Patchwork: Addressing Inconsistencies in Biometric Privacy Regulation.

• Author: Perez, Elisa Cardano

TABLE OF CONTENTS I. INTRODUCTION 28 II. BACKGROUND 30 A. Understanding Biometrics 30 1. What Are Biometrics and Biometric Systems? 30 2. Placing Biometrics in Context: Uses and Privacy Implications 31 B. Statutes Governing The Protection 35 of Biometric Information 1. An International Comprehensive Framework 35 2. Federal Legislation in The United States 36 3. State Legislative Framework in the United States 37 III. ANALYSIS 44 A. Inadequacies In Current Biometric Regimes 44 in the United States 1. Narrow Definitions of "Biometric Identifiers" Create Inconsistent Protection Across States and Do Not Account for The Rapid Growth of Biometric Identification Technology 44 2. The Consent System's Value Exchange Does Not Provide Control To Consumers 46 3. Force of The Right to Private Action Is Diminished by Article III Standing Challenges 48 4. The Right of Erasure Provides Greater Autonomy to Individuals Over Their Data 50 B. A Federal Legislative Solution 51 IV. CONCLUSION 53 I. INTRODUCTION

Imagine you are walking into a supermarket. As you walk around the aisles trying to find your favorite chocolate bar, you are unaware that the store's video camera is tracking you. The camera's facial recognition software is used to verify whether you match a criminal database. You exit the store and smoke a cigarette, throwing it into the trash. The cigarette bounces off the rim and hits the ground. A few weeks later, the city square has plastered your face on the billboards of an ad campaign. The cigarette you left on that sidewalk contained some of your DNA and was used to reconstruct your face. This type of campaign was recently employed in Hong Kong to bring awareness to the city's littering problem and shame those who litter. (1) Your DNA was matched with data from the web of commercial firms that collect, share, and sell information. Here, your DNA was matched with the footage from the supermarket that collected your facial template. The matching process facilitated the full reconstruction of your face by the advertisers. These billboards are located all over the city and are equipped with sensors that simultaneously assess the billboards' viewers. These sensors are capable of tracking how long each viewer spends looking at the advertisements, as well as the emotional response of the viewer, by tracking cardiac rhythms and brain waves.

Your phone's notification reminds you about the date that you have planned. A new dating application (2) which matches users based on their DNA compatibility found your perfect match and you must impress that perfect match. Unfortunately, the fingerprint reader of your phone is broken, disabling you from paying at the restaurant through your banking application. You approach an outdated ATM for cash, insert your card into the ATM slot, and verify your identity through facial recognition cameras as a security measure instead of a PIN. The balance has surprisingly decreased. The facial recognition ATM took notice of the campaign, automatically charging you a $200 fine for littering. Anonymity is a luxury in this seemingly dystopian society.

The scenario portrayed above may seem improbable and unimaginable, but it isn't far off from the data privacy concerns of keeping up with the rapid pace of technology governing our newly digitized world. Information, just like time, is money, especially in a world where companies collect and trade on our data points. Biological information gives consumers the ability to secure their information in a way they perceive to be the safest. After all, who could replicate your face or fingertips? The reality of biometric security is that once it is hacked, the information becomes irreplaceable. You can change your credit card number the way you can change your hair color but changing your fingerprint or facial composition--while not impossible--may come at a heftier price. For example, Mr. Kumaran from Malaysia, who secured his car through a fingerprint recognition system, had his index finger cut off by robbers to steal his car. (3) Individuals today have become numb to the habit of using information for "security," and most individuals are not aware of how much information is collected or stored by private firms. Businesses are using biometric information in ways never seen before. These uses range from the use of infrared facial scanners to map out your face for temperature checks, to using facial recognition for confirming restaurant orders or to ensure you are not a criminal. (4)

To maintain some legitimacy and control over our information, more stringent regulation is needed to provide the public with more control over the unwarranted collection, use, and aggregation of biometric information, ensuring that stronger guidelines are in place for companies to follow. The current patchwork of legislation in the United States regarding the collection and use of biometric data is inadequate for both consumers and corporations due to the inconsistencies in the definition of biometric identifiers, the thresholds for consent to collect and use data, the enforcement mechanisms, and the limited access to erase collected data for the public. This Note introduces the problems underlying several of the current legislative regimes governing biometric data in the United States, using them as an analytical framework for a lessons-learned approach for future legislation. Congress should pass a law that enables companies and citizens alike to have consistent protection and consistently applied laws, emphasizing the principle of individual control over information and delineating boundaries for companies to operate within.

Part II, Section A explains the way that biometric technology operates and is used as an identity authenticator. It provides a foundational understanding of the various uses of biometric technology in both the public and private sectors, and explains what individuals lose when they release their private biometric information. Section B describes the different "patches" of legislation in the state and federal systems in the United States, and it introduces the European Union's General Data Privacy Regulation (GDPR), one of the most comprehensive data protection regimes to date. Part II, Section A analyzes the inadequacies of the current statutory framework. It centers the discussion on four main elements: definition of biometric identifiers, consent for collection and use, the right to private action, and the right to data erasure. Section B proposes a federal framework for legislation using a lessons-learned approach, suggesting that the legislation provide for greater control for individuals and include a more consistent regulatory scheme for firms who operate in this field.

2. BACKGROUND

   1. Understanding Biometrics

      1. What Are Biometrics and Biometric Systems?

         Biometrics refers to the field of methods employed to identify or recognize individuals based on their biological characteristics. (5) These biological characteristics are unique to each human being because they are often innate and immutable. (6) They can be measured by physiological (7) traits, such as a fingerprint, face, or iris, (8) and by behavioral traits that can be recognized by "the way one walks, speaks, writes, or interacts with a computer," (9) which could be subject to change throughout one's lifetime. Advances in biometric studies have rendered the use of cardiac rhythm (ECG) and electrical activities from the brain (EEG) as possible methods for identification. (10) These modalities for biometric identification remain understudied, but the development of combining methods as a process for identification (11) only continues to evolve as more technology becomes available and as interest in this market grows.

         Biometric data is collected and processed using a biometric system. A biometric system works when a sensor captures a biometric trait, extracts that trait's representative feature, and creates a template of that trait that will be stored in the biometric system. (12) Later on, a similar process unfolds to ensure that an input of a trait converted into a template entered will match the previously system-registered template. (13) The biometric sensor captures the trait, extracts the representative feature, and compares this new template with the previously created and stored template. (14) These "extractable" characteristics that create templates can be derived from varying sources through different technologies. (15)

         Legislation typically defines the term "biometric identifiers" as the extractable biometric characteristics used to create the templates that are used and stored within biometric systems. (16) As mentioned, these extractable features can range from faces and irises to cardiac rhythms as new methods of identification are explored. (17) This definition informs corporations of the boundary for collection, use, sale, and extraction of individual biometric features, and what amount of information individuals can expect to be protected.

      2. Placing Biometrics in Context: Uses and Privacy Implications

         1. Uses of Biometric Information

            The breadth of the biometrics market is exemplified through both public and private sector uses. Governments extensively use biometrics for security purposes in law enforcement and immigration control through fingerprinting, (18) and only continue to expand their use. In the United States, the Pentagon developed a laser technology known as the Jetson, which maps cardiac signatures to identify individuals from a distance. (19) Governmental use is evolving to include digital forms of ID that facilitate the provision of services. In India, the Aadhar digital ID system is a digital identification number combined with biometric features, such as iris scans, (20) that can be used to validate a citizen's identity by banking institutions, employers, and the government when providing subsidies to its citizens. (21) Russia recently approved a...