Rosenbach v. Six Flags

Whether an individual whose biometric data has been unlawfully collected in violation of the Illinois Biometric Information Privacy Act has a cause of action
  • Unanimous Decision in Illinois Supreme Court Ensures Strict Limits on Biometric Data Collection: The Illinois Supreme Court ruled today in Rosenbach v. Six Flags, a case about a state privacy law that protects biometric data. Parents sued the theme park after it collected a child's fingerprints, charging a violation of the Illinois biometric privacy law. The theme park claimed that it was necessary to show some additional harm, but the Illinois Court held that when companies violate the law, "the injury is real and significant." EPIC filed a "friend of the court" brief in the case, arguing that the biometric privacy law "imposes clear responsibilities on companies that collect biometric identifiers" and that if these provisions are "not enforced, the statute's subsequent provisions are of little consequence." EPIC has long advocated for strict limits on use of biometric data. EPIC also filed an amicus brief in the OPM data breach, a case that concerned the breach of 5.1 million fingerprints, precisely the same biometric data at issue in this case. (Jan. 25, 2019)
  • EPIC Urges Illinois Supreme Court to Uphold Strict Limits on Biometric Data Collection: EPIC has filed an amicus brief with the Illinois Supreme Court in Rosenbach v. Six Flags Entertainment Corp, about the collection of a child's biometric data in violation of the Illinois Biometric Information Privacy Act. EPIC explained that the Illinois biometric law "imposes clear responsibilities on companies that collect biometric identifiers" and said the company had failed to comply with the state law. EPIC made clear that "collection is the threshold safeguard in privacy law" and if corresponding provisions are "not enforced, the statute’s subsequent provisions are of little consequence." EPIC first identified the risk of collecting biometric data from children entering amusement parks in a 2005 report "Theme Parks and Your Privacy." The state of Illinois adopted the nation's first biometric privacy law in 2008. EPIC has long advocated for strict limits on use of biometric data. EPIC also routinely submits amicus briefs, including in the recent OPM data breach case that concerned the breach of 5.1 million fingerprints, precisely the same biometric data at issue in this case. (Jul. 5, 2018)
  • EPIC, Coalition Calls for Surveillance Reforms in Response to DOJ Surveillance of Congress and Reporters » (Jun. 18, 2021)
    In a coalition letter, EPIC and more than twenty civil society groups called for reforms to surveillance statutes authorizing collection of sensitive information and gag orders. The letter follows recent revelations that the Department of Justice spied on members of Congress and the press by collecting their communications and issued gag orders to hide that surveillance. The coalition also called for a thorough investigation by Congress and the DOJ. EPIC recently endorsed a bill to stop government use of facial recognition and other biometric surveillance tools.
  • Senator Markey Introduces Bill to Ban Face Surveillance » (Jun. 15, 2021)
    Senator Edward J. Markey (D-Mass.), along with Senators Merkley, Sanders, Warren, and Wyden, as well as Congresswomen Jayapal, Pressley, and Tlaib today introduced legislation to stop government use of biometric surveillance, including facial recognition tools. The Facial Recognition and Biometric Technology Moratorium Act prohibits the use of facial recognition and other biometric technologies by federal agencies, including Customs and Border Protection. "Facial recognition poses a significant threat to our democracy and privacy," said Caitriona Fitzgerald, Deputy Director, Electronic Privacy Information Center (EPIC). "Facial recognition technology has been shown time and time again to be biased, inaccurate, and disproportionately harmful to people of color. The Facial Recognition and Biometric Technology Moratorium Act of 2021 would effectively ban law enforcement use of this dangerous technology. EPIC is proud to support it." EPIC leads a campaign to Ban Face Surveillance and through the Public Voice Coalition has gathered support from over 100 organizations and experts from more than 30 countries. Recently, in an open letter EPIC and a coalition of more than 175 civil society organizations and prominent individuals called for "an outright ban on uses of facial recognition and remote biometric recognition technologies that enable mass surveillance and discriminatory targeted surveillance."

  • Biden Administration Abandons DHS Plans to Expand Biometric Collection » (May. 11, 2021)
    According to a news report, the Biden Administration plans to rescind a proposed rule to massively expand the collection of biometric information from immigrants. The rule, proposed towards the end of the Trump Administration, would have granted the Department of Homeland Security broad authority to collect biometric data from immigrants and their families and associates. The rule would have enabled the collecting of palm prints, iris images, voiceprints, DNA, and images for facial recognition regardless of age. In comments to the Department of Homeland Security, EPIC opposed the rule and urged the agency to rescind the proposed rule. EPIC argued that DHS's broad authorization to collect biometrics was incompatible with the Department's Fair Information Practice Principles. EPIC also specifically called on the agency to suspend the use of facial recognition technology. Last year, EPIC, joined by over 40 organizations, called for the Privacy and Civil Liberties Oversight Board to recommend the suspension of face surveillance systems across the federal government.
  • EPIC, Coalition Urge DHS to Rescind CBP's Proposed Biometrics Rulemaking » (Mar. 10, 2021)
    In a letter to Secretary of Homeland Security Alejandro Mayorkas, EPIC and a coalition of civil rights, civil liberties, immigrants' rights, technology, and privacy organizations urged the agency to rescind a Notice of Proposed Rulemaking massively expanding Customs and Border Protection's (CBP's) use of biometrics, and to suspend the use of facial recognition across DHS. The NPRM was originally issued November 19, 2020 and re-published on February 9, 2021 in a sign that DHS and the Biden Administration intend to go forward with the rulemaking. EPIC submitted comments on the original NPRM, urging CBP to suspend its use of facial recognition, or in the alternative use only 1:1 face comparison. Earlier, EPIC voiced opposition to a broader DHS rulemaking authorizing widespread use of biometrics, including facial recognition, throughout the agency.
  • EPIC, Coalition Call on Biden Administration to Abandon "Virtual Border Wall," Invest in Migrant Communities » (Feb. 25, 2021)
    In a letter to the Biden administration, EPIC and a coalition of 40 privacy, immigration, and civil liberties organizations urged the administration to abandon the proposed U.S. Citizenship Act of 2021 as an extension of the Trump administration's border policy. The proposed legislation would direct DHS to deploy a bevy of biometric and other surveillance technologies at points of entry and along the southern border. The letter describes how such technologies endanger the lives of migrants by pushing them onto more dangerous travel routes. The use of surveillance technologies at the border inevitably extends into the interior, where they are deployed against protesters, communities of color, and indigenous peoples. EPIC recently urged DHS to rescind a proposed rule increasing the agency's collection of biometric information.
  • EPIC, Coalition Urge NYPD to Limit Use of Surveillance Technologies and Disclose More Information on Their Use » (Feb. 25, 2021)
    In comments to the New York Police Department, EPIC called for meaningful limits on the use of mass surveillance technologies including facial recognition, airplanes and drones, automated license plate readers, and social media monitoring tools. EPIC also joined with privacy and civil liberties advocates and academics in coalition comments urging the NYPD to make a good faith effort to meet the requirements of the Public Oversight of Surveillance Technologies (POST) Act. The POST Act requires the NYPD to publish impact statements and use policies for 36 surveillance technologies. The Department's draft policies fail to disclose necessary information including detailed data storage, retention, and auditing practices, do not name the vendors of these technologies, and gloss over systemic racial discrimination in the use of these technologies with boilerplate language. The disclosures illuminate the use of technologies by the NYPD that enable mass surveillance and have extensive documented risks of bias and inaccuracy. EPIC leads a campaign to Ban Face Surveillance, and through the Public Voice coalition gathered support from over 100 organizations and experts from more than 30 countries.
  • EPIC Urges NIST to Adopt Privacy-Protective Standards for Federal ID Cards » (Feb. 2, 2021)
    In comments responding to the National Institute of Standards and Technology's draft Federal Information Processing Standards for personal identity verification (ID cards and digital identity verification), EPIC urged the agency to adopt more privacy protective technology for federal employees and contractors. EPIC drew upon expertise from the Advisory Board for these comments. EPIC recently urged the Department of Homeland Security to suspend a new counterintelligence system of records which will collect biometric information. EPIC previously urged the Department of Transportation to provide more privacy protections for federal employees in the Insider Threat database.
  • Hamburg DPA Deems Clearview AI's Biometric Photo Database Illegal, Orders a Partial Deletion of Profile » (Jan. 28, 2021)
    The Hamburg Data Protection Authority has ruled that Clearview AI’s searchable database of biometric profiles is illegal under the EU’s GDPR and ordered the U.S. company to delete the claimant’s biometric profile. Clearview AI scrapes photos from websites to create a searchable database of biometric profiles. The database, which is marketed to private companies and U.S. law enforcement, contains over 3 billion images gathered from websites and social media. The claimant submitted a complaint to the Hamburg DPA after discovering that Clearview AI had added his biometric profile to the searchable database without his knowledge or consent. The DPA ordered Clearview to delete the mathematical hash values representing his profile but did not order Clearview to delete his captured photos. The DPA’s narrow order protects only the individual complainant because it is not a pan-European order banning the collection of any EU resident’s photos. The DPA decided that Clearview AI must comply with the GDPR, yet this narrow order places a burden on Europeans to have their profiles removed from the database. EPIC has long opposed systems like Clearview AI, filing an amicus brief before the 9th Circuit defending an individual's right to sue companies who violate BIPA and other privacy laws, submitting FOIA requests with several government agencies that use Clearview AI technology, and urging the Privacy and Civil Liberties Oversight Board to recommend the suspension of face surveillance systems across the federal government.
  • EPIC to Maryland Legislators: Enact Biometric Privacy Law » (Jan. 27, 2021)

