Biometrics in the Workplace

ryth writes "The Globe and Mail reports that McDonald's Restaurants and a few other companies in Canada have introduced palm-scanning technologies for employees. Workers are now expected to 'sign' in and out using their palm prints to record the exact time of arrival and the identity of the employee. Quoted in the article Jorn Nordmann, president of S.M. Products, was blunt about why he installed a hand scanner at his fish-processing plant in Delta, B.C. 'If you want to control a whole bunch of people, it's the only way to go.' It seems that some of the most underpaid and undervalued workers are starting to be treated no better than the animals they are frying up." Except for the frying part.

Better make sure...

[xSquaredAdmin]

that people wash their hands before coming to work, because if everyone is putting their hand on the scanner, there could definitely be some health issues.

huh?

[selacious]

Check me if I'm wrong Sammy, but I don't see how making employees sign in and out is all that terrible. Would it make people feel better if these employees pushed a button to sign in instead of having their palms scanned?

Is it THAT bad?

[The-Bus]

His 50 employees would often "buddy-punch," meaning that they would punch the time clock for people who had not shown up. "They're typical workers," Mr. Nordmann said. "It's not nice work. You have a lot of turnover. You have them one week, and the next week they're gone. You can't tell the faces any more."

This is a completely valid viewpoint. My main question is how is this an invasion of privacy? I wouldn't have a problem scanning in my hand to check in to work -- but it seems that a lot of people do. I guess letting companies having biometric information could be the beginning of a long and slippery slope, but I can't really see a worst case scenario... someone care to visualize it for me?

In other news, this would meet a lot greater resistance if McDonald's allowed its workers to form unions. The restaurants have some of the worst turnover because the working conditions are abismal and the company squashes any attempts at its workers to form unions. More information can be found in the book Fast Food Nation [amazon.com] which I definitely recommend as a good read -- it goes into worker treatment at both fast food restaurants as well as meat packing plants and the entire fast food industry as a whole, from advertising to production to health issues. I recommend as a read although be warned, you may not want to go back to McDonald's again. I haven't gone back. But that's because their food tastes like crap.

Re:Swipe Card

[McLuke]

I used to work at a McDonalds in a regional area of Victoria, Australia, and even we had electronic clock in/out computers, where you entered and assigned code so they could record and pay you to the exact amount of minutes you worked.

Re:Is it THAT bad?

[anti-tech]

the beginning of a long and slippery slope, but I can't really see a worst case scenario... someone care to visualize it for me?

You have collected electronic data that can now be shared if the employer desires to do so. Imagine a central office that watches the comings/goings of all employees at all McD's in the region. Next step, share the data with law enforcement. Soon you can have a tracking system for everyone that is employed anywhere. Put biometric scanners on hotel rooms, taxis, anywhere that you might use a key and hello Big Brother Police state.

I am not saying that this will happen, but it could, and that is enough to want me to start worrying about my privacy.

So? Punch cards are old hat.

[Baavgai]

I'm not sure what issue taken with this is. Everyone who works a regular job is expected to show up on time and stay the duration of the day. Many jobs have some kind of time card system in place to help monitor this. That the system is more automated and exact would only be of concern to those who wish to cheat the system.

I work for a public utility. We had the hand punch system years ago. ( I always threatened to make a rubber hand, but never got around to it. ) Now we have the finger print reader instead. Overall, it tends to help both sides, since employees can often prove they were on site even if their supervisors weren't sure.

As a side note, biometric data can leak. Our finger print database is intentionally stored at a slightly lower resolution than the federal standard. The reason is that if we kept government quality information, we'd be required to surrender a copy of that information to the government. Now that's scary.

Re:Is it THAT bad?

[tuxette]

My main question is how is this an invasion of privacy? I wouldn't have a problem scanning in my hand to check in to work -- but it seems that a lot of people do. I guess letting companies having biometric information could be the beginning of a long and slippery slope, but I can't really see a worst case scenario... someone care to visualize it for me?

I am one of those who would have a big problem with scanning into work with my palm, fingers, eyeballs, or whatever, unless I worked at a military installation or similar. Biometrics are used under the presumption that an employer will cheat when being clocked in and out. The presumption of guilt. I find that very offensive. I find it very offensive that I have to take the risk of having my biometric data on some database that can at any time be compromised, just becasue some suit thinks his employees are trying to cheat him.

But you (probably) won't loose your hand

[Sycraft-fu]

We have swipe card doors at work. It's nice since it's much more convienent than carrying 50 different keys around since it seems like every lock is keyed differently.

