biometric – Techdirt
Recent Case Highlights How Age Verification Laws May Directly Conflict With Biometric Privacy Laws
from the privacy-nightmare dept
California passed the California Age-Appropriate Design Code (AADC) nominally to protect children’s privacy, but at the same time, the AADC requires businesses to do an age “assurance” of all their users, children and adults alike. (Age “assurance” requires the business to distinguish children from adults, but the methodology to implement has many of the same characteristics as age verification–it just needs to be less precise for anyone who isn’t around the age of majority. I’ll treat the two as equivalent).
Doing age assurance/age verification raises substantial privacy risks. There are several ways of doing it, but the two primary options for quick results are (1) requiring consumers to submit government-issued documents, or (2) requiring consumers to submit to face scans that allow the algorithms to estimate the consumer’s age.
[Note: the differences between the two techniques may be legally inconsequential, because a service may want a confirmation that the person presenting the government documents is the person requesting access, which may essentially require a review of their face as well.]
But are face scans really an option for age verification, or will they conflict with other privacy laws? In particular, face scanning seemingly directly conflicts with biometric privacy laws, such as Illinois’ BIPA, which provide substantial restrictions on the collection, use, and retention of biometric information. (California’s Privacy Rights Act, CPRA, which the AADC supplements, also provides substantial protections for biometric information, which is classified as “sensitive” information). If a business purports to comply with the CA AADC by using face scans for age assurance, will that business simultaneously violate BIPA and other biometric privacy laws?
Today’s case doesn’t answer the question, but boy, it’s a red flag.
The court summarizes BIPA Sec. 15(b):
Section 15(b) of the Act deals with informed consent and prohibits private entities from collecting, capturing, or otherwise obtaining a person’s biometric identifiers or information without the person’s informed written consent. In other words, the collection of biometric identifiers or information is barred unless the collector first informs the person “in writing of the specific purpose and length of term for which the data is being collected, stored, and used” and “receives a written release” from the person or his legally authorized representative
Right away, you probably spotted three potential issues:
- The presentation of a “written release” slows down the process. I’ve explained how slowing down access to a website can constitute an unconstitutional barrier to content.
- Will an online clickthrough agreement satisfy the “written release” requirement? Per E-SIGN, the answer should be yes, but standard requirements for online contract formation are increasingly demanding more effort from consumers to signal their assent. In all likelihood, BIPA consent would require, at minimum, a two-click process to proceed. (Click 1 = consent to the BIPA disclosures. Click 2 = proceeding to the next step).
- Can minors consent on their own behalf? Usually contracts with minors are voidable by the minor, but even then, other courts have required the contracting process to be clear enough for minors to understand. That’s no easy feat when it relates to complicated and sensitive disclosures, such as those seeking consent to engage in biometric data collection. This raises the possibility that at least some minors can never consent to face scans on their own behalf, in which case it will be impossible to comply with BIPA with respect to those minors (and services won’t know which consumers are unable to self-consent until after they do the age assessment #InfiniteLoop).
[Another possible tension is whether the business can retain face scans, even with BIPA consent, in order to show that each user was authenticated if challenged in the future, or if the face scans need to be deleted immediately, regardless of consent, to comply with privacy concerns in the age verification law.]
The primary defendant at issue, Binance, is a cryptocurrency exchange. (There are two Binance entities at issue here, BCM and BAM, but BCM drops out of the case for lack of jurisdiction). Users creating an account had to go through an identity verification process run by Jumio. The court describes the process:
Jumio’s software…required taking images of a user’s driver’s license or other photo identification, along with a “selfie” of the user to capture, analyze and compare biometric data of the user’s facial features….
During the account creation process, Kuklinski entered his personal information, including his name, birthdate and home address. He was also prompted to review and accept a “Self-Directed Custodial Account Agreement” for an entity known as Prime Trust, LLC that had no reference to collection of any biometric data. Kuklinski was then prompted to take a photograph of his driver’s license or other state identification card. After submitting his driver’s license photo, Kuklinski was prompted to take a photograph of his face with the language popping up “Capture your Face” and “Center your face in the frame and follow the on-screen instructions.” When his face was close enough and positioned correctly within the provided oval, the screen flashed “Scanning completed.” The next screen stated, “Analyzing biometric data,” “Uploading your documents”, and “This should only take a couple of seconds, depending on your network connectivity.”
