I just updated my Facebook settings to prohibit the software company from conducting facial recognition scans on my photos today due to a notification from Facebook that its software would be analyzing my likeness to automatically recognize me in photos posted on Facebook. This was a coincidence because today I spoke at the American Bar Association’s National Symposium on Technology in Labor and Employment Law on the topic of biometrics in the workplace. As I’ve written about previously, Facebook has been sued for violating Illinois’ Biometric Information Privacy Act (BIPA) for the analysis it performs on individual’s images that are uploaded to Facebook, and indeed other companies are dealing with legal issues arising from Illinois BIPA. This Friday’s Five consists of my five ruminations about biometrics use in the workplace.
1. Technology is developing faster than society’s perceptions of privacy and the law’s ability to keep up.
Technology is quickly developing rapidly on biometric gathering and analysis of the information. As reported today, cameras will likely have the ability to gather data to understand how an individual is feeling and thinking. We are not at the point of a Star Trek type of body scanner to determine in an individual is sick or injured, but it is not inconceivable that this will be possible in the near future. Current technology allows the collection of a lot of biometric information that most of the public probably does not know is possible, such as thermo-images, identification by your “ear print,” heartbeats and possibly EEGs. It raises the key question: is your ear print, heartbeat, heat signature, or EEG signals private information?
2. Only 3 states have legislation regarding the collection and analysis of biometric information of individuals.
A bit surprising to me, all but three states allow for the collection and analysis by employers or consumer companies of biometric information without any type of disclosures or notice to individuals. Illinois, Texas and Washington state have statues that require some type of notice and voluntary consent before biometric information is collected by a private company. There is no restriction regarding law enforcement collection of biometric data.
On one hand it is not private – it is publicly shared and information that can be acquired through very unobtrusive means. There does not have to be any contact (except for the EEG monitoring – which requires probes placed on the scalp) with the individual to obtain this information. Indeed, this information can often be derived through taking a picture, with nothing more complicated than the camera found on most mobile phones.
On the other hand, the technology being developed can gather more intimate information about people beyond their identity. Thermo-images, EEG scans, and carbon dioxide monitors can gather a lot more information than previously imaginable about an individual’s health and mood. As this technology continues to develop, it will be able to derive even more detailed information about people’s health, propensities to become sick, likelihood of having cancer, or maybe even be able to detect cancer.
3. Biometric information is useful in the employment context.
Employers have already been using biometric information to track employees and for security issues, such as permitting access to certain areas based on fingerprint or retinal scans. Employees are able to share passwords very easily to get around password safeguards, but it is harder (but not impossible) for them to share fingerprints or “earprints” (yes, you can be identified by your earprint, which are more reliable than fingerprints).
In the future, employers may be interested in tracking blood pressure, heartbeats, and the general anxiety level of employees for workers’ safety, workers comp claims, and productivity. To the extent the employee asserts some accident or incident occurred on a certain day, it would be useful to have this biometric information for the same time period. While it would be useful, does it violate an employee’s right to privacy? While employees do have a reduced privacy rights a work as long as the employer provides notice to the employee that they may be monitored, California courts have also been clear in holding that employees do not forfeit all privacy rights while at work.
4. If employers collect biometric information, is it simply creating a database that can be used by other third parties?
My libertarian tendencies cause an uneasy feeling in my stomach when realizing the current capabilities with biometric information. This is partly why I opted out of Facebook’s facial recognition setting mentioned above. I believe that many people have a concern that while an individual may consent that a company or an employer may collect and analyze their biometric information, it is unknown about what may happen to this information in the future. This information is an asset that could be acquired by other companies through company purchases or mergers. This would result in the individual’s biometric information being available to third-parties that the individual never anticipated would have access to the information. There are currently no legal safeguards restricting who has access to biometric information, except the couple of states mentioned above that have passed legislation on this issue.
5. Once biometric data is hacked, it may be hard to identify people.
Again, I recognize that employers and companies have legitimate uses for biometric information. However, the type of information that is contained in biometric information under current technology and the information that will be able to be gathered by future technology is critical to an individual’s identity. What if the data is hacked and used by a third-party to steal an individual’s identity? How will one be able to prove that they are who they claim to be if their finger print data base has been changed by a hacker? These are issues that will have to be resolved as this technology and area of the law are developing.