Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Privacy The Courts Businesses United States Technology

Wendy's Faces Lawsuit For Unlawfully Collecting Employee Fingerprints (zdnet.com) 127

An anonymous reader quotes a report from ZDNet: A class-action lawsuit has been filed in Illinois against fast food restaurant chain Wendy's accusing the company of breaking state laws in regards to the way it stores and handles employee fingerprints. The complaint is centered around Wendy's practice of using biometric clocks that scan employees' fingerprints when they arrive at work, when they leave, and when they use the Point-Of-Sale and cash register systems.

Plaintiffs, represented by former Wendy's employees Martinique Owens and Amelia Garcia, claim that Wendy's breaks state law -- the Illinois Biometric Information Privacy Act (BIPA) -- because the company does not make employees aware of how it handles their data. More specifically, the lawsuit claims that Wendy's does not inform employees in writing of the specific purpose and length of time for which their fingerprints were being collected, stored, and used, as required by the BIPA, and nor does it obtain a written release from employees with explicit consent to obtain and handle the fingerprints in the first place. Wendy's also doesn't provide a publicly available retention schedule and guidelines for permanently destroying employees' fingerprints after they leave the company, plaintiffs said. [The plaintiffs also claim that Wendy's sends this data to a third-party without their consent.]

This discussion has been archived. No new comments can be posted.

Wendy's Faces Lawsuit For Unlawfully Collecting Employee Fingerprints

Comments Filter:
  • Paranoid BS (Score:2, Informative)

    by Anonymous Coward

    These locks don't store fingerprints, just a sensor hash. Useless for identification, works reasonably well with a limited amount of users.

    • by Anonymous Coward

      from experience, they work poorly, eg folks stand by the clock for several minutes trying to get it to recognize their print

      • Re: Paranoid BS (Score:5, Informative)

        by Lothsahn ( 221388 ) <Lothsahn@@@SPAM_ ... tardsgooglmailcm> on Sunday September 23, 2018 @05:37PM (#57365436)
        Then you haven't used modern, good quality biometric devices.

        Biometric sensors from 10-15 years ago absolutely worked terribly. Modern ones perform very well, and have a much better experience. 10-15 years ago, the industry had 10-20% of the population that could not reliably use fingerprint readers due to temperature, humidity, worn fingerprints, skin color, no fingerprints, and many other factors. Now, we have between .1-1% of the population that cannot use the devices, and <1% of the biometric operations fail. We have had numerous people use modern sensors that were blown away at how well they operate compared to prior generations.

        Lumidigm has an excellent such sensor. Check out a video of it here: https://www.youtube.com/watch?... [youtube.com]

        That video is not just a marketing gimmick. They absolutely work as shown in the video.

        Note: I work in the biometric industry, but not on Wendy's time clocks.
      • by torkus ( 1133985 )

        Have you used an iPhone or Samsung Galaxy in the last ~5 years? They've sold 100's of millions of these and the vast majority of people use fingerprint unlock.

        Those readers are almost definitely dated equipment. Modern readers are far, far faster and more reliable.

    • by Sique ( 173459 )
      A sensor hash won't work, as hashes have the inherent property, that similar inputs return completely disjunct outputs -- something you exactly don't want with a system that should be statistically good, e.g. have a cut-off where it does no longer consider two patterns similar enough.

      Hashes work very well with completely binary data, where exactly one input is correct and all others aren't. Hashes don't work with data where you are looking for similarities, and where a whole bunch of inputs grouped closel

      • Fingerprints of any sort (like music/sound recognition algorithm) sure do work with hashes.

        They're not reversible nor does an image need to be captured, in fingerprint algorithms we look at a variety of places in the image for ridges, sample a number of ridges and their shapes then do a FFT and match against a database (very simplified).

        Incomplete fingerprints make matching difficult (unlike the movies) so you have to sample more or ask the user to try again.

  • Privacy is dead (Score:5, Insightful)

    by Arzaboa ( 2804779 ) on Sunday September 23, 2018 @03:49PM (#57365108)

    For most of history, all but the last few years, when people did something socially unacceptable, it would only be remembered as long as those around them cared to remember. Now, algorithms and databases "remember" every time you didn't act "right."

    Do something that is socially acceptable today, but not tomorrow? Its recorded forever to make sure that the record is straight and people know where you stand so that no one makes a mistake about your character.

