By Alexandra M. Franco, Esq.
What do tanning salons, amusement parks, Asian food restaurants, airlines and the FBI have in common? They all collect people’s biometric information.
What is biometric information? The most well-known form of biometric information are people’s fingerprints—perhaps because TV shows and movies have disseminated the knowledge that fingerprints have historically been law enforcement agencies’ biometric identifiers of choice.
But fingerprints are just one type of biometric information that can be collected from a person. Stand up and look into the mirror. Do you see the angles between the different points in your face? Do you notice the particular distance between the end of your nose and the top of your upper lip? Your facial geometry is unlike any other human’s. Now, look closer; take a look at your iris—the colored part of your eye that surrounds the pupil. Do you see all of those little dots, streaks and swirls of different color shades? Those intricate patterns within your irises are as unique to you as your fingerprints. How about the white part of your eye? The retina is home to many tiny blood vessels, the shapes of which are also unique to you.
All of these are your biometric identifiers. Your biometric identifiers cannot be found on any other human on earth, and are a part of you until the day you die.
This is what has made fingerprints so important for law enforcement. Fingerprints allow police agencies to keep accurate records of the people they arrest—whether or not they give the police a false name or are carrying a false identification. Those who commit crimes are also likely to leave fingerprints in a crime scene, also making fingerprints essential in identifying a criminal in a case.
So far, we have entrusted law enforcement and other government agencies to collect our fingerprints because: (1) we trust these entities to keep this information safe (more on this later); and (2) because the societal benefit of doing so for law enforcement and security purposes is significant. Nevertheless, when collected, biometric identifiers become the most sensitive type of data that can be collected about a person. If someone hacks into a database and steals your fingerprints, they can use them to steal your identity in the same way someone who obtains your social security number can steal your identity. However, unlike a social security number that has been stolen, you cannot change your fingerprints. You cannot alter the patterns within your irises. Your biometric data is a permanent part of who you are.
Today, the collection of biometric data has grown exponentially outside of law enforcement agencies. For example, some employers now collect employees’ fingerprints to set up fingerprint access to work areas. Some may argue that depending on the type of work done at these places, fingerprint access may be warranted and more secure—in lieu of another method such as a passcode entry box or a key card entry box.
The problem is that businesses’ use of biometric data is increasing beyond the simple fingerprint entry access. Unfortunately, companies are beginning to think about biometric data in the same way in which we think of physical keys, key fobs, or even retail loyalty cards—as mere tools to make business practices more efficient. These businesses often portray these practices as a perk for costumers. Would you like to skip the line to order your favorite stir fry? Let us scan your face! Do you want the freedom to use any of our tanning salon locations? Cool! Let us have your fingerprints. As a result of this conceptual cheapening of biometric data, the collection and storage of people’s biometric identifiers has exploded out of control in recent years, as businesses are embracing their use as part of their business models.
But there is a difference between collecting and storing people’s biometric data for law enforcement and security purposes and doing so as part of private business models. The collection and storage of biometric data for business gain can have disastrous and irreversible consequences for people.
The best example to illustrate the potential dangers from this new trend is the recent announcement by United Airlines that it is working with Clear—a company that sells biometric technologies to airlines and stadiums—to implement iris and fingerprint scanners at Chicago’s O’Hare airport’s security checkpoints. On a July 29, 2019 interview for WBEZ’s “All Things Considered” newscast, United promoted its new business practice as an exciting new perk for its customers: “Not only do you get the benefit of not having to take out your ID but you also get the benefit of going right in front of the security lane.” The Wall Street Journal reported the service to usually cost $179, but United noted that it would offer discounts to some of its customers and “enroll its top-tier frequent fliers free of charge.”
The information that United has provided raises significant questions. For example, what specific steps will United take to ensure that the biometric data it collects through Clear will be adequately protected from a breach? Clear’s evasive statement to the WSJ as to this issue was that it “has never had a breach” as if a past streak of good luck were an automatic assurance to a certain future.
