Wendy's Faces Lawsuit For Unlawfully Collecting Employee Fingerprints (zdnet.com)
An anonymous reader quotes a report from ZDNet: A class-action lawsuit has been filed in Illinois against fast food restaurant chain Wendy's accusing the company of breaking state laws regarding the way it stores and handles employee fingerprints. The complaint is centered around Wendy's practice of using biometric clocks that scan employees' fingerprints when they arrive at work, when they leave, and when they use the Point-Of-Sale and cash register systems.
Plaintiffs, represented by former Wendy's employees Martinique Owens and Amelia Garcia, claim that Wendy's breaks state law -- the Illinois Biometric Information Privacy Act (BIPA) -- because the company does not make employees aware of how it handles their data. More specifically, the lawsuit claims that Wendy's does not inform employees in writing of the specific purpose and length of time for which their fingerprints were being collected, stored, and used, as required by the BIPA, nor does it obtain a written release from employees with explicit consent to obtain and handle the fingerprints in the first place. Wendy's also doesn't provide a publicly available retention schedule and guidelines for permanently destroying employees' fingerprints after they leave the company, plaintiffs said. [The plaintiffs also claim that Wendy's sends this data to a third-party without their consent.]
For most of history, all but the last few years, when people did something socially unacceptable, it would only be remembered as long as those around them cared to remember. Now, algorithms and databases "remember" every time you didn't act "right."
Do something that is socially acceptable today, but not tomorrow? It's recorded forever to make sure that the record is straight and people know where you stand so that no one makes a mistake about your character.
Unfortunately, the rules that have been applied to computer systems and record systems are now being applied to humans on a mass scale. I think most humans have done something at one time that they would prefer they weren't judged by. Those days are long gone, and the days of mass penalties, and mass shaming are here.
--
1984? No, it's 2018.
Class action, that's the one where lawyers get millions, the original handful of plaintiffs get about $30,000, and all the other class action members get a free fries coupon for their next Wendy's trip, right?
(-1: Post disagrees with my already-settled worldview) is not a valid mod option.
There is a simple solution that is to record the fingerprint encrypted in the employee card.
To use it, you have to put the card in the machine and put your finger on the reader. Both must match to validate the operation.
Like that, the company doesn't need to store your fingerprint anywhere and the employee "keeps his fingerprint with him".
A break in the chain IS possible. If someone gains access to the device, they could issue commands to retrieve the raw biometric data from the device and offload it. Most biometric sensors have API calls both to receive the template (hash) or the fingerprint image (raw data). If you get remote code execution on the device, employee fingerprints could be stolen by simply calling the API to retrieve the raw data.
Reversing the template to obtain the original fingerprint is simply not possible. That would be equivalent to saying "I have the md5 of a file, so if I find a weakness in md5, I can get the original file back!" To understand why this statement is untrue, let's talk about hashes and how they're broken.
A hash reduces a large data input to a small output, which can be used to verify that the input has not been altered (accidentally or maliciously). Except in extremely rare cases (small, known input sizes), hashing always causes such loss of data that the original file cannot be reconstructed.
A cryptographically secure hash adds one extra property. A cryptographically secure hash is engineered so it is difficult or "impossible" to create a different input that hashes to the same output. When hashes (like md5) are "broken", that means that we've devised a way to generate a series of inputs that resolves to the same hash--not that we can reconstruct the original input. In fact, once broken, we can generate a number of inputs that resolve to the same hash, and the original could be any one of them (or potentially another one we have not yet generated)!
Biometric templates are essentially non-cryptographic hashes. They are simply a measurement of the relative position and orientation between minutiae (see here: http://www.uh.edu/engines/fing... for a description of what minutiae are). Because they are not cryptographic, if you have a fingerprint template, it is absolutely possible to reconstruct a fingerprint that will match and score well against the template--that is, you could generate a spoof that would be accepted in the fingerprint reader. However, it would NOT be possible to reconstruct the original fingerprint, as too much data has been lost to reconstruct the original fingerprint.
I agree with the privacy concerns of biometric devices. It takes only one hack on such a device for your unchangeable biometric data to be stolen, forever. But if you need a person's fingerprint, the attack vectors aren't on the template data, they're on the device to obtain the raw image. Alternatively, if you had a fingerprint and a large database of stolen templates, you could likely identify a single or small set of individuals that had the fingerprint.
Note: I work in the industry on biometric devices, although not the ones that Wendy's uses.
-=Lothsahn=-
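As an added illustration of the point made in the post above (this is not code from the post, from Lothsahn, or from any biometric vendor), here is a toy Python model of a minutiae template. The template format, the matching score, the tolerances and the sample minutiae are all invented for this example; real templates and matchers are far more involved. What the toy shows is the property the post describes: the template keeps only relative geometry, so a different minutiae set can be synthesized that scores as a perfect match, while the original placement of the print (let alone the ridge image a sensor actually captured) is not recoverable, because every rotation and translation of the print yields the same template.

```python
"""
Toy minutiae template: added example, not code from the post or any vendor.
The feature layout, match score, tolerances and sample prints are invented.
"""
import math

# Constructed sample print: minutiae as (x, y, ridge_angle_deg) on a 256x256 grid.
FINGER_A = [(40.0, 60.0, 30.0), (120.0, 80.0, 95.0), (90.0, 150.0, 200.0),
            (200.0, 130.0, 310.0), (160.0, 210.0, 45.0)]
# A different constructed print with the same number of minutiae.
FINGER_B = [(50.0, 50.0, 10.0), (70.0, 180.0, 120.0), (180.0, 60.0, 250.0),
            (140.0, 140.0, 330.0), (220.0, 200.0, 80.0)]


def angle_diff(a, b):
    """Signed smallest difference a-b in degrees, in [-180, 180)."""
    return (a - b + 180.0) % 360.0 - 180.0


def make_template(minutiae):
    """Relative geometry only, keyed by minutia pair (i, j): the distance, the
    ridge angle of i relative to the i->j line, and the ridge angle of j
    relative to i. All three survive rotating or shifting the whole print,
    so absolute position and orientation are deliberately NOT in the template."""
    tpl = {}
    for i, (x1, y1, t1) in enumerate(minutiae):
        for j in range(i + 1, len(minutiae)):
            x2, y2, t2 = minutiae[j]
            line = math.degrees(math.atan2(y2 - y1, x2 - x1))
            tpl[(i, j)] = (math.hypot(x2 - x1, y2 - y1),
                           angle_diff(t1, line),
                           angle_diff(t2, t1))
    return tpl


def match_score(tpl_a, tpl_b, dist_tol=2.0, ang_tol=3.0):
    """Fraction of pairwise features in tpl_a that tpl_b reproduces within tolerance
    (invented scoring; a real matcher also has to solve minutia correspondence)."""
    hits = 0
    for key, (d, a1, a2) in tpl_a.items():
        if key not in tpl_b:
            continue
        e, b1, b2 = tpl_b[key]
        if (abs(d - e) <= dist_tol and abs(angle_diff(a1, b1)) <= ang_tol
                and abs(angle_diff(a2, b2)) <= ang_tol):
            hits += 1
    return hits / len(tpl_a) if tpl_a else 0.0


def rigid_move(minutiae, dx, dy, rot_deg):
    """Same finger placed differently on the sensor: rotate about the origin, then shift."""
    r = math.radians(rot_deg)
    return [(x * math.cos(r) - y * math.sin(r) + dx,
             x * math.sin(r) + y * math.cos(r) + dy,
             (t + rot_deg) % 360.0) for x, y, t in minutiae]


def synthesize_from_template(tpl, n):
    """Build a minutiae set that reproduces the template. Minutia 0 is pinned at
    the origin with ridge angle 0 because the template carries no absolute frame;
    any other pin gives an equally valid 'fingerprint', which is why the original
    coordinates cannot be singled out."""
    pts = [(0.0, 0.0, 0.0)]
    for j in range(1, n):
        d, a1, a2 = tpl[(0, j)]
        line = math.radians(0.0 - a1)   # a1 = angle_diff(t0, line) with t0 pinned to 0
        pts.append((d * math.cos(line), d * math.sin(line), a2 % 360.0))
    return pts


def demo():
    """Scores a practitioner would want to see side by side."""
    tpl_a = make_template(FINGER_A)
    same_finger_moved = rigid_move(FINGER_A, 37.0, -12.0, 25.0)
    spoof = synthesize_from_template(tpl_a, len(FINGER_A))
    return {
        "same_finger_rotated": match_score(tpl_a, make_template(same_finger_moved)),
        "different_finger": match_score(tpl_a, make_template(FINGER_B)),
        "synthesized_from_template": match_score(tpl_a, make_template(spoof)),
        "spoof_equals_original_coords": spoof == FINGER_A,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The synthesized set is a rigid motion of the real minutiae, so it scores 1.0 against the stored template even though its coordinates differ from the original; a stolen template is therefore enough to fabricate something the matcher accepts, which is exactly why the post treats templates as sensitive even though they are not the raw image.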
Then you haven't used modern, good quality biometric devices.
Biometric sensors from 10-15 years ago absolutely worked terribly. Modern ones perform very well, and have a much better experience. 10-15 years ago, the industry had 10-20% of the population that could not reliably use fingerprint readers due to temperature, humidity, worn fingerprints, skin color, no fingerprints, and many other factors. Now, we have between 0.1-1% of the population that cannot use the devices, and <1% of the biometric operations fail. We have had numerous people use modern sensors that were blown away at how well they operate compared to prior generations.
Lumidigm has an excellent such sensor. Check out a video of it here: https://www.youtube.com/watch?...
That video is not just a marketing gimmick. They absolutely work as shown in the video.
Note: I work in the biometric industry, but not on Wendy's time clocks.
-=Lothsahn=-
It sounds great, but badges get lost all the time. You did mention "encrypted in the card", but the question is how. Each device would have to have the decryption key, which is a weak point in the attack and means that all devices have to support this mechanism. Do the keys get rotated? How often? How do you rotate the keys when the badges are, by definition, offline? How do you rotate the keys given that many devices can only read (not program) cards? What happens if the encryption algorithm is found to be weak? Re-issue all cards? You have to visit every employee, take their picture (and fingerprint) and create a new badge. Then you have to replace all the copiers, access control systems, and all other devices that rely on the badges.
This also assumes that you have programmable cards at all. While some proximity formats do have a read/write data (mifare, for instance), many others do not (HID Proxpoint, Indala, etc). Magstripe and barcode store very little data, so encoding a fingerprint would be infeasible. If you did, a barcode can be easily photographed unless it's an IR barcode. We've already established that switching card formats is very expensive, so you want to avoid that if possible.
That said, biometrics on the employee's card does present an excellent legal advantage. By never storing the employee's template, the company can reasonably assert that if the badge is lost, it's the employee's fault, and thus they're not liable. I would not be surprised if this approach gains traction, given the penalties of GDPR. However, given how often items are lost, I really don't think it's a good solution.
In short, security is hard.
-=Lothsahn=-