What’s interesting here is that the data was not collected secretly per se. White Castle used finger prints to unlock computers and access pay stubs, so employees had to know what was going on. The ruling is that they did not ask for and receive consent from those employees for years. The employee in question had been having her finger print scanned since 2004, and they only asked for consent in 2018.
Which begs the question, if they asked and an employee said “no”, what happens? Are they fired? Banned from register work?
This - if it requires "consent" but not "informed and voluntary consent", the law is worthless and just increases the amount of paperwork.
If an actual alternative has to be provided, that's a very sensible law. Biometrics can't be revoked, and every use puts them at risk, so making sure people aren't forced to let employers collect their biometrics is a good idea.
Edit: If I read it right, the "consent" is required in the pure paperwork sense, unfortunately. That means for employees it only prevents biometrics from being used covertly.
However, it still has value for non-employees, and the "written" aspect is particularly important here. A supermarket for example can't use biometrics to track people for advertising or theft protection purposes, because they'd first need to stop them at the entrance so they can sign a waiver. No cheating out of it with a small sticker "by entering these premises, you consent" in some corner.
White Castle's complaint against "annihilative liability" is more corporate/institutional exceptionalism. Human persons are often completely financially destroyed by civil suits. I don't see any reason why just because it's a corporate person they should be protected from this outcome. If anything it should be more likely against a corporate person who has no real criminal liability.
A death penalty for the company shouldn't involve all those people losing their jobs, it should involve the wiping out of the existing shareholders and the sale of assets at auction to another buyer, who, presumably, would continue to operate the business in a law abiding manner.
Most American companies don’t just run out of money and close the doors with a shrug. Bankruptcy cases involve selling assets (including brands, employment, etc) to other investors.
Original shareholders lose all their money, as the shares are deemed worthless (debt>>assets). Then new investors want to buy the remaining assets and have to pay the government (or other debt-holders) back for the debts (or the “fair market value” of the assets).
There is no guarantee that this process with oust management, but the new owners may not believe in the ability of the old management after they bankrupted a company. Realistically, companies sometimes go into chapter 11 knowing it’s not the end just to restructure debt.
> If White Castle goes out of business and thousands of people lose their jobs, how is that good for society?
Why would they lose their job? White Castle would declare bankruptcy, someone else will buy physical properties and equipment, and I would assume open a new restaurant(s) there.
Justice does require proportionality. But if only the especially rich get proportionality, then it's not really justice, is it?
I agree it wouldn't be fair to White Castle if they were destroyed over this. But I'm not so sure it's particularly unfair when counted on the "workers vs corporations" scoreboard, or the one for "privacy vs exploitation".
Reminds me of the PG&E situation. You can't actually hold them liable for all the fire damage because they'd have to pass it on to rate payers. I'm not even sure if they can specifically raise rates in areas with high fire risk.
PG&E is in an even tougher bind because the fix (burying the lines) might be prohibitively expensive.
This article makes it sound like White Castle was collecting "biometric data" to invade employees' privacy, as if it were using it to track their movement or connect them to potential crimes.
The reality is "use of workers' fingerprints to access pay stubs and company computers". So it set up a fingerprint reader much like the one I use to unlock my MacBook, or sign in at my doctor's office, or open the turnstile at my gym.
I understand that according to Illinois state law this is illegal without consent, and so legally they missed having employees sign a form. But morally/ethically is there really any problem with this? This is just how iPhones and MacBooks work, for example. Really seems like perhaps Illionis state law needs to be updated to reflect the widespread use of fingerprint readers for authentication on computers, tablets and phones.
When you unlock your MacBook you are opting in to unlock the MacBook and you don't need to use it. Also, it is protected by a Secure Enclave and the actual fingerprint isn't stored.
Reading the bill it even points this out.
Biometrics are unlike other unique identifiers that are used to access finances or other sensitive information. For example, social security numbers, when compromised, can be changed. Biometrics, however, are biologically unique to the individual; therefore, once compromised, the individual has no recourse, is at heightened risk for identity theft, and is likely to withdraw from biometric-facilitated transactions.
Presumably whatever fingerprint reader White Castle used for logins also stored a hash, similar to MacBooks. I don't know of any general-purpose fingerprint readers for authentication that store the original image.
Also I don't see how compromising that hash is a problem in practice, if that ever happened. If it's salted it's worthless, but even if not, I don't know how you'd reasonably physically use it to hack into another fingerprint reader anyways.
