Slashdot Mirror


Illinois Supreme Court Rules Against Six Flags in Lawsuit Over Fingerprint Scans, Says Actual Harm Unnecessary For Biometric Case (chicagotribune.com)

The family of a teenager whose fingerprint data was collected in 2014 when he bought a season pass to Six Flags Great America had the right to sue the amusement park company under an Illinois privacy law, the state Supreme Court ruled Friday. Chicago Tribune reports: The case is being closely watched by tech giants such as Facebook, who have pushed back against the Illinois Biometric Information Privacy Act (BIPA). The law requires companies collecting information such as facial, fingerprint and iris scans to obtain prior consent from consumers or employees, detailing how they'll use the data and how long the records will be kept. It also allows private citizens to sue, while other states let only the attorney general bring a lawsuit.

The opinion, which overturns an appeals court ruling in favor of Six Flags, has the potential to affect biometrics lawsuits playing out in courtrooms across the country. The Illinois law is one of the strictest of its kind in the nation and has turned the state into a hotbed of lawsuits over alleged misuses of biometric data. Privacy experts say protecting that type of information is critical because, unlike a credit card or bank account number, it's permanent.
The National Law Review adds: In short, individuals need not allege actual injury or adverse effect, beyond a violation of his/her rights under BIPA, in order to qualify as an "aggrieved" person and be entitled to seek liquidated damages, attorneys fees and costs, and injunctive relief under the Act. Potential damages are substantial as the BIPA provides for statutory damages of $1,000 per negligent violation or $5,000 per intentional or reckless violation of the Act. To date, no Illinois court has interpreted the meaning of "per violation," but the majority of BIPA suits have been brought as class actions seeking statutory damages on behalf of each individual affected.


  1. Good by Geoffrey.landis · · Score: 5, Insightful

    Good.
    A law saying it's illegal to collect such information without consent would be completely worthless if you were not allowed to sue the company for violating it.

    --
    http://www.geoffreylandis.com
    1. Re:Good by Anonymous Coward · · Score: 1

      A law saying it's illegal to collect such information without consent would be completely worthless if you were not allowed to sue the company for violating it.

      Which, except for all of those other cases which have been decided in favor of corporations saying that you had to prove actual harm to have any merit.

      They've literally been saying in the courts that "sure, this happened, but since you can't prove someone has stolen your identity or your money you have no standing to sue".

    2. Re:Good by torkus · · Score: 2

      You can always sue, but this actually outlines damages much more clearly than most situations. It also (potentially, IANAL) could be filed in small claims court which greatly lowers the bar and avoids paying lawyers buckets of money for a class action.

      My only question though - isn't it extremely simple to just publish the most open set of rules possible about your biometrics and not be on the hook for anything? Six Flags isn't a necessary service so they can absolutely refuse your business, and if accepting their biometrics policy is the rules of doing business with them...it sounds comically easy for them to be protected.

      --
      You can get rich if you own a politician, but you have to be rich to buy one in the first place.
    3. Re:Good by rtb61 · · Score: 1

      Damage is a contentious issue in this case because of permanence of intent with regard to damage, i.e. the data was not collected for today, it basically was collected forever and hence the damage must reflect all potential damage throughout your life. That kind of damage reflects pretty much any potential, from a criminal using that data to track you down and kill you, or another to use that data to steal your identity, or someone using that data against your interest to manipulate you. That is the real problem, it is not about that harm today but the potential harm out to decades, or for the same number of years the data is collected, basically for your entire life, placing the rest of your entire life in unfair and unnecessary risk.

      So how much risk are you allowed to put other people's lives in to generate a profit, this is what is really being expressed.

      --
      Chaos - everything, everywhere, everywhen
  2. Glad to see this by Anonymous Coward · · Score: 3, Interesting

    I have a pass at that very Six Flags, and I have to fight almost every time to not do the fingerprint scan. This ruling may change that.

  3. Fingerprints now by Lucas123 · · Score: 2

    A hair and saliva sample later.

    Seriously, why would anyone have thought this was a good idea?

    1. Re:Fingerprints now by MightyYar · · Score: 2

      Wanna bet they don't actually store the fingerprint, but instead something akin to a hash?

