Anything You Say May Be Used Against You: Corporate Voiceprint Tactics Trigger Latest Privacy & Security Concerns

By Shruti Panchavati*

“We raid speech for its semantic meaning, and then discard the voice like detritus leftovers.”[1]

I. Introduction

Work is being done to integrate various biometrics into mobile devices, but the human voice is a natural choice for businesses because public attention on voiceprinting is shockingly low.  For instance, it came as no surprise when privacy concerns began to take form even as Apple unveiled its fingerprint scanner on the newest iPhone 5S;[2] lawmakers and advocates declared it a hacker’s “treasure trove.”[3]  And yet, despite its obvious functional similarities, Apple’s voiceprint scanner “Siri” has received little public scrutiny, suggesting a widespread misunderstanding about the human voice, one that mobile giants have been quick to market.[4]  The result is chilling: in the absence of legal and regulatory guidelines these corporations could be on their way to creating the largest name to voice database, without even trying.

An increasing number of mobile companies are combining voiceprint technology with broad privacy policies to gain an unfettered right to collect, store, and use an individual’s data for an indefinite period of time.  This Article examines Apple’s voiceprint policy and argues that modern-day remedial strategies have failed to protect users’ privacy and security.  In response, states should adopt and implement California’s Right to Know Act, which would allow users to access and track their digital footprint.  Part II of this Article highlights the sweeping implications of corporate voiceprinting.  Part III exposes the wide-reaching privacy and security implications in Apple’s ill named “Privacy” Policy.  Part IV recommends a practical, effective solution that balances the privacy concerns of the user against the commercial interests of the mobile industry.

II. An Audible Signature

Voiceprinting (also referred to as “voice biometrics”) creates a mathematical representation of the sound, pattern, pitch, and rhythm of an individual’s voice, which can then be used for any number of purposes, such as recognition or identification.[5]  The technology has the distinct advantage of basing authentication on an intrinsic human characteristic—the human voice.  It is our audible signature and, just as no two fingerprints are alike, no two voices are alike.[6]  It is also a powerful guide to the speaker’s most terrifyingly intimate details.[7]  With just a few words, the voice can reveal an individual’s gender, age, height, health, emotional state, sexual orientation, race, social class, education, and relationship to the person being spoken.[8]  It is a remarkably rich resource that is largely taken for granted, in part, because of the spread of mobile devices.

Mobile technology appears to have dissociated the voice from the body, lulling the public into a false sense of security about corporate voiceprinting.  To see its implications, consider that financial service organizations have already implemented voice biometrics to allow users to check account balances, make payments, track transactions simply using their voice.[9]  Additionally, governments across the globe are investing in voice biometrics that would allow them to tuck away millions of voiceprints for surveillance and law enforcement.[10]  Indeed, the human voice is now more valuable than any password or PIN number and widespread corporate collection, storage, and use of our audible signatures raises grave privacy and security concerns, begging the question: can mobile companies be trusted to handle this technology responsibly?

III. Unraveling Apple’s Voiceprint Policy

On October 4, 2011, Apple unveiled the iPhone 4S with Siri, a built-in interactive personal assistant.[11]  While it was not the first foray into speech-recognition technology,[12] it is the most popular and, after only five months of availability, the iPhone 4S sold about 15.4 million units.[13]  It is undoubtedly a remarkable technological achievement, but combined with its overbroad Privacy Policy, it can have many unforeseeable consequences for innocent users.

Apple’s iOS7 Software Licensing Agreement, in relevant part, notes that, “[w]hen you use Siri or Dictation, the things you say will be recorded and sent to Apple in order to convert what you say into text and to process your requests.”[14]  In other words, anything said to Siri is recorded and sent to the company’s data farm in North Carolina, where Apple converts the spoken words into a digital code.[15]  Not mentioned in the Privacy Policy is that the company assigns each user a randomized number and, as voice files from Siri requests are received, the data is assigned to that number.[16]  After six months, Apple then “disassociates” the user number from the voice clip, but maintains records of these disassociated files for up to eighteen months for “testing and product improvement purposes.”[17]  However, it remains unclear what Apple really does when it “dissociates” these files or what it means to use user voiceprints for “testing and product improvement purposes.”  Moreover, without any regulatory oversight, there is no guarantee that Apple ever actually deletes these records after eighteen months or at all.

Siri’s Privacy Policy further states that “[b]y using Siri or Dictation, you agree and consent to Apple’s and its subsidiaries’ and agents’ transmission, collection, maintenance, processing, and use of this information, including [the user’s] voice input and User Data, to provide and improve Siri, Dictation, and dictation functionality in other Apple products and services.”[18]  This information collected includes “all types of data associated with your verbal commands and may also include audio recordings, transcripts of what [is] said, and related diagnostic data.”[19]  What Apple is referring to here is a voiceprint, so by signing the licensing agreement, a user consents to the company’s collection, storage, and use of their voice biometric data.  Additionally, Apple gives itself the right to share this data with any of its unnamed partners and subsidiaries without notice or cause and for an indefinite period of time.

It may be argued that Apple and other like companies know better than to misuse user information because it would be poor public relations strategy.  There is no evidence to prove that corporations are currently exploiting their position.[20]  However, the problem remains that no one—users, lawmakers, privacy advocates, or politicians—knows what is happening behind closed doors and Apple is not saying either way.[21]  Personal data economy has become a largely elusive and highly lucrative world and, as always, real concern in privacy and security is not what is happening, but what could happen.

