Wendy's Faces Lawsuit For Unlawfully Collecting Employee Fingerprints

An anonymous reader quotes a report from ZDNet: A class-action lawsuit has been filed in Illinois against fast food restaurant chain Wendy's accusing the company of breaking state laws in regards to the way it stores and handles employee fingerprints. The complaint is centered around Wendy's practice of using biometric clocks that scan employees' fingerprints when they arrive at work, when they leave, and when they use the Point-Of-Sale and cash register systems.

Plaintiffs, represented by former Wendy's employees Martinique Owens and Amelia Garcia, claim that Wendy's breaks state law -- the Illinois Biometric Information Privacy Act (BIPA) -- because the company does not make employees aware of how it handles their data. More specifically, the lawsuit claims that Wendy's does not inform employees in writing of the specific purpose and length of time for which their fingerprints were being collected, stored, and used, as required by the BIPA, and nor does it obtain a written release from employees with explicit consent to obtain and handle the fingerprints in the first place. Wendy's also doesn't provide a publicly available retention schedule and guidelines for permanently destroying employees' fingerprints after they leave the company, plaintiffs said. [The plaintiffs also claim that Wendy's sends this data to a third-party without their consent.]

Paranoid BS

[Anonymous Coward]

These locks don't store fingerprints, just a sensor hash. Useless for identification, works reasonably well with a limited amount of users.

Re: Paranoid BS

[Anonymous Coward]

from experience, they work poorly, eg folks stand by the clock for several minutes trying to get it to recognize their print

Re: Paranoid BS

[Lothsahn]

Then you haven't used modern, good quality biometric devices.

Biometric sensors from 10-15 years ago absolutely worked terribly. Modern ones perform very well, and have a much better experience. 10-15 years ago, the industry had 10-20% of the population that could not reliably use fingerprint readers due to temperature, humidity, worn fingerprints, skin color, no fingerprints, and many other factors. Now, we have between .1-1% of the population that cannot use the devices, and <1% of the biometric operations fail. We have had numerous people use modern sensors that were blown away at how well they operate compared to prior generations.

Lumidigm has an excellent such sensor. Check out a video of it here: https://www.youtube.com/watch?... [youtube.com]

That video is not just a marketing gimmick. They absolutely work as shown in the video.

Note: I work in the biometric industry, but not on Wendy's time clocks.

Re:

[Lothsahn]

I'm pretty sure it was an older terminal. Like another poster said, the product lifecycle for devices like clocks is on the order of 10-15 years for replacement, so your device could have been 10-20 year old tech.

Most likely it was a poor capacitive sensor, or poorly written code using the sensor. How the sensor is used affects the experience greatly.

Re:

[Lothsahn]

I'm not trying to make you comfortable with Wendys or not. I'm just sharing data about how biometrics work, and how much better they are than sensors from the past.

I did a writeup on fingerprint hashes here, including reversability: https://slashdot.org/comments.... [slashdot.org]

Failure rate is, like I said, <1% of operations (a failure is 3 attempts to unlock that fail in a row). The vast majority of rejects are due to the user not consistently placing their finger on the sensor--the actual image area of the

Re:

[Lothsahn]

I have not worked with the S7, so I can't speak to the quality of that device. Keep in mind that in cell phones, the thickness of the sensor is a primary consideration, and it does impact other factors of the device, including cost and performance.

Re:

[torkus]

Have you used an iPhone or Samsung Galaxy in the last ~5 years? They've sold 100's of millions of these and the vast majority of people use fingerprint unlock.

Those readers are almost definitely dated equipment. Modern readers are far, far faster and more reliable.

Re:Paranoid BS

[Lothsahn]

A break in the chain IS possible. If someone gains access to the device, they could issue commands to retrieve the raw biometric data from the device and offload it. Most biometric sensors have API calls both to receive the template (hash) or the fingerprint image (raw data). If you get remote code execution on the device, employee fingerprints could be stolen by simply calling the API to retrieve the raw data.