    EPIC Senior Counsel Jeramie Scott testified today to Senate and House Committees of the Maryland General Assembly in support of legislation protecting biometric information privacy. HB218 and SB16 are modeled after the Illinois Biometric Information Privacy Act (BIPA). Passed in 2008, BIPA has been referred to as one of the most effective and important privacy laws in America. "Unlike a password or account number, a person’s biometrics cannot be changed if they are compromised," EPIC told the Committees. EPIC stressed the importance of strong enforcement measures in privacy laws, particularly a private right of action. EPIC also submitted a recent case study on the Illinois law written by EPIC Advisory Board member Woody Hartzog. EPIC previously filed an amicus brief in Rosenbach v. Six Flags, where the Illinois Supreme Court unanimously decided that consumers can sue companies that violate the state's biometric privacy law. [Watch the hearing]

  • EPIC Urges DHS to Suspend New Counterintelligence Records System » (Jan. 13, 2021)
    EPIC submitted comments to the Department of Homeland Security in response to a system of records notice and proposed exemptions from Privacy Act requirements for a new counterintelligence records system. DHS's proposed records system would permit nearly limitless collection of sensitive personal information and unchecked disclosure of that information to state, local and international agencies, and to private companies. DHS's proposed exemptions would eliminate all individual rights under the Privacy Act and exempt DHS from basic Privacy Act requirements, including limiting data collection to necessary information. EPIC recently insisted that DHS rescind a proposed expansion of the use of biometrics, including facial recognition, across the agency.
  • EPIC Urges CBP to Halt Use of Facial Recognition for Biometric Entry/Exit » (Dec. 21, 2020)
    EPIC submitted comments to U.S. Customs and Border Protection (CBP) in response to a Notice of Proposed Rulemaking that would drastically expand CBP’s use of facial recognition at airports and land border crossings. EPIC urged the agency to stop using facial recognition to identify travelers. EPIC criticized CBP’s implementation of Biometric Entry/Exit for the agency's failure to even follow its own Fair Information Practice Principles. EPIC recently insisted that DHS rescind a proposed expansion of the use of biometrics, including facial recognition, across the agency. Earlier this year, an EPIC-led coalition called on the Privacy and Civil Liberties Oversight Board to recommend the suspension of face surveillance systems across the federal government.
  • EPIC Urges Advisory Council to Address Privacy Risks of DHS’s Use of Biometrics » (Dec. 11, 2020)

    In response to a report by the Homeland Security Advisory Council’s Biometric Subcommittee, EPIC urged the Council to table the report until they can address the privacy and civil liberties implications of the Department of Homeland Security’s collection and use of biometrics in full. The Biometric Subcommittee was tasked with examining DHS use and collection of biometrics. The Subcommittee’s report failed to address a rule proposed in September that would broadly expand DHS use of biometrics. EPIC previously argued that the proposed rule, giving DHS broad authorization for biometric collection, was incompatible with the department's Fair Information Practice Principles.