IV. Recommendation & Conclusion

With the widespread use of voiceprint technology in mobile phones, it is no surprise that companies, such as Apple, have digital portfolios on each user.  Banning voice biometric technology is not a desired option and admittedly companies do need some information about a user and his or her preferences to operate applications, such as Siri, efficiently.[22]  However, present-day remedies do not provide sufficient protections against corporate intrusions and data thefts.[23]

In the face of this dilemma, California’s “Right to Know” Act sets an unprecedented level of corporate transparency that gives users the right to access and track their own private data.[24]  Specifically, the Act requires that “any business that holds a customer’s personal information to disclose it within 30 days of that customer’s request. Adding to this, names and contact information of all third parties with which the business has shared that customer’s data with during the previous 12 months must also be disclosed.”[25]  Additionally, if the company refuses disclosure, the user has the legal right to bring a civil claim, forcing them to comply with the law.[26]  The Act mimics the right to access data that is already available to residents in Europe, proving that big technology giants, such as Apple, already have the procedures in place to respond.[27]  As more and more companies continue to implement efficient strategies to facilitate the process, the Act will not only have introduced corporate transparency into the digital age, but will likely have also made it the norm.

It may be argued that the Right to Know Act is too modest and does not actually give users the right to correct or delete their personal data.  These are certainly important considerations down the road and, in a perfect world, users would have full and complete control of all of their information.  However, it may be a long time, if ever, before that robust privacy and security strategies can be implemented.  In the meantime, the Right to Know Act is an important first step in putting privacy and security back in the hands of the user.

 


*J.D. Candidate, University of Illinois College of Law, expected 2015.  B.S. Psychology with Neuroscience Option, Pennsylvania State University, 2012.  I am grateful to the editors of the Journal of Law, Technology, and Policy for their advice and insight on this piece.

[1] Anne Karpf, The Human Voice: How this Extraordinary Instrument Reveals Essential Clues About Who We Are 13 (Bloomsbury USA, 1st ed. 2006).

[2] Chenda Ngak, Should You Fear Apple’s Fingerprint Scanner?, CBS News (Sept. 24, 2013, 10:12 AM), http://www.cbsnews.com/news/should-you-fear-apples-fingerprint-scanner/.

[3] Charlie Osborne, iPhone Fingerprint Scanner Sparks Privacy Worries, CNET (Sept. 17, 2013, 9:55AM), http://news.cnet.com/8301-13579_3-57603298-37/iphone-fingerprint-scanner-sparks-privacy-worries/.

[4] See Kevin C. Tofel, How to Enable Experimental “OK Google” Voice Recognition on your Chromebook, Gigaom (Nov. 21, 2013, 8:33 AM), http://gigaom.com/2013/11/21/how-to-enable-experimental-ok-google-voice-recognition-on-your-chromebook/ (noting that Google Voice is already a popular feature on the Android smartphone and Chrome).

[5] Authentify, Voice Biometric Authentication, http://www.authentify.com/solutions/voice_biometrics.html (last visited Sep. 15, 2014).

[6] See id. (“A voice biometric or ‘voice print,’ is as unique to an individual as a palm or finger print.”).

[7] Karpf, supra note 1, at 10–11.

[8] Id.

[9] Omar Zaibak, 3 Banks Using Voice Biometrics for Security and Authentication, Voice Trust (Mar. 24, 2014), http://www.voicetrust.com/blog/voice-biometrics-banking/.

[10] Noel Brinkerhoff, Governments Begin to Build Voice Print Databases, All Gov (Oct. 6, 2012), http://www.allgov.com/news/top-stories/governments-begin-to-build-voice-print-databases-121006?news=845876.

[11] Press Release, Apple Launches iPhone 4S, iOS 5 & iCloud (Oct. 4, 2011), available at http://www.apple.com/pr/library/2011/10/04Apple-Launches-iPhone-4S-iOS-5-iCloud.html.

[12] Bernadette Johnson, How Siri Works, HowStuffWorks, http://electronics.howstuffworks.com/gadgets/high-tech-gadgets/siri1.htm (last visited Sep. 15, 2014).

[13] Id.

[14] iOS Software License Agreement, Apple, available at http://www.apple.com/legal/sla/docs/iOS7.pdf (last visited Sep. 15, 2014) (emphasis original).

[15] John W. Mashni & Nicholas M. Oertel, Does Apple’s Siri Records and Store Everything You Say?, Technology Law Blog (July 17, 2012), www.michiganitlaw.com/Apple-Siri-Record-Store-Everything-You-Say.

[16] Eric Slivka, Anonymized Siri Voice Clips Stored by Apple for Up to Two Years, MacRumors (Apr. 19, 2013, 6:42 AM), www.macrumors.com/2013/04/19/anonymized-siri-voice-clips-stored-by-apple-for-up-to-two-years/.

[17] Id.

[18] iOS Software License Agreement, supra note 14.

[19] John Weaver, Siri is My Client: A First Look at Artificial Intelligence and Legal Issues, N.H. B. J., Winter 2012, at 6 available at https://www.nhbar.org/uploads/pdf/BJ-Winter2012-Vol52-No4-Pg6.pdf.

[20] See Matthew Panzarino, Apple Says It Has Never Worked With NSA To Create iPhone Backdoors, Is Unaware of Alleged DROPOUT JEEP Snooping Program, Tech Crunch (Dec. 31, 2013), http://techcrunch.com/2013/12/31/apple-says-it-has-never-worked-with-nsa-to-create-iphone-backdoors-is-unaware-of-alleged-dropoutjeep-snooping-program/ (indicating that Apple denied creating any iPhone “backdoors” for the National Security Agency that would allow NSA to monitor Apple’s users).

[21] Barbara Ortutay, Apple Privacy Concerns: Experts Slam Apple Over ‘Locationgate,’ The Huffington Post (June 28, 2011), http://www.huffingtonpost.com/tag/apple-privacy-concerns.

[22] iOS Software License Agreement, supra note 14.

