Legislature (2011 - 2012) BELTZ 105 (TSBldg)
03/28/2011 01:30 PM Senate JUDICIARY
* first hearing in first committee of referral
+ teleconferenced
= bill was previously heard/scheduled
| += | SB 98 | TELECONFERENCED | |
| + | SB 15 | TELECONFERENCED | |
SB 98-BIOMETRIC INFORMATION FOR ID
1:35:53 PM
CHAIR FRENCH announced the consideration of SB 98 and asked for
a motion to adopt the work draft committee substitute (CS).
SENATOR WIELECHOWSKI moved to adopt CS for SB 98, labeled
27-LS0661\D, as the working document.
CHAIR FRENCH objected for discussion purposes.
1:36:19 PM
MICHAEL CAULFIELD, staff to Senator Wielechowski, sponsor of SB
98, said version D is substantially different than the State
Affairs version B. The proposed new Sec. 18.14.010 now requires
a person who is collecting biometric information to specify a
specific purpose when they ask for documented consent to collect
the information. Unless the person's biometric information was
needed for a specific authorized law enforcement, security, or
fraud-prevention purpose, the person can revoke that consent at
any time.
Sec. 18.14.020 pertains to the disclosure of biometric
information. It states that the collector of the information
will not disclose, distribute, or transfer the data to anyone
other than organizations that are specifically in service to
hold biometric information.
CHAIR FRENCH referenced page 2, line 5, and asked who "a
contractor" references.
MR. CAULFIELD replied it references a person or the agent of the
entity that authenticates the identity of the person who is
providing the biometric information.
Sec. 18.14.030 deals with the sale of biometric information. It
states that a person cannot sell biometric information unless
the storage entity is acquired by another storage entity. For
example, LexisNexis bought out ChoicePoint.
CHAIR FRENCH asked for confirmation that no one could buy or
sell his biometric data by itself but the agency that collected
the data could be bought and sold.
MR. CAULFIELD answered yes.
Sec. 18.14.040 sets time limits on how long biometric
information can be stored. Biometric information will be removed
upon request of the individual or when the original reason for
the collection is no longer necessary. The collecting entity has
30 days to notify the storage entity and 120 days for the
storage entity to delete the data.
1:39:58 PM
Sec. 18.14.050 says the biometric information cannot be used for
marketing or general surveillance purposes, but it may be used
for specific authorized security or fraud prevention purposes.
Sec. 18.14.060 states that the company or organization that is
storing data will do so in a safe and secure manner.
Sec. 18.14.070 is a private right to action. It is substantially
the same as the previous version except it now includes the word
"knowingly" to ensure the party at fault is the one responsible.
Sec. 18.14.080 and Sec. 18.14.090 deal with exemptions and
definitions. They are unchanged from the previous bill version.
1:41:24 PM
SENATOR WIELECHOWSKI said most of the concerns that were raised
centered on security issues related to the alternate
identification section, and he decided to remove that section in
order to move forward with the bill. To offset that change he
tightened other provisions to increase the security of the
information that's collected. Hopefully this will help the bill
to gain broader support.
1:42:47 PM
CHRISTOPHER OSWALD, Director, State Government Affairs,
LexisNexis, Reed Elsevier Inc., explained that the LexisNexis
True ID product is an identity verification and biometric
authentication solution that is designed to verify identities
and face-to-face transactions. These applications help their
clients fight fraudulent enrollment and access to controlled
systems.
LexisNexis Risk Solutions is the repository for biometric data,
not the owner. Therefore, they don't sell the data and they
don't use it beyond the original purpose for which it was given.
This data is held in a secured database in two U.S. locations
and domestic customers' data is never transferred outside the
U.S.
MR. OSWALD stated that the current version of SB 98 strikes a
balance that allows the legitimate commercial use of biometric
technology while protecting the privacy interests of the
individual.
1:46:36 PM
SENATOR PASKVAN asked what specific types of biometric data
LexisNexis Risk Solutions collects.
MR. OSWALD replied they collect the information that their
customers give them. Right now that's generally limited to
fingerprint scans, but in the future it could include voiceprint
and other biometric solutions.
SENATOR PASKVAN asked how often LexisNexis Risk Solutions uses
fingerprints to confirm that someone took a particular test.
MR. OSWALD explained that they hold the initial fingerprint scan
in reserve as a template in order to verify a print compared to
that template. Electronic verification can be done as often as
the entity seeking the solution requires; this can be in real
time or in batches at the end of the day or the end of the week.
SENATOR PASKVAN asked, if someone comes to take a test and gives
a fingerprint for ID, what do you compare that biometric data
against and how did you get the information in the first place?
MR. OSWALD explained that LexisNexis needs to have an initial
fingerprint scan on file. It's at that point that the individual
is given notice that their biometric data is being collected and
he/she can choose to consent or not. LexisNexis is the matching
service and can authenticate that person's identity against that
original fingerprint.
1:50:16 PM
TERESA JENNINGS, Managing Director, State Government Affairs,
Reed Elsevier Inc., compared the large amount of information
that LexisNexis holds to a bank vault and a safe deposit box.
LexisNexis is a repository for a great deal of information just
as a bank vault holds a great deal of money, but they can only
verify information about a person's identity based on what the
client gives to LexisNexis. That information is secure like a
safe deposit box and can only be accessed by the individual who
put the information into the box. An individual's information
never gets co-mingled with the rest of the information that
LexisNexis holds.