  • EPIC Opposes DHS's Plans to Broadly Expand Biometric Collection » (Oct. 14, 2020)
    In comments to the Department of Homeland Security and U.S. Citizenship and Immigration Services, EPIC urged the agency to rescind a proposed rule to broadly permit DHS to collect biometrics from immigrants, their families, and associates. DHS's rule would enable the collection of palm prints, iris images, voiceprints, DNA, and images for facial recognition. EPIC argued that DHS's broad authorization of biometric collection was incompatible with the department's Fair Information Practice Principles. EPIC also specifically called on the agency to suspend the use of facial recognition technology. EPIC previously urged DHS to extend the comment period on this NPRM from 30 days to the standard 60 days for major rulemakings. EPIC consistently opposes biometric collection at DHS. In April EPIC urged DHS to narrow both the use and Privacy Act exemptions for its Insider Threat Database linking biometrics to personal information. Earlier this year, EPIC, joined by over 40 organizations, called for the Privacy and Civil Liberties Oversight Board to recommend the suspension of face surveillance systems across the federal government.
  • EPIC Urges DHS to Extend Comment Period on Massive Expansion of Biometric Data Collection » (Oct. 1, 2020)
    In a letter to the Department of Homeland Security, EPIC urged DHS to provide the standard 60-day comment period for a notice of proposed rulemaking authorizing DHS to expand its biometric data collection practices. DHS would be able to collect finger/palm prints, images for facial recognition, DNA, iris images, and voiceprints from a broad swath of the population, including millions of citizens. The proposed rule would subject immigrants to "continuous vetting" surveillance up to and even past the time they obtain citizenship. In 2018 EPIC urged CBP to suspend its biometric entry/exit program. EPIC currently leads a campaign to Ban Face Surveillance.
  • CBP Failed to Protect Sensitive Biometric Information in Test of Facial Recognition Program » (Sep. 24, 2020)
    In a new report, the Inspector General for the Department of Homeland Security found that Customs and Border Protection failed to safeguard pictures of travelers obtained for a facial recognition pilot program, the Biometric Entry-Exit Program. The pictures were exposed in a data breach of a CBP subcontractor, Perceptics, LLC. OIG found that the CBP failed to undertake sufficient information security practices to prevent Perceptics from obtaining the data. At least 17 of the images were ultimately released on the dark web. EPIC leads an ongoing campaign to Ban Face Surveillance. In 2018, EPIC urged CBP to suspend its Biometric Entry-Exit Program. EPIC previously obtained documents on that program through a FOIA lawsuit.
  • Professors Hartzog and Richards: Clearview AI Gets Privacy and First Amendment Wrong » (Sep. 14, 2020)
    In a recent Boston Globe op-ed Professors Woody Hartzog, an EPIC Advisory Board member, and Neil Richards assert that Clearview AI's claim of a First Amendment right to scrape, analyze, and disseminate publicly available photos is a threat to privacy that misunderstands the right to free speech. Clearview AI's claim is a response to a lawsuit filed under Illinois' Biometric Information Privacy Act (BIPA) challenging the company’s collection of photos and sale of facial recognition services. EPIC filed an amicus brief before the 9th Circuit defending an individual's right to sue companies who violate BIPA and other privacy laws. Recently EPIC filed FOIA requests with several government agencies revealed as users of Clearview AI technology. Earlier this year, EPIC and over 40 organizations urged the Privacy and Civil Liberties Oversight Board to recommend the suspension of face surveillance systems across the federal government.
  • GAO Report: CBP Needs to Address Privacy Issues with Facial Recognition Deployment » (Sep. 3, 2020)
    A report by the Government Accountability Office found that Customs and Border Protection needs to address privacy issues with the agency's deployment of facial recognition technology at ports of entry. CBP currently deploys facial recognition at 27 airports as part of their Biometric Entry-Exit Program. The GAO found that CBP has not provided adequate privacy notices or information on opting out of facial recognition to the public. Additionally, the agency has failed to implement a plan to audit privacy compliance by airline partners involved in the program. EPIC has previously explained to Congress and the CBP that its Biometric Entry-Exit program unfairly burdens travelers exercising their rights to opt-out of facial recognition. EPIC has called on Congress to suspend facial recognition at airports and earlier this year urged the Privacy and Civil Liberties Oversight Board to recommend the suspension of face surveillance systems across the federal government.
  • Amazon Claims 'Halo' Device Will Monitor User's Voice for 'Emotional Well-Being' » (Sep. 1, 2020)
    Despite the exceptional privacy risks of biometric data collection and opaque, unproven algorithms, Amazon last week unveiled Halo, a wearable device that purports to measure "tone" and "emotional well-being" based on a user's voice. According to Amazon, the device "uses machine learning to analyze energy and positivity in a customer's voice so they can better understand how they may sound to others[.]" The device also monitors physical activity, assigns a sleep score, and can scan a user's body to estimate body fat percentage and weight. In recent years, Amazon has come under fire for its development of biased and inaccurate facial surveillance tools, its marketing of home surveillance camera Ring, and its controversial partnerships with law enforcement agencies. Last year, EPIC filed a Federal Trade Commission complaint against Hirevue, an AI hiring tool that claims to evaluate "cognitive ability," "psychological traits," and "emotional intelligence" based on videos of job candidates. EPIC has long advocated for algorithmic transparency and the adoption of the Universal Guidelines for AI.
  • Bill to Ban Face Surveillance Introduced in Congress » (Jun. 25, 2020)
    Senator Edward J. Markey (D-Mass.), along with Senator Jeff Merkley (D-Ore.), Congresswoman Pramila Jayapal (WA-07) and Congresswoman Ayanna Pressley (MA-07) today introduced legislation to stop government use of biometric surveillance, including facial recognition tools. The Facial Recognition and Biometric Technology Moratorium Act prohibits the use of facial recognition and other biometric technologies by federal agencies, including Customs and Border Protection. “The use of face surveillance technology needs to end. Face surveillance violates Americans’ right to privacy, treats all individuals as suspicious, and threatens First Amendment-protected rights,” said Caitriona Fitzgerald, EPIC Interim Associate Director and Policy Director. “The technology has been shown time and time again to be biased and inaccurate, frequently misidentifying people of color. EPIC has repeatedly called for a moratorium on the use of face surveillance and the Facial Recognition and Biometric Technology Moratorium Act of 2020 would stop the use of this dangerous technology. EPIC is proud to support it.” EPIC recently settled a Freedom of Information Act lawsuit against Customs and Border Protection regarding the agency's "alternative screening procedures" to determine whether travelers are able to opt out of facial recognition at airports. EPIC has launched a campaign to Ban Face Surveillance. Previously, EPIC and a coalition urged the Privacy and Civil Liberties Oversight Board to suspend the use of face surveillance systems across the federal government. And last year, the Public Voice coalition called for a global moratorium on face surveillance.
  • DHS Proposes Database to Link Biometric Data, EPIC will Oppose » (Apr. 1, 2020)
    The Department of Homeland Security has published a Systems of Record Notice for the "Enterprise Biometric Administrative Records." The DHS seeks to link personal data in the IDENT biometric database to unique machine-generated identifiers. IDENT contains personal data on both U.S. citizens and non-U.S. persons. The IDENT database is tied to biometric databases maintained by the FBI, the Department of Defense, and the State Department. DHS also announced a Notice of Proposed Rulemaking that proposes to exempt the Enterprise Biometric Administrative Records database from many of the protections of the Privacy Act. EPIC is currently pursuing a Freedom of Information lawsuit against the State Department for information about the disclosure of personal biometric data to other federal agencies. Public comments on the Enterprise Biometric Administrative Records System of Record Notice or Notice of Proposed Rulemaking are due April 10 and April 15 respectively. EPIC will urge the DHS to suspend the project. And if the agency goes forward, EPIC will urge the agency to comply with all of the requirements of the federal Privacy Act.
  • In FOIA Case, EPIC Obtains Details on State Department's Facial Recognition Program » (Feb. 19, 2020)
    In response to EPIC's Freedom of Information Act lawsuit, EPIC v. State, the State Department has provided EPIC with several agency agreements concerning the State Department's facial recognition program. The Consular Consolidated Database contains millions of images from visa and passport applicants, which other federal agencies are now accessing for purposes unrelated to the processing of visa and passport applications. The State Department agreements include the Labor, Interior, and Defense Departments. Several of the documents EPIC obtained concealed the name of the federal agency accessing the State Department database. In a related EPIC FOIA lawsuit, EPIC obtained documents concerning Customs and Border Protection's use of images from the State Department.
  • Supreme Court Declines to Review Facebook Face Scan Case » (Jan. 21, 2020)
    The U.S. Supreme Court will leave in place a decision that allows lawsuits against Facebook for the unlawful collection of facial images. In Patel v. Facebook, the Ninth Circuit held that an Illinois biometrics law protects "concrete privacy interests" and that violations of the law "pose a material risk of harm to those privacy interests." EPIC filed an amicus brief in the case, arguing that users can sue companies that violate rights protected by privacy laws. EPIC has long advocated for limits on the use of biometric data and has opposed Facebook's use of facial recognition software. EPIC and others recently called for a global moratorium on facial recognition. EPIC recently launched a campaign and resource page to ban face surveillance.
  • CBP Drops Airport Face Scanning Proposal » (Dec. 5, 2019)
    Customs and Border Protection has removed its proposal to require U.S. citizens to undergo mandatory face recognition at airports, following widespread protest. Currently, only foreign nationals are required to undergo facial screening at airports. According to a CBP spokesperson, the agency has "no current plans to require U.S. citizens to provide photographs upon entry and exit from the United States," and that it "intends to have the planned regulatory action...removed from the unified agenda next time it's published." Senator Ed Markey previously blasted CBP's proposal. After CBP reversed its proposed plan, Senator Markey stated "we cannot take our right to privacy for granted. Americans still need protection from facial recognition technology..." and that he planned to introduce legislation to ban biometric surveillance. EPIC is pursuing a lawsuit to uncover documents about the opt-out procedures in CBP's Biometric Entry-Exit program. EPIC has explained to Congress and the agency that its Biometric Entry-Exit program unfairly burdens travelers exercising their rights to opt out of biometric identification. EPIC recently launched a global campaign calling for a moratorium on the use of face recognition for mass surveillance.
  • Facebook Asks Supreme Court to Review Face Scan Decision » (Dec. 5, 2019)
    Facebook has filed a petition asking the Supreme Court to review a decision that allows lawsuits against Facebook for the unlawful collection of facial images. In Patel v. Facebook, the Ninth Circuit held that an Illinois biometrics law protects "concrete privacy interests" and that violations of the law "pose a material risk of harm to those privacy interests." EPIC filed an amicus brief in the case, arguing that users can sue companies that violate rights protected by privacy laws. EPIC has long advocated for limits on the use of biometric data and has opposed Facebook's use of facial recognition software. EPIC and others recently called for a global moratorium on facial recognition. EPIC recently launched a campaign and resource page to ban face surveillance.