[23] Australian Associated Press, Facebook Gave Government Information on Hundreds of Australian Users, The Guardian (Aug. 28, 2013, 2:41 AM) http://www.theguardian.com/technology/2013/aug/28/facebook-australia-user-data-requests (noting the failure of a claim by an Austrian law student, who invoked a “habeas data” right by demanding Facebook data).

[24] Rainey Reitman, New California “Right to Know” Act would Let Consumers Find out who has their Personal Data—and Get a Copy of it, Electronic Frontier Foundation (Apr. 2, 2013), https://www.eff.org/deeplinks/2013/04/new-california-right-know-act-would-let-consumers-find-out-who-has-their-personal.

[25] Assembly Bill, 14 California Legislature 1291, (2013), available at http://leginfo.ca.gov/pub/1314/bill/asm/ab_12511300/ab_1291_bill_20130222_introduced.pdf.

[26] Id.

[27] Reitman, supra note 24.

Putting a Stop to New-Age Revenge: In the Age of Twitter, Instagram and Snapchat, Privacy Is Still Fundamental

By Michael Wester*

I. Introduction

In 2009, Florida resident Holly Jacobs had been dating a guy for several years when the relationship suddenly ended.[1]  Following the breakup, her ex-boyfriend posted naked photos of her online.[2]  Within days, the photos went viral, and the intimate images were posted on as many as 100,000 sites.[3]  As a result of the posting, Holly Jacobs was pressured to quit her job, forced to change her name, and suffered emotional stress and anxiety.[4]

In response, Ms. Jacobs filed a lawsuit against her ex-boyfriend alleging that he posted naked pictures of her online without her consent.[5]  However, despite the damage he caused, Holly Jacobs’s ex faced no criminal punishment for his actions.[6]  Unfortunately, the state of Florida does not have a law that prohibits such action, so Ms. Jacobs eventually had no choice but to drop her case.[7]

Holly Jacobs was a victim of revenge pornography, and like so many other victims of revenge pornography, she did not get justice.  Revenge pornography is a subset of non-consensual pornography that significantly impedes an individual’s fundamental right to privacy.[8]  Often, the victims provide the explicit photos or videos to a dating partner consensually, but do not consent to the photo being shared publicly.  In other cases, the images are taken without the consent of the partner.  The intimate images are then uploaded to the Internet where they can then be spread to anyone who has Internet access.  Over the last several years, the number of non-consensual pornography websites has increased annually.[9]

Recently, a study surveyed more than 1,000 American adults and found that sixty-eight percent of them had shared intimate messages or photos from their cellphones.[10]  Of these 1,000 adults, more than ninety of the respondents said an ex had threatened to post risqué photos online.[11]  Of those ninety respondents, more than fifty of them claimed the threat was carried out.[12]  Once these intimate images or videos reach the Internet abyss, it becomes almost impossible to take them all down.[13] Unfortunately, only six states—Alaska, California, Idaho, New Jersey, Utah, and Wisconsin—have legislation that criminalizes non-consensual pornography.[14]

Presently, no federal law exists to protect victims from this abuse.  Instead, the Communications Decency Act actually shields internet service providers and website owners from civil liability that might result when a third party places material on their website.[15]  Further, because of the Communications Decency Act’s existence, the only current way to stop the spread of revenge pornography is by punishing the source—the individuals posting the images to the websites—through state law.[16]  Although a federal law is preferable because these state laws have limited jurisdiction,[17] state laws have indeed attained some success.[18]

This Article aims to spread awareness of these abhorrent occurrences of revenge pornography and pleads that states across the country pass criminal laws that can finally put a stop to them.  Yet, this Article also warns that any state passing such a law will be walking a tightrope between protecting revenge pornography victims and violating constitutional rights to free speech.  To facilitate the discussion, Part II of this Article provides a brief overview of non-consensual pornography and the problems it causes.  Part III promotes criminal punishment for those engaging in revenge pornography.  Finally, Part IV implores state governments to pass legislation that criminalizes the intentional disclosure of sexually explicit images without consent.  Additionally, Part IV discusses the four necessary elements of a model law.

II. Background

Non-consensual pornography, including revenge pornography, is not a new phenomenon.  It can be traced back to the 1980s, when Hustler, a pornographic magazine, started a monthly feature that urged subscribers to submit explicit female images for the next issue.[19]  Many times, the women were either oblivious to the fact the pictures were even taken or entirely unaware they were submitted.[20]  Accompanying the photos was usually a fake biography, consisting of made-up hobbies, sexual fantasies, and interesting facts.[21]  Several women sued the magazine for publishing their photos without their consent, but few, if any, were successful in obtaining justice.[22]

With the advancement of technology, the ability to take and disseminate non-consensual pornography has significantly increased.  Today, dozens of websites exist that receive and then distribute non-consensual intimate images.  Frequently, these websites allow the material to upload anonymously.[23]  Often, however, the victims are not so lucky and do not remain anonymous.  Just like with Hustler’s monthly feature, on some websites anonymous posters are encouraged to share the women’s personal information, including their personal Facebook pages, phone numbers, email addresses, workplaces, and home addresses.[24]  The release of this information can put the victims’ safety in danger.

As the material circulates the Internet, victims are exposed to a range of sexual propositions, stalking, and harassment.[25]  In some cases, victims have reported losing jobs and educational opportunities as a result of this material spreading to people close to their lives.[26]  Often, release of these explicit images causes extreme emotional distress, anxiety, and psychological trauma.[27]  Sadly, their release has even led several victims to commit suicide.[28]

In most cases, attempting to have the material removed from the Internet proves unsuccessful.[29]  Moreover, trying to take down the material is painstaking and expensive.[30]  The intimate photos almost instantaneously circulate the web, and the sites are constantly morphing, which makes it almost impossible to chase down every website on which the material has been posted.  For example, Is Anyone Up, one notorious non-consensual porn site, received over 30 million page views of thousands of ex-girlfriends before it was finally shut down after months of pursuit by victims.[31]   In spite of these victims’ efforts, the website immediately reopened elsewhere under a different name and IP address.[32]

III. Criminal Versus Civil Punishment

Criminal laws are necessary to combat non-consensual pornography because tort law and copyright law are insufficient.  As tort law and copyright law exist currently, they provide no real relief to these victims.[33]  As stated by Mary Anne Franks, the foremost expert on revenge pornography and a professor at the University of Miami School of Law, although civil remedies sometimes help the victims, such civil remedies are not enough.[34]  Rather, because the damage to their lives is so great, the victims just wish these photos had never been released.