      --
      W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
    2. Re:Fingerprints now by b0s0z0ku · · Score: 3, Interesting

      The point of the Six Flags thing isn't high security, it's to make sharing season passes marginally more difficult.

    3. Re:Fingerprints now by b0s0z0ku · · Score: 3, Insightful

      But an RFID badge can be used by someone with a similar face; fingerprints make this more difficult. I see Six Flags' point, but it's also a stupid way to go about things -- they might gain a bit of revenue from people not sharing badges, but they'll lose on public goodwill. Not to mention that people who share season badges might otherwise not go. Even if they don't pay for their visit, they'll probably still buy food, drinks, and whatever else isn't included in a badge.

    4. Re:Fingerprints now by MightyYar · · Score: 1

      For this purpose, it's good enough. Look at how Disney does it: you have a fingerprint scanner. If it fails, they come over with an iPad and take a picture of your face. From that point forward, your picture comes up on the little turnstile reader so that the attendant can make sure it is really you. Thus they cut down pass sharing to a maximum of one single transfer and... mission accomplished.

      --
      W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
    5. Re:Fingerprints now by b0s0z0ku · · Score: 2

      You'd presumably "borrow" both the ID and the badge to get in, especially if it's shared among family.

    6. Re:Fingerprints now by MightyYar · · Score: 1

      No, they don't - and that's my point... the "fingerprint" is just a hash. If the hash is proper, they cannot recreate your fingerprint. They can only confirm that the reader created a hash that matches the one you have on file.

      As for the face... I mean you are walking around the park with cameras all over the damn place. 7/11 has your face when you buy gas. We've long since moved on from "OMG they have your picture!"

      --
      W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
    7. Re:Fingerprints now by MightyYar · · Score: 1

      If the hash is used in common-tech systems you can just re-use the hash.

      If anyone is using hashes without salt, that's their problem.

      It's just a dumb idea to use a security regime to try to provide convenience it was never meant for generally.

      I'm not sure I follow. Disney was having a problem where people would buy an (for example) 8-day pass, use 4 days, and then sell the remainder of the pass. They don't need perfect security, they only need to make this practice less likely. Fingerprints are fairly quick and fairly accurate. They add a little bit of time at the gate, but not as much as the back-check/security so it is acceptable in terms of flow rate. For honest people with a bad fingerprint, it's no big deal - you just wait until they take your picture. Could it be more secure? Absolutely. Does it work well enough to discourage the old practice they were trying to stomp out? Yes.

      before we have proper controls in place

      I don't exactly have a lot of trust in Disney to have our interests at heart, but I don't have that confidence about the government either. Right now the government in my state (PA) requires fingerprints if you want to work with kids. Not a hash of fingerprints - your actual fingerprints. I don't worry that Disney's hashes will leak and people will use them on similar unsalted systems. I do worry that the entire government fingerprint database will leak and people will use my actual fingerprint as they would a stolen social security number.

      --
      W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
  4. Re:Conservative lifetime appointments say otherwis by dfghjk · · Score: 1

    What constitutional grounds would justify SCOTUS hearing such a case regarding Illinois state law?

  5. Here are the details. by will_die · · Score: 5, Informative

    That article sure left lots of questions unanswered, anyhow here are the details.
    The mother of the kid purchased a season pass, for the kid, at Six Flags.
    The kid, age 14, went to Six Flags and picked up his ticket and at that time was fingerprinted, per standard policy for season tickets.
    Mother sued Six Flags since she had not given permission and him being a minor.
    Various courts have tossed it back and forth on the basis that the mother could show no type of injury.
    This time the Illinois Supreme Court ruled against Six Flags. The reason being that the state law does not require them to show injury.

    1. Re:Here are the details. by Nkwe · · Score: 4, Informative

      As a season pass holder at Six Flags, you can opt out of the fingerprint scanner. You have to ask for a pass with a picture when you process your season pass. You may have to escalate your request to a manager. I am a pass holder and have opted out every year since they added the scanners. That being said, the kid in this story may not have known he had this option and being a minor may not have been capable of making such a decision (to opt out.) I am not disputing that there is a case here, but the fingerprinting process isn't actually "mandatory" at Six Flags.

