Illinois Senate President Don Harmon told public radio talk show host Brian Mackey in late June that some of the most prominent business association leaders had “punched us in the nose” after Senate Democrats devised what he called a “good faith solution” to solve problems created by the state’s super-controversial Biometric Information Privacy Act.
Harmon also claimed the Senate Democratic proposal that the business groups attacked was “very friendly to the business community that has been asking for these changes.”
Companies routinely collect biometric data like facial recognition and fingerprint scans. But in Illinois that’s illegal, unless the companies first obtain informed consent. Lots of lawsuits have been filed as a result, and businesses want relief.
The Illinois Supreme Court all but begged the General Assembly earlier this spring to take another look at the law in its ruling against the White Castle company. That ruling could ultimately cost the burger chain as much as $17 billion for collecting employee fingerprint scans.
The Illinois Retail Merchants Association, the Illinois Manufacturers’ Association and the Illinois Chamber of Commerce held a press conference with other business leaders near the originally scheduled end of the spring legislative session to denounce the Senate Democrats’ proposal in no uncertain terms.
IMA President and CEO Mark Denzler, who has not exactly been known for vitriol, claimed the proposal would make the problem even worse. The legislation, Denzler claimed, “will only increase abuse of this law by trial attorneys” who have filed thousands of claims under the statute.
The three business groups either refused to respond to Harmon’s comments, or, in one case, didn’t respond at all.
Senate President Pro Tempore Bill Cunningham, who helped lead the negotiations and is also not generally known for his temper, said he was even more upset than Harmon after the business groups’ press conference.
He said he reached out to them, and said the Democrats were “trying to draft a pro-business piece of legislation,” and since they claimed the bill would make matters worse, he and the Senate Democrats decided not to run any bill during the spring session and maintain the status quo.
The Supreme Court ruled that the legislative intent of BIPA was to penalize each and every collection of employee biometric information. With large numbers of White Castle employees being scanned several times a day for five years, “that’s how we ended up with a $17 billion” penalty, Cunningham said.
The Democratic proposal would’ve specifically changed the law to base the penalty on the number of employees, not the number of scans. But they also increased the penalty from $1,000 to $1,500, which the business groups denounced as well.
Opponents of the BIPA law claim the original state statute has little to nothing to do with the real world. The idea behind the law is to protect people against having their biometric data stored and even traded without their knowledge or permission. After all, an online password can be changed after a data hack, but people can’t just change their fingerprints to protect their identities.
All true, the critics say, but the fingerprints that are used to verify timecards, etc., aren’t kept or stored after they are scanned. Instead, the fingerprints are immediately converted into a set of numbers using a proprietary algorithm.
“The only biometric information utilized by employers to identify employees is an encrypted string of numbers, systemically created as a result of the mathematical algorithm,” according to a white paper released last week by Littler, a pro-employer law firm. “There is no biometric identifier being stored or disseminated,” and, therefore, “it is virtually impossible to reverse engineer an employee’s original fingerprint.”
Cunningham said he heard a theory from a Republican lawmaker that the business groups have been told by the corporate defense bar that they’re confident they can get the state law overturned by the U.S. Supreme Court, so there was no reason to settle for a compromise at the state level.
“I have no idea if that’s true or not,” Cunningham said, “But it’s a better explanation than I can come up with.”
Another person close to the issue said the Senate Dems ordered the handful of people involved with the talks to not communicate with anyone outside the room. The business groups, this person claimed, weren’t experts on the topic, so it wasn’t until the actual legislation surfaced that experienced business lawyers could see what was going on, and that’s when everything fell apart.
Cunningham said while they took input from others, the “big lobbying groups” were what they were most concerned with.
- Suburban Mom - Monday, Jul 10, 23 @ 8:56 am:
I will say it every time this comes up: Smart businesses are looking for ways to comply with BIPA, not overturn it. Similar laws are coming in a variety of states, and the EU is going to be stricter. Moreover, biometrics have much lower accuracy rates than claimed, and every available system has known problems with disproportionately giving false negatives to members of particular genders, races, or disability groups.
Stop courting discrimination lawsuits because someone told you fingerprint timeclocks are cool, and stop investing time and money into systems that are increasingly regulated or banned.