States must prevent this intimate material from surfacing online in the first place.  Their best weapon is to criminalize the action.  Some proponents argue that non-consensual pornography should be criminalized because, in many ways, it is an act of sexual use without consent, analogous to sexual assault.[35]  More importantly, though, by criminalizing non-consensual pornography, states can ensure all victims receive justice.

Civil litigation places enormous financial burdens on victims.[36]  Private individuals have immense determination to seek justice but are often without the means to do so.  In non-consensual pornography cases, in particular, only the victims who can afford lawyers and private detectives to chase down every source are the ones who receive some relief.[37]  Frequently, the websites that victims must sue possess the financial resources to slow the investigation process and stop the pursuit.[38]  Criminalizing non-consensual pornography could help alleviate the burden placed on victims.

IV. Plea for New State Laws

This Article recommends that states pass criminal laws specifically tailored to stopping revenge pornography.  Any such state law should define non-consensual pornography as the “posting or publishing to the public of a sexually explicit image without consent.”  Several states currently recognize broader voyeurism laws, which prohibit the non-consensual recording and distribution of sexually explicit images of another person,[39] but these laws are often insufficient to sustain allegations in revenge pornography cases.[40]  The voyeurism laws remain insufficient because they do not protect those who consented to being recorded but did not consent to the distribution of those images, nor those who recorded the images themselves but did not consent to the distribution.  To truly combat non-consensual pornography, there are four elements that every law should contain.

First, a model law should define “explicit images.”  These images should be defined as photographs, film, videotapes, recordings, or any other reproduction of the image of another person, whose intimate parts[41] are exposed or who is engaged in an act of sexual contact.  Second, it should define the “posting” or “publishing” of the intimate images to the public.[42]  “Publishing” should be defined as the disclosing, selling, providing, transferring, distributing, circulating, disseminating, presenting, exhibiting, advertising, manufacturing, or offering of the explicit images to a public forum.[43]

Third, the law should define “consent” as contextual.  Just because the photography or videoing occurs consensually in the privacy of the home does not mean that a partner has consented to put it on the Internet.  As stated by Professor Mary Anne Franks, “sharing a nude picture with another implies limited consent similar to other business transactions.”[44]  As she told the Huffington Post, “[i]f you give your credit card to a waiter, you aren’t giving him permission to buy a yacht.”[45]  It is imperative that any law punishes the abuse of this limited consent, because the violation of this consent is in many ways more detrimental than the violation of consent in a business transaction.  In this case, it is not business and money on the line, but rather an individual’s privacy and personal security.  To establish this context, a form of a reasonable man standard is recommended.  In Franks’ example, a reasonable man, as a waiter, would not take a credit card from a customer and buy a yacht.  Likewise, in a non-consensual pornography context, a reasonable man would not take intimate photos from an ex and release them onto the Internet for the whole world to see, without the ex’s permission.

Finally, each state should add exceptions for individuals to whom the law does not apply.  For example, in Wisconsin, the law does not apply to parents, guardians, or a provider of Internet access.[46]  Additionally, Wisconsin established an “Anthony Weiner”[47] exception, which excludes from the law, “[a] person who posts or publishes a private representation that is newsworthy or of public importance,”[48] based on the idea that individuals who have placed themselves in the public eye have a significantly diminished privacy interest.[49]  As another example, New Jersey has an exemption for law enforcement officers in connection with a criminal prosecution.[50]

V. Conclusion

States must be proactive instead of reactive.  New Jersey, in 2004, became the first state to pass an anti-revenge porn law after a Rutgers University student killed himself.[51]  The law was the first of its kind and made it a felony for any person to disclose sexually explicit photographs or images of another person without that person’s consent.[52]  Nevertheless, one victim had to lose his life before the law was passed.  Clearly, states cannot wait a second longer to pass a law prohibiting non-consensual pornography.

Wisconsin, Idaho, and Utah passed laws relating to this issue in 2014.[53]  New York, Maryland, and Illinois comprise some of the thirteen states currently considering passing some form of non-consensual porn legislation.[54]  Additionally, Representative Jackie Speier of the United States House of Representatives announced she intends to introduce a federal bill, drafted by Professor Mary Anne Franks, criminalizing revenge pornography in the next few months.[55]  Although a stride in the right direction, many believe Representative Speier’s bill will not pass on a federal level.[56] Consequently, strong state criminal legislation is necessary so that this destructive and inexcusable form of sexual exploitation is prevented and punished.

How many more people must be harmed before legislators around the country wake up and protect their constituents? Advances must be made to shield victims, like Holly Jacobs, from the grave harms associated with the distribution of non-consensual pornography.

 


*J.D. Candidate, University of Illinois College of Law, expected 2015.  B.A. 2012, Saint Louis University.  I would like to thank everyone who helped me in the writing of this Article with suggestions and comments, including Angelica Nizio and Andrew Lewis, editors of the Journal of Law, Technology, and Policy, and Kristen Sweat.

[1] Beth Stebner, “I’m Tired of Hiding”: Revenge-Porn Victim Speaks out over her Abuse After Claims Ex Posted Explicit Photos of her Online, Daily News (May 3, 2013, 12:05 PM), http://www.nydailynews.com/news/national/revenge-porn-victim-speaks-article-1.1334147.

