Slashdot Mirror
Wendy's Faces Lawsuit For Unlawfully Collecting Employee Fingerprints (zdnet.com)
An anonymous reader quotes a report from ZDNet: A class-action lawsuit has been filed in Illinois against fast food restaurant chain Wendy's accusing the company of breaking state laws in regards to the way it stores and handles employee fingerprints. The complaint is centered around Wendy's practice of using biometric clocks that scan employees' fingerprints when they arrive at work, when they leave, and when they use the Point-Of-Sale and cash register systems.
Plaintiffs, represented by former Wendy's employees Martinique Owens and Amelia Garcia, claim that Wendy's breaks state law -- the Illinois Biometric Information Privacy Act (BIPA) -- because the company does not make employees aware of how it handles their data. More specifically, the lawsuit claims that Wendy's does not inform employees in writing of the specific purpose and length of time for which their fingerprints were being collected, stored, and used, as required by the BIPA, and nor does it obtain a written release from employees with explicit consent to obtain and handle the fingerprints in the first place. Wendy's also doesn't provide a publicly available retention schedule and guidelines for permanently destroying employees' fingerprints after they leave the company, plaintiffs said. [The plaintiffs also claim that Wendy's sends this data to a third-party without their consent.]
Plaintiffs, represented by former Wendy's employees Martinique Owens and Amelia Garcia, claim that Wendy's breaks state law -- the Illinois Biometric Information Privacy Act (BIPA) -- because the company does not make employees aware of how it handles their data. More specifically, the lawsuit claims that Wendy's does not inform employees in writing of the specific purpose and length of time for which their fingerprints were being collected, stored, and used, as required by the BIPA, and nor does it obtain a written release from employees with explicit consent to obtain and handle the fingerprints in the first place. Wendy's also doesn't provide a publicly available retention schedule and guidelines for permanently destroying employees' fingerprints after they leave the company, plaintiffs said. [The plaintiffs also claim that Wendy's sends this data to a third-party without their consent.]
These locks don't store fingerprints, just a sensor hash. Useless for identification, works reasonably well with a limited amount of users.
I'm going to coin a new word: "Ameritard"
An American citizen who demonstrates how mentally retarded they are by posting poorly thought out rants on the internet about how unconstitutional every law they don't like is.
I'm assuming this AC has had their drivers license revoked and owe child support payments. Therefore those laws must be bad.
For most of history, all but the last few years, when people did something socially unacceptable, it would only be remembered as long as those around them cared to remember. Now, algorithms and databases "remember" every time you didn't act "right."
Do something that is socially acceptable today, but not tomorrow? Its recorded forever to make sure that the record is straight and people know where you stand so that no one makes a mistake about your character.
Unfortunately, the rules that have been applied to computer systems and record systems are now being applied to humans on a mass scale. I think most humans have done something at one time that they would prefer they weren't judged by. Those days are long gone, and the days of mass penalties, and mass shaming are here.
--
1984? No, its 2018.
The tech angle is the impending doom of biometric data being widely used and completely insecure. However this particular article isn't a great example, it's just an employee notification issue. They aren't storing "biometrics" data actually.
Clase action, that's the one where lawyers get millions, the original handful of plaintiffs get about $30,000, and all the other class action members get a free fries coupon for their next Wendy's trip, right?
(-1: Post disagrees with my already-settled worldview) is not a valid mod option.
So the government can store my fingerprints forever but Wendy's can't sore them through my consent for something that is actually useful? Sounds like lawyer trolling.
I object to power without constructive purpose. --Spock
Of course they had a reason. More profit, laziness, fight fraud, whatever. Having a reason does not exempt you from the law.
Restaurant employees clock each other in/out all the time. This is a basic accounting control that works in both the company's and the employee's interest.
I object to power without constructive purpose. --Spock
There is a simple solution that is to record the fingerprint encrypted in the employee card.
To use it, you have to put the card in the machine and put your finger on the reader. Both must match to valid the operation.
Like that, the company doesn't need to store your fingerprint anywhere and the employee "keeps his fingerprint with him".
"...guidelines for permanently destroying employees' fingerprints after they leave the company"
I assume they mean destroying the RECORDS of employees' fingerprints...sounds rather cruel & unusual to destroy the actual fingerprints. Would they use acid to burn them off employees' fingers?
It sounds great, but badges get lost all the time. You did mention "encrypted in the card", but the question is how. Each device would have to have the decryption key, which is a weak point in the attack and means that all devices have to support this mechanism. Do they keys get rotated? How often? How do you rotate the keys when the badges are, by definition, offline. How do you rotate the keys given that many devices can only read (not program) cards? What happens if the encryption algorithm is found to be weak? Re-issue all cards? You have to visit every employee, take their picture (and fingerprint) and create a new badge. Then you have to replace all the copiers, access control systems, and all other devices that rely on the badges.
