Be Careful: Criminals and Corporations, Too, Want Your Biometric Data
Even Play-Doh fingerprints can fool your iPhone.
Joseph D. Leckenby
Phil Schiller, a member of Apple’s executive team, unveils the Face ID feature at the company’s 2017 keynote event. Photo.
When unlocking a cell phone these days, one does not need a password: Facial recognition or a fingerprint scan suffices. Called biometric data and used by millions of Americans every day, this nascent form of personal data uses physical or behavioral characteristics unique to each individual to grant users system access. Statista found that “over 75 percent of U.S. consumers have used some sort of biometric technology,” and even “IT professionals view the technology as one of the most secure forms of authentication available.” While biometric data provides users with a myriad of benefits to consumers, including user confidence, it also promotes certain risks that must be reviewed to ensure consumer safety.
One way that biometric data differs from other forms of personal data, such as a password or Social Security number, is that it is not easily replaced. One cannot change the unique nature of fingerprints, irises, retinae, or voice cadences. If someone’s body parts can be technologically exploited against them, biometric data becomes not only a critical privacy issue but an extreme security risk.
With biometric data, users hold the keys to information accessibility in their hands all day, every day. This unique ownership reassures consumers of their data security. But what if an unauthorized malicious actor owned those keys too?
That technology is not perfect extends to biometric data as well. For instance, by holding up a photograph to a facial-recognition scanner, one can trick it into believing that the user’s face in the photograph is authentic, and not a person merely in possession of the user’s photograph.
Take Play-Doh for instance. The classic children’s toy can be used to make molds of fingerprints, which can fool biometric fingerprint scanners into granting unauthorized users access to sensitive, biometrically protected information. And Play-Doh might play nice, but others… not so much.
Out of India, there have been at least two instances of fingerprint-biometric cybercrime this past June. In one incident, cybercriminals exploited Indians’ fear of the COVID-19 pandemic and deceived them into downloading fraudulent oximeter applications, ultimately stealing biometric data. In another case, by spending just 10 rupees (about 10 cents) per fingerprint, criminals were able to clone victims’ fingerprints onto rubber stamps. They’d then use these stamps to access online wallets, stealing their victims’ money. Both of these incidents show the ease — and in many cases the low costs — with which cybercriminals exploit biometric data.
It is not only cybercrime that concerns biometric data privacy; corporations threaten it too. Fortunately, for at least a decade, states have enacted laws to protect consumers’ biometric data from corporate misuse.
Whalen v. Facebook is a class-action lawsuit brought last year before the Superior Court of the State of California, in and for the County of San Mateo. Although Facebook is being sued in California, the case is partially based upon an Illinois law known as the Biometric Information Privacy Act (BIPA).
BIPA was passed in 2008, and it was “the first state law governing the collection, use, safeguarding, and storage of biometric data.” BIPA states that an entity may not “collect, capture, purchase, receive through trade, or otherwise obtain a person’s” biometric data unless they inform them that they are collecting their biometric data, tell them why and for how long their data is being collected, and obtain their written consent. In her complaint lead plaintiff Kelly Whalen, a resident of Illinois, alleges that “Facebook is actively collecting, storing, disclosing, profiting from, and otherwise using the biometric information of its reportedly more than 100 million Instagram users without any written notice or informed written consent, including millions of Illinois residents,” which is a violation of their rights under BIPA.
Recently, the Supreme Court of the State of Illinois heard the case of Rosenbach v. Six Flags, in which a mother sued the theme park company under the Act for improperly collecting and storing her son’s biometric data, his fingerprint. When Mrs. Rosenbach purchased a season pass for her son Alexander, Six Flags scanned and stored his fingerprint as a requirement for him to pick up the physical pass and to return to the park as a season pass holder while neither disclosing required information nor obtaining a written release as is required under BIPA. Six Flags “filed a motion to dismiss stating that Plaintiff was not aggrieved because she had not alleged an ‘actual injury.’” The “Court unanimously held that an individual need not allege some actual injury or adverse effect, beyond violation of his or her rights under BIPA, to qualify as an ‘aggrieved’ person and be entitled to bring private action under the Act.” In other words, BIPA violations became actionable per se. After the Court’s decision in Rosenbach, there has been an increased amount of BIPA-related class-action lawsuits brought up across Illinois.
In the wake of Rosenbach, Illinoisans may soon be invited to join more BIPA-related class-action lawsuits because they did something as mundane as punch-in at work or go to a sporting event where their biometric data was improperly handled.
Although BIPA was the first piece of legislation crafted to protect biometric data, it certainly was not the last. Pennsylvania, for example, has followed suit.
State Representative Ed Neilson (D-Philadelphia), a member of the House of Representatives of the General Assembly of Pennsylvania — which has recently been urged to enact legislation related to biometric data — introduced House Bill 1126 on April 7, 2021.
Similar to BIPA, the bill gives Pennsylvanian consumers the right to information on their data and personal information, including biometric data, collected by a business. Consumers also have the right to request businesses to delete their personal information, and, with a few exceptions, businesses must comply. A private right of action against businesses is also available to consumers to remedy violations.
Expect to see more legislation dealing with biometric data privacy crop up soon. Laws like BIPA may sound great, but they often can only be enforced via private action, suggesting that a consumer who feels their rights have been violated must bring suit against the violating party. While this may seem daunting, class-action lawsuits make this more manageable. Not only is the cost burden of an individual filing indeed smaller when filing class-action but the evidence can be more compelling.
Unfortunately, even the toughest class-action lawsuits won’t eradicate biometric technologies. Still, the ever-increasing reliance on technologies of all sorts should lead consumers to be careful about their usage of biometric data. Just like one should not click on strange websites, one should not download strange apps or software that asks for biometric data without checking its legitimacy. Law enforcement, too, should stay current about biometric data–related crimes and laws to prevent their exploitation.
As the lawsuits show, understanding biometric data violations is critical to facing malignant corporations like Facebook or even Play-Doh, as mentioned earlier. Next time you save your data for easier access, just be careful: You may never own that data again.
Note: Credit goes to Julia M. Siracuse whose article “The Future of Our Fingerprints: The Importance of Instituting Biometric Data Protections in Pennsylvania” (Duquesne University Law Review, Summer ’21) inspired me to write on this topic.
*Duquesne University TAP 27 § 2 B Notice: Although this particular piece references other people and organizations affiliated with Duquesne University of the Holy Spirit (Duquesne), and although the author, Mr. Joseph Leckenby, of this piece, is a student at Duquesne, the views expressed in this piece of writing are solely those of Mr. Joseph Leckenby, who is solely writing on behalf of himself. They are not in any way to be construed to be either those of Duquesne or any of its affiliates, including, but not limited to, viz.: The Duquesne University School of Law, The Duquesne University Law Review, or the Duquesne University Chapter of College Republicans (CRs).
**This article should not be construed to be legal advice. For legal inquiries, please consult a licensed attorney.
Joseph Leckenby is a native of Pittsburgh, Pennsylvania, and a rising second semester senior at Duquesne University, where he majors in both Political Science and Philosophy. He is a member of the University’s chapter of the College Republicans. In his spare time, he enjoys rowing and writing.