Biometric identification is an emerging technology that will have a huge impact on security and privacy. Put simply, "biometrics" are any metrics related to human features (fingerprints, retina, voice, face). Biometric technology is already being used in Apple's Touch ID and Face ID technology. The Microsoft Surface also uses facial recognition technology.
Some security professionals consider biometric identification a better alternative to ID cards, PINs, tokens and pass codes. In theory, only one person has your face, eyes, and fingerprints; they are always with you, they are permanent, and you will never "forget" them.
In the surveillance industry, identification through biometric technology is gaining widespread use to assist with law enforcement. Imagine a situation where the police take your picture to access your driver's licence, insurance information, outstanding warrants, etc.
App developers see profitable uses for biometric identifiers. For example, dating apps could be linked to hardware such as Google Glass or Magic Leap One and used to scan a room using facial recognition for people's voting history, criminal records, social media accounts, etc. You can then tailor your "pick up line" based on what you found on social media.
Hey, aren't you [insert name from facial recognition], we met at [insert place from last vacation posted on social media], you are friends with [insert name from friends list].
The downside is that the technology behind the collection and use of biometric information effectively converts your unique identifiers into digital data (binary language). If your biometric information has been reduced to data that is stored in a biometric database on a company's server, it can be hacked. If hacked, the entire world could have access to your biometric data.
The data stored in a biometric database may be more vulnerable than any other kind of data. You can change passwords, credit card information, and social security numbers. You cannot simply change your fingerprint, retina or face. Once your biometric data is disclosed, there isn’t much you can do to prevent unwanted access to this information.
Illinois is Ahead of the Game
In 2008, Illinois passed the Biometric Information Protection Act which regulates the collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and biometric information by private entities.
The Act has resulted in lawsuits related to using employee fingerprints to track work hours, using fingerprint capture for customer access control, and facial recognition for social media (e.g., Facebook and Snapchat).
Recently, the Illinois Supreme Court ruled that you do not need to have suffered damages in order to recover for violations of the Act.
My law partner, Andy Goldstein, wrote a client alert on the topic.
Does Florida Protect Biometric Information?
There is only one statute in Florida that explicitly mentions biometrics and it is in the Education Code related to student and parent records. Under section 1002.222, an educational institution may not collect, obtain, or retain biometric information of a student or a parent or sibling of the student.
Interestingly, a law like section 1002.222 that forbids the collection of biometric information might provide the ultimate protection because if an institution cannot collect it, then there isn't a threat of the institution being hacked and inadvertently disclosing biometric data to bad actors. Unfortunately, this law applies only to public educational institutions. It does not apply to the private sector trying to make a profit from your biometric data. Quite frankly, we probably do not want a law like section 1002.222 to apply in the private sector because it will stifle innovation in Florida.
Other than section 1002.222, the closest protection Floridians might receive for biometric information is from the Florida Information Protection Act ("FIPA"). But FIPA makes no mention of biometrics and, in fact, states that it does not protect information about an individual that has been made publicly available by a federal, state, or local governmental entity. This is troublesome because our fingerprints and faces are made available to governmental entities on a regular basis. Does this mean that FIPA intentionally disregards protection for biometric information?
At this point, there is no regulation of private entities collecting, using, and exploiting biometric data in Florida.
We are not at a crisis point, but Florida's legislature needs to recognize that while this emerging technology has many benefits, it also presents many significant risks to privacy and security. At the very least, we should have a discussion about how we want to protect biometric data in Florida.
~ Florida Cyber Lawyer, Robert Stines, Esq., CIPP