Reversing the template to obtain the original fingerprint is simply not possible. That would be equivalent to saying "I have the md5 of a file, so if I find a weakness in md5, I can get the original file back!" To understand why this statement is untrue, let's talk about hashes and how they're broken.

A hash reduces a large data input to a small output, which can be used to verify that the input has not been altered (accidentally or maliciously). Except in extremely rare cases (small, known input sizes), hashing always causes such loss of data that the original file cannot be reconstructed.

A cryptographically secure hash adds one extra property. A cryptographically secure hash is engineered so it is difficult or "impossible" to create a different input that hashes to the same output. When hashes (like md5) are "broken", that means that we've devised a way to generate a series of inputs that resolves to the same hash--not that we can reconstruct the original input. In fact, once broken, we can generate a number of inputs that resolve to the same hash, and the original could be any one of them (or potentially another one we have not yet generated)!

Biometric templates are essentially non-cryptographic hashes. They are simply a measurement of the relative position and orientation between minutae (see here: http://www.uh.edu/engines/fing... [uh.edu] for a description of what minutae are). Because they are not cryptographic, if you have a fingerprint template, it is absolutely possible to reconstruct a fingerprint that will match and score well against the template--that is, you could generate a spoof that would be accepted in the fingerprint reader. However, it would NOT be possible to reconstruct the original fingerprint, as too much data has been lost to reconstruct the original fingerprint.

I agree with the privacy concerns of biometric devices. It takes only one hack on such a device for your unchangeable biometric data to be stolen, forever. But if you need a person's fingerprint, the attack vectors aren't on the template data, they're on the device to obtain the raw image. Alternatively, if you had a fingerprint and a large data of stolen templates, you could likely identify a single or small set of individuals that had the fingerprint.

Note: I work on the industry on biometric devices, although not the ones that Wendy's uses.

Re: Paranoid BS

[Aristos Mazer]

Fast food joints employ a lot of teens. How many of them will go on to bigger careers? Playing the long game might be interesting for a fast food joint near various prep schools known for churning out senators and CEOs. Get the prints of a minor today; have the prints of a major tomorrow.

Re:

[Sique]

A sensor hash won't work, as hashes have the inherent property, that similar inputs return completely disjunct outputs -- something you exactly don't want with a system that should be statistically good, e.g. have a cut-off where it does no longer consider two patterns similar enough.

Hashes work very well with completely binary data, where exactly one input is correct and all others aren't. Hashes don't work with data where you are looking for similarities, and where a whole bunch of inputs grouped closel

Re: Paranoid BS

[guruevi]

Fingerprints of any sort (like music/sound recognition algorithm) sure do work with hashes.

They're not reversible nor does an image need to be captured, in fingerprint algorithms we look at a variety of places in the image for ridges, sample a number of ridges and their shapes then do a FFT and match against a database (very simplified).

Incomplete fingerprints make matching difficult (unlike the movies) so you have to sample more or ask the user to try again.

Re:

[Anonymous Coward]

The tech angle is the impending doom of biometric data being widely used and completely insecure. However this particular article isn't a great example, it's just an employee notification issue. They aren't storing "biometrics" data actually.

Privacy is dead

[Arzaboa]

For most of history, all but the last few years, when people did something socially unacceptable, it would only be remembered as long as those around them cared to remember. Now, algorithms and databases "remember" every time you didn't act "right."

Do something that is socially acceptable today, but not tomorrow? Its recorded forever to make sure that the record is straight and people know where you stand so that no one makes a mistake about your character.

Unfortunately, the rules that have been applied to computer systems and record systems are now being applied to humans on a mass scale. I think most humans have done something at one time that they would prefer they weren't judged by. Those days are long gone, and the days of mass penalties, and mass shaming are here.

--
1984? No, its 2018.

Re:Privacy is dead

[110010001000]

Exactly. A lot of Millenials will be very unhappy in the near future when they discover this truth. What might be PC and "cool" to post now, might fall out out favor later on.