CHAIR FRENCH asked how he, as a person taking the bar exam,
would be identified by his fingerprint.
MS. JENNINGS replied your fingerprint will be scanned each time
you enter the exam room. The issue has been that individuals
will leave the exam and another individual comes in and finishes
the test or steals the test questions. She noted that this
version of the bill provides a mechanism for the individual to
get their information deleted from the system if they no longer
need their identity to be authenticated.
1:54:52 PM
CHAIR FRENCH asked who makes sure it's really him who puts his
fingerprint down the very first time.
MS. JENNINGS replied that would be their client. They determine
the information they want in order to verify a person's
identity. This could include a driver's license or passport. We
don't establish what goes into that safe deposit box, she
stated. We simply hold that information and the client tells us
when to destroy it or give it back.
SENATOR PASKVAN asked the cumulative number of fingerprints they
have in storage in the U.S. in any format.
MS. JENNINGS replied they have about one million records from 86
countries stored in their U.S. facilities, but she doesn't know
the breakdown by country.
MR. OSWALD concurred. He added that these countries believe that
the U.S. and the LexisNexis security system is the best in the
world.
1:57:03 PM
TIMOTHY J. PEARSON, representing himself, stated that he is
testifying in opposition to the proposed changes to SB 98.
First, Sec. 18.14.010(b) addresses biometric data but it doesn't
provide any alternate forms of identification. Second, Sec.
18.14.[050] creates a timed-out opt-out system that requires
individuals to trust that the collector and the collector's
contractor will remove or destroy the biometric data.
ChoicePoint in 2006 was fined $10 million in civil penalties and
$5 million for customer redress for data security breach charges
by the Federal Trade Commission (FTC). The personal financial
records of more than 163,000 customers in its database were
compromised and at least 800 cases of identity theft occurred.
Third, collecting biometric data is a poor security practice;
once a person's fingerprints are stolen they'll have to live
with the issues associated with a compromised identity forever.
Security experts recommend using other techniques like
multifactor authentication to establish database, computer, and
building security.
Eleven days ago the New York Times reported that RSA, the
Security Division of EMC, suffered a sophisticated data breach
potentially compromising computer security products widely used
by corporations and governments. This is relevant in that Sec.
18.14.[070] provides that a collector and contractor can store
biometric information using encryption but encrypted security is
false security. The only way to protect biometric data is not to
collect it. He urged the committee to return to the language in
the State Affairs version, which provides for alternative forms
of identification. That will really protect the privacy rights
of Alaskans.
2:02:57 PM
JASON GIAIMO, Net Gain Business Consultants, said it's absurd to
say that a passport isn't adequate security to prove
identification to take a test. The fact that you can travel the
world on a U.S. passport but you can't sit at a computer
terminal to take a test because it's not adequate ID is silly.
The issue of requiring fingerprints to sit for the bar exam came
up in Canada and was ruled illegal under Canadian privacy laws.
There's no reason to mandate collection of employees'
fingerprints for security purposes and it would be very risky as
a policy in Alaska, he stated.
MR. GIAIMO said the changes in the current version effectively
take out all real assurances that Alaskans' data will be
protected after it's collected. He urged the committee to put
real protection for Alaskans back in the bill by reinserting the
provision about exemption from fingerprinting for ID for
individuals who present a U.S. passport and driver's license.
2:07:53 PM
HORST POEPPERL, Chief Executive Officer, Borealis Broadband,
said he's been an IT specialist his entire career and is well
versed in IT, data communication, and data storage. The purpose
behind this bill, he said, is to prevent the collection of
biometric data in the first place. Trying to regulate its use
after it has been collected doesn't work. He asked why, if
other IDs are used to verify the initial fingerprint, you need
the fingerprint in the first place. Any data that's kept is at
risk, which is demonstrated by the fact that breaches occur
every day. The best protection against these breaches is to not
collect the data.
Data can also be intercepted, he said, regardless of whether or
not it's encrypted. Anyone with reasonable knowledge in data
communication can intercept queries that are transmitted across
the Internet. Right now information about spending habits,
shopping habits, online habits, income, expenses, personal
preferences, and where you travel is available. With a thousand
dollar printer and an image manipulation program, it's extremely
easy to lift and use a fingerprint for whatever purpose. Forget
about removing this data once it's hit the Internet or is in
someone's database because it's almost impossible to verify that
it's gone. The best way to enhance security is to maintain
privacy, dignity and rights.
2:14:00 PM
CHAIR FRENCH asked Ms. Jennings if she'd say that it's not her
company that wants the fingerprints, it's their clients that
want them.
MS. JENNINGS confirmed she would say that; their clients set the
standards for verifying individuals for a particular purpose and
LexisNexis holds the information for the client. She reiterated
that LexisNexis completely destroys the information when
directed to do so.
SENATOR PASKVAN commented that it's over-inclusive under Alaska
privacy laws to require every Alaskan who wants to take a test
to consent to fingerprinting because certain companies have
chosen this means to target professional test takers. A
distinction should be made between job-specific requirements and
proof of one's identity, he said.
CHAIR FRENCH observed that the companies who want the
fingerprints to verify identity didn't enter the debate today.
2:16:49 PM
CHAIR FRENCH announced he would hold SB 98 in committee.