However, just like with keys, and even more frequently, people forget their card. I have a cube near the door to our room and I'm ALWAYS getting up to let someone in that forgot their card. No big deal, since it's just door access. Someone else can let them in or they can borrow a card. Bigger deal if it is needed to clock in, means they have to go back home.

Personally, I'd really like to see biometrics more. It'd just hard to loose. For high security areas/things you need other authentication, of course (like a passocde and/or keycard) in addtion but for most things a simple print is good enough. I've lost my wallet, I've lost my keys, but I've never lost my hand.

It can be profitable

[Ich Bin Zu]

We installed a fingerscanning device a couple of years ago for signing in and out of work. The system works by allowing a person to be late at for work or going out early for up to 7 hours per month. After that, we penalize their salary for every extra minute after the 7 hours. Since then, we have covered the cost of the devices from all the salary penalities.

Firsthand Experience

[N8F8]

It wan't biometrics but it wasa so-called "smart card". In the early 90's I was stationed aboard the USS Enterprise when the Navy decided to test a smartcard system. A small strip on your ID card contained identifying information. We were required to swipe as we came and left the worplace. Afer the first month big brother handed our reports by division what the average hours spent per week wer. Afterthe second month they were identifying to the workcenter level. Before it got to the per-person level the system came to an abrupt end. I'm pretty sure some phonecalls to elected officials got the program sidelined. You really don't know how little you matter to your employer till they consider you litte more than a tiny statistic.

Want to be Subversive?

[fuzzybunny]

I've peripherally dealt with a few biometric identification systems deployments, and there are three major factors to consider:

-False positives (%)
-False negatives (%)
-Acceptance

The first two are objectively measurable over time. The latter covers peoples' reluctance to, say, put a DNA probe in their mouth, or put their eye to a retinal scanner for fear of catching pinkeye, or whatnot.

Biometrics themselves can be used to _identify_ someone, but relying on them as a catch-all solution to _authenticate_ is lame (authentication is performed by a combination of what you know, what you have, or what you are--think ATM card + PIN code.) Biometric systems are, under certain circumstances, a good complement to another ID mechanism, no different, for example, than using a GSM card for your mobile phone.

That said, I don't like biometric systems for something like timesheet checking. Aside from the fact that it's undignified and ham-handed (looks great on powerpoint!) there is the danger of non-repudiation in the case of a false positive. Most technical types understand this concet, but do you really think your average manager will believe Joe Frycook that he was present, if for some reason the handprint scanner had a glitch?

The other thing I take issue with is the possibility of a leak or misuse of sensitive data. A time card or ID is a physical object, usually limited to a specific use. However, if an employer has, say, a perfect thumbprint scan of mine, what's stopping him from sharing it? From using it in other, less legitimate areas (hiring a private security firm to check my laptop to see if I'm letting my girlfriend use it, whatever.) Sound paranoid?

It bugs me to see responses along the lines of "if you've nothing to hide, why are you concerned?" I'm concerned because, first, I'm a bit of a naive idealist and believe that people should be treated like human beings, not innately distrusted. And second, I've seen some fairly catastrophic examples of what can go wrong with any technology.

That said, there's a sociological theory that every human being has an innate tendency to want to sabotage authority in some small way--riding the bus without a ticket, cheating on their taxes, etc. My own insignificant little tactics involve trying to make factor #3, acceptance, lower for biometric ID systems--sneeze on eyeball scanners, smear boogers on hand readers, stick gum on camera lenses, whatever.

A few years ago, some German state had to hire private security guards to watch speed cameras, because the locals were taking shotguns to 'em. Cost them a lot of money, and sent a bit of a signal. I'm no anarchist, but occasionally the yay-biometrics mob could use a bit of the same medicine.

Re:But you (probably) won't loose your hand

[whovian]

The thing that bugs me is the dipshits whom you *don't* know who apparently forget their keycards and hover around the door waiting to sneak in behind someone else. Friends and spouses of employees do this all the time. What's the point of having a keycarded door if not only do people let others in but people can expect to be let in eventually?

If not a biometric device, there could be a real person sitting at every entrance to help eliminate this nonsense. Of course you'd have to pay them enough to encourage them to care, but then the employee has to ask himself whether it's worth it.