Re:

[110010001000]

The previous generations will be dead or have already established their lives. The point is that Millennials will be unhappy in the near future when they try to get jobs, loans, etc when it turns out that their posts supporting X are now out of favor.

Re:

[AmiMoJo]

Fortunately the EU has a solution to that... At least for EU citizens who want to be forgotten by Google.

Re:

[Opportunist]

The only ones that will be bitten by this are the millennials. Me, as a GenXer, I already have made my mark. I can point to a track record of successes and if you don't want to hire me over something I posted online at some point in time, go ahead, then someone else gets me. Your loss. The generation after them will be wary of posting anything stupid and un-PC (or maybe even anything at all) online because they will see what's going on. Sure, you'll have a few loudmouth idiots like in every generation, but

Re:

[cascadingstylesheet]

Exactly. A lot of Millenials will be very unhappy in the near future when they discover this truth. What might be PC and "cool" to post now, might fall out out favor later on.

Yep.

Twenty years from now - if that long - suddenly if you don't support a man "marrying" a goat, you'll be a horrible "hater", as bad as a racist, beyond the pale.

If not that, it will be something else equally as ludicrous.

The millenials, now on the wrong side of the equation, will appeal to logic, reason, or failing that, just to the fact that the rules changed like five minutes ago, but it will be all for naught. Their "hateful" position will be there in the social media archives, for all to see.

(Unl

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Opportunist]

You're also the one that will be asked to stay longer when shit hits the fan and needs to be done. I prefer to come late, that way this fate can't hit me.

Re:

[Anonymous Coward]

Only if you did not adhere to the expert consensus of tech experts on slashdot from the early 2000's when this was still the tech news site. Don't use logins if you don't have to. Don't share personal info. Never use your real name. Don't bow to pressure which is against your own interests.

Be invisible online. You lose nothing not worth losing.

Re:

[techno-vampire]

Now, algorithms and databases "remember" every time you didn't act "right."

No, algorithms don't "remember" anything. An algorithm [wikipedia.org] is a method of solving a problem that meets certain criteria, including always coming up with the right answer as long as the input is correct and always completing in a finite amount of time. Either learn what the jargon you're throwing around means, or turn in your geek card.

Re:

[Arzaboa]

In the context of what I was saying. Memory is memory. In this example, algorithm's get the information in memory and present them to the system via automated reasoning [wikipedia.org].

--
“Memories warm you up from the inside. But they also tear you apart.” -- Haruki Murakami

Re: Why did Wendy's do this?

[Anonymous Coward]

Of course they had a reason. More profit, laziness, fight fraud, whatever. Having a reason does not exempt you from the law.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Opportunist]

When you pay peanuts, you get chimps. When you pay minimum wage, you can't threaten me with firing me. I mean, well, you can, but it's kinda toothless.

Classy

[Impy the Impiuos Imp]

Clase action, that's the one where lawyers get millions, the original handful of plaintiffs get about $30,000, and all the other class action members get a free fries coupon for their next Wendy's trip, right?

Re:

[Anonymous Coward]

As opposed to force arbitration where each employee's lawyer has to re-research the whole case because the previous ones are sealed, the employer gets to rotate through arbitrators until one rules for them, and the arbitrator knows if he rules for the employer he'll be hired for all the other cases.

Re:

[Actually, I do RTFA]

As opposed to the lawyers, the original platiffs and the other class action members all getting nothing because it's not with the ~$10,000 lawsuit against all of Wendy's lawyers? If the employees hadn't agreed that all legal disputes could be resolved via arbitration (by a judge Wendy's selects and pays for)

Simply record the fingerprint in the employee card

[flood78]

There is a simple solution that is to record the fingerprint encrypted in the employee card.
To use it, you have to put the card in the machine and put your finger on the reader. Both must match to valid the operation.
Like that, the company doesn't need to store your fingerprint anywhere and the employee "keeps his fingerprint with him".