Allegedly, none of the Binance or Jumio legal documents make the BIPA-required disclosures.
The court rejects Binance’s (BAM) motion to dismiss:
- Financial institution. BIPA doesn’t apply to a GLBA-regulated financial institution, but Binance isn’t one of those.
- Choice of Law. BAM is based in California, so it argued CA law should apply. The court says no because CA law would foreclose the BIPA claim, plus some acts may have occurred in Illinois. Note: as a CA company, BAM will almost certainly need to comply with the CA AADC.
- Extraterritorial Application. “Kuklinski is an Illinois resident, and…BIPA was enacted to protect the rights of Illinois residents. Moreover, Kuklinski alleges that he downloaded the BAM application and created the BAM account while he was in Illinois.”
- Inadequate Pleading. BAM claimed the complaint lumped together BAM, BCM, and Jumio. The court says BIPA doesn’t have any heightened pleading standards.
- Unjust Enrichment. The court says this is linked to the BIPA claim.
Jumio’s motion to dismiss also goes nowhere:
- Retention Policy. Jumio says it now has a retention policy, but the court says that it may have been adopted too late and may not be sufficient.
- Prior Settlement. Jumio already settled a BIPA case, but the court says that only could protect Jumio before June 23, 2019.
- First Amendment. The court says the First Amendment argument against BIPA was rejected in Sosa v. Onfido and that decision was persuasive.
[The Sosa v. Onfido case also involved face-scanning identity verification for the service OfferUp. I wonder if the court would conduct the constitutional analysis differently if the defendant argued it had to engage with biometric information in order to comply with a different law, like the AADC?]
The court properly notes that this was only a motion to dismiss; defendants could still win later. Yet, this ruling highlights a few key issues:
1. If California requires age assurance and Illinois bans the primary methods of age assurance, there may be an inter-state conflict of laws that ought to support a Dormant Commerce Clause challenge. Plus, other states beyond Illinois have adopted their own unique biometric privacy laws, so interstate businesses are going to run into a state patchwork problem where it may be difficult or impossible to comply with all of the different laws.
2. More states are imposing age assurance/age verification requirements, including Utah and likely Arkansas. Often, like the CA AADC, those laws don’t specify how the assurance/verification should be done, leaving it to businesses to figure it out. But the legislatures’ silence on the process truly reflects their ignorance–the legislatures have no idea what technology will work to satisfy their requirements. It seems obvious that legislatures shouldn’t adopt requirements when they don’t know if and how they can be satisfied–or if satisfying the law will cause a different legal violation. Adopting a requirement that may be unfulfillable is legislative malpractice and ought to be evidence that the legislature lacked a rational basis for the law because they didn’t do even minimal diligence.
3. The clear tension between the CA AADC and biometric privacy is another indicator that the CA legislature lied to the public when it claimed the law would enhance children’s privacy.
4. I remain shocked by how many privacy policy experts and lawyers remain publicly quiet about age verification laws, or even tacitly support them, despite the OBVIOUS and SIGNIFICANT privacy problems they create. If you care about privacy, you should be extremely worried about the tsunami of age verification requirements being embraced around the country/globe. The invasiveness of those requirements could overwhelm and functionally moot most other efforts to protect consumer privacy.
5. Mandatory online age verification laws were universally struck down as unconstitutional in the 1990s and early 2000s. Legislatures are adopting them anyway, essentially ignoring the significant adverse caselaw. We are about to have a high-stakes society-wide reconciliation about this tension. Are online age verification requirements still unconstitutional 25 years later, or has something changed in the interim that makes them newly constitutional? The answer to that question will have an enormous impact on the future of the Internet. If the age verification requirements are now constitutional despite the legacy caselaw, legislatures will ensure that we are exposed to major privacy invasions everywhere we go on the Internet–and the countermoves of consumers and businesses will radically reshape the Internet, almost certainly for the worse.
Reposted with permission from Eric Goldman’s Technology & Marketing Law Blog.
