Capitol Fax.com - Your Illinois News Radar » The bitter and puzzling BIPA fight
The bitter and puzzling BIPA fight

Monday, Jul 10, 2023 - Posted by Rich Miller

* My weekly syndicated newspaper column

Illinois Senate President Don Harmon told public radio talk show host Brian Mackey in late June that some of the most prominent business association leaders had “punched us in the nose” after Senate Democrats devised what he called a “good faith solution” to solve problems created by the state’s super-controversial Biometric Information Privacy Act.

Harmon also claimed the Senate Democratic proposal that the business groups attacked was “very friendly to the business community that has been asking for these changes.”

Companies routinely collect biometric data like facial recognition and fingerprint scans. But in Illinois that’s illegal, unless the companies first obtain informed consent. Lots of lawsuits have been filed as a result, and businesses want relief.

The Illinois Supreme Court all but begged the General Assembly earlier this spring to take another look at the law in its ruling against the White Castle company. That ruling could ultimately cost the burger chain as much as $17 billion for collecting employee fingerprint scans.

The Illinois Retail Merchants Association, the Illinois Manufacturers’ Association and the Illinois Chamber of Commerce held a press conference with other business leaders near the originally scheduled end of the spring legislative session to denounce the Senate Democrats’ proposal in no uncertain terms.

IMA President and CEO Mark Denzler, who has not exactly been known for vitriol, claimed the proposal would make the problem even worse. The legislation, Denzler claimed, “will only increase abuse of this law by trial attorneys” who have filed thousands of claims under the statute.

The three business groups either refused to respond to Harmon’s comments, or, in one case, didn’t respond at all.

Senate President Pro Tempore Bill Cunningham, who helped lead the negotiations and is also not generally known for his temper, said he was even more upset than Harmon after the business groups’ press conference.

He said he reached out to them, and said the Democrats were “trying to draft a pro-business piece of legislation,” and since they claimed the bill would make matters worse, he and the Senate Democrats decided to not run any bill during the spring session and maintain the status quo.

The Supreme Court ruled that the legislative intent of BIPA was to penalize each and every collection of employee biometric information. With large numbers of White Castle employees being scanned several times a day for five years, “that’s how we ended up with a $17 billion” penalty, Cunningham said.

The Democratic proposal would’ve specifically changed the law to base the penalty on the number of employees, not the number of scans. But they also increased the penalty from $1,000 to $1,500, which the business groups denounced as well.

Opponents of the BIPA law claim the original state statute has little to nothing to do with the real world. The idea behind the law is to protect people against having their biometric data stored and even traded without their knowledge or permission. After all, an online password can be changed after a data hack, but people can’t just change their fingerprints to protect their identities.

All true, the critics say, but the fingerprints that are used to verify timecards, etc., aren’t kept or stored after they are scanned. Instead, the fingerprints are immediately converted into a set of numbers using a proprietary algorithm.

“The only biometric information utilized by employers to identify employees is an encrypted string of numbers, systemically created as a result of the mathematical algorithm,” according to a white paper released last week by Littler, a pro-employer law firm. “There is no biometric identifier being stored or disseminated,” and, therefore, “it is virtually impossible to reverse engineer an employee’s original fingerprint.”

Cunningham said he heard a theory from a Republican lawmaker that the business groups have been told by the corporate defense bar that they’re confident they can get the state law overturned by the U.S. Supreme Court, so there was no reason to settle for a compromise at the state level.

“I have no idea if that’s true or not,” Cunningham said, “But it’s a better explanation than I can come up with.”

Another person close to the issue said the Senate Dems ordered the handful of people involved with the talks to not communicate with anyone outside the room. The business groups, this person claimed, weren’t experts on the topic, so it wasn’t until the actual legislation surfaced when experienced business lawyers could see what was going on, and that’s when everything fell apart.

Cunningham said while they took input from others, the “big lobbying groups” were what they were most concerned with.

       

16 Comments
  1. - Suburban Mom - Monday, Jul 10, 23 @ 8:56 am:

    I will say it every time this comes up: Smart businesses are looking for ways to comply with BIPA, not overturn it. Similar laws are coming in a variety of states, and the EU is going to be stricter. Moreover, biometrics have much lower accuracy rates than claimed, and every available system has known problems with disproportionately giving false negatives to members of particular genders, races, or disability groups.

    Stop courting discrimination lawsuits because someone told you fingerprint timeclocks are cool, and stop investing time and money into systems that are increasingly regulated or banned.


  2. - TheInvisibleMan - Monday, Jul 10, 23 @ 9:14 am:

    “penalize each and every collection of employee biometric information.”

    Yes, that’s the designed intention.

    We’re dancing around the obvious solution. Stop collecting biometric data.