Re:Simply record the fingerprint in the employee c

[Lothsahn]

It sounds great, but badges get lost all the time. You did mention "encrypted in the card", but the question is how. Each device would have to have the decryption key, which is a weak point in the attack and means that all devices have to support this mechanism. Do they keys get rotated? How often? How do you rotate the keys when the badges are, by definition, offline. How do you rotate the keys given that many devices can only read (not program) cards? What happens if the encryption algorithm is found to be weak? Re-issue all cards? You have to visit every employee, take their picture (and fingerprint) and create a new badge. Then you have to replace all the copiers, access control systems, and all other devices that rely on the badges.

This also assumes that you have programmable cards at all. While some proximity formats do have a read/write data (mifare, for instance), many others do not (HID Proxpoint, Indala, etc). Magstripe and barcode store very little data, so encoding a fingerprint would be infeasible. If you did, a barcode can be easily photographed unless it's an IR barcode. We've already established that switching card formats is very expensive, so you want to avoid that if possible.

That said, biometrics on the employee's card does present an excellent legal advantage. By never storing the employee's template, the company can reasonably assert that if the badge is lost, it's the employee's fault, and thus they're not liable. I would not be surprised if this approach gains traction, given the penalties of GDPR. However, given how often items are lost, I really don't think it's a good solution.

In short, security is hard.

Re:

[Lothsahn]

That is a great idea, if there is some way to reliably generate a fixed hash or code from a fingerprint. Unfortunately, I don't know of a way to reliably do this, as minor changes to the finger placement (or elasticity of the skin) can create variations in the minutae. But if some scheme can be derived to generate a fixed code for a finger reliably, that code could be used an encryption key, and then the card could simply store encrypted data.

That would be sweet, but I'm not aware of the tech currently

Re:

[Opportunist]

Finger on the reader? FFS, I work in a highly sensitive area and even I was never asked to hand over my prints.

Most likely 'cause we know how easily fingerprint readers can be fooled, but that's not the point...

Re:

[jbengt]

I've done work for a lot of clients for areas that I would not really consider "highly" sensitive, and yet have had to be fingerprinted at least 4 times: For work at a bank, at a credit card company, at a school system, and at an airport. It might be more sensitive if I were a software engineer working on code, but I'm a mechanical engineer working on the HVAC, plumbing, fire protection, etc.
It's becoming more and more usual to have to provide fingerprints for a background check. The only place that I a

Re: permanently destroying employees' fingerprints

[Anonymous Coward]

"...guidelines for permanently destroying employees' fingerprints after they leave the company"

I assume they mean destroying the RECORDS of employees' fingerprints...sounds rather cruel & unusual to destroy the actual fingerprints. Would they use acid to burn them off employees' fingers?

Re:

[Opportunist]

We call that the "secret ingredient".

This sounds like easy fix stuff

[Fencepost]

If they're doing something sensible like combining an employee number (entered) plus a fingerprint or handprint/finger length measurement for authentication, this sounds like it could be resolved very easily - possibly with process changes, possibly just with documentation of what is/isn't collected and stored and for how long.

I'll show you mine if you show me yours . . .

[swell]

When an employer asks me for fingerprints or a background check or a drug test, I cheerfully say to the HR person "Sure, I'll be happy to take the same drug test that the CEO has taken! After all my position in the company isn't as sensitive to company security, but it's still worth some validation."

For some reason the HR department is unable to show me the test that the CEO has taken. Or the background check or the credit check or the fingerprints. The CEO seems to have no application on file or references listed or job history. The CEO seems to have been exempt from any employment requirements. Fortunately, this experience has already made clear that this is not a company that I want to be part of, so I move on.

Should a company executive, who is paid well, who has extensive benefits, and who has the ability to skim thousand$ from the company be exempt from the indignities that a minimum wage worker has to suffer?

Re:

[Anonymous Coward]

Well I applaud your approach and it is definitely a good thing to do.

But there is also an inherent flaw in the whole "right to work" mentality which is that lower class people are no more "free" to pursue any job they please than if they were prevented by law from doing so. The reality of their lives means that their choices are limited and so to blithely say to them "well if you don't like what your current employer does, get another job" is like saying "if you don't like the quality of the air in your ar

Re:

[nasch]

Have you actually found companies willing to share information on their CEO with a non-employee?