- TheInvisibleMan - Monday, Jul 10, 23 @ 9:14 am:
“penalize each and every collection of employee biometric information.”
Yes, that’s the designed intention.
We’re dancing around the obvious solution. Stop collecting biometric data.
I’d argue that the penalty has to be severe, because even with these penalties there is still pushback to continue to allow this biometric collection. That continued existence of this attitude shows why the law is still important, not why it needs to be made weaker.
“it is virtually impossible to reverse engineer an employee’s original fingerprint.”
And it is literally impossible to reverse engineer it if it isn’t collected.
What happens when someone attaches a skimmer onto one of these devices? The intended device might not store the data, but it opens the door for other devices to.
The underlying issue is employers are trying to offload the risk of timecard fraud from a small amount of employees, and place that risk fully onto all of the employees instead of keeping that risk internalized to the business where it belongs.
Strengthen the law even more. Increase the penalties and continue to call out this attempted transfer of business risk onto the backs of employees.
- Rich Miller - Monday, Jul 10, 23 @ 9:23 am:
===What happens when someone attaches a skimmer===
Seems like a stretch.
- Leap Day William - Monday, Jul 10, 23 @ 9:26 am:
This is one of the most laughable things I think I’ve read. Having done IT consulting work in a past life, I can all but assure you that “proprietary algorithms” mean the bare minimum and are continually compromised. Equifax was entrusted with all of our credit information and protected it using “proprietary algorithms” and “state of the art systems.” Yet, they let part of that “state of the art system” fail for *10 MONTHS*, and also failed to patch their systems once a critical vulnerability was discovered for MONTHS, while hackers pulled all that supposedly safe data down from May to July 2017.
Do you think a company like White Castle is going to somehow be MORE diligent about patching their hardware across hundreds of locations around the country?
“Virtually impossible” isn’t impossible and as Rich noted an online password can be changed after a data hack, but people can’t just change their fingerprints to protect their identities. Once that data IS in the hands of nefarious actors, all they have is time to go through and continually slam that dataset until it cracks and coughs up the requisite data and it gets sold on the dark web or falls into the hands of a foreign government (as is the current theory on what happened with Equifax). It won’t happen tomorrow, but it will happen eventually.
I’ve said it before, and I’ll repeat it every time: If your trust in your employees is so low you have to use immutable biometric data to verify that it is indeed them punching in for their barely above minimum wage burger flipping job, that’s very much a *you* problem, and sounds like a failure of corporate culture from the top down. Maybe the IMA and the Chamber of Commerce should look into what causes their members to be so poorly run that they are willing to risk the digital lives of their employees to save a few bucks on buddy punches and other time card fraud.
- Leap Day William - Monday, Jul 10, 23 @ 9:31 am:
Not as much of a stretch as we’d all like to think. It’s been kicking around in data security circles since 2016: https://www.sciencedirect.com/science/article/abs/pii/S096947651630145X
- Hannibal Lecter - Monday, Jul 10, 23 @ 9:32 am:
BIPA is a terrible law that was designed by the Plaintiff’s bar to allow for huge penalties/attorneys fees for minimal, if not nominal, damages. That’s the real problem with the law. I have never seen a bigger example of killing a fly with an elephant gun than BIPA.
- TheInvisibleMan - Monday, Jul 10, 23 @ 9:34 am:
“Seems like a stretch.”
It’s almost the main impetus behind the creation of the law.
This security article is 7 years old.
“The security outfit has found at least 12 sellers offering skimmers capable of stealing victims’ fingerprints.”
https://www.finextra.com/newsarticle/29518/new-atm-skimmers-steal-fingerprints
- Hannibal Lecter - Monday, Jul 10, 23 @ 9:39 am:
=== I’ve said it before, and I’ll repeat it every time: If your trust in your employees is so low you have to use immutable biometric data to verify that it is indeed them punching in for their barely above minimum wage burger flipping job, that’s very much a *you* problem, and sounds like a failure of corporate culture from the top down. ===
Then why aren’t all employers covered? Governmental employers such as the City of Chicago and Cook County currently use biometric scans, but aren’t liable at all under BIPA. It could be because this is about fleecing private industries for drummed up fears about privacy rather than protecting people. The trial lawyers just couldn’t get legislators to put tax-funded governmental agencies on the hook the same way they did with the White Castles of the world.