  • Swiss Sign Convention 108+, 35 Countries Back Privacy Convention » (Nov. 21, 2019)
    This week, Switzerland signed the Modernized International Privacy Convention. With the Swiss signature, thirty-five countries now back Convention 108+. The Council of Europe Convention 108+ is the first and only binding international legal instrument for data protection. Updated in 2018, the Modernized Convention includes new provisions on biometric data, algorithmic transparency, and enhanced oversight. Non-members of the Council of Europe are able to sign the Convention, and EPIC and consumer groups have long urged the United States to ratify the international Privacy Convention.
  • Congress to Consider Moratorium on Facial Recognition » (Aug. 22, 2019)
    POLITICO reports that House leaders will consider a moratorium on funding facial recognition following a House Oversight Committee hearing on DHS facial recognition programs. Prior to the hearing, EPIC briefed members of the House committee about the entry-exit program at US airports. Air travelers have reported that it is difficult to opt-out and the agency has still not conducted a required rulemaking. Last month, EPIC led a coalition of over 35 organizations urging Congress to halt the use of face recognition on the general public. In a statement in April to the House Appropriations Committee, EPIC recommended that Congress halt the funding for the facial recognition program at TSA, also within the DHS. After a Buzzfeed story featured documents obtained by EPIC about plans to expand facial recognition at airports, Senators Ed Markey (D-MA) and Mike Lee (R-UT) called for the suspension of the program.
  • Federal Appeals Court Says Consumers Can Sue Facebook for Facial Recognition » (Aug. 8, 2019)
    A federal appeals court has ruled that users can sue Facebook for collecting and using their facial images. In Patel v. Facebook, users contend that Facebook violated an Illinois biometric privacy law by creating biometric templates of their faces without their consent. The court found that the Illinois law "protects the plaintiffs' concrete privacy interests" and violations of the law "pose a material risk of harm to those privacy interests." The court cited the common law roots of the right to privacy and also noted that "the Supreme Court has recognized that advances in technology can increase the potential for unreasonable intrusions into personal privacy." EPIC filed an amicus brief in the case, arguing that the violation of the privacy law was sufficient for Facebook users to sue the company. EPIC wrote the "Illinois Biometric Information Privacy Act imposes, by statute, legal obligations on companies that choose to collect and store individuals' biometric data." EPIC said that plaintiffs must only "demonstrate that a defendant has invaded a concrete interest protected by the law—nothing more." Last year, EPIC filed an amicus brief in Rosenbach v. Six Flags, where the Illinois Supreme Court unanimously decided that consumers can sue companies that violate the state's biometric privacy law. EPIC routinely submits briefs in support of consumers' right to sue in privacy cases. EPIC has also long advocated for limits on the use of biometric data and has opposed Facebook's use of facial recognition software.
  • Privacy Board to Review Use of Biometrics at Airports, Privacy of Passenger Data, and FBI Surveillance » (Jun. 26, 2019)
    The Privacy and Civil Liberties Oversight Board has announced three new oversight projects. The PCLOB reviews federal agency programs to ensure they do not diminish privacy and civil liberties. The Board said it will review: (1) the use of biometrics, such as facial recognition, in airports; (2) how the FBI queries data collected under the Foreign Intelligence Surveillance Act's Section 702, including searches for US person information called "backdoor searches"; and (3) oversight of passenger identity databases used by airlines. Earlier this year, EPIC sent a statement to the Board urging limits on the government use of facial recognition and an end to backdoor searches. In 2012, EPIC sent a detailed statement to PCLOB outlining priorities for the agency. In 2016, EPIC awarded former PCLOB Board Member Judge Patricia Wald with the EPIC Champion of Freedom Award.
  • EPIC to Congress: Suspend Facial Recognition at Airports » (Jun. 13, 2019)
    Earlier this week, the House Homeland Security Committee held a closed-door roundtable briefing on the use of facial recognition technology by the Department of Homeland Security. The Committee met with privacy and civil liberties advocates, including EPIC Senior Counsel, Jeramie Scott. Mr. Scott highlighted EPIC's Freedom of Information Act work related to the use of face recognition at airports. Documents obtained by EPIC, and featured at Buzzfeed, revealed significant flaws in the technology. EPIC highlighted these problems in comments to the agency and an op-ed. Speaking to Members of Congress, Mr. Scott recommended that the facial recognition program be suspended, and pointed to the recent breach of photos and other sensitive information collected by the agency.
  • EPIC Sues State Department About Secret Facial Recognition Database » (May. 20, 2019)
    EPIC filed a lawsuit today to compel the State Department to release information about the transfer of facial images, gathered from visa and passport applicants, to other federal agencies. EPIC explained to the federal court in Washington, DC that the Customs and Border agency is now using those images in an unlawful border system. EPIC has called for the suspension of the CBP program. Senators Markey and Lee have also opposed expansion of the CBP program to U.S. citizens. In a related FOIA lawsuit, EPIC obtained documents concerning CBP's facial recognition program. A summary report revealed that the system did not perform operational matching at a "satisfactory" level.
  • EPIC FOIA: Massive DHS Biometric Database Still Lacks a Privacy Impact Assessment » (May. 3, 2019)
    In response to EPIC's Freedom of Information Act request, the Department of Homeland Security confirmed that no privacy impact assessment has been completed for a vast DHS biometric database known as the "Homeland Advanced Recognition Technology." The HART database will include fingerprints, iris scans, and facial images on millions of individuals. The documents EPIC did obtain from DHS consist of privacy threshold reviews that indicate a privacy impact assessment is required and was expected by January 2019. A previous document obtained by EPIC shows that the Homeland Advanced Recognition Technology database is part of the facial recognition Biometric Entry/Exit program at US airports.
  • EPIC to TSA: Conduct Rulemaking on Facial Recognition » (Apr. 26, 2019)
    In comments to inform the Transportation Security Administration's 2020 National Strategy, EPIC recommended that TSA suspend the facial recognition program at US airports. EPIC wrote, "The TSA's use of facial recognition lacks the safeguards necessary for implementation." EPIC has also warned lawmakers and the DHS about the biometric border program that incorporates facial recognition. EPIC has urged the agency to undertake a notice and comment rulemaking that would provide the public with the opportunity to comment on the controversial program. EPIC successfully required TSA to conduct a rulemaking on its deployment of airport body scanners in EPIC v. DHS. EPIC also recommended that TSA incorporate the Universal Guidelines for Artificial Intelligence, endorsed by over 300 organizations and experts, for AI-based systems.
  • EPIC to Congress: Funding for TSA Facial Recognition Program Must Be Halted » (Apr. 3, 2019)
    EPIC has sent a statement to the House Appropriations Committee regarding the TSA's FY2020 budget request, urging Congress to suspend the "Biometric Entry-Exit" program until privacy safeguards are established. EPIC said Congress should halt funding for TSA's facial recognition program "until CBP establishes proper privacy assessments, policies and procedures, and oversight mechanisms." EPIC recently filed a Freedom of Information Act lawsuit to determine whether travelers are able to opt out of facial recognition at airports. According to the CBP, the "alternative screening procedures" allow travelers to provide identification documents, such as a passport, and avoid facial recognition, which "is not mandatory for U.S. citizens." But research by EPIC indicates that CBP has made it increasingly difficult for travelers to opt out.
  • Buzzfeed: EPIC Docs Reveal Flawed Facial Recognition Program » (Mar. 11, 2019)
    At the start of Sunshine Week, Buzzfeed featured documents obtained by EPIC about a deeply flawed facial recognition program that could impact all U.S. travelers returning to the United States. The documents, released following an EPIC FOIA request, describe the Administration's plan to extend a faulty CBP pilot program to TSA, ICE, and the Coast Guard. Documents previously obtained by EPIC, following a lawsuit against DHS, found similar problems with a facial recognition program at the southern border.
  • Unanimous Decision in Illinois Supreme Court Ensures Strict Limits on Biometric Data Collection » (Jan. 25, 2019)
    The Illinois Supreme Court ruled today in Rosenbach v. Six Flags, a case about a state privacy law that protects biometric data. Parents sued the theme park after it collected a child's fingerprints, charging a violation of the Illinois biometric privacy law. The theme park claimed that it was necessary to show some additional harm, but the Illinois Court held that when companies violate the law, "the injury is real and significant." EPIC filed a "friend of the court" brief in the case, arguing that the biometric privacy law "imposes clear responsibilities on companies that collect biometric identifiers" and that if these provisions are "not enforced, the statute's subsequent provisions are of little consequence." EPIC has long advocated for strict limits on use of biometric data. EPIC also filed an amicus brief in the OPM data breach case, which concerned the breach of 5.1 million fingerprints, precisely the same biometric data at issue in this case.
  • EPIC Amicus: Unlawful Collection of Biometric Data Establishes Standing » (Dec. 18, 2018)
    EPIC has filed an amicus brief in a case concerning Facebook's collection of facial images in violation of the Illinois Biometric Information Privacy Act. In Patel v. Facebook, EPIC argued that the violation of the privacy law was sufficient for Facebook users to sue the company. EPIC said that the legal doctrine of standing "simply requires plaintiffs to demonstrate that a defendant has invaded a concrete interest protected by the law—nothing more." Earlier in 2018, EPIC filed an amicus brief in Rosenbach v. Six Flags, another case about the Illinois biometric privacy law. EPIC routinely submits briefs in support of standing in privacy cases. EPIC has also long advocated for limits on the use of biometric data and has opposed Facebook's use of facial recognition software.
  • EPIC Investigates Airport Facial Recognition Opt-Out Procedures » (Dec. 12, 2018)
    In an urgent FOIA request, EPIC is seeking documents from CBP about the procedures for travelers to opt out of the biometric entry/exit program. EPIC found that CBP frequently changes the program without any formal procedures. One consequence is that it is now more difficult for travelers to opt out of the screening procedure. EPIC wrote that "CBP is modifying rules as it is implementing the program," contrary to federal law. Earlier this week, EPIC urged Congress to suspend the program until privacy safeguards and meaningful opt-out procedures are established. In comments to the DHS Data Privacy and Integrity Advisory Committee, EPIC explained the substantial privacy risks of CBP's use of facial recognition technology.
  • EPIC to Congress: Federal Agency Making Up the Rules for Facial Recognition Screening » (Dec. 11, 2018)
    EPIC has sent a statement to the Senate Judiciary Committee for an oversight hearing of Customs and Border Protection. EPIC cited frequent changes CBP has made to the opt-out procedures for the biometric entry/exit program. "Without legal authority or the opportunity for public comment, CBP is making up the rules as it rolls out the program," EPIC said. EPIC urged the Committee to suspend the screening program until privacy safeguards and meaningful opt-out procedures are established. Last week, EPIC warned Customs and Border Protection about facial recognition technology and urged the DHS Privacy committee to end the program.