    I’d argue that the penalty has to be severe, because even with these penalties there is still pushback to continue to allow this biometric collection. That continued existence of this attitude shows why the law is still important, not why it needs to be made weaker.

    “it is virtually impossible to reverse engineer an employee’s original fingerprint.”

    And it is literally impossible to reverse engineer it if it isn’t collected.

    What happens when someone attaches a skimmer onto one of these devices? The intended device might not store the data, but it opens the door for other devices to.

    The underlying issue is employers are trying to offload the risk of timecard fraud from a small amount of employees, and place that risk fully onto all of the employees instead of keeping that risk internalized to the business where it belongs.

    Strengthen the law even more. Increase the penalties and continue to call out this attempted transfer of business risk onto the backs of employees.


  3. - Rich Miller - Monday, Jul 10, 23 @ 9:23 am:

    ===What happens when someone attaches a skimmer===

    Seems like a stretch.


  4. - Leap Day William - Monday, Jul 10, 23 @ 9:26 am:

    “The only biometric information utilized by employers to identify employees is an encrypted string of numbers, systemically created as a result of the mathematical algorithm,” according to a white paper released last week by Littler, a pro-employer law firm. “There is no biometric identifier being stored or disseminated,” and, therefore, “it is virtually impossible to reverse engineer an employee’s original fingerprint.”

    This is one of the most laughable things I think I’ve read. Having done IT consulting work in a past life, I can all but assure you that “proprietary algorithms” mean the bare minimum and are continually compromised. Equifax was entrusted with all of our credit information and protected it using “proprietary algorithms” and “state of the art systems.” Yet, they let part of that “state of the art system” fail for *10 MONTHS*, and also failed to patch their systems once a critical vulnerability was discovered for MONTHS, while hackers pulled all that supposedly safe data down from May to July 2017.

    Do you think a company like White Castle is going to somehow be MORE diligent about patching their hardware across hundreds of locations around the country?

    “Virtually impossible” isn’t impossible and as Rich noted an online password can be changed after a data hack, but people can’t just change their fingerprints to protect their identities. Once that data IS in the hands of nefarious actors, all they have is time to go through and continually slam that dataset until it cracks and coughs up the requisite data and it gets sold on the dark web or falls into the hands of a foreign government (as is the current theory on what happened with Equifax). It won’t happen tomorrow, but it will happen eventually.

    All true, the critics say, but the fingerprints that are used to verify timecards, etc., aren’t kept or stored after they are scanned. Instead, the fingerprints are immediately converted into a set of numbers using a proprietary algorithm.

    I’ve said it before, and I’ll repeat it every time: If your trust in your employees is so low you have to use immutable biometric data to verify that it is indeed them punching in for their barely above minimum wage burger flipping job, that’s very much a *you* problem, and sounds like a failure of corporate culture from the top down. Maybe the IMA and the Chamber of Commerce should look into what causes their members to be so poorly run that they are willing to risk the digital lives of their employees to save a few bucks on buddy punches and other time card fraud.


  5. - Leap Day William - Monday, Jul 10, 23 @ 9:31 am:

    ===What happens when someone attaches a skimmer===

    Seems like a stretch.

    Not as much of a stretch as we’d all like to think. It’s been kicking around in data security circles since 2016: https://www.sciencedirect.com/science/article/abs/pii/S096947651630145X


  6. - Hannibal Lecter - Monday, Jul 10, 23 @ 9:32 am:

    BIPA is a terrible law that was designed by the Plaintiff’s bar to allow for huge penalties/attorneys fees for minimal, if not nominal, damages. That’s the real problem with the law. I have never seen a bigger example of killing a fly with an elephant gun than BIPA.


  7. - TheInvisibleMan - Monday, Jul 10, 23 @ 9:34 am:

    “Seems like a stretch.”

    It’s almost the main impetus behind the creation of the law.

    This security article is 7 years old.

    “The security outfit has found at least 12 sellers offering skimmers capable of stealing victims’ fingerprints.”

    https://www.finextra.com/newsarticle/29518/new-atm-skimmers-steal-fingerprints


  8. - Hannibal Lecter - Monday, Jul 10, 23 @ 9:39 am:

    === I’ve said it before, and I’ll repeat it every time: If your trust in your employees is so low you have to use immutable biometric data to verify that it is indeed them punching in for their barely above minimum wage burger flipping job, that’s very much a *you* problem, and sounds like a failure of corporate culture from the top down. ===

    Then why aren’t all employers covered? Governmental employers such as the City of Chicago and Cook County currently use biometric scans, but aren’t liable at all under BIPA. It could be because this is about fleecing private industries for drummed up fears about privacy rather than protecting people. The trial lawyers just couldn’t get legislators to put tax funded governmental agencies to be on the hook the same way they did with the White Castles of the world.


