Yesterday, I testified (by remote communications) in the Alaska House of Representatives’ Health and Social Services Committee, which is considering a bill to heavily regulate the collection and use of biometrics. The bill is inspired by a man who was denied entry into the CPA exam when he refused to have his fingerprints scanned for that purpose. You can read more about his campaign at the PrivacyNOWalaska.org site.
I’m entirely sympathetic to his concerns about potential overcollection of biometrics in digital form, and what may happen to biometric data after it is collected. As I said in my testimony, “a digital record of a biometric can be stored indefinitely, copied an infinite number of times, and transmitted around the globe at the speed of light. This creates security and privacy concerns cutting against the use of machine-biometrics.” On the other hand, the CPA exam apparently has a problem with imposter fraud and faux test-takers who go simply to memorize questions and sell them on a test-prep black market.
Unfortunately, the bill is not callibrated to balance the competing interests at stake. It would create a “notice and consent” regime for biometrics collection, an idea that has failed to produce privacy protection in other areas. It would require massive and expensive re-tooling of data systems to provide consumers a right to amend or revoke their permission to use biometrics or order destruction of biometric data. And it would flatly outlaw marketing that uses biometric information—not just the stuff we learned to be spooked about in the film Minority Report, but knowingly agreed-to tailoring of discounts at the grocery store if we used a biometrically-secured payment system, for example.
I urged the Alaska legislators to ensure that biometrics collectors account for and prevent potential harm to Alaskans when they design and use their systems, but not to constrain biometrics so much that their security benefits never materialize.
There are a number of things Alaska and other states could do to help society callibrate the use of biometrics. They could ensure that biometrics collectors are liable and subject to jurisdiction in the state of collection when contract violations and harms arise from the use or misuse of biometric data.
Alaska could also establish that there is no “third-party doctrine” under its state constitution. A person sharing data under contractual or regulatory protections should maintain his or her search-and-seizure rights in that data. The government should not be able to access such data—though shared—without proper suspicion, warrants, and subpoenas.
Alaska has rejected the REAL ID Act, and it could do more to prevent the emergence of national identity systems by rejecting any E-Verify mandate. I encouraged the Alaskans to follow the lead of New Hampshire and bar state identity data from being shared with any national ID system.
The root of the problem in Alaska, though, may be the accountancy cartel. This is an area I know precious little about, but it appears that you must take the CPA exam to act as an accountant in the state. This positions the administrators of the CPA exam to make unreasonable, privacy-invasive demands for biometric data on a take-it-or-leave-it basis.
Oh what a tangled web we weave, when first we practise to … restrict the right to earn a living!
My testimony starts with a primer on biometrics. We have much to learn yet about biometric technologies, their uses, and their consequences. Banning them would deny the public many benefits. Using them promiscuously would have many costs.