    Unfortunately, the rules that have been applied to computer systems and record systems are now being applied to humans on a mass scale. I think most humans have done something at one time that they would prefer they weren't judged by. Those days are long gone, and the days of mass penalties, and mass shaming are here.

    --
    1984? No, its 2018.

    • Re:Privacy is dead (Score:4, Interesting)

      by 110010001000 ( 697113 ) on Sunday September 23, 2018 @04:00PM (#57365150) Homepage Journal
      Exactly. A lot of Millenials will be very unhappy in the near future when they discover this truth. What might be PC and "cool" to post now, might fall out out favor later on.
      • Exactly. A lot of Millenials will be very unhappy in the near future when they discover this truth. What might be PC and "cool" to post now, might fall out out favor later on.

        Yep.

        Twenty years from now - if that long - suddenly if you don't support a man "marrying" a goat, you'll be a horrible "hater", as bad as a racist, beyond the pale.

        If not that, it will be something else equally as ludicrous.

        The millenials, now on the wrong side of the equation, will appeal to logic, reason, or failing that, just to the fact that the rules changed like five minutes ago, but it will be all for naught. Their "hateful" position will be there in the social media archives, for all to see.

        (Unl

    • by Anonymous Coward

      Only if you did not adhere to the expert consensus of tech experts on slashdot from the early 2000's when this was still the tech news site. Don't use logins if you don't have to. Don't share personal info. Never use your real name. Don't bow to pressure which is against your own interests.

      Be invisible online. You lose nothing not worth losing.

    • Now, algorithms and databases "remember" every time you didn't act "right."

      No, algorithms don't "remember" anything. An algorithm [wikipedia.org] is a method of solving a problem that meets certain criteria, including always coming up with the right answer as long as the input is correct and always completing in a finite amount of time. Either learn what the jargon you're throwing around means, or turn in your geek card.
      • In the context of what I was saying. Memory is memory. In this example, algorithm's get the information in memory and present them to the system via automated reasoning [wikipedia.org].

        --
        “Memories warm you up from the inside. But they also tear you apart.” -- Haruki Murakami

  • Classy (Score:5, Informative)

    by Impy the Impiuos Imp ( 442658 ) on Sunday September 23, 2018 @04:29PM (#57365218) Journal

    Clase action, that's the one where lawyers get millions, the original handful of plaintiffs get about $30,000, and all the other class action members get a free fries coupon for their next Wendy's trip, right?

    • by Anonymous Coward

      As opposed to force arbitration where each employee's lawyer has to re-research the whole case because the previous ones are sealed, the employer gets to rotate through arbitrators until one rules for them, and the arbitrator knows if he rules for the employer he'll be hired for all the other cases.

    • As opposed to the lawyers, the original platiffs and the other class action members all getting nothing because it's not with the ~$10,000 lawsuit against all of Wendy's lawyers? If the employees hadn't agreed that all legal disputes could be resolved via arbitration (by a judge Wendy's selects and pays for)

  • by flood78 ( 2511510 ) on Sunday September 23, 2018 @04:52PM (#57365304)

    There is a simple solution that is to record the fingerprint encrypted in the employee card.
    To use it, you have to put the card in the machine and put your finger on the reader. Both must match to valid the operation.
    Like that, the company doesn't need to store your fingerprint anywhere and the employee "keeps his fingerprint with him".

    • It sounds great, but badges get lost all the time. You did mention "encrypted in the card", but the question is how. Each device would have to have the decryption key, which is a weak point in the attack and means that all devices have to support this mechanism. Do they keys get rotated? How often? How do you rotate the keys when the badges are, by definition, offline. How do you rotate the keys given that many devices can only read (not program) cards? What happens if the encryption algorithm is found to be weak? Re-issue all cards? You have to visit every employee, take their picture (and fingerprint) and create a new badge. Then you have to replace all the copiers, access control systems, and all other devices that rely on the badges.

      This also assumes that you have programmable cards at all. While some proximity formats do have a read/write data (mifare, for instance), many others do not (HID Proxpoint, Indala, etc). Magstripe and barcode store very little data, so encoding a fingerprint would be infeasible. If you did, a barcode can be easily photographed unless it's an IR barcode. We've already established that switching card formats is very expensive, so you want to avoid that if possible.