[2] Memphis Barker, “Revenge Porn” Is No Longer a Niche Activity Which Victimizes Only Celebrities – The Law Must Intervene, Independent (May 19, 2013), http://www.independent.co.uk/voices/comment/revenge-porn-is-no-longer-a-niche-activity-which-victimises-only-celebrities–the-law-must-intervene-8622574.html.

[3] Id.

[4] Id.

[5] Id.

[6] Id.

[7] Stebner, supra note 1.

[8] Woodrown Hartzog, How to Fight Revenge Porn, Atlantic (May 10, 2013, 1:42 PM), http://www.theatlantic.com/technology/archive/2013/05/how-to-fight-revenge-porn/275759/.

[9] Tristan Hallman, Saying She’s a Victim of Revenge Porn, Dallas Woman Fights to Get Online Images Removed, Dallas News (Feb. 16, 2014, 11:00 PM), http://www.dallasnews.com/news/local-news/20140216-dallas-woman-fights-to-get-explicit-online-images-of-her-removed.ece.

[10] Id.

[11] Id.

[12] Id.

[13] Id.

[14] See Michelle Dean, The Case for Making Revenge Porn a Federal Crime, Gawker (Mar. 27, 2014, 2:45 PM), http://gawker.com/the-case-for-making-revenge-porn-a-federal-crime-1552861507 (noting the different states that have laws that affect revenge porn); Erin Donaghue, Judge Throws Out New York “Revenge Porn” Case, CBS News (Feb. 25, 2014, 4:42 PM), http://www.cbsnews.com/news/judge-throws-out-new-york-revenge-porn-case/ (mentioning the Alaska, California, and New Jersey statutes while discussing New York’s lack of a revenge porn criminal statute). See also State “Revenge Porn” Legislation, Nat’l Conf. St. Legislatures, http://www.ncsl.org/research/telecommunications-and-information-technology/state-revenge-porn-legislation.aspx (last visited May 27, 2014) (listing the states that considered revenge porn legislation in the years 2013 and 2014).

[15] 47 U.S.C. § 230 (2006).

[16] 47 U.S.C. § 230 (2006) (“Nothing in this section shall be construed to prevent any State from enforcing any State law that is consistent with this section. No cause of action may be brought and no liability may be imposed under any State or local law that is inconsistent with this section.”).

[17] Mary Anne Franks, Why We Need a Federal Criminal Law Response to Revenge Porn, Concurring Opinions (Feb. 15, 2013, http://www.concurringopinions.com/archives/2013/02/why-we-need-a-federal-criminal-law-response-to-revenge-porn.html.

[18] EJ Dickson, Revenge Porn Site Ordered to Pay $385,000 to Victim, Daily Dot (Mar. 20, 2014), http://www.dailydot.com/crime/revenge-porn-verdict-you-got-posted/.

[19] Alexa Tsoulis-Reay, A Brief History of Revenge Porn, N.Y. Mag. (Jul. 21, 2013), http://nymag.com/nymag/features/revenge-porn-2013-7/.

[20] Amanda Levendowski, Our Best Weapon Against Revenge Porn: Copyright Law?, Atlantic (Feb. 4, 2014, 1:03 PM), http://www.theatlantic.com/technology/archive/2014/02/our-best-weapon-against-revenge-porn-copyright-law/283564/.

[21] Id.

[22] Id.

[23] See Women Sue Explicit “Revenge Porn” Site After Jilted Lovers Anonymously Posted Revealing Pictures of Them, Daily Mail (Jan. 25, 2013, 6:22 PM), http://www.dailymail.co.uk/news/article-2268476/Ex-plicit-revenge-porn-site-allowed-jilted-lovers-anonymously-post-revealing-pics-girlfriends-facing-class-action-suit.html (discussing a lawsuit against a website that allows people to anonymously upload revenge porn).

[24] Dickson, supra note 18; Brenton Awa, Hundreds of Local Women Fall Victim to “Revenge Porn”, KITV (Feb. 26, 2014, 11:00 PM), http://www.kitv.com/news /hawaii/hundreds-of-local-women-fall-victim-to-revengeporn/24708622.

[25] Mary Anne Franks, We Need New Laws to Put a Stop to Revenge Porn, Independent (Feb. 23, 2014), http://www.independent.co.uk/voices/ comment/we-need-new-laws-to-put-a-stop-to-revenge-porn-9147620.html.

[26] Id.

[27] Id.

[28] Awa, supra note 24; See Barker, supra note 2 (noting that the New Jersey anti-revenge pornography law was passed after a Rutgers University student killed himself).

[29] Franks, supra note 25.

[30] See Danielle Keats Citron & Mary Anne Franks, Criminalizing Revenge Porn, Wake Forest L. Rev. 5 (forthcoming 2014), available at http://digitalcommons.law.umaryland.edu/cgi/viewcontent.cgi?article=2424 (noting the steep costs associated with revenge porn).

[31] Barker, supra note 2.

[32] Citron & Franks, supra note 30, at 4.

[33] EJ Dickson, Texas Woman Wins Largest Settlement Ever in Revenge Porn Case, Daily Dot (Feb. 28, 2014), http://www.dailydot.com/crime/porn-revenge-law-texas/.

[34] Id.

[35] Franks, supra note 25.

[36] Citron & Franks, supra note 30, at 5.

[37] See Barker, supra note 2 (stating that in Holly Jacobs’ case, she found that only the rich and famous can wield civil laws to effect because they are the only ones that can afford lawyers to chase after all of the sites who have posted the materials).

[38] Id.