That is a huge presumption and, as GP pointed out, the problem is if your fingerprint gets leaked, it's rather difficult to change it. Apple did a great job with TouchID but security experts went all over it trying to poke holes. Most other fingerprint systems don't get anywhere near the same amount of scrutiny. So in an unfortunate turn of fate, Apple's awesome implementation of fingerprint authentication on the iPhone resulted inthe general public being comfortable with fingerprint auth in other places, when they really shouldn't be.
You leak your fingerprints everywhere you go on every surface you touch. Fingerprints are highly convenient but they have never been an especially secure mechanism for locking devices.
But, and here is the important part, those 'leaked fingerprints' in the wild are not digitally preserved. It would actually take some effort to preserve on a scene. The comparison is not apt.
I'm not sure that this is true with 15+ MP cameras shipping even on burner phones. I've been amazed what can be extracted from a photo of a dinner table at 20MP.
Yeah it just seems like a bad idea. It's like we never got over how cool it is that fingerprints can be a unique identifier, and we jut assume it must be a good one.
The point is that reader has those preserved and stored somewhere, while fingerprints that a person just leaves about by going about their day are not. Just the fact that they are stored is an issue. Note, this is a response to the original question of 'pfft, a person leaves fingerprints all the time anyway'.
A fingerprint reader doesn't need to store your fingerprint, it needs to store a hash sufficient to distinguish it from other people who are likely to try to unlock it.
nb iPhone Face ID has additional protections, like each scanner using a different random physical pattern so hashes can't even be transferred across devices.
Distinction without a difference. My argument is that fingerprint is digitally preserved; not that it is an exact replica of a fingerprint. If it only compares a hash, it is still a biometric record and that hash has to be somewhere to be compared against ( which itself opens an interesting can of worms depending on the implementation although I do have some level expectation from Apple engineers that it was not botched ). You seem to be too focused on technical implementation and relative security of a given solution.
In other words, I am willing to buy an argument that Apple's implementation is better than some other implementations out there, but it does not apply to this case, because it was not Apple's Face ID that we are discussing.
> Also I don't see how compromising that hash is a problem in practice, if that ever happened. If it's salted it's worthless, but even if not, I don't know how you'd reasonably physically use it to hack into another fingerprint reader anyways.
If an attacker had a fingerprint and wanted to figure out who it belonged to, they could hash it and compare the hash against a database of leaked names and hashes. Salting doesn't prevent this, unless the hash is intentionally slow, in which case the attacker would merely be slowed down.
Also, how much entropy is in a fingerprint anyways? If it's low, an attacker could generate every possible fingerprint and hash it to build a mapping from hash to actual fingerprint.
Since humans only get one set of fingerprints for life, fingerprints should only be stored and compared on secure enclaves on your own devices (like iPhones). It's way too risky otherwise.
>Since humans only get one set of fingerprints for life, fingerprints should only be stored and compared on secure enclaves on your own devices (like iPhones). It's way too risky otherwise.
This exactly!! QFT!
No biometrics should ever be used for shared or public devices! Biometrics are fine for personal devices that are always with us, and not shared by others, especially anyone outside our family/household.
I've made my peace with biometrics as far as unlocking my phone via fingerprint. My threat model is such that a fingerprint lock is often safer than pecking in a long password. (Because I'm often surrounded by shoulder surfers.)
So yeah, if a restaurant is forcing employees to scan fingerprints (or retinas or DNA or saliva or what have you) on public or shared devices for purposes of clocking in, or payroll, or whatever, then that is wrong and a perversion of biometric authentication. The company would be much better served by a correct application of security techniques.
And yes, if this means going back to passwords for awhile, then so be it. Passwords are a good first-line auth measure for shared devices that are not open to the public (let's assume that this restaurant's devices were only physically accessible by employees in the back office or something.)
Another idea is to let the employees authenticate using their smartphone. My bank has something set up with this. You install a smartphone app, it authenticates you, and it vouches when you set foot in the bank so that the teller already has your account pulled up. Then, in terms of biometric locking for the smartphone, knock yourself out; the company has no need to collect the data, just interface to an app.
You’re assuming a lot here. Most IOT security is on shaky ground. They probably went with the cheapest vendor too. There isn’t a compromise reported but I’m willing to bet that whatever was implemented was very insecure.
If the fingerprint worked across multiple computers, they did store the fingerprint. Maybe it wasn't an image, but it would need to be informative enough to distinguish between multiple employees. Embedded fingerprint readers only provide a matches user/doesn't match user result.
