Illinois Supreme Court Rules Against Six Flags in Lawsuit Over Fingerprint Scans, Says Actual Harm Unnecessary For Biometric Case (chicagotribune.com)
The family of a teenager whose fingerprint data was collected in 2014 when he bought a season pass to Six Flags Great America had the right to sue the amusement park company under an Illinois privacy law, the state Supreme Court ruled Friday. Chicago Tribune reports: The case is being closely watched by tech giants such as Facebook, who have pushed back against the Illinois Biometric Information Privacy Act (BIPA). The law requires companies collecting information such as facial, fingerprint and iris scans to obtain prior consent from consumers or employees, detailing how they'll use the data and how long the records will be kept. It also allows private citizens to sue, while other states let only the attorney general bring a lawsuit.
The opinion, which overturns an appeals court ruling in favor of Six Flags, has the potential to affect biometrics lawsuits playing out in courtrooms across the country. The Illinois law is one of the strictest of its kind in the nation and has turned the state into a hotbed of lawsuits over alleged misuses of biometric data. Privacy experts say protecting that type of information is critical because, unlike a credit card or bank account number, it's permanent. The National Law Review adds: In short, individuals need not allege actual injury or adverse effect, beyond a violation of his/her rights under BIPA, in order to qualify as an "aggrieved" person and be entitled to seek liquidated damages, attorneys' fees and costs, and injunctive relief under the Act. Potential damages are substantial as the BIPA provides for statutory damages of $1,000 per negligent violation or $5,000 per intentional or reckless violation of the Act. To date, no Illinois court has interpreted the meaning of "per violation," but the majority of BIPA suits have been brought as class actions seeking statutory damages on behalf of each individual affected.
Good (Score:5, Insightful)
Good.
A law saying it's illegal to collect such information without consent would be completely worthless if you were not allowed to sue the company for violating it.
Re: (Score:2)
What constitutional grounds would justify SCOTUS hearing such a case regarding Illinois state law?
Re: (Score:2)
Supremacy clause and the 10th Amendment being basically ignored.
Re: (Score:2)
The 10th Amendment says exactly that the States can do this.
Supremacy clause always has let States make stricter rules, additional rules. There has to be a Federal Statute that directly contradicts the State law in the first place, you can't just wave your hands and say that something isn't allowed in Federal courts and have that mean it isn't allowed in State courts. Supremacy clause resolves conflicts between State and Federal law, it doesn't contradict the 10th Amendment.
Re: (Score:1)
This assertion is being challenged and you can go right around it if state law touches interstate commerce. Sorry, you don't understand how this works. The 10th is not the only law and you didn't interpret it properly.
The fact that 6-flags is a multi-state company alone probably is enough to get around this notion of yours that states can do whatever they want.
Re: (Score:2)
The 10th Amendment says exactly that the States can do this.
The 10th Amendment is routinely ignored by justices on both the left and right.
If the 10th Amendment were interpreted literally, most of the federal government would have to be dismantled.
Re: (Score:2)
No, that's if the 10th Amendment was interpreted in an insane and inconsistent manner, as explained to you on AM radio.
If it is just, the thing that has existed for 250+ years, then no, it would literally just be the status quo.
The 10th Amendment is why California has stricter air standards than the Federal government. It has always been this way.
Belief that the 10th Amendment contradicts the existence of the Federal Government is just stupid-sauce that defeats itself; surely the founding fathers didn't thi
Re: (Score:1)
What constitutional grounds would justify SCOTUS hearing such a case regarding Illinois state law?
"constitutional grounds"?
The Supremes operate on nothing but "muh feels" these days, bucko!
Maybe it's important to somebody's understanding of their place in the universe ... that's apparently enough to strike down laws these days.
Re: (Score:2)
hopefully that trend will start to reverse as we get more Justices who actually believe that words have meanings at the time they are spoken and the meaning of a sentence doesn't change over time because it means what it was intended to mean, not what you want it to mean today.
Of course the SCOTUS has always picked cases based on the perception that the case actually has a valid constitutional issue that is important and unresolved. So it might not help much in which cases they decide to pick up. It should
Re:Conservative lifetime appointments say otherwis (Score:4, Insightful)
Photography is protected by the first amendment as affirmed by federal courts.
Photography in public, where there is no expectation of privacy, for noncommercial purposes is protected. Most people would not consider a fingerprint scanner to be collecting public information.