    2. Re:Here are the details. by CrimsonAvenger · · Score: 1

      The reason being that the state law does not require them to show injury.

      Hmm, wonder if the same logic would apply to someone suing the State of Illinois over collecting biometric information for Driver's License? Yes, height, weight, picture are "biometric info" used to identify the user....

      --

      "I do not agree with what you say, but I will defend to the death your right to say it"
    3. Re:Here are the details. by fish_in_the_c · · Score: 2

      Isn't a photograph biometric information? Or is the law specific about its definition?

      --
      “Tolerance applies only to persons, but never to truth. Intolerance applies only to truth, but never to persons.”
    4. Re:Here are the details. by will_die · · Score: 3, Interesting

      The law specifically states that biometric info does not include "physical descriptions such as height, weight, hair color, or eye color".
      Also states and the federal government are very good at putting a phrase such as "Person is consenting for the collection of this data. If the data is not provided it will affect how quickly the government provides the service requested."

    5. Re:Here are the details. by Nkwe · · Score: 1

      Isn't a photograph biometric information? Or is the law specific about its definition?

      That's a fair and interesting question.

      From a practical point of view the photo they take and print on the pass is poor quality, black and white (barely even gray scale), and low resolution, so I doubt it has much practical biometric value.

      I have no idea on the legal distinction between a photo and a fingerprint scan. As an aside, by entering a Six Flags park (as well as the other major amusement park chains) you usually also agree to be photographed and used in marketing materials. This kind of photo isn't tied to your identity, but in theory could be used to track guest movements in the park. Some parks are offering free WIFI and have an App for your phone - which of course allows them to track your movements in the park (but not via biometrics).

    6. Re:Here are the details. by sjames · · Score: 2

      As far as this case goes, I believe you've got it. The state law requires the parent's affirmative permission to fingerprint a minor. They didn't have that.

      The part the State Supreme court was hearing was Six Flags' claim that there were no actual damages, so no ability to sue. The verdict was that the law includes a presumptive damage of $1000 so the mother need not show actual damage to sue.

    7. Re:Here are the details. by sjames · · Score: 1

      They might still run into trouble if a 16 year old gets a driver's license.

    8. Re:Here are the details. by Wolfrider · · Score: 1

      --There is NO WAY that an AMUSEMENT PARK should be requiring fingerprint scans or other biometric data (besides a picture ID.) What the hell were they thinking??

      --
      .
      == WolfriderV6 == I'm willing to admit that *I just might* be wrong... Are you??
  6. Re:Conservative lifetime appointments say otherwis by jgtg32a · · Score: 1

    Supremacy clause and the 10th Amendment being basically ignored.

  7. Re:Conservative lifetime appointments say otherwis by Aighearach · · Score: 1

    The 10th Amendment says exactly that the States can do this.

    Supremacy clause always has let States make stricter rules, additional rules. There has to be a Federal Statute that directly contradicts the State law in the first place, you can't just wave your hands and say that something isn't allowed in Federal courts and have that mean it isn't allowed in State courts. Supremacy clause resolves conflicts between State and Federal law, it doesn't contradict the 10th Amendment.

  8. Re:Aren't they scanning for known pedophiles? by b0s0z0ku · · Score: 1

    Highly unlikely: I don't think they have a direct line to the FBI fingerprint database, and their fingerprint hash doesn't allow for reconstruction of the print. For this to work, they'd have to use the same hashing system that the FBI uses to make their prints searchable.

    Besides, people can still buy a day pass without being fingerprinted, so this doesn't actually help in this respect. Even if they were doing this, privacy should trump absolute safety -- the worst things are often done for the cheeeeeldren.

  9. so? by fish_in_the_c · · Score: 1

    Can someone in Illinois sue Google for allowing Google Photo to identify their face in a picture they didn't upload?

    --
    “Tolerance applies only to persons, but never to truth. Intolerance applies only to truth, but never to persons.”
  10. Re:Derp derp derp by jm007 · · Score: 1

    Purchasing the passes is you granting them consent

    reminds me of that game we'd play in jr high on friends/little brothers.... we'd barely whisper something like "say 'huh'/'what' if you want me to punch you in the arm"

    of course, being barely audible, the little brother would say "huh?" and we'd then proceed to punch him in the arm stating that he asked for it cuz he said 'huh'

    it was an 'agreement' done in bad faith then and it's the same thing here

  11. You have zero privacy anyway. Get over it? by grep+-v+'.*'+* · · Score: 3, Insightful

    Scott McNealy: You have zero privacy anyway. Get over it.