There’s no technical reason why they couldn’t share hashes across devices. It might be specific to a particular model of scanner but presumably they’re buying a lot of a standard model.
> Presumably whatever fingerprint reader White Castle used for logins also stored a hash, similar to MacBooks.
Presumably they would have checked if their policy was legal before implementing it too. The problem is that they haven't really earned the presumption of diligence in this matter.
I may have missed this. Were they storing hashes of images or points of images- or were they storing the original image? Any platform worth its salt would hash and salt the fingerprint data and it'd be worthless elsewhere as other systems would have different hashes.
This feels like pearl clutching to me. While it's probably technically true that having your fingerprint leaked increases your risk of identity theft by some non-zero amount, in the overwhelming majority of the cases it's effectively zero, because for the overwhelming majority of people the only place they have their fingerprints enrolled is on their phones. In the event you somehow acquire stolen fingerprint image data, it will be very difficult to use those to perform identity theft at mass scale, because you need physical access to phones.
>and is likely to withdraw from biometric-facilitated transactions.
What "biometric-facilitated transactions" are these? Aside from fingerprint unlock on phones, I'm struggling to come up with cases where fingerprints are used to secure sensitive information.
> What "biometric-facilitated transactions" are these? Aside from fingerprint unlock on phones, I'm struggling to come up with cases where fingerprints are used to secure sensitive information.
Phones have become people's defacto computing device, that they link to all kinds of personal, private, and governmental accounts. Medicare, councils, state accounts, bank details, taxes, private chats, private images and videos, work accounts, work documents, work chats, group memberships, on and on. Think of any sensitive information possible, someone is storing it on their phone. Most people have their phone as the center of their information technology worlds.
If access to that isn't concerning then there isn't much else that could change your mind I don't think.
My claim isn't that your phone doesn't contain sensitive information, or that a stolen fingerprint image can be used to unlock your phone, it's that the attack is very unlikely to be carried out, scales poorly (you need physical access to the phone), and there are a dozen other ways of obtaining the same result (ie. lifting the fingerprint off the phone or a nearby object). It's not as simple as hacking into the HR system's fingerprint database and you get all the employees' dickpicks at your fingertips.
It would work the other way around I think, steal someone's phone then look it up on the database. But you're right, it's not the vector I would be most worried about either.
> Most people have their phone as the center of their information technology worlds.
Those people are foolish. Putting all your eggs in one basket and then whining about the consequences is a sign of bad character. Besides that it’s pretty irrelevant to the topic at hand, which is whether fingerprint readers are an acceptable means of securing digital transactions. In fact you seem to be suggesting they are, by proxy.
Any one of those accounts is sensitive, even if you just had one it should be protected. But also, in matters of policy we don't really care about someone's character, we care about how it impacts everyone.
Since everyone has a phone now, that means technologically illiterate people are using them for whatever their authority figures tell them to. They trust those entities, and perhaps they shouldn't, but that is the reality. Any policy that doesn't cater for the reality is bad policy.
Smoking is a historical example, at one point doctors, movie stars and media all told you smoking was good for you. Now, decades later, health policy has to take into account that people smoke. Maybe one day down the line there will be regulation on companies as to how they influence people to use their devices, but for now we accept that people put sensitive info on their phones.
I disagree with you in principle, just because the phone is the only avenue that has so far made use of fingerprint biometric data doesn’t mean it won’t be used more in the future. (It seems to be used here for paystubs, so it is possibly getting more reach currently). Looking at it from a tightening of cybersecurity perspective it would make sense if people thought to add it as a second factor.
“The building isn’t on fire currently so there’s no need to move the gas can away from the fireplace.” Isn’t a compelling argument.
If you're out to frame someone for a crime, I have a feeling that you're not going to stop just because you can't buy the victim's fingerprint on darknet markets. You can follow the person around and lift fingerprints off objects that he touched, for instance.
"Do you realize how easy it is to get a person’s fingerprints?"
Very easy. Though, it's more difficult to get a specific person's fingerprints. Frankly, this is a terrible argument. Fingerprints require an escalation from the digital world to the physical.
Physical security keys are great for exactly this reason. If you want my account, you must break into my home. That fundamentally changes an attacker's calculus.
It's optional on the devices you mention. It's not a requirement. In the court case, there was no way for an employee to opt out, short of quitting.
My company (about 2,000 employees) issues iPhones to its employees. You are given a choice of face scanning or fingerprint scanning device. You do not have to use either method: you can choose a suitably long PIN, instead.