Re:

[jeff4747]

HIPAA is going to cover the results of the CEO's drug test. You want them to break privacy laws for you in order to show just how much you value privacy?

Re:

[jeff4747]

Not that the whole story isn't a bit absurd just to make a point, but the grandparent didn't say he wanted to see the results, just that he wanted to see what pre-employment processes the CEO had to complete.

The fact that they took a test (or not) is also covered by HIPAA. HR can say "all employees take this drug test", they can't say "This particular employee took this drug test"

Re:

[coldrestart]

Um, if this post was intended as sarcasm ignore the following...

If not, all I can say is, wow, where to begin? I'm surprised you haven't been flamed for this, as it reeks of both self-importance and naivete.

If this were true, I'm also betting you often hear the HR person cheerfully tell you in response, "As you've declined I'll say good day" and show you the door.

Companies are free to set conditions of employment as long as they don't violate laws. Background checks and drug tests are common as c

The problem is not that they store it

[Opportunist]

But only that they store it in a wrong way.

That's what's wrong here.

In other words..

[bickerdyke]

Wendy is not actually doing anything wrong, but lacking documentation and other paperwork.

Money grab

[DaveV1.0]

It is just a money grab from people who think they should be paid for $15.00 an hour for being lazy, ignorant, bad employees doing a job anyone can do and that can be automated out of existence for $12.00 per hour.

"the lawsuit claims that Wendy's does not inform"

[Maritz]

The lawsuit claims that Wendy's does not inform employees in writing of the specific purpose and length of time for which their fingerprints were being collected, stored, and used, as required by the BIPA,

lol, why would the US have laws about storing of personal data? Sounds like commyinism..! Hopefully dear leader Trump can get some legislation through to release business from these onerous chains. Then back to the main priority - making the US a one party state through takeover of the supreme court. C'mon guys you can do it. Don't disappoint Vlad.

Twitter

[Daralantan]

I expect we will see roasts about this on Twitter from @Wendys soon.

Re:

[viperidaenz]

I'm going to coin a new word: "Ameritard"
An American citizen who demonstrates how mentally retarded they are by posting poorly thought out rants on the internet about how unconstitutional every law they don't like is.

I'm assuming this AC has had their drivers license revoked and owe child support payments. Therefore those laws must be bad.

Re:

[account_deleted]

Comment removed based on user account deletion

Re: This shit is dangerous, but government is wor

[Aristos Mazer]

The lawsuit says Wendyâ(TM)s never obtained proper consent. The rules for consent are pretty straightforward in the Illinois law.

Re:

[jeff4747]

Failure to immediately pay up $30,000 on command resulted in his drivers license being suspended, losing his job, and being unable to pay the insane $30,000 in a timely fashion.

Your friend had a terrible lawyer. Payment plans can be arranged, and apparently his lawyer didn't bother to try.

Re:

[ChrisMaple]

Abstinence is not 100% safe. A woman can get pregnant using a sperm bank, for instance.

Re:

[Bert64]

If you can be forced to pay child support despite not being the father, abstinence is not going to help you...

Re:

[sjames]

Freedom of movement is a natural right. Since in the case of driving, we must also temper that with the safety of others, we may allow for a license indicating that the driver has at least passed a basic safety test and hasn't given reason to believe they've become reckless, but that is all. As soon as you tie the license to anything unrelated to safe operation of the vehicle, you have admitted a back door exception to natural rights without proper discussion.

You might be surprised to learn that when driver

Re:

[jeff4747]

As for child support, if the father is denied the parent child relationship (for example by being told it isn't his), it seems reasonable that the support is null and void. And it is certainly unrelated to the right to freedom of movement.

Child support cases are decided based on what is best for the child. The rights and whims of the parents are secondary. Because the kid is far more important than the parents.