      That said, biometrics on the employee's card does present an excellent legal advantage. By never storing the employee's template, the company can reasonably assert that if the badge is lost, it's the employee's fault, and thus they're not liable. I would not be surprised if this approach gains traction, given the penalties of GDPR. However, given how often items are lost, I really don't think it's a good solution.

      In short, security is hard.
    • Finger on the reader? FFS, I work in a highly sensitive area and even I was never asked to hand over my prints.

      Most likely 'cause we know how easily fingerprint readers can be fooled, but that's not the point...

      • by jbengt ( 874751 )
        I've done work for a lot of clients for areas that I would not really consider "highly" sensitive, and yet have had to be fingerprinted at least 4 times: For work at a bank, at a credit card company, at a school system, and at an airport. It might be more sensitive if I were a software engineer working on code, but I'm a mechanical engineer working on the HVAC, plumbing, fire protection, etc.
        It's becoming more and more usual to have to provide fingerprints for a background check. The only place that I a
  • "...guidelines for permanently destroying employees' fingerprints after they leave the company"

    I assume they mean destroying the RECORDS of employees' fingerprints...sounds rather cruel & unusual to destroy the actual fingerprints. Would they use acid to burn them off employees' fingers?

  • If they're doing something sensible like combining an employee number (entered) plus a fingerprint or handprint/finger length measurement for authentication, this sounds like it could be resolved very easily - possibly with process changes, possibly just with documentation of what is/isn't collected and stored and for how long.
  • When an employer asks me for fingerprints or a background check or a drug test, I cheerfully say to the HR person "Sure, I'll be happy to take the same drug test that the CEO has taken! After all my position in the company isn't as sensitive to company security, but it's still worth some validation."

    For some reason the HR department is unable to show me the test that the CEO has taken. Or the background check or the credit check or the fingerprints. The CEO seems to have no application on file or references listed or job history. The CEO seems to have been exempt from any employment requirements. Fortunately, this experience has already made clear that this is not a company that I want to be part of, so I move on.

    Should a company executive, who is paid well, who has extensive benefits, and who has the ability to skim thousand$ from the company be exempt from the indignities that a minimum wage worker has to suffer?

    • by Anonymous Coward

      Well I applaud your approach and it is definitely a good thing to do.

      But there is also an inherent flaw in the whole "right to work" mentality which is that lower class people are no more "free" to pursue any job they please than if they were prevented by law from doing so. The reality of their lives means that their choices are limited and so to blithely say to them "well if you don't like what your current employer does, get another job" is like saying "if you don't like the quality of the air in your ar

    • by nasch ( 598556 )

      Have you actually found companies willing to share information on their CEO with a non-employee?

    • HIPAA is going to cover the results of the CEO's drug test. You want them to break privacy laws for you in order to show just how much you value privacy?

    • Um, if this post was intended as sarcasm ignore the following...

      If not, all I can say is, wow, where to begin? I'm surprised you haven't been flamed for this, as it reeks of both self-importance and naivete.

      If this were true, I'm also betting you often hear the HR person cheerfully tell you in response, "As you've declined I'll say good day" and show you the door.

      Companies are free to set conditions of employment as long as they don't violate laws. Background checks and drug tests are common as c
  • by Opportunist ( 166417 ) on Monday September 24, 2018 @01:53AM (#57366318)

    But only that they store it in a wrong way.

    That's what's wrong here.

  • Wendy is not actually doing anything wrong, but lacking documentation and other paperwork.

  • It is just a money grab from people who think they should be paid for $15.00 an hour for being lazy, ignorant, bad employees doing a job anyone can do and that can be automated out of existence for $12.00 per hour.
  • The lawsuit claims that Wendy's does not inform employees in writing of the specific purpose and length of time for which their fingerprints were being collected, stored, and used, as required by the BIPA,

    lol, why would the US have laws about storing of personal data? Sounds like commyinism..! Hopefully dear leader Trump can get some legislation through to release business from these onerous chains. Then back to the main priority - making the US a one party state through takeover of the supreme court. C'mon guys you can do it. Don't disappoint Vlad.

  • I expect we will see roasts about this on Twitter from @Wendys soon.

Keep up the good work! But please don't ask me to help.

Working...