Privacy advocates cheered when Illinois passed its Biometric Information Privacy Act (BIPA) in 2008 regulating commercial use of finger, iris, and facial scans. With companies such as Facebook Inc. and Google Inc. developing facial tagging technology, it was clear that laws would be needed to ensure companies didn’t collect and use biometric data in ways that compromised an individual’s right to privacy. If you lose your credit card, it’s easily replaced. But what happens when a company loses, or tries to profit from, your fingerprint?
Although the Illinois law was seen as a possible model for other states, aggressive lobbying by companies most interested in gathering biometrics has reshaped or killed similar efforts across the country. Only two other states have enacted biometric privacy laws—Texas, in 2009, and Washington, in May. Bills introduced in eight other states didn’t pass, leaving a regulatory chasm over data privacy across the U. In some states, like New York, agreeing on even a basic definition of biometrics to include in the proposals was a challenge. Congress and the White House remain committed to using biometrics in the interest of intelligence gathering and national security, while retail regulation has been limited to best practices’ guidance by the Federal Trade Commission.
The Washington law might be the best example of industry pushback on attempts to regulate biometric data. The measure, which takes effect on July 23, is a watered-down version of BIPA, at best, says Alvaro Bedoya, executive director of Georgetown Law’s Center on Privacy & Technology. It places fewer limits on the use of biometric data than BIPA while narrowing consumer consent requirements and allowing certain exemptions for images already online.
A law like Washington’s “hurts everyone,” says Pam Dixon, executive director of the World Privacy Forum in San Diego, and is “useless.” Adam Scwartz, staff attorney with the Electronic Frontier Foundation in San Francisco, describes it as “a facial recognition law that doesn’t protect people from facial recognition. … There are companies whose business model is collecting biometric information without consumer consent.”
Jeff Morris, the state representative who sponsored the Washington bill, says balancing consumer privacy with the rights of companies that develop new technologies—crucial, given the number of tech companies in the state—was a challenge. “One of the things that was tough was this juxtaposition about being tech neutral and businesses being able to evolve. It took three years to get there,” he says.
Industry groups representing the likes of Google, Facebook, Amazon., and Wal-Mart Stores Inc. have used various arguments to defeat or weaken proposals. The lobbyists point to what they say are practical benefits in using facial recognition, allowing them to develop new technologies for marketing and security. Strict laws can even encourage fraud, some industry groups say, because businesses will avoid using biometric data for fraud and security detection purposes. That carries a “huge risk of costly class action,” according to a letter from a five-member coalition that successfully lobbied this spring to defeat a Montana bill. That measure, the group said, “imposes highly specific notice and consent requirements that would make it unworkable to obtain consent for positive users of biometric data.”The Illinois law caught the industry off-guard in 2008 when a company called Pay By Touch, possessing a mountain of fingerprint data, filed for bankruptcy. When the company considered liquidating its assets, including its biometric database, alarm bells over data privacy went off from Chicago to the capital in Springfield, prompting the state’s general assembly to pass BIPA. It quickly became a thorn in the side of the nation’s tech giants and spurred several lawsuits.
Three cases filed against Facebook have fought to limit the company’s use of its facial tagging tool, claiming the social media giant “secretly amassed the world’s largest privately held database of consumer biometric data.” As the plaintiffs’ case cleared procedural hurdles in court, Facebook’s representatives lobbied a long-serving Illinois state senator to propose an amendment to rewrite BIPA. While the amendment was ultimately withdrawn, the industry’s plan to influence regulation became evident. Facebook did not respond to a request for comment.
Meanwhile, companies such as Apple Inc. are making greater use of biometrics. The company is working on a way for iPhone users to unlock devices using their face. Amazon Web Services Inc. has an image-matching software that recognizes objects, faces, and themes. It makes a database of billions of images available to customers, mostly security companies and marketers. An Apple spokesman declined to comment; Amazon did not respond to a request for comment.
Georgetown’s Bedoya fears regulation won’t be approved until it’s too late—once a company has already connected all of the photos on the internet and linked them to facial recognition technology. “Once that happens, someone’s son or daughter is going to be identified by a stranger while walking through the mall or grocery store or just on their way to school,” he says. “That’s when Congress and legislatures will wake up to the fact that we’re not ready for this technology.
0 comments:
Post a Comment