Biometrics can be bad but a primarily benign

[Chanc_Gorkon]

First off, your employer has a right to track your hours. This is a good thing so long as they don't start nickel, diming and whining when your a minute or two late. Biometrics would also be a good thing when combined with your credit card. Pretty hard to fake a handprint or thumbprint. Biometrics could also prevent us sysadmins from constantly resetting passwords. If we used a thumbprint for the pasword, it would be hard to duplicate and hard for users sharing signons (my biggest beef now).

BTW, Fast food isn't the only place the beef about being a minute or two late. I once worked for Meijer, a family owned chain of gorcery/superstores and they would chew you out whenever your one minute late into or out of work, breaks and lunches. I don't know if tehy stil do this, but when I worked, Meijer had a saying...the run for 1. They wanted to have only 1 percent overhead. That meant you sold a lot of damaged goods (at a SLIGHLTLY reduced price) as long as the packaging wasn't mangled too bad. I thought it was nuts and eventually they did drop it realizing it was impossible to do this. Nickel and diming employees regarding their time is just counterproductive and will result in you loosing a employee who may have just had a bad commute or a bad morning wrestling with the kids and is normally on time and a very good worker. I ain't saying you should not punish repeat offenders or even defining a standard, but if someone is late say once in 3 months, I think that is pretty good! Another thing that could be done is for every minute your late, you stay over that many minutes. Also, use overlapping schedules. If you schedule so tight that you can't afford to have people that are late, that's YOUR problem, not your employee's.

Yes, it is a privacy violation

[gillbates]

IIRC, a law was recently passed which allows the FBI to collect a business' records without a subpeona. Which means that if your employer has your fingerprints, so does the FBI.

Someone could very easily lose their anonymity by simply working for the wrong employer. The Burlington Northern example is a case in point - IIRC, employees were forced to undergo mandatory genetic testing; those with a genetic tendency toward carpal tunnel syndrome were fired. Now the FBI has access to the genetic information for every one of BN's employees who was tested.

To be honest, the confidentiality promises a company makes mean nothing. Every company has a disclaimer stating that they will divulge information to comply with law enforcement and some (such as Ebay) make it a point to market this service to law enforcement.

Our lives are no longer private. If it is in a company database somewhere, the FBI now has access to it. The only safe option is to not turn over information you don't want the government to have to anyone, for any reason.

That's very nice but..

[fille]

I remember that a Belgian athlete (judo) could not enter the Olympic village at the Atlanta (?) games because he had injured his hand and it was swollen. The palm recognition thing refused to grant him access.. :-(

Because we all know cows often use retna scans.

[Libertarian_Geek]

Yep, that's right, not just coyotes and sheepdogs.
Seriously, I know with timecards, there's the problem of getting someone else to clock you in. Not many better ways to prevent this than biometrics. Michael needs to manage people sometime, maybe he'll figure this out. Let me explain:
You see, the old trick is come in early and clock you and your friend in. Leave early, then your friend clocks both of you out. The company looses productivity, increases prices, passes the cost on to the customer. Everytime someone cheats a company, the company doesn't pay the cost, the customer does. Biometric scans would prevent this as well as keeping recently fired employees out.

Don't be so quick..

[Raven42rac]

Don't be so quick to jump the gun on this one. Expecting people to be honest is somehow less than human? What about the honest guys who see everyone else ripping off the system, while he has a clear conscience? This will only validate those of us in society who play by the rules, and hopefully stop those who do break the rules. The only problem I would have with such a system would be if it linked up to government databases, or something like that. I would not be surprised given "security" companies' stances lately of profits over privacy. This practice would also, inadvertantly, be able to defeat fraud by management, like cutting people's hours. Most of the time, technology should not be needed, because all you need to do is have communication in place between all members of management. Example "why is Joe-Bob still clocked in?" "he shouldn't be, he left at noon".

6bucks + this = bad service

[TechBCEternity]

minimum wage in BC is currently $6CDN or 2.6 pounds for the "training wage" for the first 500h(?). You get people on the bus handing out flyers for the site 6buckssucks.com [6buckssucks.com]. One thing that factories have learned is that people have a higher moral when they don't have to use punch cards. Now this probably won't give much better results than punch cards but I'd think that the moral result would be even worse.

now you could argue that hey if they're working at McD's they're probably tranisitory and often with no experience. Sure it'll help with bad employees but it'll also get rid of the good employees a lot faster.

I sounds like they're getting the shaft twice for working at McD's. The difference is that at the fish processing plant they meantion the wage is upto $21ph CDN or 9.1 pounds. He's worried about the bottom line. McD's looses more in left over food than they would in having employees coming 15min late.

either way it sounds like the use of biometrics in vancouver bars to Tracking Patrons [slashdot.org].... Go Canada and for anyone having to go through this process, rub jelly on your hands and you'll get a lot of faults in hand reads. The more the faults occur, the more managers will get pissed off that 30min a day or longer is spent getting the machine to work.