This also assumes that you have programmable cards at all. While some proximity formats do have a read/write data (mifare, for instance), many others do not (HID Proxpoint, Indala, etc). Magstripe and barcode store very little data, so encoding a fingerprint would be infeasible. If you did, a barcode can be easily photographed unless it's an IR barcode. We've already established that switching card formats is very expensive, so you want to avoid that if possible.
That said, biometrics on the employee's card does present an excellent legal advantage. By never storing the employee's template, the company can reasonably assert that if the badge is lost, it's the employee's fault, and thus they're not liable. I would not be surprised if this approach gains traction, given the penalties of GDPR. However, given how often items are lost, I really don't think it's a good solution.
In short, security is hard.
-=Lothsahn=-
If they're doing something sensible like combining an employee number (entered) plus a fingerprint or handprint/finger length measurement for authentication, this sounds like it could be resolved very easily - possibly with process changes, possibly just with documentation of what is/isn't collected and stored and for how long.
fencepost
just a little off
That is a great idea, if there is some way to reliably generate a fixed hash or code from a fingerprint. Unfortunately, I don't know of a way to reliably do this, as minor changes to the finger placement (or elasticity of the skin) can create variations in the minutae. But if some scheme can be derived to generate a fixed code for a finger reliably, that code could be used an encryption key, and then the card could simply store encrypted data.
That would be sweet, but I'm not aware of the tech currently being available to do that.
-=Lothsahn=-
I know a case where the man was known not to be the father before both the birth and the divorce. He still had to pay both child support and alimony (the father absconded.) Many judges make foul decisions.
Contribute to civilization: ari.aynrand.org/donate
When an employer asks me for fingerprints or a background check or a drug test, I cheerfully say to the HR person "Sure, I'll be happy to take the same drug test that the CEO has taken! After all my position in the company isn't as sensitive to company security, but it's still worth some validation."
For some reason the HR department is unable to show me the test that the CEO has taken. Or the background check or the credit check or the fingerprints. The CEO seems to have no application on file or references listed or job history. The CEO seems to have been exempt from any employment requirements. Fortunately, this experience has already made clear that this is not a company that I want to be part of, so I move on.
Should a company executive, who is paid well, who has extensive benefits, and who has the ability to skim thousand$ from the company be exempt from the indignities that a minimum wage worker has to suffer?
...omphaloskepsis often...
If you take on fatherhood, even if not the biological parent, you take on that responsibility. The judge probably did the right thing. Hopefully the biological father pays too.
But only that they store it in a wrong way.
That's what's wrong here.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
We call that the "secret ingredient".
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Finger on the reader? FFS, I work in a highly sensitive area and even I was never asked to hand over my prints.
Most likely 'cause we know how easily fingerprint readers can be fooled, but that's not the point...
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
When you pay peanuts, you get chimps. When you pay minimum wage, you can't threaten me with firing me. I mean, well, you can, but it's kinda toothless.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Wendy is not actually doing anything wrong, but lacking documentation and other paperwork.
bickerdyke
No, the judge did the wrong thing. If your wife gets pregnant and you're not the father, and you rightfully divorce her because of that, you have no business getting held accountable for two other people's actions ever. Any law that says different is unconstututional, and hopefully with the returning of constitutionality and downgrading of emotion in our court system maybe men will finally get some justice.
Being tricked into acting like a father or, (gasp) acting like a human being around kids should not obligate you to take responsibility for something you did not do.
It is just a money grab from people who think they should be paid for $15.00 an hour for being lazy, ignorant, bad employees doing a job anyone can do and that can be automated out of existence for $12.00 per hour.
There is no "-1 offended" or "-1 you don't agree with me" mod options for a reason.
The lawsuit says Wendyâ(TM)s never obtained proper consent. The rules for consent are pretty straightforward in the Illinois law.
If you can be forced to pay child support despite not being the father, abstinence is not going to help you...
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
Failure to immediately pay up $30,000 on command resulted in his drivers license being suspended, losing his job, and being unable to pay the insane $30,000 in a timely fashion.
Your friend had a terrible lawyer. Payment plans can be arranged, and apparently his lawyer didn't bother to try.
That's the theory, but in practice, courts have tapped people for child support when they were just a sperm donor, or when they never signed anything and were flat out told the child wasn't theirs. The courts are also known for demanding child support payments from people who simply don't have the money and never did. Even though if they had married the woman and lived as a family unit, they still wouldn't have the money but would qualify for assistance.