  9. - Suburban Mom - Monday, Jul 10, 23 @ 9:51 am:

    ===Seems like a stretch.===

    Sadly, it isn’t. Although my grossest “fingerprint security workaround” story is some criminals who cut the fingerprint owner’s finger off. But a lot of these fingerprint timeclocks are trivially easy to hack or break … simply spraying a fine mist of water at them can be enough to make them re-read the prior fingerprint.

    You can make a really great fake fingerprint with 2 hours of work and a 3D printer. My library’s media lab has all the tools I’d need to recreate my own fingerprint, hand it to a friend, and have them punch my timeclock for me with my fake finger. I don’t even have to BUY anything, I can just go to my local library.

    A lot of the commercially-available iris scanners can be fooled with a high-quality color photograph that you can print at your local FedEx/Kinko’s.

    People think it’s good security technology because of the CSI effect, but it’s really, really not. They provide poor security AND they expose people’s biometric data to bad actors. There’s not really an upside.


  10. - Homebody - Monday, Jul 10, 23 @ 10:18 am:

    Statutory damages are always tricky. It is very easy for them to either be too low (making it a cost of doing business) or run the risk of being too high (destroying a defendant for innocent, but illegal, mistakes). But doing “actual damages” means people can get away with breaking the law all the time so long as no one is hurt, and that doesn’t foster a culture of compliance the way that statutory damages can.

    The whole thing is a mess, definitely. I’m supportive of the intent of BIPA, to better control how personal information is safeguarded and shared. And I’m supportive of the idea of penalties that actually dissuade bad behavior. But I am also glad I’m not the guy who has to negotiate any changes to the Act.


  11. - TheInvisibleMan - Monday, Jul 10, 23 @ 10:22 am:

    “Governmental employers […] currently use biometric scans ”

    They should be covered.

    There are plenty of calls, including in these threads, stating how BIPA should be strengthened. For me, strengthening the law means it applies to everyone including govt.

    But that also starts to touch on the house of cards that is govt immunity, and how it permeates through a lot of govt. I don’t think govt was excluded from BIPA by design, I think it was excluded as a secondary effect of how immunity is structured in existing law, and BIPA simply follows that.

    I would imagine those in govt like that some think it’s all a planned fleecing orchestration between trial lawyers and govt. It keeps the discussion of govt immunity for these same transgressions off the table, when it really should be the main topic.

    Instead, the discussion is mostly centered on how the law can be weakened for businesses.


  12. - Leap Day William - Monday, Jul 10, 23 @ 11:07 am:

    Then why aren’t all employers covered? Governmental employers such as the City of Chicago and Cook County currently use biometric scans, but aren’t liable at all under BIPA. It could be because this is about fleecing private industries for drummed up fears about privacy rather than protecting people. The trial lawyers just couldn’t get legislators to put tax funded governmental agencies to be on the hook the same way they did with the White Castles of the world.

    I can’t speak for why governmental employers aren’t liable under BIPA. You should probably take that up with your legislator and not some semi-anonymous commenter on a political blog. I fully believe they should be liable under BIPA, so this isn’t quite the “gotcha” moment you might have been hoping for.

    As for “drummed up fears”, when you find the technology that allows someone to reset their fingerprint as easily as their password, I’ll take your comment seriously. Until then, as you see from the technology that exists *today*, these are very founded fears. I’ll leave you with this article from 2021 showing how to beat several commercially available fingerprint scanners with $5 of supplies: https://www.pcmag.com/news/hacking-fingerprints-is-actually-pretty-easy-and-cheap


  13. - Hannibal Lecter - Monday, Jul 10, 23 @ 11:34 am:

    === I fully believe they should be liable under BIPA, so this isn’t quite the “gotcha” moment you might have been hoping for. ===

    Not trying to get a gotcha moment - just trying to show the inconsistency and hypocrisy of those pounding their fists on the table screaming about employee protections. For the record, I do not think these huge penalties should apply to the government either.


  14. - Just Me 2 - Monday, Jul 10, 23 @ 12:26 pm:

    Classic Illinois. A group of politicians and their staff assume they know all there is to know, and are perfectly comfortable “leading.”


  15. - Union thug - Monday, Jul 10, 23 @ 1:38 pm:

    “it is virtually impossible to reverse engineer an employee’s original fingerprint.”

    Not that long ago it was claimed blockchain could not be hacked. But it’s happened more than a few times.


  16. - lloyd - Monday, Jul 10, 23 @ 10:17 pm:

    https://capitolfax.com/2023/05/22/fingerprint-vendors-locksmiths-say-their-bipa-exemption-doesnt-actually-exempt-them/