The collection of facial biometrics can be defended based on that.
Quite likely. But they didn't scan the kid's face. They scanned his fingerprints. Most people would consider that a greater impingement on privacy.
Furthermore, the collection of fingerprints can be argued to be a form of photography.
Maybe. But that is the point of this ruling: they have to make that argument in court. They can't just have the case dismissed with a lack of standing argument. The court didn't say the plaintiff wins, just that the case can proceed.
Six Flags may also argue that they didn't store the fingerprint, but only a hash. Since there are many ways to generate a hash, and not every hash is unique, they could argue a hash is not "personally identifying information". Not sure if the court would agree.
Re: (Score:1)
Which, except for all of those other cases which have been decided in favor of corporations saying that you had to prove actual harm to have any merit.
They've literally been saying in the courts that "sure, this happened, but since you can't prove someone has stolen your identity or your money you have no standing to sue".
Re: (Score:3)
You can always sue, but this actually outlines damages much more clearly than most situations. It also (potentially, IANAL) could be filed in small claims court which greatly lowers the bar and avoids paying lawyers buckets of money for a class action.
My only question though - isn't it extremely simple to just publish the most open set of rules possible about your biometrics and not be on the hook for anything? Six flags isn't a necessary service so they can absolutely refuse your business, and if accepti
Re: (Score:2)
Damage is a contentious issue in this case because of permanence of intent with regard to damage ie the data was not collected for today it basically was collected forever and hence the damage must reflect all potential damage throughout your life. That kind of damage reflects pretty much any potential, from a criminal using that data to track you down and kill you, or another to use that data to steal your identity, or someone using that data against your interest to manipulate you. That is the real problem
Glad to see this (Score:3, Interesting)
I have a pass at that very Six Flags, and I have to fight almost every time to not do the fingerprint scan. This ruling may change that.
Fingerprints now (Score:3)
A hair and saliva sample later.
Seriously, why would anyone have thought this was a good idea?
Re: (Score:3)
Wanna bet they don't actually store the fingerprint, but instead something akin to a hash?
Re: (Score:2)
For this purpose, it's good enough. Look at how Disney does it: you have a fingerprint scanner. If it fails, they come over with an iPad and take a picture of your face. From that point forward, your picture comes up on the little turnstile reader so that the attendant can make sure it is really you. Thus they cut down pass sharing to a maximum of one single transfer and... mission accomplished.
Re: (Score:2)
No, they don't - and that's my point... the "fingerprint" is just a hash. If the hash is proper, they cannot recreate your fingerprint. They can only confirm that the reader created a hash that matches the one you have on file.
As for the face... I mean you are walking around the park with cameras all over the damn place. 7/11 has your face when you buy gas. We've long since moved on from "OMG they have your picture!"
Re: (Score:2)
If the hash is used in common-tech systems you can just re-use the hash.
If anyone is using hashes without salt, that's their problem.
It's just a dumb idea to use a security regime to try to provide convenience it was never meant for generally.
I'm not sure I follow. Disney was having a problem where people would buy an (for example) 8-day pass, use 4 days, and then sell the remainder of the pass. They don't need perfect security, they only need to make this practice less likely. Fingerprints are fairly quick and fairly accurate. They add a little bit of time at the gate, but not as much as the back-check/security so it is acceptable in terms of flow rate. For honest people with a bad fi
Here are the details. (Score:5, Informative)
The mother of the kid purchased season pass, for the kid, at Six Flags.
The kid, age 14, went to six flags and picked up his ticket and at that time was fingerprinted, per standard policy for season tickets.
Mother sued six flags since she had not given permission and him being a minor.
Various courts have tossed it back and forth on the basis that the mother could show no type of injury.
This time the Illinois Supreme Court ruled against six flags. The reason being that the state law does not require them to show injury.
Re: (Score:3)
isn't a photograph biometric information? Or is the law specific about its definition?
Re: (Score:2)
isn't a photograph biometric information? Or is the law specific about its definition?
That's a fair and interesting question.
From a practical point of view the photo they take and print on the pass is poor quality, black and white (barely even gray scale), and low resolution, so I doubt it has much practical biometric value
I have no idea on the legal distinction between a photo and a fingerprint scan. As an aside, by entering a Six Flags park (as well as the other major amusement park chains) you usually also agree to be photographed and used in marketing materials. This kind of pho
Re: (Score:3)
As far as this case goes, I believe you've got it. The state law requires the parent's affirmative permission to fingerprint a minor. They didn't have that.