If you choose to use biometric access, HR send your a 15-page document to sign, and you have to take an online course about biometric privacy.
I think if more companies did that, society wouldn't be so casual with giving away their biometric data.
We are incredibly casual about giving away our biometric data - most societies don't constantly wear face masks (with obvious exceptions for women in the middle east), the past few years excepted. Gloves aren't that common either. You leave your face and your fingerprints everywhere, if anyone is looking. They're just not, typically, because it doesn't matter.
That's silly since there are no biometric privacy risks to enrolling in Touch ID (it doesn't save images or let anyone view them). Otherwise you'd have to take a class after buying a phone.
I don't work in tech. Yet it has always seemed obvious to me that, since biometrics cannot be changed, they are a "username" at best, not a "password". So why are they treated like the reverse so often?
Your password is just to prove that you are using your username. You really don't need a password, if you have perfectly honest users or a fool proof way of preventing people from using usernames that aren't theirs.
I doubt either of those will ever exist which is why passwords and other MFA techniques will always be necessary. But I don't think that addresses that biometrics are more suited to identification rather than authentication...
There are plenty of places where quick and easy authentication is important, and some amount of hard to fake is desirable, but it's not important enough for a strong password. Fingerprint readers are harder to fool than a 4-digit pin and unique enough that a mid-large group of people won't have any confusion.
Fast food sign-in is the perfect low-stakes use of fingerprints. There's some real baggage from when they were harder to gather and how they're used in law enforcement as to why they're considered sensitive, but they're really not. Getting the law and society to agree will take some time, though, and there's a ton of reactionary forces trying to hype up the threat.
yup, see every action scene where the hero subdues the guard standing in front of a biometrically secured door, then uses the knocked-out guard's hand to open the door
It's fine if they can't be changed if they're difficult to read or recreate.
In public, biometric auth is better than passcode auth for this reason, because other people (or security cameras) can watch you enter a passcode on your phone.
Besides, fingerprints can be changed. With a blowtorch.
True, but there's also the fact that you can be "compelled" to provide your fingerprint more easily than a passcode. The blowtorch seems a bit drastic!
1. Biometrics can't be revoked, so if your gym leaks your fingerprint images (linked to your name), that's a mistake that in practice simply cannot be fixed. You just can't use that finger for sensitive biometrics ever again. People should not be forced to take the risk.
2. It's hard to distinguish between biometric surveillance and "good" uses of biometrics, and they can fluently blend into each other. The law draws a rather clear line and has to enforce it.
Should a company be allowed to use biometrics to make sure you don't let your brother sub in for you? Preventing fraud like that is a noble goal, but how far do we want to allow pervasive biometric surveillance to go? Should stadium owners be allowed to ban people? Should they be allowed to ban all employees of a law firm they don't like? Should they be allowed to surveil everyone's faces with a biometric system for this purpose?
The lines between "perfectly reasonable" to "Black Mirror dystopia" are fluent, and the way there consists of many steps that individually seem reasonable (preventing crime is good, right?) and yet the outcome is something we don't want. This is why the law exists, this is why it also hits some "legitimate" uses, and this is why consent (if implemented meaningfully, in the voluntary, GDPR style sense, not in the "you have to sign here or you will be excluded from normal life" sense) is such a powerful tool: It generally lets the harmless stuff happen and prevents the dystopia.
> Biometrics can't be revoked, so if your gym leaks your fingerprint images (linked to your name), that's a mistake that in practice simply cannot be fixed. You just can't use that finger for sensitive biometrics ever again. People should not be forced to take the risk.
Fingerprint scanner systems don’t store photos of your fingerprint. They store information that can be used to match against your fingerprint within their own system, but they can’t be used to reconstruct your fingerprint.
Many fingerprint scanners are just optical and just return an image of the finger, and it is up to the implementation of the security software as to whether or not that image is converted to a hash and/or disposed of securely. And just like password hashes, some fingerprint hashes can be broken.
This is what I found on my laptop when I got the fingerprint reader working: The scanner was surprisingly low-resolution (92x62px), and nothing like the "5000ppi super secure" scanner I was expecting... The driver would get a scan from the reader and the driver passed that scan on to whatever was asking for a scan. Not so secure.
Regardless fingerprints are really bad for security because they can be detached from the finger or recreated from things you touch. They are probably slightly better than nothing, but with such low resolution, I suspect that if we let 100 random people try to unlock my laptop with their finger... someone would get in... but I could be wrong.
