One U.S. state stands out in restricting corporate use of biometrics: Illinois By Reuters
By Michael Berens
ST. LOUIS (Reuters) – When night fell, a clerk at a bustling 24-hour MotoMart flipped a switch from behind the counter.
Doorway sealed by electromagnetic locks. A window sign, now illuminated in red, warned “facial recognition technology in use” and directed customers to “look up at the camera.”
On this recent weeknight, a woman who wanted cigarettes was locked out. After being confused at first she realized she must remove her medical mask. After her unobstructed facial image was scanned into a store computer, then screened against the company’s photo archives of previous customers convicted of store-related crimes, the doors clicked open.
This screening, which is illegal under some of the most stringent privacy laws in America, took place just a few miles from her, in Illinois. Private companies must obtain written consent before stockpiling facial images or any biometric identifier – fingerprints, palms, eyes and voice.
The contrast speaks to America’s digital privacy divide. Illinois and two other U.S. States are on the one hand, while several others require public disclosures or consent to biometric screening. Other parts of the United States, including Missouri are on the other side. There, private sector usages are almost always unrestricted.
Illinois’ law prohibits private sector companies and institutions from collecting biometric data from unsuspecting citizens in the state or online, no matter where the business is based. The data cannot be transferred, sold or traded. Unlike any other state, citizens can sue for alleged violations, which has sparked hundreds of David-and-Goliath legal battles against some of the world’s most powerful companies.
A Reuters analysis of almost 750 Illinois class-action and individual lawsuits filed since 2015 revealed that there is ample evidence to suggest private companies have collected, tagged, and categorized biometric information gleaned from millions without consent or disclosure. The majority of suits were filed after 2019, when the Illinois Supreme Court ruled that plaintiffs didn’t have to prove harm in order to recover damages.
Privacy advocates say that this rapid, unchecked expansion of tracking technology has made it easier for individuals to be targeted by identity theft and other discriminatory acts. Unlike a credit card or driver license, a person’s biometric data is unique and cannot be changed or replaced.
Thomas Sawyer is a former St. Louis police officer and said the MotoMart system was designed to safeguard privacy. It has tamperproof software which prohibits any owner from exchanging or importating biometric data. He co-founded Blue Line Technology, LLC, which created the store’s face recognition system, with a group of former and active law enforcement officers.
“We want people to know they are being watched,” he said. “That’s why we have signs and a flashing light.”
Court records show that many companies use biometric systems to track employee and student performance or monitor customers in order to develop marketing and sales strategies. The suits detail how companies or institutions allegedly used a fingerprint database of amusement park visitors, including children, to look for signs of ticket fraud; examined college students’ eye movements and typing cadence for signs of cheating; and monitored employee interactions – whom they talked to and for how long – and frequency of their bathroom breaks.
Also, cases are pending against Amazon.com Inc (NASDAQ), Apple Inc(NASDAQ:) & Alphabet Inc’s Google. According to the suit, the food chain was accused of listening to some customers at drive-thru to monitor purchasing patterns. The four companies remain subject to complaints. The four companies declined to comment.
In court papers, Amazon, Apple and Google denied any violation of Illinois’ law, maintaining that privacy disclosures were provided to all users. Also in court filings, McDonald’s disputed the accusations against the company and asserted that voice data was used for training purposes and “not to identify individual speakers.”
If a company is found to have violated Illinois law, citizens can collect civil penalties up to $5,000 per violation compounded by the number of people affected and days involved. Enforcement is not handled by any state agency.
Some corporations have chosen to settle for huge sums. Facebook (NASDAQ:), settled last year for $650m following allegations that it had collected facial photographs of millions without consent. Earlier this year, Tik Tok’s China-based parent ByteDance settled for $92 involving similar allegations. Reuters asked neither company to comment nor did they acknowledge wrongdoing.
More than half of the pending cases involve regional and local businesses. Jack Lavin is chief executive officer of Chicagoland Chamber of Commerce and the president of Chicagoland Chamber of Commerce. He said that even though violations were not measurable, any court settlement or verdict could cause financial ruin and layoffs.