Filed Under: aadc, ab 2273, age assurance, age verification, biometric, biometric privacy, bipa, california, illinois, privacy
Companies: binance, jumio
Indian Supreme Court Rules Aadhaar Does Not Violate Privacy Rights, But Places Limits On Its Use
from the mixed-result dept
Techdirt wrote recently about what seems to be yet another problem with India’s massive Aadhaar biometric identity system. Alongside these specific security issues, there is the larger question of whether Aadhaar as a whole is a violation of Indian citizens’ fundamental privacy rights. That question was made all the more pertinent in the light of the country’s Supreme Court ruling last year that “Privacy is the constitutional core of human dignity.” It led many to hope that the same court would strike down Aadhaar completely following constitutional challenges to the project. However, in a mixed result for both privacy organizations and Aadhaar proponents, India’s Supreme Court has handed down a judgment that the identity system does not fundamentally violate privacy rights, but that its use must be strictly circumscribed. As The New York Times explains:
The five-judge panel limited the use of the program, called Aadhaar, to the distribution of certain benefits. It struck down the government’s use of the system for unrelated issues like identifying students taking school exams. The court also said that private companies like banks and cellphone providers could not require users to prove their identities with Aadhaar.
The majority opinion of the court said that an Indian’s Aadhaar identity was unique and “unparalleled” and empowered marginalized people, such as those who are illiterate.
The decision affects everything from government welfare programs, such as food aid and pensions, to private businesses, which have used the digital ID as a fast, efficient way to verify customers’ identities. Some states, such as Andhra Pradesh, had also planned to integrate the ID system into far-reaching surveillance programs, raising the specter of widespread government spying.
In essence, the Supreme Court seems to have felt that although Aadhaar’s problems were undeniable, its advantages, particularly for India’s poorest citizens, outweighed those concerns. However, its ruling also sought to limit function creep by stipulating that Aadhaar’s compulsory use had to be restricted to the original aim of distributing government benefits. Although that seems a reasonable compromise, it may not be quite as clear-cut as it seems. The Guardian writes that it still may be possible to use Aadhaar for commercial purposes:
Sharad Sharma, the co-founder of a Bangalore-based technology think tank which has worked closely with Aadhaar’s administrators, said Wednesday’s judgment did not totally eliminate that vision for the future of the scheme, but that private use of Aadhaar details would now need to be voluntary.
“Nothing has been said [by the court] about voluntary usage and nothing has been said about regulating bodies mandating it for services,” Sharma said. “So access to private parties for voluntary use is permitted.”
That looks to be a potentially large loophole in the Supreme Court’s attempt to keep the benefits of Aadhaar while stopping it turning into a compulsory identity system for accessing all government and business services. No doubt in the coming years we will see companies exploring just how far they can go in demanding a “voluntary” use of Aadhaar, as well as legal action by privacy advocates trying to stop them from doing so.
Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+
Filed Under: aadhaar, biometric, id, identification, india, privacy
Videos From Wearable Cameras Contain Natural Biometric Markers That Can Eliminate Anonymity
from the motion-pictures dept
Video evidence figures quite frequently here on Techdirt, because moving pictures of incidents are generally compelling and incontrovertible. That’s true even if they are released anonymously to protect the person recording the event from retribution. But new research suggests that videos from wearable cameras have embedded within them natural biometric markers (via New Scientist):
> Egocentric cameras are being worn by an increasing number of users, among them many security forces worldwide. GoPro cameras already penetrated the mass market, and Google Glass may follow soon. As head-worn cameras do not capture the face and body of the wearer, it may seem that the anonymity of the wearer can be preserved even when the video is publicly distributed. We show that motion features in egocentric video provide biometric information, and the identity of the user can be determined quite reliably from a few seconds of video.
The paper describing the work also points out some consequences of this result:
> Egocentric video biometrics can prevent theft of wearable cameras by locking the camera when worn by people other than the owner. In video sharing services, this Biometric measure can help to locate automatically all videos shot by the same user. An important message in this paper is that people should be aware that sharing egocentric video will compromise their anonymity.
On the plus side, this also means that videos from police body-cameras can also be tied to particular officers, which may help to make such evidence less vulnerable to tampering.
Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+
Filed Under: anonymity, biometric, body cameras, wearable cameras
Awesome Stuff: Little Devices That Help You Out
from the make-it-work dept
For this week’s “Awesome Stuff” post I wasn’t necessarily planning a “theme,” but it seemed to mostly work out as one anyway: it’s about three “little” devices that enable you to do more, by changing the way we deal with information in one way or another. This is a pretty exciting space in general, and it’s cool to see projects popping up that explore certain areas that make you wonder why no one had done this before — and then you realize that what’s being done wasn’t really possible until the tech caught up.
- First up, we’ve got the Automatic Link, a tiny device that plugs into your car’s dataport and provides data directly to your smartphone. They even make it into a bit of a game, with a weekly “drive score” that helps you drive smarter to save gas. It has a number of other features as well, including automatically dialing 911 if it senses a serious car accident, and also a car locator feature, so you can always find your car via your smartphone in case you forgot where you parked or if you’re sharing your car with someone else.
For quite some time, the car’s dataport was solely the domain of mechanics, and they’d use it when you went in to find out what the “check engine” light meant. A few devices have come on the market that you can buy to plug in and see what a check engine light means, but that’s their entire purpose, for the most part. The Automatic Link does that too, but it’s almost like a minor feature among all of the other features that make it an interesting device.
This is another one that’s not on Kickstarter, though it feels like it should be, but rather they’re just taking pre-orders directly off their site, for $69.95 (and no service fees).
- Next up, we’ve got the HeatMeter, which is a creatively designed device to measure and track the heating usage in your home. There are tons of electricity meters on the market to measure how you use electricity, but heating is a different realm altogether. Most of the attempts to deal with this have been focused on various smart thermostats like the Nest, but the Heatmeter goes right to the source, by attaching to the outside of your furnace or boiler with magnets, and then its sensors actually can detect when the flame turns on and off, sending this bit of info over your home WiFi system to your phone. And, of course, you can track a bunch of info via your smartphone.
Unfortunately, there are just a few days left on this Kickstarter and it looks like it won’t meet its threshold. Looking through the details, this isn’t a huge surprise. Even if the concept is cool, there are a few things that might scare people off. The design of the device itself has a bit of an amateurish feel to it, especially compared to many other Kickstarter projects. I wonder if a redesigned, sleeker, more modern version might pick up some more steam (ditto for their intro video). The second red flag for me is the price. $150 seems pretty high for most people to take a chance on something like this, especially if it’s not entirely clear that it will help you save money. With the Automatic Link above, it makes a good, strong, easy to understand case as to why you’ll save money with the device — and the device is less than half the cost of this one, and seems at least more likely to be in the “I’ll give it a shot” range for many people. And, finally, I wonder if a lot of people wonder how well the Heatmeter actually works. I could see some people wondering just how good a magnetic device you stick to the outside of your furnace will be at accurately tracking heating usage. It may work perfectly, but I could see how skepticism might be an issue, especially at that price (in contrast, again, people understand that the data port in their cars works to provide data).
- Finally, we move away from those kinds of sensors to the myIDkey device for tracking all your passwords. This is a little USB dongle that combines voice activation, fingerprint scanning and secure access to all your passwords (it’ll even generate secure ones for you). Oh yeah, and it works with your mobile devices via Bluetooth as well. And, if you lose the device, you can quickly deactivate it over the web — and you can resync a new one via its online storage.
The device has an OLED display that will show you the password once you’ve proven that you’re you, and it can include a bit of additional info as well.
The myIDkey has already far surpassed its original funding goal, so this project is definitely moving forward.
There you go. Three interesting new projects that are showing new ways to do more via little devices and information, enabling things that really weren’t possible until just recently — at least not in these kinds of packages.
Filed Under: awesome stuff, biometric, car computers, driving, heating, id, passwords, sensors
Companies: automatic, heatmeter, mysecureid
Israel Trying To Build Biometric Database
from the privacy? dept
Reader Ido alerts us to the news coming out of Israel, that the Senate there has moved forward on a bill that would create a huge biometric database including data on all Israelis, and refusing to provide such data could land anyone a year in jail. As the article notes, there’s a rather loud uproar about this, as many Israelis fear not only for their own privacy and civil liberties, but wonder just how such a database will be abused — either by gov’t officials or by hackers. It sounds like the bill still has a ways to go before becoming law, but this appears to be yet another move by a government to mistakenly assert that taking away people’s privacy somehow makes them more secure.