It literally does not matter if it is not his biological child. If he took on the responsibility of being "dad" (ie. signed the birth certificate), he gets to pay. Conversely, if he "skips town" before the mother even knows she's pregnant and is later found, he gets to pay. Why? In both cases, it's best for the child to get supp

Re:

[sjames]

That's the theory, but in practice, courts have tapped people for child support when they were just a sperm donor, or when they never signed anything and were flat out told the child wasn't theirs. The courts are also known for demanding child support payments from people who simply don't have the money and never did. Even though if they had married the woman and lived as a family unit, they still wouldn't have the money but would qualify for assistance.

Re:

[jeff4747]

That's the theory, but in practice, courts have tapped people for child support when they were just a sperm donor

That would be the "skipped town" version in my post. At least according to Texas's laws where that happened. Once.

or when they never signed anything and were flat out told the child wasn't theirs

That's another case of "skipped town". Or if you're talking about a state/country where the dad doesn't sign the birth certificate, there are other ways they consider you to have taken on the mantle of Dad. Signing a birth certificate was just the shortest-to-type example.

The courts are also known for demanding child support payments from people who simply don't have the money and never did

Income is always taken into account. Tax returns are pulled as part of the process. And a change in income is grounds

Re:

[sjames]

That would be the "skipped town" version in my post. At least according to Texas's laws where that happened. Once.

Skipping town implies knowingly ducking a responsibility and in the process affirmatively surrendering the right to be a parent. A man specifically told the child isn't theirs hasn't skipped town except in the sophistry of a court playing pin the tail on the donkey.

A sperm donor was never to be considered the father, it is a simple act that is meant to help couples to have a child where presumably they, not the donor, actually act to create the child and be the responsible parents. There are 49 states other

Re:

[jeff4747]

Skipping town implies knowingly ducking a responsibility

To quote myself, "skipping town before the woman even knows she's pregnant"

It's kinda hard to duck a responsibility that you can not possibly know you have.

and in the process affirmatively surrendering the right to be a parent

That doesn't exist. You can surrender your right to visitation and/or custody. You can not surrender your responsibility for child support.

A sperm donor was never to be considered the father

Texas law says he is, because there's no carve-out in the law about biological fathers for sperm donors. The extra kicker is the woman and her wife moved to Texas after having the kid, so even a "don't donate sperm

Re:

[sjames]

It's kinda hard to duck a responsibility that you can not possibly know you have.

That's my point. Why use a term with a negative connotation when it doesn't apply? Perhaps to shift blame?

Texas law says he is, because there's no carve-out in the law about biological fathers for sperm donors. The extra kicker is the woman and her wife moved to Texas after having the kid, so even a "don't donate sperm in Texas" plan would have not gotten him around responsibility.

And there's the wrong. Best bet, don't try to do a good deed as you will surely be punished for it. Even if the law you are under at the time says you're safe.

As for your item, 2, in other words fall victim to fraud, the court perpetuates the fraud.

You sound like you're agreeing with me but don't want to. As I said, it's pin the tail on the donkey.

Re:

[ChrisMaple]

I know a case where the man was known not to be the father before both the birth and the divorce. He still had to pay both child support and alimony (the father absconded.) Many judges make foul decisions.

Re: This shit is dangerous, but government is wors

[Anonymous Coward]

If you take on fatherhood, even if not the biological parent, you take on that responsibility. The judge probably did the right thing. Hopefully the biological father pays too.

Re: This shit is dangerous, but government is wor

[Anonymous Coward]

No, the judge did the wrong thing. If your wife gets pregnant and you're not the father, and you rightfully divorce her because of that, you have no business getting held accountable for two other people's actions ever. Any law that says different is unconstututional, and hopefully with the returning of constitutionality and downgrading of emotion in our court system maybe men will finally get some justice.

Being tricked into acting like a father or, (gasp) acting like a human being around kids should not

Re:

[jeff4747]

It doesn't matter if it was not his biological child. He took on the responsibility of being dad.

Even if he did that under false pretenses, the kid still exists and he still is "dad" to that kid. Punishing the kid for the mother's fraud would be wrong.