Re:Swipe Card

[HMA2000]

The government has no legitimate interest in establishing my identity merely because I stand on a street corner. It is recording information about me and my location which I have not authorized, and which I may not, for a variety of legitimate reasons, want known.

It is called "public" for a reason. When you go out in "public" you give up a certian amount of privacy. That is the way the world works. Next thing you know you'll be telling me the Department of transportation shouldn't be videotaping the roads because those videos may capture somebody in a comprimising position. It's ridiculous.

The issue

[FreeLinux]

The issue with swipe cards, that palm scanners eliminates, is that people often find ways to cheat the system. Certain individuals will get their friends to swipe or clock them in before their arrival at work. This was a very common problem with time clocks where someone would be late for work and they would call and have a coworker clock them in on-time even though the person didn't actually show up for work until an hour later. That's theft. This system prevents that possibillity as they cannot easily fake the palm scan. This saves the company a lot of money that it would otherwise be defrauded of.

I am aware of a very large produce packing company in south Florida that installed a similar system several years ago for tracking employee hours for the mostly migrant pickers and packagers. Prior to this system it was not uncommon for a quarter of the staff to not show up for work at all yet, still collect a paycheck for a full week's work. The companies facilities are very low tech overall, due to the nature of their business so, it was very surprising to see such a high tech time clock there.

In this particular case they used a number of hand scanners that measured the geometry of the persons hand for biometric identification. The company also found that the process of clocking in and out was much faster with this system as it illiminated the search for the time card on the wall and the examination of the timecard after it was punched. With the hand scanner the worker simply placed their hand on the scanner and when the light turned green it meant that they had successfully been identified and they moved on. Instead of taking one or more minutes for an individual to clock in, it now takes less than 15 seconds. This adds up when you start talking about crews in the hundreds.

Re:No kidding

[front]

"Makes it much harder for a company to screw you."

Are you that naive? Palm scanning, or other high-tech "people control" equipment, is brought into a company to benefit the employer mainly and the employee hardly. It is done to keep salary costs low... which benefits the employer mainly.

Clock cards are all well and good. I used one when I was younger and working in a printing factory for a few months. However I sure would not have wanted my employer to have a scan of my hand... fingerprints or palmprints. Why? Well who is going to oversee the records and make sure that they are not handed out to anyone who wants a copy?

Companies have enough info on their staff already... might as well throw in a voiceprint too and the unscrupulous will have a ready made set of IDs.

"Makes it much harder for a company to screw you." is what you said... yet in the article Colin Bennett, a politics professor at the University of Victoria, was quoted as saying "The employees would have little recourse if their information was misused."

Don't try to find the silver lining in that cloud mate.

cheers

front

Re:Low pay always means more control

[Afty0r]

Talking call centers which I know a bit about, it always seems to be the case that the lower you pay someone the more control the employer wants over them.

While what you say is true, the truth is more obvious the other way around:
The less your employers NEED to control you, the more you will get paid
In other words, honest, hard working, exemplary and talented individuals get paid more.

Re:Do you people even know how most of this works?

[Evil Schmoo]

I think the basic point is, if it can identify -- and thus record -- me as an individual, it can be modified to store that information. I, for one, do not ascribe massive malicious intent to the large majority of employers (I used to run my own business, with fantastic employees whom I wish I could have paid more). However, there's no end to the innovative ways in which raw data can, and will, be mined.

Suppose, for instance, that McDonald's Corp. notices that it begins having an unusually high palm reader error rate with a group of franchises near a major urban area ... Houston, for arbitrary purposes. Naturally, Administration will, and should, investigate. Do they have a batch of bad readers? They need to find out.

Now suppose that nothing is found to be wrong with the readers. The only noticeable anomaly is that for certain employees, their palm map seems to be shrinking slightly. Turns out that these employees are losing weight.

Now suppose that news reports begin to surface of an upswing of HIV infections in the Houston area.

So now McDonald's has a serious dilemma. They have an identifiable subgroup of employees who prepare food, who use sharp kitchen implements, who may be infected with HIV. Corporate has no reason to suspect this other than their clock-in reports, but they have to act on it. This is begging for a lawsuit (either for violating the 4th Amendment rights of their employees, or by recklessly endangering the lives of their customers, or for decreasing shareholder value by sitting on the information and doing nothing).