I don't really think there's such thing as a "good" or "bad" authentication factor. The suitability of an authentication scheme is entirely dependent on the requirements of the problem one is trying to solve.
For identifying a fast food worker at a cash register, they are (functionally, not legally or morally) a good fit for the problem, because they are hard for a coworker to replicate, and not likely to lose. For applications in which you need to protect against high skilled attackers, they're not as great.
a) the data can often be used to recreate a fake fingerprint that isn't identical but will be accepted, sometimes even by systems from different vendors
b) what they actually store varies, and I'm sure some systems do just store the picture (your passport does, for example), some likely don't store it in the database but happen to have a temp folder somewhere with everything they scanned, and some claim they don't store it and then store it under advanced military-grade 512 bit RSA encryption with the key stored next to the images.
The software quality of biometrics systems is among the worst I've seen. Worse even than embedded/IOT stuff.
> the data can often be used to recreate a fake fingerprint that isn't identical but will be accepted, sometimes even by systems from different vendors
The architecture of this system, in which fingerprints are captured at a local terminal and transmitted to a third party vendor over the network, is explicitly a source of added liability due to how the law is written, where disclosure to a third party is its own separate offense.
Well, my current job required my fingerprints for security check ( which in this case was reasonable; I have too much access to crap as is ), but, not completely unlike non-competes, I am not sure this is a reasonable request to ask of your burger flippers. It is a little extra bad, because this group is even less likely to complain, because 1: they are young and don't know any better 2: they are likely to be paid peanuts 3: their need of a job overrides any other consideration
All three indicates a type of person that should be protected from random idiocy of an employer. It is not often that I praise IL for anything, but the biometric law is one of those few instances.
it didn’t make sense to me that every swipe is considered a collection by the court, only enrollment is collecting the fingerprint, the other swipes are making comparisons, not collecting new data.
This isnt about fingerprints. This is about a large corporation not reading a law. This is about recklessly adopting a new business practice without first consulting basic legal advice. The big numbers will get knocked down eventually but they are going to be rightfully on the hook for millions.
Honestly it's pretty easy to see this fall through the cracks. Because it's one of 50 sets of state law, and it's entirely non-obvious that there would be a law around fingerprint readers in the workplace at all.
The IT person who decided to adopt it would have needed it to occur to them to check with legal. And I can imagine that for most people it wouldn't occur to them. Any more than you'd think to check with legal about whether a password should require at least one punctuation character.
I'm not defending White Castle here but neither do I think it's anywhere close to "reckless". I think it was just a normal day to day IT decision that nobody thought anything of.
In other words, there was probably no criminal intent here nor recklessness. Just ignorance of a relatively unknown statute, that sure you should pay a reasonable fine for. Not a big deal.
I knew about the biometric law. I’ve worked in places that collect biometric data. It’s your job to know these things when you do this work. At the very least, that law makes an appearance on HN regularly.
No law is truly obscure anyways. because they’re all written down for your corporate lawyers to check when you start business. White Castle operates in many states with over 100 years of corporate history. The idea that they couldn’t be bothered to check the laws of all the states they operate in before making changes is not only foolish but if true illustrates a greater sense of recklessness. If you operate in Illinois, you should check the laws in Illinois.
But you understand that it's easy to imagine nobody was aware of doing "biometric work", and that it's something corporate lawyers would easily never be alerted to and never become aware of on their own.
Like I said, an IT guy decides to install fingerprint access for computer access for franchises nationwide. They're not an expert on biometric security, they just thought it was a good idea.
As laws go, this one is not exactly common knowledge. Even corporate lawyers in a state aren't aware of every statute in every area of law -- they have specific areas of expertise. Hiring a biometric security lawyer is not something you do unless you know you have a reason to, if you're just a fast food company. It's not like lawyers review every tiny action by every single employee and contractor. It's easy to see how things like this slip through the cracks.
The only excuse they have is the fingerprint scanners were installed before the law.
If an IT guy is making a change to accessing payroll that affects 10k employees… it’s corporate lawyer time. I would never touch a payroll system or related (eg time tracking) without labor lawyers at a minimum. This wasn’t a casual IT guy plugging a usb fingerprint sensor into a computer in the break room of a mom and pop sandwich shop. It was across an entire national chain and they were transmitting and storing prints with multiple third parties. They totally had contracts reviewed and lawyers involved already.