[39]See Cynthia J. Najdowski & Meagen M. Hildegrand, The Criminalization of “Revenge Porn”, Am. Psychol. Ass’n (Jan. 2014), http://www.apa.org/monitor/2014/01/jn.aspx (noting that critics state that this is a violation of the right to free speech).

[40] Mary Anne Franks, Why we Need a Federal Criminal Law Response to Revenge Porn, Concurring Opinions (Feb. 15, 2013), http://www.concurringopinions.com/archives/2013/02/why-we-need-a-federal-criminal-law-response-to-revenge-porn.html.

[41] See Alaska Stat. § 11.61.120 (2013) (defining “intimate parts” as genitals, anus, or female breast); id.

[42] See N.J. Stat. Ann. § 2C:14-9 (West 2014) (providing an exception for law enforcement officers engaged in the official performance of their duty).

[43] Id.

[44] Jessica Walters, Why “Revenge Porn” Is Legal in 48 States, Avvo Blog (Dec. 4, 2013, 1:57 PM), https://nakedlaw.avvo.com/privacy-2/why-revenge-porn-is-legal-in-48-states.html.

[45] Anne Flaherty, “Revenge Porn” Victims Demand New Laws, Huffington Post (Nov. 15, 2013, 3:35 AM), http://www.huffingtonpost.com/2013/11/15/ revenge-porn-laws_n_4280668.html.

[46] See Wis. Stat. § 942.09 (2013) (stating that parents and guardians are excluded as long as the representation does not cross into child abuse or child pornography and the publication is not for commercial purposes).

[47] See Tracy Connor, Anthony Weiner Admits Sexting Continued After 2011 Resignation from Congress, NBC News (July 24, 2013 3:53 AM), http://www.nbcnews.com/news/other/anthony-weiner-admits-sexting-continued-after-2011-resignation-congress-f6C10721264 (demonstrating how the exception to Wisconsin’s law operates).

[48] Wis. Stat. § 942.09 (2013).

[49] See Corliss v. Walker, 57 Fed. Rep. 434 (1983); see also Rosenfeld v. U.S. Dep’t of Justice, No. C-07-3240 EMC, 2012 WL 710186 at *5 (N.D. Cal. Mar. 5, 2012).

[50] N.J. Stat. Ann. § 2C:14-9 (West 2014).

[51] Barker, supra note 2.

[52] N.J. Stat. Ann. § 2C:14-9 (West 2014).

[53] Michelle Dean, Wisconsin Passes Anti-“Revenge Porn” Law, Gawker (Apr. 9, 2014, 10:00 AM), http://gawker.com/wisconsin-passes-anti-revenge-porn-law-1561101182.

[54] Donaghue, supra note 14.

[55] Steven Nelson, Federal ‘Revenge Porn’ Bill Will Seek to Shrivel Booming Internet Fad, U.S. News (Mar. 26, 2014), http://www.usnews.com/news/articles/ 2014/03/26/federal-revenge-porn-bill-will-seek-to-shrivel-booming-internet-fad.

[56] Liz Halloran, Race to Stop “Revenge Porn” Raises Free Speech Worries, NPR (Mar. 6, 2014, 11:16 AM), http://www.npr.org/blogs/itsallpolitics/2014/03/06/ 286388840/race-to-stop-revenge-porn-raises-free-speech-worries (stating that there are constitutional perils in bills being considered because of the worry of protecting the right to free speech).

RFID in the Employment Context: The Struggle Between Individual Privacy and Corporate Efficiency

By Anna Gotfryd* and Rachel Tenin**

I. Introduction

“Once a new technology rolls over you, if you’re not part of the steamroller, you’re part of the road.”[1]  In this case, Radio Frequency Identification Technology (RFID) is the steamroller, and companies who choose not to adopt this technology are roads.  RFID is a technological advancement that utilizes radio waves to identify objects and people.[2]  Once a RFID tag is near a RFID reader, the tag sends electromagnetic waves to a computer that then become stored as digital data.[3]  Although RFID has been around for over sixty years, it has recently expanded.

II. RFID in Modern Society

Consumers encounter RFID in various forms ranging from toll passes stationed inside their vehicles to microchips implanted in their pets.[4]  Even the Vatican imbeds the chips in identification badges to keep track of clergy and staff with the goal of maintaining the security of private files.[5]  While certainly a valuable and even necessary technology, its expansion has triggered reluctance.  Just over a year ago, a Texas school district was sued after district officials implemented a pilot program using RFID technology to monitor students’ whereabouts on school property in hopes of enhancing safety.[6]  However, privacy-related concerns do not appear to be impeding the anticipated growth of RFID.  The RFID market is expected to triple between 2013 and 2020, from just under $8 billion to more than $23 billion.[7]  RFID is primarily used for inventory management and in corporate supply chains, but in recent years it has gained momentum as an employee tracking technology.

III. RFID as an Employee Tracking Technology

Humans are a corporation’s most valuable resource, and effective management of its resources is of utmost importance to decreasing waste while increasing output.  Thus, companies have begun implementing ways to track employees using RFID.  RFID is a useful tool for many businesses because the chips improve accuracy, efficiency, and productivity.[8]  For example, Bank of America asked ninety workers to wear chipped badges, which recorded their movements and the tone of their conversations.[9]  The data collected demonstrated that the most productive workers were part of close-knit teams.  Implementing the results, Bank of America scheduled group breaks that overrode previous individual breaks and increased workplace productivity by ten percent.

A quick Google search will display dozens of companies that are eager to sell their latest RFID employee tracking products.  One such company, Intelleflex, advertises the sale of RFID badges that track employees and reveal to employers detailed information about their workers such as an employee’s name, location history, photograph, and biometric information.[10]  Perhaps the most intrusive example of RFID use is the human implantation of a microchip.  In 2006, concerns about invasive business practices gained attention after a company in Cincinnati, Ohio announced that it would inject RFID chips into the biceps of willing employees.[11]  While implanting humans with RFID for work-related purposes is considered extreme, many companies have noticed the benefits of RFID technology.