It's not black and white, by any means.

Re:Swipe Card

[HMA2000]

Actually it does. When you go out into public you forfiet many of your rights to privacy. This is why we have concepts like public and private.

A street corner where you are outside on property that is maintained by the taxpayers is public. Your living room is private.

I am not saying you lose all rights to privacy when you go outside but to say it is "an outrage" for someone to take your picture when you go outside is absurd.

Re:Canadian law?

[glesga_kiss]

I'm not very familiar with the new Canadian privacy law, but the article seems to imply that the protection of an individual's personal data only applies to the individual as a consumer, not the individual as an employee

Fortunately, the UK's Data Protection Act doesn't differentiate between the two. You can look up any employer and see exactly what they claim to store.

(With "claim" beinging the operative world here!! I live in the real world)

PS, fingerprint scanners are common-as-muck in Glasgow pubs. Must be an efficency/speed thing... ;-)

Re:Want to be Subversive?

[drinkypoo]

The fingerprint/handprint systems I've seen do not store a scan of your finger. They store the junctions where lines come together as a sort of constellation. As such they are similar to a cryptographic hash, and are really not useful for anything other than identifying your hand/finger/what have you.

Undervalued?!!

[gosand]

It seems that some of the most underpaid and undervalued workers are starting to be treated no better than the animals they are frying up.

I thought this story was about fast-food workers, not teachers. Since when are these people underpaid and undervalued? They may not make very much money, and they may have to work a lot of hours and do mundane tasks, but what VALUE do they really offer to society? Not that they don't deserve respect for the job they perform, but they would not be anywhere in the top 100 undervalued workers. Not every job has the same value in our society. Our society rewards some pretty ridiculous jobs in our society, and rewards some only a fraction of their true value, but fast food workers are not one of those.

Re:Your missing the point

[dgatwood]

Very weak example. As bank security camera could have the same effect, and thus it doesn't matter whether the government has cameras in your example or not. Besides, such flimsy circumstancial evidence would likely not even be enough evidence to convince a grand jury to let the case go to trial. Maximum time in jail before trial in most states is, IIRC, 30 days, which means it would suck, but then you could file a false arrest action against the city, a libel suit against the bank, etc. and retire. That's why this is both unlikely and not a good example.

A better example is the issue of doing something that is morally (but not legally) wrong. You're having an affair with someone across town. The cameras see you and identify you. You have now been placed at the scene. Your wife suspects you and files for a divorce. The records then prove that you were unfaithful and the judge gives her a much bigger settlement.

Another example: you go to a church that prohibits the consumption of alcohol, or better, work for an employer that does. You go to a club to see a band that's playing. Sure, that isn't evidence that you were drinking, but if someone doesn't like you and decides to lie and say that you did... well, they now have a means of obtaining proof that you were there that they otherwise likely would not have had.

Outside a court of law, circumstantial evidence can be very hurtful. If you lost your job over it, sure, there would be lawsuits. Your employer could, however, try to make it sufficiently uncomfortable that you would leave on your own.

And the list goes on.

WHAT?

[strider_starslayer]

I really have to ask 'what?' on this one, as a person who has worked at timeclocked locations and had to carry around a stupid card all the time to check in/out (a card I often misplaced, since it had to be easily removable to swipe), when I read this article I thought to myself 'cool that's a great idea, and nice thing for the employees'. Yet there are dozens of posts about possible security concerns?

If your emplyee wants your fingerprint for some illicit purpose, they can get you to handle a glass object and lift it later. Heck, they could probablly just plain ASK for your fingerprint 'in connection with a series of food store thefts' and you'd hand it over without a second thought (since you diden't steal any food), or perhaps after a second thought, but that thought being 'it's not worth loosing my job over it'.

So if it's that easy to get your fingerprint, what has the instalation of a biometric reader really done? It's made life easier on the emplyees, who no longer have to carry around a stupid card- BUT it's also made life harder on the employees who cheat the system by getting there buddy to clock them in early.

Besides if your so terminally afaraid of your fingerprints being stolen, why don't YOU (the theoritical emplyee of mcdonnalds who dosen't like his hand being scanned) insist on something else being scanned, like your lucky hat, or somesuch. Something tells me they woulden't care, but they might check to make sure you don't get your buddy to check you in a LOT (which they have the right to do). Also I'm sure they woulden't care if you wore a glove during the scan (just make sure you allwase have that glove, and don't go crying to mannagment the day you forget it).