By now (maybe not in 2008) everyone should know that if you touch personal data or god forbid medical/biometric at all you should get a privacy lawyer review. It’s 2023 and even Facebook asks for consent. At my previous job we’d schedule a lawyer call before started logging new data or updating schemas in a database. Only takes 15 minutes to explain, and a business day for preliminary research on the lawyers part.
White Castle started requiring consent in 2018 co-timed to when a major employer in the state was sued for the using fingerprints for payroll. So someone must be paying attention to something, just not soon enough.
Well, if it met the legal definition for recklessness then the leadership would be sued by the shareholders. That isn't this. This is reckless as in not-smart rather than per se. They will have to pay a price so that lawyers for a thousand other companies can walk into the next board meeting to say "See, I told you and I was right about that fingerprint thing last year!" They will be punished, but the courts will not allow this to destroy the company.
They should. Big business means you front the costs to do proper business. if you make billions and cannot do your legals....too bad. that money will be theirs soon
While it's certainly not Google, White Castle had 2019 revenue of $720 million, and has around 10,000 employees. A little more than just a "sandwich shop".
No, really, it is just a sandwich shop. All those shops could be sold off to pay a fine for this violation. We need to stop thinking a corporate entity and/or brand image deserve to be protected from the consequences of lawbreaking. This is the misperception that makes white collar crime, which is often several orders of magnitude more damaging in monetary value than street crime, published far less than the size of the crime would suggest.
This is a weird one to me. To not consent to having your fingerprint scanned yet continuously doing so seems questionable. To do something for years without issue and then sue long after the fact doesn’t feel like justice.
It feels to me that providing your print to begin with without coercion fulfills consent. I understand that the need to keep one’s job can be seen as coercion but I am confident the percentage of employees that actually objected at the time was negligible.
>It feels to me that providing your print to begin with without coercion fulfills consent. I understand that the need to keep one’s job can be seen as coercion but I am confident the percentage of employees that actually objected at the time was negligible.
This comes across as a pretty privileged take. For many fast-food workers, a few things are true:
* They have no money or other job opportunities
* They have a legal requirement to work (parole, child support, rehab)
* The local franchise operator is influential and owns multiple franchises
* Already owed pay (and already spent pay) are locked behind these barriers
* The average fast food worker doesn't have education or resources to challenge them
It absolutely is coercion, and another arm of corporatism.
Have I got news for you, poor people are people. They’re not the hapless imbeciles you make them out to be, they are just as capable as you and I, and they have just as much access to information as you and I.
We live in a literal world of plenty for unskilled jobs. They exist everywhere and they are screaming for workers. We literally don’t have enough unskilled workers to fulfill the need.
If you can work fast food you can work in a shop, you can deliver packages. The person who HAS TO work at White Castle or they die simply does not exist. Figment of the imagination.
Way to double down on your biases. I assure you these people do exist. Work in a shop? What shop doesn't require skills? Deliver packages? Usually need a drivers license, no criminal background.
Not everywhere is San Francisco. When you get to rural IL, there's not endless jobs. There's hardly any. Many people working fast food need the flexible schedule, or can't speak English well, or any other of a multitude of other reasons. Also, the complaint is from 2008, not this temporary strange job market that has recently developed.
If what you say is true, and it's so easy to find gainful employment elsewhere, why is anyone working at these places to begin with?
He’s right, you’re infantilizing then and removing any agency on their behalf. I’ve worked minimum wage jobs and around unskilled labor for half my life and I guarantee you that they’re people too and can make their own decisions.
One, I'm not even the person who made those claims. Two, I have also worked minimum wage jobs and believe that I too am a person with agency. And three, noting that people have different levels of privilege is not denying them humanity or agency.
Indeed, privilege-based analysis is often used to get recognized as human groups that are often treated as less than that.
I strongly disagree. This presumes that the employee is a free agent able to decline - this is rarely unambiguously true in the US economy, particularly for service workers. Employees may also have extremely limited negotiating power and be forced to accept a "shrink wrapped" contract.
Reasons the employees might not consent but still go through with the fingerprinting.
- Every other employer mysteriously started doing the same thing as their owned by the same franchise owner and/or their friends.
- There are no other employers.
- You live paycheck to paycheck and can't just quit a job.
- Commuting to a different site would increase your gas bill.
- The extra .25 that BK pays is necessary for you to live.
That's all speculation and frankly has nothing to do with whether White Castle violated the law or the spirit of the law. Either way, I can't agree. If everything a potential employer requires you to work there is considered to be "under duress" then we've got bigger problems on our hands. Namely, lots of slaves in the US.