That's the theory, but in practice, courts have tapped people for child support when they were just a sperm donor
That would be the "skipped town" version in my post. At least according to Texas's laws where that happened. Once.
or when they never signed anything and were flat out told the child wasn't theirs
That's another case of "skipped town". Or if you're talking about a state/country where the dad doesn't sign the birth certificate, there are other ways they consider you to have taken on the mantle of Dad. Signing a birth certificate was just the shortest-to-type example.
The courts are also known for demanding child support payments from people who simply don't have the money and never did
Income is always taken into account. Tax returns are pulled as part of the process. And a change in income is grounds for modifying child support payments. When most claim they "don't have the money", they mean they don't want to curtail their other spending in order to make payments.
Father: "I'd have to sell my boat to pay this!!". Court: "Ok, go do that. Just like you'd sell your boat to support your kid if you were still married".
You dig at all at the horror stories and you find it's something like this, or that they didn't want to bother having the court modify their support if their income changed.
I've done work for a lot of clients for areas that I would not really consider "highly" sensitive, and yet have had to be fingerprinted at least 4 times: For work at a bank, at a credit card company, at a school system, and at an airport. It might be more sensitive if I were a software engineer working on code, but I'm a mechanical engineer working on the HVAC, plumbing, fire protection, etc.
It's becoming more and more usual to have to provide fingerprints for a background check. The only place that I actually need to put my finger on a fingerprint reader is the airport, though. And half the time it doesn't let me in, resulting in the TSA agent saying "Try again", "Let me clean the sensor", or "Use the other hand".
BTW, the fingerprints taken for the background check are completely separate from the "fingerprints" stored in the access control system for the readers.
That would be the "skipped town" version in my post. At least according to Texas's laws where that happened. Once.
Skipping town implies knowingly ducking a responsibility and in the process affirmatively surrendering the right to be a parent. A man specifically told the child isn't theirs hasn't skipped town except in the sophistry of a court playing pin the tail on the donkey.
A sperm donor was never to be considered the father, it is a simple act that is meant to help couples to have a child where presumably they, not the donor, actually act to create the child and be the responsible parents. There are 49 states other than Texas and it has happened there as well. More pin the tail on the donkey.
There certainly are cases where an actual father knowingly skips town and there are cases where the father actually can afford the support and is just trying to weasel out, but there are plenty of cases where the courts willfully assume that with facts not in evidence just to save the state a few bucks. Those cases don't end up with the child well supported, they just save the state a few bucks and jail men (possibly the father, possibly not) who don't happen to have the money..
Skipping town implies knowingly ducking a responsibility
To quote myself, "skipping town before the woman even knows she's pregnant"
It's kinda hard to duck a responsibility that you can not possibly know you have.
and in the process affirmatively surrendering the right to be a parent
That doesn't exist. You can surrender your right to visitation and/or custody. You can not surrender your responsibility for child support.
A sperm donor was never to be considered the father
Texas law says he is, because there's no carve-out in the law about biological fathers for sperm donors. The extra kicker is the woman and her wife moved to Texas after having the kid, so even a "don't donate sperm in Texas" plan would have not gotten him around responsibility.
And again, you are conflating the two ways you can end up being responsible for child support:
1) Provide the sperm that becomes a child.
2) Act as the father to a child, regardless of whether or not you provided the sperm.
Those two are independent. You do not have to do both to be responsible for child support.
but there are plenty of cases where the courts willfully assume that with facts not in evidence just to save the state a few bucks
[Citation Required]
There's lots and lots of cases where dad didn't want to change his spending, and thus "could not afford" the payments. And he will complain quite loudly that the evil judge is forcing him to pay more than he can afford, leading to claims such as yours.
Break out your 1040 and/or paystub, show you can't actually afford it, and the payment is reduced.
It's kinda hard to duck a responsibility that you can not possibly know you have.
That's my point. Why use a term with a negative connotation when it doesn't apply? Perhaps to shift blame?
Texas law says he is, because there's no carve-out in the law about biological fathers for sperm donors. The extra kicker is the woman and her wife moved to Texas after having the kid, so even a "don't donate sperm in Texas" plan would have not gotten him around responsibility.
And there's the wrong. Best bet, don't try to do a good deed as you will surely be punished for it. Even if the law you are under at the time says you're safe.
As for your item, 2, in other words fall victim to fraud, the court perpetuates the fraud.
You sound like you're agreeing with me but don't want to. As I said, it's pin the tail on the donkey.
The lawsuit claims that Wendy's does not inform employees in writing of the specific purpose and length of time for which their fingerprints were being collected, stored, and used, as required by the BIPA,
lol, why would the US have laws about storing of personal data? Sounds like commyinism..! Hopefully dear leader Trump can get some legislation through to release business from these onerous chains. Then back to the main priority - making the US a one party state through takeover of the supreme court. C'mon guys you can do it. Don't disappoint Vlad.
I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
I expect we will see roasts about this on Twitter from @Wendys soon.