    If Privacy is really dead, then Scott should publish his Name, Address, Account Numbers and passwords, location schedule, and DNA profile and always keep them all current. Until then, it's NOT.

    It's one thing to lose my credit card number. Annoying, but I can get another. Same for my throw-away online accounts.

    It's slightly harder for more important accounts, like my slashdot account -- I'd lose all my Karma standing and have to start over! Other accounts are the same: VERY annoying but not Earth shattering.

    Getting doxed - the info used to be in the physical phone book, but now it's easy to tie "a fact" to "someone" and "know where they live." Now bother becomes heightened senses if not outright fear, and possibly having to actually uproot and move. Across the street, across town, across the country.

    Now you lose my name and reputation with Identity Theft. Inverse doxing, I'm still me but so is someone ELSE. I _COULD_ change my name, but I don't want to. And it's Hell trying to prove what's actually you and what isn't.

    FINALLY, you lose my biometrics? Movie hacker: "Computer: 'Override.' We're in." I _CAN'T_ change those, period. At all.

    Just because I have nothing to hide doesn't mean that I want you to see.

    --
    If the universe is someone's simulation -- does that mean the stars are just stuck pixels?
  12. Re:Conservative lifetime appointments say otherwis by fish_in_the_c · · Score: 1

    hopefully that trend will start to reverse as we get more Justices who actually believe that words have meanings at the time they are spoken and the meaning of a sentence doesn't change over time because it means what it was intended to mean, not what you want it to mean today.

    Of course the SCOTUS has always picked cases based on the perception that the case actually has a valid constitutional issue that is important and unresolved. So it might not help much in which cases they decide to pick up. It should help in the consistency of their decisions however.

    --
    “Tolerance applies only to persons, but never to truth. Intolerance applies only to truth, but never to persons.”
  13. Re:Conservative lifetime appointments say otherwis by Anonymous Coward · · Score: 1

    This assertion is being challenged and you can go right around it if state law touches interstate commerce. Sorry, you don't understand how this works. The 10th is not the only law and you didn't interpret it properly.

    The fact that 6-flags is a multi-state company alone probably is enough to get around this notion of yours that states can do whatever they want.

  14. Re:Derp derp derp by fish_in_the_c · · Score: 1

    Well, if you don't want to be identified, reasonably they don't want to do business with you. Basically the reason they collect this info is because they don't accept your possession of the ticket as proof you are who you claim to be. It is an anti counterfeit, anti scam measure that they wouldn't implement unless they thought it saved them money. I'm all for a law saying they have to tell you what they collect and what they do with it so you can consent, however, there is no reason to expect them to sell things to people who don't consent. (Is that part of this law?)

    --
    “Tolerance applies only to persons, but never to truth. Intolerance applies only to truth, but never to persons.”
  15. Re:Conservative lifetime appointments say otherwis by ShanghaiBill · · Score: 1

    The 10th Amendment says exactly that the States can do this.

    The 10th Amendment is routinely ignored by justices on both the left and right.

    If the 10th Amendment were interpreted literally, most of the federal government would have to be dismantled.

  16. Re:Conservative lifetime appointments say otherwis by ShanghaiBill · · Score: 3, Insightful

    Photography is protected by the first amendment as affirmed by federal courts.

    Photography in public, where there is no expectation of privacy, for noncommercial purposes is protected. Most people would not consider a fingerprint scanner to be collecting public information.

    The collection of facial biometrics can be defended based on that.

    Quite likely. But they didn't scan the kid's face. They scanned his fingerprints. Most people would consider that a greater impingement on privacy.

    Furthermore, the collection of fingerprints can be argued to be a form of photography.

    Maybe. But that is the point of this ruling: they have to make that argument in court. They can't just have the case dismissed with a lack of standing argument. The court didn't say the plaintiff wins, just that the case can proceed.

    Six Flags may also argue that they didn't store the fingerprint, but only a hash. Since there are many ways to generate a hash, and not every hash is unique, they could argue a hash is not "personally identifying information". Not sure if the court would agree.