If these employees are receiving any sort of public benefit, or become involved in some legal claim, or basically just need to prove their income to someone, they will absolutely require pay stubs. If they're not able to come up with proof of income, they could be denied Medicaid, Social Security, Section 8 housing assistance, SNAP "food stamps", WIC, TANF, or all sorts of other benefits that they would be entitled to, if only they could prove that they're earning a legitimate income from their employer who is required to provide pay stubs in an accessible fashion (they used to be simply attached to the paper check, or mailed via postal service; how complicated was that?)
>providing your print to begin with without coercion fulfills consent
Informed consent? Absolutely not. People here are arguing that the poor white collar employees and execs of White Castle couldn't possibly be expected to understand the nuances of installing fingerprint readers. So how could minimum wage workers, many of them minors, be expected to understand the issues at play?
Absolutely. There's 0% these employees weren't consenting to fingerprint scans when accessing their paystubs. My question is, if they didn't consent to having their fingerprints collected, how did they have the fingerprint to begin with? I'm not reading anything claiming the employees were held down or that prints were secretly pulled off of surfaces. They very obviously consented. Below are the law in question and the opinion. Dissent is interesting.
My question is what would happen to an employee who refused (as I would) to the collection of their fingerprints. If they'd lose their job, that'd mean they were being subject to coercion and consent was not given.
That's not coercion. If an employer can coerce an employee merely by requiring some compliance actions to remain employed, our legal system has a much bigger problems on its hands than this case.
From the wiki, coercion is distinguished by things like:
> the intent, the willingness to cause harm, the result of the interaction, and the options available to the coerced party
If the intent is to get people to hand over sensitive data knowingly violating the law and putting people at risk because it makes things easier for the company, I think there's a case to be made that it is coercion. White castle employees aren't exactly known for having a ton of "options available" either. I doubt very many employees have dreamed of working there because of their passion for steamed meats or love for the company. Seems like more of a "when I have zero other options" kind of career move to me.
> To do something for years without issue and then sue long after the fact doesn’t feel like justice.
Perhaps the person didn't know Illinois had a biometric privacy law? Imagine you're company has been making you do something you hate for years, then you discover it's illegal. You'd absolutely want to sue, and to have lost that right because you waited is unjustified.
Imagine being in prison and getting raped by some guy in the shower yet you keep taking showers. You adapt to hostile conditions out of neccesity and helplessness.
That's an extreme, but you get the point. When the law says get consent, it clearly means there is none implied by participation. Even if the employee signs a paper on their own volition granting consent, your inability or refusal to obtain that consent makes you a violator of the law because as far as you know and can prove in court, your finger print collection was being done without you specifically knowing about that employee's consent. It is your state of mind and intent that is a violation of the law .
Coercion was never a factor in the law. Even if you wanted your fingerprints taken, you can still sue them for taking it without consent. It is a restriction put into place to enforce a practice.
Another example would be medicine, even if you took medicine knowing possible side effects, the maker of the medicine is still culpable if they don't follow FDA rules.
You can't say consent was implied when the law is telling you a definition of what viable consent is in a specific way. You can't just ignore the law and make excuses or blame the employees. On their part, they only have to prove that fingerprints were taken and consent was not. If you are they can just quit, then the entire point of the law is sl they won't have to and instead punish the company.
Have you ever read a tech site where the articles were generally well-written and insightful? The authors who cannot get jobs with that site need somewhere to work too.
A. The Register has been in decline for a long time. Take a look at their headlines and stories a decade ago, far more interesting and bombastic.
B. The service that shall not be named is probably infiltrating more journalistic output than we think without us noticing. So attractive when you're overworked... (also notice the short paragraphs the article and the service share)
C. As for the lawyers... they don't want "annihilative liability" and are doing everything they can to prevent such an outcome.
I don't have enough information to form strong opinions about this specific case, but
> what White Castle's lawyers described as "annihilative liability"
sounds like something that should very much be on the table more frequently when large companies have repeated egregious violations of law as is alleged here.
This is a common tactic in law suits. Go for the biggest flashiest number, to set the tone. It also helps shareholders be more willing to see a large settlement.
In this case, they’re alleging every finger scan violates consent while White Castle says they should settle with the initial scan violated consent -once per employee.
If the initial suit was for a more modest sum and a more modest allegation, White Castle may never have even considered admitting fault. I agree though, that we need laws with teeth so big companies can’t consider it a cost of doing business. The 17B number could wipe out many businesses entirely. Maybe they should. Chapter 11 protects the economy and jobs by ensuring the organization could still run, just with shareholders losing out.