The part the State Supreme court was hearing was Six Flags' claim that there were no actual damages, so no ability to sue. The verdict was that the law includes a presumptive damage of $1000 so the mother need not show actual damage to sue.
Re: (Score:2)
--There is NO WAY that an AMUSEMENT PARK should be requiring fingerprint scans or other biometric data (besides a picture ID.) What the hell were they thinking??
Re: (Score:2)
Hmm, wonder if the same logic would apply to someone suing the State of Illinois over collecting biometric information for Driver's License? Yes, height, weight, picture are "biometric info" used to identify the user....
Re:Here are the details. (Score:4, Interesting)
Also states and the federal government are very good at putting a phrase such as "Person is consenting for the collection of this data. If the data is not provided it will affect how quickly the government provides the service requested."
Re: (Score:2)
They might still run into trouble if a 16 year old gets a driver's license.
Re: (Score:2)
reminds me of that game we'd play in jr high on friends/little brothers.... we'd barely whisper something like "say 'huh'/'what' if you want me to punch you in the arm"
of course, being barely audible, the little brother would say "huh?" and we'd then proceed to punch him in the arm stating that he asked for it cuz he said 'huh'
it was an 'agreement' done in bad faith then and it's the same thing here
Re: (Score:2)
well, if you don't want to be identified, reasonably they don't want to do business with you. Basically the reason they collect this info is because they don't accept your possession of the ticket as proof you are who you claim to be. It is an anti counterfeit, anti scam measure that they wouldn't implement unless they thought it saved them money. I'm all for a law saying they have to tell you what they collect and what they do with it so you can consent, however, there is no reason to expect them to se
Re: (Score:2)
Highly unlikely: I don't think they have a direct line to the FBI fingerprint database, and their fingerprint hash doesn't allow for reconstruction of the print. For this to work, they'd have to use the same hashing system that the FBI uses to make their prints searchable.
Besides, people can still buy a day pass without being fingerprinted, so this doesn't actually help in this respect. Even if they were doing this, privacy should trump absolute safety -- the worst things are often done for the cheeeeeldr
so? (Score:2)
Can someone in Illinois sue Google for allowing Google Photos to identify their face in a picture they didn't upload?
You have zero privacy anyway. Get over it? (Score:4, Insightful)
Scott McNealy: You have zero privacy anyway. Get over it. [wired.com]
If Privacy is really dead, then Scott should publish his Name, Address, Account Numbers and passwords, location schedule, and DNA profile and always keep them all current. Until then, it's NOT.
It's one thing to lose my credit card number. Annoying, but I can get another. Same for my throw-away online accounts.
It's slightly harder for more important accounts, like my slashdot account -- I'd lose all my Karma standing and have to start over! Other accounts are the same: VERY annoying but not Earth shattering.
Getting doxed - the info used to be in the physical phone book, but now it's easy to tie "a fact" to "someone" and "know where they live." Now bother becomes heightened senses if not outright fear, and possibly having to actually uproot and move. Across the street, across town, across the country.
Now you lose my name and reputation with Identity Theft. Inverse doxing, I'm still me but so is someone ELSE. I _COULD_ change my name, but I don't want to. And it's Hell trying to prove what's actually you and what isn't.
FINALLY, you lose my biometrics? Movie hacker: "Computer: 'Override.' We're in." [networkworld.com] I _CAN'T_ change those, period. At all.
Just because I have nothing to hide doesn't mean that I want you to see.
Everyone wants privacy and we all hide something (Score:2)
I understand your larger point, and I quite agree that anyone who claims they don't care about privacy is lying, but you'll understand if I don't want someone else's choices determining the value of my privacy. I say privacy matters to us all even if someone claims otherwise (as glib sycophants on /. sometimes claim w
Washington State has privacy rights too (Score:2)
In our State Constitution.
As does the entire nation of Canada.
And most of the EU.
Ooh, going to be a lot of suits.
What's the big deal about fingerprints? (Score:2)
As it is commonly pointed out on Slashdot, fingerprints are usernames, not passwords.
So what if an amusement park uses them? They are less privacy invading than a simple picture, and very convenient.
The ones who should be sued are not companies who collect them but the ones who use them for reasons other than checking your physical presence. The way Six Flags uses them is exactly how they are meant to be used.
Of course, they are still personal data but why focus specifically on fingerprints when they are n