  • Indian Supreme Court Imposes New Limits on National Identity System » (Sep. 26, 2018)
    In a ruling today, the Indian Supreme Court imposed new limits on Aadhaar, India's national biometric identification system. The Court found the system did not violate the Indian constitution, but struck down a section of the law permitting private entities to demand Aadhaar to verify identity. Aadhaar can no longer be mandatory to register for education, open a bank account, or obtain a cell phone connection. However, the state-issued number may still be required for purposes related to government funds, including filing an income tax. The Court also struck down an exception authorizing disclosure of Aadhaar data for national security purposes. The Court encouraged the state to establish "a robust statutory regime" for data protection "in near future." The dissent would have held Aadhaar unconstitutional. The biometric system "violates essential norms pertaining to informational privacy, self-determination and data protection," the dissent states, and "dignity of individuals cannot be made to depend on algorithms or probabilities." Last year, India's Supreme Court ruled that privacy is a fundamental right under the Indian Constitution. EPIC has also backed comprehensive privacy legislation in comments to the Indian government, and urged creation of a private right of action and breach notification requirement.
  • EPIC Urges DHS To Abandon Privacy Act Exemptions for New Biometric Database » (Aug. 31, 2018)
    In comments to the Department of Homeland Security, EPIC urged the agency to withdraw proposed Privacy Act exemptions that would reduce privacy safeguards in the federal government. The Immigration Biometric and Background Check database will contain personal data on U.S. and non-U.S. citizens. DHS has proposed to exempt the database from several Privacy Act protections, including ensuring that records are accurate, timely, and complete. DHS also claims numerous “routine uses” that allow the agency to disseminate the data to law enforcement and intelligence agencies. EPIC has urged strict compliance with Privacy Act obligations and warned that inaccurate, insecure, and overbroad government databases threaten both privacy and national security.
  • EPIC Urges Suspension of Biometric Entry/Exit Program » (Jul. 25, 2018)
    In comments to Customs and Border Protection, EPIC urged the agency to suspend the Biometric Entry/Exit Program. EPIC argued that less privacy-invasive alternatives should be considered and that the program should not move forward until Congress has passed regulations implementing safeguards for the use of biometrics. CBP solicited comments about the collection of biometrics, based on facial recognition, from people in vehicles crossing the border. EPIC said that such an expansion could quickly lead to a program of mass surveillance. In EPIC v. CBP, EPIC has sued the agency for details about the program. A report EPIC obtained in the lawsuit showed that facial recognition at a pedestrian border failed to perform at a "satisfactory" level.
  • EPIC Urges Illinois Supreme Court to Uphold Strict Limits on Biometric Data Collection » (Jul. 5, 2018)
    EPIC has filed an amicus brief with the Illinois Supreme Court in Rosenbach v. Six Flags Entertainment Corp, about the collection of a child's biometric data in violation of the Illinois Biometric Information Privacy Act. EPIC explained that the Illinois biometric law "imposes clear responsibilities on companies that collect biometric identifiers" and said the company had failed to comply with the state law. EPIC made clear that "collection is the threshold safeguard in privacy law" and if corresponding provisions are "not enforced, the statute’s subsequent provisions are of little consequence." EPIC first identified the risk of collecting biometric data from children entering amusement parks in a 2005 report "Theme Parks and Your Privacy." The state of Illinois adopted the nation's first biometric privacy law in 2008. EPIC has long advocated for strict limits on use of biometric data. EPIC also routinely submits amicus briefs, including in the recent OPM data breach case that concerned the breach of 5.1 million fingerprints, precisely the same biometric data at issue in this case.
  • EPIC Pursues Privacy Impact Assessments for Proposed DHS Biometric Database » (Jun. 18, 2018)
    EPIC has submitted an urgent Freedom of Information Act request to the Department of Homeland Security seeking the Privacy Impact Assessment for the "Homeland Advanced Recognition Technology," a proposed system that will integrate biometric identifiers across the federal government. HART would replace IDENT, which now contains biometric records on over 220 million unique individuals. In 2015 a breach at the Office of Personnel Management compromised 22 million records, including 5 million digitized fingerprints. It appears that Homeland Security failed to complete the Privacy Assessment prior to launching HART. By law, a federal agency is required to conduct a Privacy Impact Assessment before procuring information technology that stores personally identifiable information. In EPIC v. Presidential Election Commission, EPIC challenged the failure of the Commission to undertake a Privacy Impact Assessment prior to the collection of state voter data. The Commission was shuttered earlier this year.
  • Senators Urge DHS to Address Concerns Over Facial Recognition at Airports; Conduct Public Rule-Making » (May. 11, 2018)
    In a letter to DHS Secretary Kirstjen Nielsen, Senators Edward Markey (D-MA) and Mike Lee (R-UT) urged the agency to promptly conduct a public rulemaking on the agency's biometric exit program prior to any expansion of the program. The program, currently implemented in nine U.S. airports, requires travelers on departing international flights to submit to facial recognition identification. The Senators requested that DHS determine the accuracy of the technique and the procedures for collecting passenger data. EPIC is currently pursuing documents about the biometric exit program, but documents EPIC obtained about a related program that tested iris and facial recognition scanning at the border revealed that the technology did not perform operational matching at a "satisfactory" level. An earlier EPIC lawsuit against the DHS led to the removal of backscatter x-ray devices — "body scanners" — at US airports.
  • EPIC to Congress: Enhanced Surveillance at Border Will Impact Rights of U.S. Citizens » (Apr. 24, 2018)
    EPIC has sent a statement to the House Homeland Security Committee in advance of a hearing with the Commissioner of Customs and Border Protection. EPIC urged the Committee to ask the CBP Commissioner about the collection of biometric data at US airports. EPIC described the growing use of facial recognition that captures the images of US travelers. EPIC also pointed to a recent study that found racial disparities with the technique. EPIC is currently seeking records from the federal agency concerning the accuracy of facial recognition. EPIC also recommended the Committee examine how CBP will comply with state laws prohibiting warrantless aerial surveillance when deploying drones at the border. As a result of an earlier FOIA lawsuit, EPIC found that the CBP is deploying drones with facial recognition technology without warrant authority.
  • EPIC FOIA: EPIC Obtains FBI Policy for Disseminating Biometric Info » (Mar. 22, 2018)
    Through a Freedom of Information Act request, EPIC has obtained the FBI’s “Policy for Biometric Information Sharing with Domestic and International Agencies.” The documents EPIC obtained also contain details of the United States’ agreement with Iraq to exchange biometric data, including to not subject the information to any dissemination restrictions of the US or Iraq. The FBI maintains one of the world's largest biometric databases, known as the “Next Generation Identification” system, which includes facial IDs gathered from international conflicts. In 2007, EPIC, Privacy International, and Human Rights Watch warned the Secretary of Defense that the “system of biometric identification contravene international privacy standards and could lead to further reprisals and killings.” EPIC noted in 2010 "President Obama’s address on the end of the combat mission in Iraq has left open the question of what will happen to the massive biometric databases on Iraqis, assembled by the United States, during the course of the conflict."
  • Court Rules that Users have Standing to Sue Facebook about Facial Recognition » (Feb. 27, 2018)
    The Northern District of California has ruled that Facebook users have standing to pursue a class action challenging Facebook's use of facial recognition software. The court said that the Illinois Biometric Information Privacy Act requires plaintiffs only to show that Facebook has unlawfully collected their biometric data without their consent. Facebook sought to dismiss the suit by arguing that the Supreme Court's decision in Spokeo v. Robins required the plaintiffs to show additional harm. EPIC submitted a friend-of-the-court brief in Spokeo, arguing that courts should not second-guess privacy laws. The Ninth Circuit Court of Appeals recently agreed with EPIC that internet users have standing when a company has disclosed their personal information in violation of the Video Privacy Protection Act.
  • EPIC Urges Congress to Suspend Facial Recognition At US Airports » (Feb. 26, 2018)
    EPIC has sent a statement to the House Homeland Security Committee in advance of a hearing on the Transportation Security Administration. EPIC urged the Committee to limit the collection of biometric data at US airports. EPIC described the growing use of facial recognition that captures the images of US travelers. EPIC also pointed to a recent study that found racial disparities with the technique. EPIC previously pursued a significant lawsuit against the TSA that led to the removal of x-ray body scanners from US airports. EPIC is currently seeking records from Customs and Border Protection concerning the accuracy of facial recognition.
  • Republican DACA Bill Would Expand Use of Drones, Biometrics » (Feb. 21, 2018)
    The Secure and Succeed Act (S. Amdt. 1959 to H.R. 2579), sponsored by several Republican Senators, would link DACA with hi-tech border surveillance. Customs and Border Protection would use facial recognition and other biometric technologies to inspect travelers, both US citizens and non-citizens, at airports. The bill also establishes "Operation Phalanx" that instructs the Department of Defense—a military agency—to use drones for domestic surveillance. EPIC has pursued many FOIA cases on border surveillance involving biometrics, drones, and airport body scanners. In a statement to Congress, EPIC warned that "many of the techniques that are proposed to enhance border surveillance have direct implications for the privacy of American citizens."
  • EPIC Urges FBI to Limit Fingerprint-Based Background Checks » (Jan. 9, 2018)
    In response to a request for comments, EPIC has urged the FBI to expand its use of name-based — rather than fingerprint-based — background checks for noncriminal purposes, such as employment. The FBI currently uses fingerprints, stored in the Next Generation Identification (NGI) database, to conduct non-criminal background checks. "Names checks" were only conducted for individuals whose fingerprints failed the NGI matching requirements. EPIC told the FBI that the "name-based background check accomplishes the same purpose as the fingerprint-based background check without requiring the collection of sensitive biometric information." EPIC has opposed the expansion of the NGI system for non-law enforcement purposes. EPIC has also pursued a series of Freedom of Information Act requests to assess the reliability of the NGI system.
  • EPIC FOIA: Report Reveals Failure of Border Biometric Matching Program » (Dec. 18, 2017)
    Through a Freedom of Information Act lawsuit, EPIC has obtained a report from Customs and Border Protection, which evaluated iris imaging and facial recognition scans for border control. The "Southwest Border Pedestrian Field Test" reveals that the agency program does not perform operational matching at a "satisfactory" level. In a statement to Congress earlier this year, EPIC warned that biometric identification techniques are unreliable and lack proper privacy safeguards. EPIC is pursuing related documents for the use of biometrics at airports. EPIC has extensively litigated airport screening techniques, including EPIC v. TSA (concerning body scanner modifications) and EPIC v. DHS (concerning full body scanner radiation risks).
  • EPIC Urges Senate to Block Biometric Collection At US Airports » (Sep. 28, 2017)