  17. Re:Aren't they scanning for known pedophiles? by b0s0z0ku · · Score: 1

    The US is a litigious society. If it's for the cheeeeeeldreen, parks will start doing it just to avoid liability. The idea of a law or court judgement is that, if they're actively forbidden from doing so, violating people's privacy won't become an "industry best practice," and they can't be sued for failing to fingerprint.

  18. Re:That's not realistic. by b0s0z0ku · · Score: 2

    I'd suspect that most "sharing" happens between family members. I also suspect that it's not permitted unless you pay up for a family pass.

  19. Washington State has privacy rights too by WillAffleckUW · · Score: 1

    In our State Constitution.

    As does the entire nation of Canada.

    And most of the EU.

    Ooh, going to be a lot of suits.

    --
    -- Tigger warning: This post may contain tiggers! --
  20. Everyone wants privacy and we all hide something by jbn-o · · Score: 1

    If Privacy is really dead, then Scott should publish his Name, Address, Account Numbers and passwords, location schedule, and DNA profile and always keep them all current. Until then, it's NOT.

    I understand your larger point, and I quite agree that anyone who claims they don't care about privacy is lying, but you'll understand if I don't want someone else's choices determining the value of my privacy. I say privacy matters to us all even if someone claims otherwise (as glib sycophants on /. sometimes claim without challenge or evidence).

    Just because I have nothing to hide doesn't mean that I want you to see.

    Actually, everyone has something to hide. And that's not even the strongest reason why we all need privacy.

    Glenn Greenwald was discussing privacy with Noam Chomsky and Ed Snowden and Greenwald brought up his email account just to put the lie to people who argue that they have nothing to hide (around 29m37s). He tells them to email him the credentials of every account they have—not just the nice accounts like work, email, bank, and phone, he said—all of the accounts including the accounts people keep secret from their spouses and significant others. He tells them he intends to snoop around on those accounts to see what they've been doing, and so that he can become their impostor. After all, if they have nothing to hide then they have nothing to fear by telling him what they're really up to.

    The result? Greenwald said:

    To this day, not a single person has taken me up on this offer. I check that email account really frequently and it is a very lonely and desolate place. And the reason is because we really understand instinctively, without this abstract debate, why privacy is so critical. We are social animals: we have a need for other people to know and see what we're doing, which is why we post things about ourselves online. But we also have a need to do things without other people watching because when other people are watching what you're doing, you're much more likely to engage in decision making that is the byproduct of societal orthodoxies or external expectations and not a byproduct of your own agency and independence.

    This also gets into why privacy matters most—a far stronger reason to value privacy both in the abstract and in one's own life is that "Privacy protects us from abuses by those in power, even if we're doing nothing wrong at the time of surveillance." as Bruce Schneier points out in an essay he posted:

    We do nothing wrong when we make love or go to the bathroom. We are not deliberately hiding anything when we seek out private places for reflection or conversation. We keep private journals, sing in the privacy of the shower, and write letters to secret lovers and then burn them. Privacy is a basic human need.

  21. What's the big deal about fingerprints? by GuB-42 · · Score: 1

    As it is commonly pointed out on Slashdot, fingerprints are usernames, not passwords.
    So what if an amusement park uses them? They are less privacy invading than a simple picture, and very convenient.
    The ones who should be sued are not companies who collect them but the ones who use them for reasons other than checking your physical presence. The way Six Flags uses them is exactly how they are meant to be used.
    Of course, they are still personal data but why focus specifically on fingerprints when they are not too different from your full name or birth date.

  22. Re:Conservative lifetime appointments say otherwis by Aighearach · · Score: 1

    No, that's if the 10th Amendment was interpreted in an insane and inconsistent manner, as explained to you on AM radio.

    If it is just, the thing that has existed for 250+ years, then no, it would literally just be the status quo.

    The 10th Amendment is why California has stricter air standards than the Federal government. It has always been this way.

    Belief that the 10th Amendment contradicts the existence of the Federal Government is just stupid-sauce that defeats itself; surely the founding fathers didn't think those few words invalidated the rest of the words, so why do you think so? Stupid sauce.