention to this case. Let's not start setting precedent for the devaluing of our most valuable security assets.
  • 10tacle
    Anyway, back on topic (again for a SECOND time), I had another thought: I wonder what Illinois' state law says about mobile phone companies storing fingerprint readers for locking a smart phone. Law enforcement can, at least in my state, subpoena said smart phone and access to it by all means necessary including forcing the subpoenaed individual to unlock it with his/her finger. It is no different than confiscating laptops and computers for an investigation and accessing their hard drives for data retrieval. All it takes is for a judge to sign the subpoena. If you do not comply, you can face prison for obstruction of justice. Finally, I can see this going to the Supreme Court if the state of Illinois attempts to block a federal investigation.
  • ubercake
    Once your biometric data is hacked, what's left to prove who you are?