    EPIC has sent a statement to the Senate Commerce Committee following a hearing on the Transportation Security Administration. EPIC urged the Committee to limit the collection of biometric data at US airports. EPIC described the growing and regulated use of biometrics in US airports, often targeting US citizens. EPIC previously pursued a significant lawsuit against the TSA to limit the use of body scanners. EPIC is currently seeking records from Customs and Border Protection concerning the agency's use of facial recognition for a biometric entry/exit program at airports. EPIC has also objected to a proposal to increase the collection of biometric data for the TSA Pre-Check program.
  • NGOs to Meet with Privacy Commissioners at Public Voice Event in Hong Kong » (Sep. 19, 2017)
    The Public Voice will host an event with NGOs and Privacy Commissioners at the 39th International Conference of Data Protection and Privacy Commissioners in Hong Kong. "Emerging Privacy Issues: A Dialogue Between NGOs & DPAs" will address emerging privacy issues, including biometric identification, algorithmic transparency, border surveillance, the India privacy decision, and implementation of the GDPR. Speakers include Chairman Isabelle Falque-Pierrotin of the CNIL and Article 29 Working Party, Commissioner John Edwards of New Zealand, and Director Eduardo Bertoni of Argentina. Also participating will be representatives of Access Now, EPIC, GP Digital, Privacy International, and the World Privacy Forum. The Public Voice, established in 1996, facilitates public participation in decisions concerning the future of the Internet.
  • EPIC Obtains Final Report on "Face ePassport Air Entry Experiment" » (Sep. 8, 2017)
    As the result of a Freedom of Information Act request, EPIC has obtained a report on the use of face recognition on travelers entering the United States at Dulles Airport. The report was obtained after EPIC filed a lawsuit against Customs and Border Protection for documents about the agency's biometric entry/exit program, expedited by Executive Order 13769. As the report was heavily redacted, EPIC's FOIA lawsuit is ongoing. In a statement to the House Homeland Security Committee earlier this year, EPIC warned that biometric identification techniques, such as facial recognition, lack proper privacy safeguards. EPIC has extensively litigated airport screening techniques, including EPIC v. TSA, concerning airport body screening.
  • Supreme Court of India Rules Privacy is a Fundamental Right » (Aug. 24, 2017)
    India's Supreme Court has ruled that privacy is a fundamental right under the Indian Constitution. In a unanimous ruling, the Court explained the "right to privacy is protected as an intrinsic part of the right to life and personal liberty under Article 21 and as a part of the freedoms guaranteed by Part III of the Constitution." The Court also recognized that "Informational privacy is a facet of the right to privacy" and modern privacy risks are caused by both the public and private sector. The ruling may impact significant cases pending in India, including a challenge to Aadhaar, India's massive biometric identification system, and WhatsApp's privacy policy change. In 2009 NGOs and privacy experts set out the Madrid Privacy Declaration, which affirmed privacy as a fundamental human right. In 2010, EPIC urged the US Supreme Court to recognize the right of "informational privacy." EPIC explained that the Whalen decision and a famous German census case, "influenced international privacy jurisprudence, resulting in the widespread recognition of the right to informational privacy." EPIC's report Privacy and Human Rights provides an overview of privacy frameworks around the world.
  • EPIC to Congress: Examine Facial Recognition Surveillance at the Border » (Jul. 24, 2017)
    EPIC has sent a statement to the House Homeland Security Committee in advance of a hearing on "Technology's Role on Securing the Border." EPIC alerted the Committee to EPIC's recent FOIA lawsuit about the federal government's deployment of a biometric "entry/exit tracking system," including at US airports. A recent Executive Order on immigration will push forward the biometric identification system, and will include citizens returning to the U.S. EPIC has warned that biometric identification techniques, such as facial recognition, lack proper privacy safeguards. EPIC noted that the federal agency pursuing the border identification program is also deploying drones, and should comply with state laws and a 2015 Presidential Memorandum that limit drone surveillance.
  • EPIC Files FOIA Lawsuit Over Border Biometrics, Expanded Tracking » (Jul. 20, 2017)
    EPIC has filed a FOIA lawsuit against Customs and Border Protection for information about the agency’s deployment of a biometric entry/exit tracking system, including at US airports. Trump's recent Executive Order regarding immigration ordered the expedited implementation of a biometric entry/exit tracking system, which will include U.S. citizens. Biometric techniques, including facial recognition, lack proper privacy safeguards. EPIC previously sued the FBI over the Bureau’s Next Generation Identification database, which contains face prints, fingerprints, and other biometrics of millions of Americans. EPIC's lawsuit against the FBI revealed that biometric identification is often inaccurate.
  • EPIC Urges TSA to Consider Alternative to Biometric Collection » (Jul. 5, 2017)
    In comments to the Transportation Security Administration, EPIC urged the agency to consider alternatives to expanding the collection of biometric identifiers for the TSA Pre-Check application. EPIC explained the potential for biometric identifiers to be used for purposes other than determining eligibility for Pre-Check and the substantial personal privacy risks for applicants if the databases associated with Pre-Check were compromised. EPIC also proposed privacy enhancing alternatives, such as limiting the storage of biometric identifiers or providing information on how to have information removed from databases associated with Pre-Check. EPIC routinely highlights the risks of large, overbroad government databases and the privacy risks inherent in the collection of biometric information.
  • EPIC Urges Senate Committee to Investigate FBI's Massive Biometric Database » (May. 1, 2017)
    EPIC has sent a statement to the Senate Judiciary Committee for an upcoming FBI oversight hearing. EPIC urged the Committee to investigate the FBI's Next Generation Identification system, a massive biometric database. EPIC has sought to ensure that the FBI database complies fully with the federal Privacy Act which the Bureau has opposed. EPIC explained to the Senate Committee that an individual's ability to control disclosure of identity "is an essential aspect of personal security and privacy." In a leading FOIA lawsuit, EPIC v. FBI, EPIC also uncovered documents which revealed high error rates in the biometric system. EPIC has filed a FOIA lawsuit against the FBI for information about the agency's plans to transfer biometric data to the Department of Defense.
  • EPIC Joins Coalition to Urge FOIA Compliance on Immigration Enforcement » (Apr. 25, 2017)
    EPIC joined a coalition of civil society organizations to urge the Immigration and Customs Enforcement to comply with the Freedom of Information Act. The letter to DHS Secretary Kelly calls upon the federal agency to "fully disclose information on immigration enforcement cooperation between federal and non-federal law enforcement agencies." EPIC previously received documents through a Freedom of Information Act Request about DHS's immigration enforcement practices. The documents obtained by EPIC detail the "Priorities Enforcement Program," a controversial program that relied on biometric data collection for immigration enforcement.
  • EPIC Urges House Oversight Committee to Explore FBI's Use of Biometric Data » (Mar. 21, 2017)
    EPIC has sent a letter to the House Committee on Oversight concerning "Law Enforcement's Use of Facial Recognition Technology." EPIC urged the Committee to investigate the FBI's Next Generation Identification program. EPIC explained that an individual's ability to control disclosure of identity "is an essential aspect of personal security and privacy." The FBI biometric database is one of the largest in the world, but the FBI has opposed privacy safeguards that EPIC supported. The Bureau proposed to exempt the database from Privacy Act protections. EPIC has filed a FOIA lawsuit against the FBI for information about the agency's plans to transfer biometric data to the Department of Defense.
  • Data Protection Experts Recommend New Protections for Biometric Identification Online » (Mar. 17, 2017)
    The International Working Group on Data Protection in Telecommunications adopted new recommendations to improve the privacy and security of biometric identification online. The Berlin-based Working Group includes Data Protection Authorities and experts who work together to address emerging privacy challenges. The "Working Paper on Biometrics in Online Authentication" explains that “biometrics in online authentication offers one possibility to address some of the shortcomings” of conventional online passwords, but the “data protection and privacy risks” must be considered. Among their recommendations, the experts urge policymakers to support “[p]roactive privacy tools,” and contend biometric authentication should “remai[n] an active choice by the user and not a condition of use.” EPIC will host the 61st meeting of the International Working Group in Washington DC in April 2017.
  • EPIC FOIA: EPIC Seeks Information about Airport Eye Scans of U.S. Travelers » (Mar. 2, 2017)
    EPIC has filed an urgent FOIA request with U.S. Customs and Border Protection for details of eye scans conducted on U.S. citizens traveling internationally. The CBP has long been testing biometric identification of travelers, including U.S. citizens, and a recent report indicates U.S. citizens were subject to eye scans before traveling abroad. EPIC seeks public disclosure of the details of CBP policies for scanning U.S. citizen irises and retinas upon entry or exit to the U.S. EPIC makes frequent use of the Freedom of Information Act. As the result of a FOIA lawsuit, EPIC recently obtained several memoranda of understanding regarding the transfer of biometric identifiers between the FBI and DOD. Last month, EPIC also prevailed in EPIC v. FBI, a FOIA lawsuit for public release of the FBI's privacy assessments.
  • EPIC FOIA: EPIC Obtains FBI-DoD Biometric Data Plans » (Jan. 30, 2017)
    Through a Freedom of Information Act lawsuit, EPIC has obtained several memoranda of understanding regarding the transfer of biometric identifiers between the Federal Bureau of Investigation and the Department of Defense. One of the agreements, which includes the State Department, calls for "a direct conduit for the parties to access databases storing biometric information." Last year, EPIC filed extensive comments scrutinizing the FBI's proposal to remove Privacy Act safeguards from the Bureau's massive biometric database known as "Next Generation Identification." EPIC also led a coalition effort urging Congress to hold an oversight hearing on the FBI database. The case is EPIC v. FBI, No. 16-2237 (D.D.C. filed Nov. 10, 2016) (Biometric Data Transfer Agreements).
  • Open Government Lawsuits at Near-Record Highs in 2016 » (Dec. 9, 2016)
    Advocates, journalists, and businesses have brought a near-record 512 lawsuits under the Freedom of Information Act in 2016. The findings, compiled for FOIAproject.org by the Transactional Records Access Clearinghouse, show a 35 percent increase in FOIA litigation over the past five years. According to the new report, the lawsuits have covered diverse issues including "private email accounts, national security, immigration, the environment and even Donald Trump." In 2016, EPIC brought FOIA suits for the DOJ's secret inspector general reports, the DOT's drone task force records, and the FBI's biometric data transfer memos.
  • EPIC FOIA: EPIC Obtains Secret Inspector General Reports » (Nov. 21, 2016)
    Through a Freedom of Information Act lawsuit, EPIC has obtained nonpublic reports from the Department of Justice's Inspector General. The documents include audits of drug control funds. Another set of documents includes audits of other grant programs, as well as a list of information security audits conducted since 2005. EPIC also obtained a previously unpublished audit of a state lab's DNA database. The mission of the DOJ Inspector General is "to detect and deter waste, fraud, abuse, and misconduct in DOJ programs and personnel." EPIC also recently sued the Federal Bureau of Investigation to obtain information on the massive biometric database "Next Generation Identification."