This is silly. They’re being penalized for not adding a legal form to their onboarding.
There’s no real option to say no. Biometric auth is a condition of employment. If you can’t say no it’s not consent.
The punitive judgement would in no way protect citizens from future abuses. It’d just make every company spend more on lawyers.
I don’t disagree with protecting people from having their biometric data collected without consent, I just don’t think another page of incomprehensible legal bullshit in your hiring packet does anything to protect anyone.
Again it’s not consent if you can’t say no. If it’s a condition of employment many vulnerable people cannot say no.
So they implemented the fingerprint system in 2004, but the biometric law was enacted in 2008. Yeah, suddenly they were breaking the new law, but whose job was it to continuously monitor all the state/local laws and ensure compliance? Not every business gets this right and they should not be severely punished when behavior that had been legal for years suddenly became illegal. Obviously White Castle did not intentionally violate the 2008 law when they implemented the system in 2004.
24 Hour Fitness gyms asks for a fingerprint/thumbprint on each visit. Is this not legal?
It doesn't work well for me: I always must make multiple login attempts and inevitably an employee must intervene and approve. I miss their previous system which used a simple bar code.
This raises the question of whether corporate "death penalty" verdicts should be enforced. Corporations are just a collection of assets, as their management will remind you when they are bought and sold (even though they are portrayed as "persons" when "speaking" with money).
This is outlier example, but why should any corporation that created an environmental disaster not pay what a complete liquidation of assets would yield, if that is less than the cost of remediation? Asking for a friend in the railroad business.
I totally love this idea, and would love to be able to think up a way to make it viable. My concern under current law in most countries is that it's just going to lead to the proliferation of the complicated ownership structures like we see today, where the entity operating the assets is completely separate (legally) from the entity owning the assets. Imagine a world where every train and every track is owned by a separate LLC, with complicated usage agreements shared between them, but somehow still all owned by a handful of "blameless" holding companies.
To have a debate about this we really need to add some precision to some of your terms. When you talk about "complete liquidation of assets" there's sort of two things that come to mind, and I'm not 100% sure what you mean.
Option one is what I would call a reorganization: the rights of equity holders are terminated, and creditors (which would include beneficiaries of civil judgements) get some fraction of what they are owed, through a combination of keeping some portion of their existing claims, receiving cash received from selling new stock, and receiving some amount of new stock. Crucially, the business keeps operating when this happens, it's really just reorganizing the capital structure, not doing much to actual business operations.
Option two is a true liquidation: the business stops operating, all of its assets are sold, and the proceeds distributed to creditors and then the corporate entity simply ceases to exist.
The original debate about the "corporate death penalty" arose from how Arthur Anderson was treated in the wake of the Enron scandal. In that case, AA was criminally indicted. A criminal conviction is a huge problem for a public accounting firm, because convicted felons can't be CPAs or audit public companies. Indeed, it was ultimately convicted and barred by the SEC from auditing public companies. But it actually collapsed far before that, basically immediately after the indictment, as all of its clients saw the writing on the wall and dropped them. This was an option 2 liquidation.
Personally, I would only consider an option 2 liquidation the "corporate death penalty". In the case of your friend in the railroad business, it's probably not the socially optimal outcome because you would actually get more money for the victims through an option 1 reorganization than option 2 liquidation. In general that's why option 2 should be sparingly applied: it reduces the resources available to compensate victims, and inflicts collateral damage on employees, vendors, and customers who mostly didn't do anything wrong.
In addition to option 1 and option 2, some people also consider simply indicting a corporation as the "corporate death penalty" because of how in the case of Arthur Anderson, the criminal indictment did pretty much immediately cause option 2. I think that that position is not really consistent with the facts, however. There are at least 54 publicly traded companies that received criminal convictions between 2001 and 2010; 37 of them were still around in 2013, only 5 failed, and of the 5 it doesn't really seem like the conviction had much to do with their demise[0].
Just the costs make the human death penalty hard to justify as "socially optimal" but it's done anyway, despite even the supposed deterrent value being debunked.
In the corporate case it has the positive effect of punishing a management structure that allowed/enabled the injury.
they're so deliciously awful. It's like raw grease with a bit of burger-flavored material between pieces of pure carbs made zesty with sweet pickle-adjacent pucks.
Which begs the question, if they asked and an employee said “no”, what happens? Are they fired? Banned from register work?