- Suburban Mom - Monday, Jul 10, 23 @ 9:51 am:
===Seems like a stretch.===
Sadly, it isn’t. Although my grossest “fingerprint security workaround” story is some criminals who cut the fingerprint owner’s finger off. But a lot of these fingerprint timeclocks are trivially easy to hack or break … simply spraying a fine mist of water at them can be enough to make them re-read the prior fingerprint.
You can make a really great fake fingerprint with 2 hours of work and a 3D printer. My library’s media lab has all the tools I’d need to recreate my own fingerprint, hand it to a friend, and have them punch my timeclock for me with my fake finger. I don’t even have to BUY anything, I can just go to my local library.
A lot of the commercially-available iris scanners can be fooled with a high-quality color photograph that you can print at your local FedEx/Kinko’s.
People think it’s good security technology because of the CSI effect, but it’s really, really not. They provide poor security AND they expose people’s biometric data to bad actors. There’s not really an upside.
- Homebody - Monday, Jul 10, 23 @ 10:18 am:
Statutory damages are always tricky. It is very easy for them to either be too low (making it a cost of doing business) or run the risk of being too high (destroying a defendant for innocent, but illegal, mistakes). But doing “actual damages” means people can get away with breaking the law all the time so long as no one is hurt, and that doesn’t foster a culture of compliance the way that statutory damages can.
The whole thing is a mess, definitely. I’m supportive of the intent of BIPA, to better control how personal information is safeguarded and shared. And I’m supportive of the idea of penalties that actually dissuade bad behavior. But I am also glad I’m not the guy who has to negotiate any changes to the Act.
- TheInvisibleMan - Monday, Jul 10, 23 @ 10:22 am:
“Governmental employers […] currently use biometric scans”
They should be covered.
There are plenty of calls, including in these threads, stating how BIPA should be strengthened. For me, strengthening the law means it applies to everyone including govt.
But that also starts to touch on the house of cards that is govt immunity, and how it permeates through a lot of govt. I don’t think govt was excluded from BIPA by design, I think it was excluded as a secondary effect of how immunity is structured in existing law, and BIPA simply follows that.
I would imagine those in govt like that some think it’s all a planned fleecing orchestration between trial lawyers and govt. It keeps the discussion of govt immunity for these same transgressions off the table, when it really should be the main topic.
Instead, the discussion is mostly centered on how the law can be weakened for businesses.
- Leap Day William - Monday, Jul 10, 23 @ 11:07 am:
I can’t speak for why governmental employers aren’t liable under BIPA. You should probably take that up with your legislator and not some semi-anonymous commenter on a political blog. I fully believe they should be liable under BIPA, so this isn’t quite the “gotcha” moment you might have been hoping for.
As for “drummed up fears”, when you find the technology that allows someone to reset their fingerprint as easily as their password, I’ll take your comment seriously. Until then, as you see from the technology that exists *today*, these are very founded fears. I’ll leave you with this article from 2021 showing how to beat several commercially available fingerprint scanners with $5 of supplies: https://www.pcmag.com/news/hacking-fingerprints-is-actually-pretty-easy-and-cheap
- Hannibal Lecter - Monday, Jul 10, 23 @ 11:34 am:
=== I fully believe they should be liable under BIPA, so this isn’t quite the “gotcha” moment you might have been hoping for. ===
Not trying to get a gotcha moment - just trying to show the inconsistency and hypocrisy of those pounding their fists on the table screaming about employee protections. For the record, I do not think these huge penalties should apply to the government either.
- Just Me 2 - Monday, Jul 10, 23 @ 12:26 pm:
Classic Illinois. A group of politicians and their staff assume they know all there is to know, and are perfectly comfortable “leading.”
- Union thug - Monday, Jul 10, 23 @ 1:38 pm:
“it is virtually impossible to reverse engineer an employee’s original fingerprint.”
Not that long ago it was claimed blockchain could not be hacked. But it’s happened more than a few times.
- lloyd - Monday, Jul 10, 23 @ 10:17 pm:
https://capitolfax.com/2023/05/22/fingerprint-vendors-locksmiths-say-their-bipa-exemption-doesnt-actually-exempt-them/