  • EPIC Sues FBI Over Biometric Data Program » (Nov. 14, 2016)
    EPIC has filed a FOIA lawsuit against the Federal Bureau of Investigation for information about the agency's plans to transfer biometric data to the Department of Defense. The FBI maintains one of the world's largest biometric databases, known as the "Next Generation Identification" system, but the FBI has resisted maintaining privacy safeguards. The Bureau previously proposed to exempt the database from many of the safeguards in the federal Privacy Act, which EPIC opposed. Then EPIC, following a FOIA lawsuit, obtained documents that revealed an error rate up to 20% for facial recognition searches in the FBI database. Now EPIC has filed an open government lawsuit to obtain a secret document that details the transfer of personal data in the FBI system to the Department of Defense. [Press Release]
  • High Court Extends Fourth Amendment Protections to DUI Blood Tests » (Jun. 23, 2016)
    In Birchfield v. North Dakota, the U.S. Supreme Court today held that states cannot criminalize an individual’s refusal to submit to a warrantless blood test. The Court also found that the Fourth Amendment does not allow warrantless blood tests incident to arrest, but does permit warrantless breath tests. In the 2013 case Maryland v. King, EPIC urged the Supreme Court to protect genetic privacy by extending Fourth Amendment protections to the collection of DNA from arrestees. In that case, the Supreme Court held that a cheek swab incident to an arrest was permissible.
  • Federal Court Upholds Photo Tagging Suit Against Facebook » (May. 8, 2016)
    A federal judge has rejected Facebook's argument that the company did not violate an Illinois law that requires companies to obtain consent from consumers before collecting biometric data such as a "faceprint." Describing the biometric privacy law, the court said that Facebook's position was "antithetical to its broad purpose of protecting privacy in the face of emerging biometric technology." In 2011, EPIC filed a complaint with the Federal Trade Commission, arguing that the facial identification of users was an unfair and deceptive trade practice. In 2012, EPIC urged the FTC to suspend facial recognition "until adequate safeguards and privacy standards are established." Canada and Europe have since required Facebook to suspend the use of photo tagging.
  • Federal Agencies Seek Comment on Protections for Human Research Subjects » (Sep. 8, 2015)
    The Department of Health and Human Services is seeking public comment on proposed revisions to the "Common Rule," ethical rules regarding biomedical and behavioral research involving human subjects in the United States. The proposal seeks to strengthen requirements for informed consent but would also exempt certain categories of research from administrative review. The Department will accept public comments on the proposed revisions until December 6, 2015. EPIC previously submitted comments to the Department of Health and Human Services, warning that medical privacy standards for deidentification were "gravely inadequate" and urging support for stronger techniques of deidentification. EPIC routinely comments on privacy issues involved in health data.
  • California Court Strikes Down DNA Collection Law » (Dec. 4, 2014)
    A state appeals court in California has struck down a state law that requires collection of DNA from people arrested on felony charges. The California court ruled that DNA collection by a cheek swab is an unreasonable search and seizure prohibited by the state's constitution. "The California DNA Act intrudes too quickly and too deeply into the privacy interests of arrestees," wrote the court. The appeals court also said that the U.S. Supreme Court's ruling in Maryland v. King, which upheld a similar law in Maryland, did not apply in this case because of significant differences between each state's DNA collection laws. EPIC has participated as amicus in several cases concerning the collection of DNA. In Maryland v. King, EPIC argued that the government collection of DNA opens the door to misuse and threatens personal privacy. For more information, see EPIC: Maryland v. King, EPIC: Maryland v. Raines, EPIC: Kohler v Englade, EPIC: US v. Kincade, EPIC: Herring v. US, EPIC: Comments on TSA Biometric Systems, and EPIC: Genetic Privacy.
  • Senate to Hold Homeland Security Oversight Hearing » (Jun. 10, 2014)
    The Senate Judiciary Committee will hold an oversight hearing for the Department of Homeland Security. Secretary Jeh Johnson will testify. EPIC has objected to many of the agency's mass surveillance practices, including the secret profiling of American air travelers, the use of drones for aerial surveillance, the amassing of information on Americans into "fusion centers", and the collection of biometric identifiers. EPIC has also warned that the DHS Chief Privacy Officer has failed to safeguard privacy, a legal obligation for that office. According to the DHS, the number of privacy complaints increased in 2013. EPIC has several Freedom of Information Act cases pending against the DHS. In an earlier case, EPIC determined the DHS was monitoring social media and news organizations for criticisms of the agency. Another EPIC case led to the removal of the x-ray backscatter devices from US airports. For more information, see EPIC v. DHS - Social Media Monitoring and EPIC v. DHS (Suspension of Body Scanner Program).
  • Sen. Franken Questions Apple on iPhone Fingerprint Scanning » (Sep. 21, 2013)
    Senator Al Franken has raised questions about the privacy and security implications of the fingerprint reader on Apple's new iPhone 5S. "If someone hacks your password, you can change it—as many times as you want. You can't change your fingerprints," Senator Franken wrote. He also pressed Apple for additional details on the protection available to users against law enforcement access to biometric data. In Congressional testimony, EPIC has previously warned that biometric identifiers will "allow for greater data collection and tracking of individuals." For more information, see EPIC: Biometric Identifiers.
  • EPIC FOIA - DHS Facial Recognition System Lacks Privacy Safeguards » (Aug. 22, 2013)
    In response to an EPIC FOIA request, the Department of Homeland Security has produced documents revealing that the agency has failed to establish privacy safeguards for "BOSS" (the Biometric Optical Surveillance System), an elaborate system for facial recognition and individual identification. The documents obtained by EPIC indicate that none of the agency's contracts or statements of work require any data privacy or security protections for BOSS' design, production, or test implementations. The New York Times reported on EPIC's acquisition of these documents, noting also high failure rates for these systems. EPIC is also pursuing a FOIA lawsuit with the FBI over the agency's development of "Next Generation ID," which, when complete, will be the largest biometric identification database program in the world. For more information, see EPIC: Face Recognition, EPIC: EPIC Opposes DHS Biometric Collection, and EPIC - Biometric Identifiers.
  • EPIC Opposes DHS Biometric Collection » (Jun. 21, 2013)
    EPIC has submitted comments to the Department of Homeland Security, staunchly opposing the agency's border biometric collection, facilitated through the Office of Biometric Identity Management program. Since at least 2004, DHS has collected fingerprint and facial photos from individuals entering the United States. DHS then disseminates this information to DHS agency components, other federal agencies, and "federal, state, and local law enforcement agencies," and the "federal intelligence community." Currently, at least 30,000 individuals from federal, state, and local governments access the data obtained by DHS's biometric collection program. DHS shares this biometric data with foreign governments, including Canada, Australia, and the United Kingdom. In its comments, EPIC urged the agency to cease collecting biometric information without proper privacy safeguards in place. Should the agency continue to collect this sensitive information, EPIC recommends that DHS: (1) impose strict information security safeguards on its biometric information collection and limit its dissemination of biometric information; (2) conduct a comprehensive privacy impact assessment on the biometric collection program; (3) grant individuals Privacy Act rights before collecting additional biometric information; and (4) adhere to international privacy standards. For more information, see EPIC: US-VISIT and EPIC: Biometric Identifiers.
  • FBI Performs Massive Virtual Line-up by Searching DMV Photos » (Jun. 17, 2013)
    Through a Freedom of Information Act request, EPIC obtained a number of agreements between the FBI and state DMVs. The agreements allow the FBI to use facial recognition to compare subjects of FBI investigations with the millions of license and identification photos retained by participating state DMVs. EPIC also obtained the Standard Operating Procedure for the program and a Privacy Threshold Analysis that indicated that a Privacy Impact Assessment must be performed, but it is not clear whether one has been completed. EPIC is currently suing the FBI to learn more about its development of a vast biometric identification database. For more information, see EPIC: Face Recognition and EPIC: Biometric Identifiers.
  • EPIC Sues FBI to Obtain Details of Massive Biometric ID Database » (Apr. 8, 2013)
    EPIC has filed a Freedom of Information Act lawsuit against the FBI to obtain documents about "Next Generation Identification", a massive database with biometric identifiers on millions of Americans. The EPIC lawsuit follows the FBI's failure to respond to EPIC's earlier FOIA requests for technical specifications and contracts. According to EPIC's complaint, "When completed, the NGI system will be the largest biometric database in the world." NGI aggregates fingerprints, DNA profiles, iris scans, palm prints, voice identification profiles, photographs, and other identifying information. The FBI will use facial recognition to match images in the database against facial images obtained from CCTV and elsewhere. For more information, see EPIC v. FBI - Next Generation Identification, EPIC: Biometric Identifiers and EPIC: Face Recognition.
  • US to Retain Biometric Database on Iraqis » (Dec. 21, 2011)
    According to Wired, although the war in Iraq is officially over, US Central Command will retain a massive database with retinal scans, thumb prints, religious affiliation, as well as other personal data on millions of Iraqis. In 2007, EPIC, Privacy International, and Human Rights Watch sent a letter to then Secretary of Defense Robert Gates to warn that the collection of biometric data in the region poses a direct risk to human rights and could result in genocidal violence. The Defense Science Board also warned that the database could "become a hit list if it gets in the wrong hands." For more information, see EPIC - "Iraqi Biometric Identification System."
  • EPIC, Coalition Seeks Investigation of New FBI ID Program and "Secure Communities" » (Sep. 26, 2011)
    A coalition of civil liberties and civil rights organizations has asked the Inspector General of the Department of Justice to investigate the FBI's Next Generation Identification program, a "billion-dollar initiative to create the world's largest biometric database." The 70 organizations, including EPIC, have also urged an assessment of "Secure Communities," the mismanaged federal deportation effort. Several states, including Illinois, Massachusetts, and New York, have already withdrawn from the DHS program. For more information, see EPIC - "Secure Communities."
  • FTC Announces Workshop on Facial Recognition Technology » (Sep. 20, 2011)
    The Federal Trade Commission announced that it will host a workshop on December 8, 2011, on the privacy and security issues raised by the increasing use of facial recognition technology. Facial recognition technology has been used by Facebook to build a secret database of users’ biometric data and to enable Facebook to automatically tag users in photos. The Army has also used facial recognition technology to collect biometric data from Iraqi and Afghan civilians at checkpoints, workplaces, the sites of attacks, and door-to-door canvasses. EPIC, Privacy International, and Human Rights Watch wrote to the US Secretary of Defense in 2007 to warn that the system could lead to reprisals and further killings. Police agencies are also using facial recognition to identify political protesters. EPIC’s complaint regarding Facebook’s facial recognition is still pending before the FTC. For more information, see EPIC: In re Facebook, EPIC: Face Recognition, and EPIC: Iraqi Biometric Identification System.