A mere day after United’s enthusiastic announcement of its new biometric venture, the news broke about Capital One having been breached in an attack where a hacker obtained “access to 100 million Capital One credit card applications and accounts” in one of the worst data breaches in history. The number of data breaches happening each year continues to grow. Heck, not even the U.S. Government can prevent data breaches.
Clear also claims that it does not share or sell people’s biometric data. That’s great. Will it continue to never share or sell that data? What about if Clear decides to change this particular policy in the future? In such case Clear could present a customer who has a few minutes to run and catch her United flight with a long and dense, digital “Notice of Policy Change” and nifty little box to check that says “I have read and accept the terms and conditions in the Notice of Policy Change.” That is, if Clear and/or United feel magnanimous enough to give any notice to their customers at all.
This leads yet to another issue. Illinois is one of the few states with legislation—the Biometric Information Privacy Act—which among other things, requires businesses who wish to collect people’s biometric data provide those people with detailed information about the security measures it takes to store and dispose of the data before collecting it. This is so that people giving up their fingerprints and iris scans to avoid the oh-so-terrible hassle of taking out their ID at the airport security checkpoint, understand the benefits and risks in agreeing to give up their data. The issue is once more, that passengers will be presented with the familiar “I have read and accept the Notice of Privacy and Data Security” check box, without reading or understanding the implications of their actions.
Even more issues arise from United’s “partnership” with Clear. First, as the WSJ reported, United has actually obtained an ownership stake in Clear. This creates a clear (no pun intended) conflict of interest. In light of this conflict, can United ensure that it will conduct a strict oversight of Clear’s data collection and storage practices? Can United guarantee to do everything in its power to address, remedy and timely notify customers in the case of a hypothetical future breach even if doing so will harm its bottom line?
The second issue from United’s “partnership” with Clear has to do with Clear’s claim that it does not share customers’ data. Delta—another airline using Clear’s technology—also has an equity stake in Clear. Although Clear claims not to share its customers’ information, it is not clear (again, no pun intended) if this policy applies to absolutely everyone under the sun or just anyone so long as they don’t have an ownership stake in Clear. Do companies that have purchased equity in Clear get to look at and share customers’ information with one another? Clear does not sell or share the data, but will United and Delta do it?
It would behoove United and Clear to answer these questions to their customers. It’s already bad enough that United is marketing its new biometric collection business model as a perk for customers who get it free or at a reduced rate—that is, those who don’t get charged the whooping $179 for the privilege. Of course, what United and Clear don’t tell customers is that the data they collect will likely bring these companies significant economic gain; people’s data is inherently—and greatly—valuable to those who collect it. It is valuable enough for companies to offer people chump change to lure them to give it up.
The risks presented by the indiscriminate collection of biometric data are significant. This is due to the extremely sensitive nature of biometric data and what can occur when it is misused, which can range from identity theft to being implicated in a crime you did not commit—facial recognition technology is particularly imprecise when it comes to anyone who is not a white male. Further, an era in which people’s biometric information can be used to track their movements, the places they visit—from gas stations to addiction treatment centers—and even the products they look at in a store, the issue of data sharing and selling is of significant importance for people’s privacy. In 2016, I wrote a blog considering the implications of using facial scans to track people’s attendance in churches. The persistent, continuous and increasing collection and sharing of people’s biometric information for any purpose has connotations beyond data security and privacy which we may not even consider yet. Is it worth to give up one of the most essential aspects of your humanity to enter an airport lounge? In the era of data breaches, artificial intelligence and deepfakes, the answer to that question will likely determine the future of these technologies and how they will shape our society in the years to come.
Meanwhile, in considering whether to give up your fingerprint for a lounge pass to an airline which has come under fire in the recent past for the unfortunate effects of its “established procedures” on customers, it is worth remembering this: if your social security number is stolen, you can change it—yes, the process is painful and tortuous even, but the point is that it can be done.
You cannot ever change your fingerprints.
Alexandra M. Franco is a Visiting Assistant Professor at IIT Chicago-Kent College of Law and an Affiliated Scholar with IIT Chicago-Kent’s Institute for Science, Law and Technology.