SB 98-BIOMETRIC INFORMATION FOR ID

1:35:53 PM CHAIR FRENCH announced the consideration of SB 98 and asked for a motion to adopt the work draft committee substitute (CS).

SENATOR WIELECHOWSKI moved to adopt CS for SB 98, labeled 27-LS0661\D, as the working document.

CHAIR FRENCH objected for discussion purposes.

1:36:19 PM MICHAEL CAULFIELD, staff to Senator Wielechowski, sponsor of SB 98, said version D is substantially different than the State Affairs version B.

The proposed new Sec. 18.14.010 now requires a person who is collecting biometric information to specify a specific purpose when they ask for documented consent to collect the information. Unless the person's biometric information was needed for a specific authorized law enforcement, security, or fraud-prevention purpose, the person can revoke that consent at any time.

Sec. 18.14.020 pertains to the disclosure of biometric information. It states that the collector of the information will not disclose, distribute, or transfer the data to anyone other than organizations that are specifically in service to hold biometric information.

CHAIR FRENCH referenced page 2, line 5, and asked who "a contractor" references.

MR. CAULFIELD replied it references a person or the agent of the entity that authenticates the identity of the person who is providing the biometric information.

Sec. 18.14.030 deals with the sale of biometric information. It states that a person cannot sell biometric information unless the storage entity is acquired by another storage entity. For example, LexisNexis bought out ChoicePoint.

CHAIR FRENCH asked for confirmation that no one could buy or sell his biometric data by itself but the agency that collected the data could be bought and sold.

MR. CAULFIELD answered yes.

Sec. 18.14.040 sets time limits on how long biometric information can be stored. Biometric information will be removed upon request of the individual or when the original reason for the collection is no longer necessary.
The collecting entity has 30 days to notify the storage entity and 120 days for the storage entity to delete the data.

1:39:58 PM Sec. 18.14.050 says the biometric information cannot be used for marketing or general surveillance purposes, but it may be used for specific authorized security or fraud prevention purposes.

Sec. 18.14.060 states that the company or organization that is storing data will do so in a safe and secure manner.

Sec. 18.14.070 is a private right to action. It is substantially the same as the previous version except it now includes the word "knowingly" to ensure the party at fault is the one responsible.

Sec. 18.14.080 and Sec. 18.14.090 deal with exemptions and definitions. They are unchanged from the previous bill version.

1:41:24 PM SENATOR WIELECHOWSKI said most of the concerns that were raised centered on security issues related to the alternate identification section, and he decided to remove that section in order to move forward with the bill. To offset that change he tightened other provisions to increase the security of the information that's collected. Hopefully this will help the bill to gain broader support.

1:42:47 PM CHRISTOPHER OSWALD, Director, State Government Affairs, LexisNexis, Reed Elsevier Inc., explained that the LexisNexis True ID product is an identity verification and biometric authentication solution that is designed to verify identities and face-to-face transactions. These applications help their clients fight fraudulent enrollment and access to controlled systems. LexisNexis Risk Solutions is the repository for biometric data, not the owner. Therefore, they don't sell the data and they don't use it beyond the original purpose for which it was given. This data is held in a secured database in two U.S. locations and domestic customers' data is never transferred outside the U.S.

MR. OSWALD stated that the current version of SB 98 strikes a balance that allows the legitimate commercial use of biometric technology while protecting the privacy interests of the individual.

1:46:36 PM SENATOR PASKVAN asked what specific types of biometric data LexisNexis Risk Solutions collects.

MR. OSWALD replied they collect the information that their customers give them. Right now that's generally limited to fingerprint scans, but in the future it could include voiceprint and other biometric solutions.

SENATOR PASKVAN asked how often LexisNexis Risk Solutions uses fingerprints to confirm that someone took a particular test.

MR. OSWALD explained that they hold the initial fingerprint scan in reserve as a template in order to verify a print compared to that template. Electronic verification can be done as often as the entity seeking the solution requires; this can be in real time or in batches at the end of the day or the end of the week.

SENATOR PASKVAN asked, if someone comes to take a test and gives a fingerprint for ID, what do you compare that biometric data against and how did you get the information in the first place?

MR. OSWALD explained that LexisNexis needs to have an initial fingerprint scan on file. It's at that point that the individual is given notice that their biometric data is being collected and he/she can choose to consent or not. LexisNexis is the matching service and can authenticate that person's identity against that original fingerprint.

1:50:16 PM TERESA JENNINGS, Managing Director, State Government Affairs, Reed Elsevier Inc., compared the large amount of information that LexisNexis holds to a bank vault and a safe deposit box. LexisNexis is a repository for a great deal of information just as a bank vault holds a great deal of money, but they can only verify information about a person's identity based on what the client gives to LexisNexis.
That information is secure like a safe deposit box and can only be accessed by the individual who put the information into the box. An individual's information never gets co-mingled with the rest of the information that LexisNexis holds.

CHAIR FRENCH asked how he, as a person taking the bar exam, would be identified by his fingerprint.