Summary

In Rosenbach v. Six Flags Entertainment Corporation, the Plaintiff, the mother of a fourteen-year-old boy, sued Six Flags Entertainment Corporation under the Illinois Biometric Information Privacy Act (BIPA). Plaintiff alleged that the theme park scanned her son’s fingerprint without obtaining written consent and without properly disclosing the company’s business practices relating to the collection, use, and retention of the fingerprint data. Defendant Six Flags filed a motion to dismiss stating that Plaintiff was not an “aggrieved party” for purposes of BIPA because she had not alleged an “actual injury.” The motion was denied. Defendant then filed a motion for reconsideration. The district court presented questions for appellate review regarding whether a party who had only suffered a violation of the BIPA notice and consent requirements could be “aggrieved.” On appeal, the Illinois Appellate Court answered both questions in the negative. The question now lies before the Supreme Court of Illinois.

Question Presented

Whether a party who suffers a violation of the notice and consent requirement of the Illinois Biometric Information Privacy Act, where Defendant collected the victim’s fingerprint without obtaining consent, is considered “aggrieved” under the Act.

Background

Factual Background

Plaintiff Stacy Rosenbach is the mother of fourteen-year-old Alexander Rosenbach. Defendant Six Flags Entertainment Corporation (Six Flags) is a corporation that operates an amusement park in Gurnee, IL, called Great America. Plaintiff purchased a season pass online for her son Alexander from Defendant’s Great America amusement park. Six Flags scanned and stored Alexander’s fingerprint during his next visit to the park in order for Alexander to obtain his physical season pass. The fingerprint scan was part of a nationwide policy that Six Flags rolled out in 2014 as a security process for pass holders to enter and exit amusement parks. To get into the amusement park, pass holders had to present their physical pass in addition to scanning their fingerprint. After Six Flags obtained Alexander’s fingerprint, he never returned to the park. The Plaintiff alleges that had she known about Six Flags’ fingerprint policy, she would not have purchased the season pass. The mother, who filed the lawsuit as next friend to her child, alleges that the corporation violated the Biometric Information Privacy Act (BIPA), an Illinois law that restricts corporations’ collection, use, and retention of biometric data, like fingerprints, face and hand scans, eye scans, and voice prints.

Procedural History

In the District Court, the Defendant filed a motion to dismiss stating that Plaintiff was not aggrieved because she had not alleged an “actual injury.” The motion was denied under BIPA. Defendant then filed for a Rule 308(a) certification, arguing that the district court’s denial of its motion to dismiss raised significant legal questions. This motion was also denied. The Defendant then successfully filed a motion for reconsideration. The district court reformulated the prior questions, presenting two questions for appellate review. The central inquiry of the District Court was whether a party who had only suffered a violation of the notice and consent requirements of section 15(b) of the Act could be “aggrieved.” Specifically, the District Court’s certified questions addressed whether 1) statutory liquidated damages under Section 20(1) of the Act and 2) injunctive relief authorized under section 20(4) of the Act were appropriate in the context of such violations. Defendant requested leave to appeal to the Illinois Appellate Court, which the Illinois Appellate Court granted.

On appeal, the Illinois Appellate Court answered both questions in the negative, finding that an individual who raises a “technical violation of the Act without alleging any injury or adverse effect” is not an “aggrieved” person and may not recover under any of the damage provisions of the Act. However, the court noted that an “injury or adverse effect” does not need to be pecuniary in nature.

The Defendant argued that the Act’s text and purpose, as well as interpretations of the term “aggrieved party” in other statutes, suggest that “aggrieved” should be interpreted as requiring “actual harm or adverse consequences.” The Plaintiff maintained that a technical violation of the Act was sufficient. The Illinois Appellate Court looked at the plain meaning of the text since the Act does not define “aggrieved.” Definitions from Black’s Law Dictionary for “aggrieved party” and “aggrieved” reference rights that have been “adversely affected.” The Plaintiff argued that the right to privacy was an “adversely affected” right. However, the court dismissed this argument, noting that even this interpretation required “an actual injury, adverse effect, or harm in order for the person to be ‘aggrieved.’” The court also examined cases interpreting an “aggrieved party,” determining that more than a technical violation was required for a party to be aggrieved. The Supreme Court of Illinois granted Plaintiff’s petition for leave to appeal.

Legal Background

The Illinois Biometric Information Privacy Act (BIPA) requires a corporation that obtains a person’s biometric information 1) to obtain a “written release” from them prior to collection, 2) to provide them notice that their information is being collected and stored, and 3) to state the duration the information will be collected, stored and used as well as its specific purpose. The law gives a private right of action to anyone “aggrieved” under the statute. Several courts have considered, and disagreed on, the meaning of the term “aggrieved” under BIPA. While some courts have considered a violation of the biometric notice and consent requirements to be a privacy violation that is actionable in itself, other courts have held that an aggrieved party must allege both a technical violation of the law and a separate and additional claim of injury.

The Illinois Legislature passed the BIPA in 2008 to protect the “welfare, security, and safety” of Illinois residents by “regulating the collection, use, safeguarding, handling, storage, retention, and destruction of biometric information.” Seeing the use of biometric identifiers growing, especially in the financial sector, the Illinois Legislature was cognizant that unlike other unique identifiers, biometrics are biologically unique and cannot be changed even if compromised. Furthermore, knowing that the implications of using biometric identifiers for a commercial purpose are unknown, the Illinois Legislature intended BIPA to address the concerns of a wary public that may be deterred from transactions that require biometric identification.

To combat these worries, BIPA requires a corporation that obtains a person’s biometric information to first obtain a “written release” from the customer or the customer’s representative. The law also requires a corporation that seeks to obtain biometric information from a customer to first provide “in writing” various information: (1) that the biometric information is being “collected;” (2) that the biometric information is being “stored;” (3) the “length of term” that the biometric information will be collected, stored, and used; and (4) the “specific purpose” for the collection, storage, and use of the information.

EPIC’s Interest

In 2005, EPIC first identified the risk to privacy resulting from the collection of biometric data at amusement parks in the United States. EPIC noted that it is disproportionate and unnecessary for theme parks to collect biometric identifiers from attendees. At the very least, EPIC explained, “Theme park visitors should have knowledge of the practice of collecting fingerprint information so they may act to protect their and their children’s privacy.” EPIC further stated, “Knowing as much as possible whenever personally identifiable information is being collected from you or your family is your best defense. It is not in your privacy interest to fail to ask questions or challenge requests for personally identifiable information. It is important to ask questions and assert your right to protect you and your children’s privacy.”

EPIC has filed many amicus curiae briefs in federal and state courts concerning emerging privacy issues, including a brief in the D.C. Circuit concerning the massive OPM data breach, which included the compromise of 5.1 million fingerprints, precisely the same digital data gathered by Six Flags.

EPIC has long advocated for strict limits on use of biometric data. Biometric data is personally identifiable information that cannot be changed, even if compromised. Improper collection of this information can contribute to identity theft, inaccurate identifications, and infringement on constitutional rights. Strict limits on biometric data are the best practice to prevent abuse.

Legal Documents

Illinois Supreme Court

Illinois Appellate Court for the Second District

Resources:

EPIC Resources

News
