The main focus of class in week four was the use of
biometric identification systems and the privacy concerns implicated by the use
of this technology. In current events, the FTC
has recently announced improvements to their identitytheft.gov site. Among the
improvements made is the provision of “easy-to-use tools” to help victims of
identity theft notify the correct people/agencies to mitigate the damage of the
theft. The
FTC has also recently announced that it has approved “face match to
verified photo identification” as a means of verifying that a person consenting
to a child’s use of an online service is indeed the child’s parent. These
developments underscore the importance of this week’s topic on the increasing
use of biometrics and raise the question of what the ramifications would be if
biometric data were part of identity information stolen.
The Question of the Week asked if businesses should be required to obtain a person’s consent, express or
implied, before using facial recognition technology. The class “vote” was 4-2
in favor of requiring businesses to obtain some form of consent before using
facial recognition technology. Among the issues discussed were:
· The difficulties with obtaining consent via
notice in all circumstances. In some cases by the time someone is notified and
can consent their biometric data may already have been captured.
· The purposes for the use of facial
recognition technology that would require consent. Among the purposes discussed
were security, marketing, customer service, and tracking someone’s movements.
· Much of the class discussion revolved around
the example of Facebook’s use of facial recognition software for “tag suggestions,”
and what the privacy implications of the use of this feature are. Among the
issues considered were:
1. The fact that many people would opt not to use Facebook if they were required to give
their fingerprints, yet the use of the facial recognition software does not
seem to have the same effect.
2. Whether Facebook should be required to delete the facial recognition data of someone
who has closed their account or opted out of the tagging feature. Some of the
considerations discussed were the potential for the theft of the data and the
implications of the government potentially having access to that information.
· Finally, we considered the privacy
implications of the app, Screen Tap, which uses facial recognition software but
claims that it does not identify individuals. Questions the bar owners might
want to consider include:
· Does the app ID people?
· Who has access to the data?
· Is the info retained and if so how long?
· How is the information protected?
· Does there have to be notice that this technology is being used?
· How is the information used (i.e. any coordination with law enforcement)?
· Is this information going to be used for marketing purposes (difficult if they aren’t ID’ing individuals)?
Mike’s post considered the privacy implications of the increased use of biometric
technology. In class, we discussed Illinois’ BIPA, which seeks to regulate the
commercial use of biometrics. BIPA creates a private right of action for those
whose biometrics are used in violation of the statute. This act doesn’t attempt
to prohibit collection of biometrics, but attempts to regulate their use in an
effort to address privacy concerns. It was noted that BIPA does not apply to
the government, but to commercial actors. An inconsistency in BIPA was pointed
out, as the statute initially says that photographs are not considered a
biometric identifier but later says that biometric information means any
information, no matter how it is captured, based on an individual’s biometric identifier.
Finally, we discussed the following eight areas of privacy
concerns raised by the use of biometrics:
1. Collection
2. Storage and retention
3. Usage
4. Access
5. Data security
6. Data errors
7. Regulation/compliance
8. Protections against “big brother”
Overall, one of the biggest takeaways for me this week is
how widespread the use of biometrics for commercial purposes is and what some
of the apps are that use this technology. Additionally, the existence of BIPA
and the litigation arising under it is something that I was not aware of. I will
be interested in seeing how the statute is interpreted in the Shutterfly case
and the implications of that decision for the commercial regulation of biometrics.
One minor correction: The app utilizing facial recognition for bars is named "SceneTap;" not Screen Tap.