MS. JENNINGS replied your fingerprint will be scanned each time you enter the exam room. The issue has been that individuals will leave the exam and another individual comes in and finishes the test or steals the test questions. She noted that this version of the bill provides a mechanism for the individual to get their information deleted from the system if they no longer need their identity to be authenticated.

1:54:52 PM CHAIR FRENCH asked who makes sure it's really him who puts his fingerprint down the very first time.

MS. JENNINGS replied that would be their client. They determine the information they want in order to verify a person's identity. This could include a driver's license or passport. We don't establish what goes into that safe deposit box, she stated. We simply hold that information and the client tells us when to destroy it or give it back.

SENATOR PASKVAN asked the cumulative number of fingerprints they have in storage in the U.S. in any format.

MS. JENNINGS replied they have about one million records from 86 countries stored in their U.S. facilities, but she doesn't know the breakdown by country.

MR. OSWALD concurred. He added that these countries believe that the U.S. and the LexisNexis security system is the best in the world.

1:57:03 PM TIMOTHY J. PEARSON, representing himself, stated that he is testifying in opposition to the proposed changes to SB 98. First, Sec. 18.14.010(b) addresses biometric data but it doesn't provide any alternate forms of identification. Second, Sec. 18.14.[050] creates a timed-out opt-out system that requires individuals to trust that the collector and the collector's contractor will remove or destroy the biometric data. ChoicePoint in 2006 was fined $10 million in civil penalties and $5 million for customer redress for data security breach charges by the Federal Trade Commission (FTC). The personal financial records of more than 163,000 customers in its database were compromised and at least 800 cases of identity theft occurred. Third, collecting biometric data is a poor security practice; once a person's fingerprints are stolen they'll have to live with the issues associated with a compromised identity forever. Security experts recommend using other techniques like multifactor authentication to establish database, computer, and building security. Eleven days ago the New York Times reported that RSA, the Security Division of EMC, suffered a sophisticated data breach potentially compromising computer security products widely used by corporations and governments. This is relevant in that Sec. 18.14.[070] provides that a collector and contractor can store biometric information using encryption but encrypted security is false security. The only way to protect biometric data is not to collect it. He urged the committee to return to the language in the State Affairs version, which provides for alternative forms of identification. That will really protect the privacy rights of Alaskans.

2:02:57 PM JASON GIAIMO, Net Gain Business Consultants, said it's absurd to say that a passport isn't adequate security to prove identification to take a test. The fact that you can travel the world on a U.S. passport but you can't sit at a computer terminal to take a test because it's not adequate ID is silly. The issue of requiring fingerprints to sit for the bar exam came up in Canada and was ruled illegal under Canadian privacy laws.
There's no reason to mandate collection of employees' fingerprints for security purposes and it would be very risky as a policy in Alaska, he stated.

MR. GIAIMO said the changes in the current version effectively take out all real assurances that Alaskans' data will be protected after it's collected. He urged the committee to put real protection for Alaskans back in the bill by reinserting the provision about exemption from fingerprinting for ID for individuals who present a U.S. passport and driver's license.

2:07:53 PM HORST POEPPERL, Chief Executive Officer, Borealis Broadband, said he's been an IT specialist his entire career and is well versed in IT, data communication, and data storage. The purpose behind this bill, he said, is to prevent the collection of biometric data in the first place. Trying to regulate its use after it has been collected doesn't work. He asked why, if other IDs are used to verify the initial fingerprint, you need the fingerprint in the first place. Any data that's kept is at risk, which is demonstrated by the fact that breaches occur every day. The best protection against these breaches is to not collect the data. Data can also be intercepted, he said, regardless of whether or not it's encrypted. Anyone with reasonable knowledge in data communication can intercept queries that are transmitted across the Internet. Right now information about spending habits, shopping habits, online habits, income, expenses, personal preferences, and where you travel is available. With a thousand dollar printer and an image manipulation program, it's extremely easy to lift and use a fingerprint for whatever purpose. Forget about removing this data once it's hit the Internet or is in someone's database because it's almost impossible to verify that it's gone. The best way to enhance security is to maintain privacy, dignity and rights.

2:14:00 PM CHAIR FRENCH asked Ms. Jennings if she'd say that it's not her company that wants the fingerprints, it's their clients that want them.

MS. JENNINGS confirmed she would say that; their clients set the standards for verifying individuals for a particular purpose and LexisNexis holds the information for the client. She reiterated that LexisNexis completely destroys the information when directed to do so.

SENATOR PASKVAN commented that it's over-inclusive under Alaska privacy laws to require every Alaskan who wants to take a test to consent to fingerprinting because certain companies have chosen this means to target professional test takers. A distinction should be made between job-specific requirements and proof of one's identity, he said.

CHAIR FRENCH observed that the companies who want the fingerprints to verify identity didn't enter the debate today.

2:16:49 PM CHAIR FRENCH announced he would hold SB 98 in committee.