“Illinois law has been weaponized,” he said. “It’s created a cottage industry for suing companies.”
The U.S. Chamber of Commerce’s Institute for Legal Reform labels Illinois a “judicial hell hole.”
FINGERPRINTING AT THE GROCERY STORE
It seemed like an idea out of science fiction: using a fingerprint scanner to buy groceries. But in 2008, a California company swept into Illinois with just such a futuristic online marketing pitch: “Imagine this. When you go to checkout, your finger touches a tiny scanner. Instantly you see a list of your payment accounts on a screen, checking account, credit or debit card … no cards, checks, cash – or hassle.”
Soon after shoppers signed up, the company declared bankruptcy. The company had plans to transfer inventory including its fingerprint database to third parties, according to court filings.
American Civil Liberties Union Illinois chapter jumped into action and sponsored the Illinois Biometric Information and Privacy Act or BIPA. The California company’s fingerprint database was destroyed.
“We aren’t trying to ban technology,” said spokesman Ed Yohnka. “We want to put protections in place to control, manage, inform and obtain consent.”
Only two other states currently enforce comprehensive biometric privacy laws. According to Reuters, Washington and Texas have their compliance regulated by a government agency such as an attorney general. However, both states’ laws are generally viewed as weaker than Illinois’ mandates by privacy advocates; agencies often seek voluntary reform if violations are substantiated. California will adopt more robust privacy protections by 2022. This will restrict how data can be collected, and will create a state regulator agency that focuses on privacy laws for consumers.
Meanwhile, pro-business groups are fighting to modify Illinois’ law.
In January, the Chicago chamber of commerce sponsored legislation to soften financial penalties and eliminate citizens’ right to sue, known in legal parlance as a “private right to action.” The measure failed for lack of support.
‘WE COULD DO ALL KINDS OF STUFF WITH THIS!’
The Missouri MotoMart was the first store in the country to install the surveillance lock-out device created by Blue Line. This firm is one of many nascent American companies that struggle to make it big in the face recognition market. They are primarily small- and medium-sized businesses on a tight budget.
Blue Line was founded in 2015 by Sawyer after he visited Marcos Silva (a former military software programer who is now a St. Louis detective).
“Do you want to see something in my garage?” Sawyer recalled Silva asking.
Silva showed a prototype of a face recognition system. Sawyer said he blurted, “We could do all kinds of stuff with this!”
Today, Blue Line oversees about 50 systems, which cost about $10,000 each, in convenience stores and gas stations in 12 states. Blue Line also helps to validate student identities at a Catholic high school in St. Louis suburbs.
Blue Line faces a constantly changing regulatory landscape. After the Portland city council passed a ban on face recognition in private sectors, a Portland store decided to abandon its system. It does not affect law enforcement and government.
Numerous cities have begun to consider new biometric restrictions. New York City has modeled much its privacy legislation this year on Illinois. Companies are obliged to publically and publicly disclose the use of biometric systems.
Cities should “press pause” on allowing biometric technologies until laws require public transparency and corporate accountability, said Alan Butler, executive director of Wash. D.C.-based Electronic Privacy Information Center.
Without legal safeguards, he said, real-time face recognition systems like the one developed by Blue Line represent a “systemic threat to privacy.”
But Sawyer said he has proof Blue Line’s program works. He presented Reuters a 6-second video from July 2018, at Yakima AM/PM convenience stores in Washington.
At 1:20 a.m., two young men wearing ski masks dashed to the store’s front door. Two young men in ski masks ran to the front door, clutching dark-colored handguns. One man pulled the door handle, locked by Blue Line’s system. The men both turned around and fled.
Kush Hans (the owner of the shop) said that he implemented the Blue Line system after a masked criminal shot and killed a 25 year-old clerk. He was also a relative.
He said that there has not been another robbery since face recognition was installed.
(Michael Berens was based in St. Louis, Chicago. Julie Marquis did the editing