IV. Where Is RFID Headed?

The inexpensive and discreet nature of RFID has led to a myriad of ways private employers can use RFID technology.  RFID today is applied by businesses with the goal of increasing workplace efficiency through the maintenance of employee attendance records, calculation of overtime, and reduction of tardiness among others.[12]  As RFID usage becomes more commonplace, there is much room for discussion regarding security issues, employees’ rights to privacy, and employers’ rights to workplace organization.

A. The “Magic” of Technology and the “Monster” of Profit Margins: Companies Adopt RFID in Global Business Models

Competition is a driving force in all intersections, and its effects are particularly apparent in the marketplace.  This spring, Disney Parks will be introducing MyMagic+ wristbands that collect mounds of visitor personal data in an effort to better customize visitors’ experiences, market effectively to target audiences, and, of course, to increase sales.[13]  Disney’s inevitable struggle with privacy concerns as they launch this innovative program will be exceptionally informative of the lenient or restrictive direction that the law will take.  Despite the hurdles, “Disney has decided that MyMagic+ is essential.”[14]  Thomas O. Staggs, chairman of Disney Parks and Resorts, recognizes the need for the company to “aggressively weave new technology into its parks—without damaging the sense of nostalgia on which the experience depends—or risk becoming irrelevant to future generations.”[15]

B. The Intersection of Individual Privacy and RFID Application

RFID technology itself does not threaten individual privacy; it is when implemented in invasive and opaque ways that problems arise.  Recently, researchers observed RFID tracking sensors at a Boston hospital to monitor the activity of sixty-seven nurses.[16]  The nurses wore chipped identification badges that measured nurse-to-nurse interactions, the physical activity of the nurses, and nurse-to-patient interactions.  Sociometric Solutions, the company that conducted the study, claims that data analyzed through the tracking of these nurses showed strong relationships between nurses’ behaviors and patients’ overall hospital stay.  Sociometric Solutions suggests that the data retrieved will allow the hospital to better plan their investments, leading to improvements to patient recovery and bottom-line cost reductions.  Hospitals in the United States have also implemented RFID wristbands for their staff members.  The wristbands monitor how well employees wash their hands and even send hand-washing hygiene report cards to the employees.[17]  This technology will allow for companies to organize in ways that improve feedback, interactions, and the ways that individuals work.[18]  RFID technology is extremely beneficial from a business perspective, and the law is struggling to keep up.

V. New Legislation Involving RFID Tracking

The utilization of location tracking tools within the workplace is unprecedented and tasks legislatures with the creation of laws.[19]  So far, the most substantial case law was decided in 2012 in United States v. Jones.  The Supreme Court held that the government’s installation of a GPS device on a defendant’s vehicle with the purpose of monitoring the vehicle’s movements represented a “search” within the meaning of the Fourth Amendment.[20]  The holding is quite narrow, as it only addresses the government’s use of GPS tracking when it constitutes a physical trespass.  This raises questions regarding the nature and the scope of location tracking data within the private sector, leaving states to individually address privacy concerns.

In 2005, California was the first state to adopt legislation that addressed RFID and privacy-related concerns, but it was limited to the use of automated teller machines.[21]  Today, six states prevent unauthorized “skimming” of RFID information.[22]  Four states—Wisconsin, North Dakota, Oklahoma, and California—have taken measures to prevent employers from requiring employees to implant RFID chips in their bodies.[23]  In July 2013, Montana made history as the first state to pass a law restricting state officials from tracking anyone using an electronic device.[24]  In January 2014, an Illinois law disallowed state agencies from using electronic tracking devices on vehicles.[25]

In 2011, the New Hampshire House of Representatives proposed House Bill (HB445), which restricted electronic tracking of individuals.  However, it provided an employer exception, allowing employers to track employees within the confines of an employment relationship during working hours.[26]  HB445 passed in the New Hampshire House of Representatives, but it failed in the Senate.  Last year, the New Hampshire House of Representatives tried again with a 2013 House Bill (HB592).  HB592 provides even more leeway to employers than the original draft.  The later draft expands on employers’ abilities to track their employees in any “work-related functions, during or after working hours, upon reasonable notice to the employee.”[27]  This bill died in chambers, but New Hampshire’s efforts illustrate the struggle of legislatures to find a clear solution, leaving employers lacking clarity about limitations on their ability to track their employees.  With the increasing use of RFID in the employment context, federal and state legislatures will need to construct guidelines and clarifications hastily.

VI. Recommendations

Employer efficacy, created through transparency and openness, will lead to workplace efficiency and an embrace of technology necessary to compete in the marketplace, rather than fear and rejection.  Communication is crucial, particularly when implementing technology that is unfamiliar.  In a case study conducted for RAND Infrastructure, Safety, and Environment, researchers monitored six private-sector companies, in an effort to understand these corporations’ policies for collecting, keeping, and using data obtained by RFID.  Of the companies studied, only one had “[e]xplicit, written policies governing the use of RFID in the workplace. . . .”[28]  All of the companies “ke[pt] the records indefinitely,” rather than adopting a “limited data retention policy. . . .”[29]  Not a single company communicated to its employees that the data on their ID badges was being collected and stored.  Employers should deal with legal uncertainties by explaining to employees the benefits that RFID provides to companies.  Policies that clearly define the scope of an employer’s tracking ability on an employee are best to elicit informed consent.  The idea of informed consent is consistent with fair, ethical information practices and clear guidelines communicating employer expectations.  Informed consent will allow for employee rights that strike the right balance between individual privacy and workplace efficiency.

VII. Conclusion

The ever-increasing demands for corporations to exceed their bottom line while competing in a marketplace rapidly adapting to technological advances means that employers should, and in fact must, take advantage of RFID technology in order to merely keep up.  However, the law is unable to match the demands of the market and the advances of technology.  RFID utilization requires a legal remedy.  This technology is being applied to human beings with rights to privacy and non-discrimination.  Corporations ought to be allowed to take advantage of research efforts and maximize workplace efficiency.  However, both parties are entitled to a legal framework setting clear guidelines within which they can operate.  Informed consent is a prerequisite to medical treatment and should necessarily be extended to the employer-employee workplace context.

 


*J.D. Candidate, University of Illinois College of Law, expected 2016. B.A. Sociology, B.A. Communication, summa cum laude, University of Illinois at Urbana-Champaign, 2013. I thank the editors of the Journal of Law, Technology, and Policy for their time and guidance in the creation of this piece.

**J.D. Candidate, University of Illinois College of Law, expected 2016. B.A. History, B.A. Speech Communication, University of Illinois at Urbana-Champaign, 2007. I would like to thank the editors for their time and attention to this piece.

[1] Sherry Kubanyi, New Technology Series: Be Part of the Steamroller—Not Part of the Road, Legaco Express, http://www.legaco.org/blog/new-technology-series-paralegal (last visited Apr. 6, 2014).

[2] What Is RFID?, RFID J., http://www.rfidjournal.com/faq/show?49 (last visited Apr. 6, 2014).

[3] Kristina M. Willingham, Scanning Legislative Efforts: Current RFID Legislation Suffers from Misguided Fears, 11 N.C. Banking Inst. 313, 314 (2007).

[4] All About Radio Frequency Identification (RFID), Nat’l Consumers League http://www.nclnet.org/technology/74-radio-frequency-identification/126-all-about-radio-frequency-identification-rfid (last visited Apr. 6, 2014).

[5] Jake Jones, Vatican To Begin Tracking Clergy and Employees with RFID Cards, Examiner (Dec. 2, 2012), http://www.examiner.com/article/vatican-to-begin-tracking-clergy-and-employees-with-rfid-cards.

[6] A.H. v. Northside Indep. Sch. Dist., 916 F. Supp. 2d 757, 762 (W.D. Tex. 2013).

[7] Pat Toensmeier, Report Predicts Major Growth in RFID Market, ThomasNet News (Oct. 28, 2013), http://www.thomasnet.com/journals/procurement/report-predicts-major-growth-in-rfid-market/.

[8] Marisa Anne Pagnattaro, Getting Under Your Skin-Literally: RFID in the Employment Context, 2008 U. Ill. J.L. Tech., & Pol’y 237, 238.

[9] Rachel Emma Silverman, Tracking Sensors Invade the Workplace: Devices on Workers, Furniture Offer Clues for Boosting Productivity, Wall St. J. (Mar. 7, 2013, 11:42 AM), http://online.wsj.com/news/articles/SB10001424127887324034804578344303429080678.

[10] Personnel Monitoring, Intelleflex, http://www.intelleflex.com/solutions.pm.asp (last visited Apr. 6, 2014).

[11] Citywatcher.com Requires Tagging of Employees, RFID Gazette (Feb. 13, 2006), http://www.rfidgazette.org/2006/02/citywatchercom_.html.

[12] What Is RFID System Attendance Monitoring System?, Biometric System, http://www.biometricsystem.in/Attendance-Recorder.html (last visited Apr. 6, 2014).

[13] Brooks Barnes, At Disney Parks, a Bracelet Meant to Build Loyalty (and Sales), N.Y. Times (Jan. 7, 2013), http://www.nytimes.com/2013/01/07/business/media/at-disney-parks-a-bracelet-meant-to-build-loyalty-and-sales.html.

[14] Id.

[15] Id.

[16] Cases: Nurse Study—Patient Outcomes, Sociometric Solutions, http://www.sociometricsolutions.com/cases.html (last visited Apr. 6, 2014).

[17] Claire Swedberg, IntelligentM Wristband Monitors Hand Hygiene, Vibrates to Provide Staff Alerts, RFID J. (Apr. 1, 2013), http://www.rfidjournal.com/articles/view?10558.

[18] Ben Waber, The Next Big Thing in Big Data: People Analytics, Bloomberg Businessweek (May 16, 2013), http://www.businessweek.com/printer/articles/117040-the-next-big-thing-in-big-data-people-analytics.

[19] Corey A. Ciocchetti, The Eavesdropping Employer: A Twenty-First Century Framework for Employee Monitoring, 48 Am. Bus. L.J. 285, 311 (2011).

[20] United States v. Jones, 132 S. Ct. 945, 947 (2012).

[21] State Statutes Relating to Radio Frequency Identification (RFID) and Privacy, Nat’l Conference State Legislatures (Dec. 20, 2013), http://www.ncsl.org/research/telecommunications-and-information-technology/radio-frequency-identification-rfid-privacy-laws.aspx.

[22] Id.

[23] Id.

[24] Seaborn Larson, Montana the First State To Pass Spy Law, Daily Inter Lake (July 8, 2013, 9:00 PM), http://www.dailyinterlake.com/news/local_montana/article_022211de-e81a-11e2-9d43-0019bb2963f4.html.

[25] H.B. 1199, 98th Gen. Assemb., 381st Sess. (Ill. 2013).

[26] H.B. 445, 2011 Sess. (N.H. 2012).

[27] H.B. 592, 2013 Sess. (N.H. 2013).

[28] Edward Balkovich, Tora K. Bikson & Gordon Bitko, Privacy in the Workplace: Case Studies on the Use of Radio Frequency Identification in Access Cards, Rand, http://www.rand.org/pubs/research_briefs/RB9107/index1.html (last visited Apr. 6, 2014).

[29] Id.