White Castle collecting burger slingers' fingerprints looks like a $17B mistake American burger-slinging giant White Castle is almost certainly regretting its decisions about employee monitoring after the Illinois Supreme Court Friday issued an opinion opening the fast "food" corp up to potentially billions in fines. In what we imagine was a gut-wrenching decision for White Castle's legal team, the court …
"In court, White Castle argued that it was only on the hook for the first instance in which it collected its workers' fingerprints..."
If you murder lots of people, does only the first time count?
If you commit lots of robberies, does only the first time count, even if you rob the same person?
If you collect lots of biometric information, does only the first time count, even if repeatedly from the group of people?
Generally the law sees repeats of an offence as separate offences, hence the use of 'n counts of x' in offence summaries.
There is something rotten about a company which feels the need to continually collect data like employee fingerprints for years and years. It shows a key difference in thinking between the USA and the EU.
In another article (https://www.theregister.com/2023/02/17/adequacy_decision_us_data_transfer/) I argued that the USA could not see the wood for the trees. This continual collection of fingerprints is an example of this, and it is also an example of why the USA cannot be trusted with the data of EU citizens. What is wrong with the USA?
I think you are confusing murdering lots of people and murdering the same person lots and lots of times. One is multiple crimes, one is double jeopardy.
The article different really say what they did with the data (if anything) and I would envisage only the first scan was the collection and the rest were simply deleted..
-- In each case they USED the biometric for some purpose. --
Great! What was it?
THIS
The case, brought by an Illinois woman who began working at White Castle in 2004, involves the use of workers' fingerprints to access pay stubs and company computers, which she said were implemented shortly after she joined.
is as near as I can get to anything, neither of which seem overly nefarious. Also OK from 2004 until ????. So what changed? Money chasing lawyers?
Swap "murder" for "attempted murder" then.
Is stabbing someone once a week for a few years multiple counts of attempted murder, or just the one?
The entire point of these laws is to make it annihilative liability. Otherwise fines become a cost of doing business and the corporation simply adjusts their prices to account for them.
So yes, make it the full whack and wind 'em up. Another business will take over, that's competition.
I think you are confusing murdering lots of people and murdering the same person lots and lots of times. One is multiple crimes, one is double jeopardy.
Double jeopardy would be murding the same person lots of times, at the same time.
If I punch you in the face every day for 10 years is that one assault or many?
Had only a single instance counted it would make a mockery of the entire law, the company has been flouting it for 10 years, it wasn't an innocent mistake, it was a flagrent disregard.
The article different really say what they did with the data (if anything) and I would envisage only the first scan was the collection and the rest were simply deleted..
And? Are you suggesting the law shouldn't apply?? The only influence that should have is on the final judgement. (It sounds like it was done through lazyness rather than malice).
I don't think White Castle should be plunged into bankrupcy because of lazyness, but also, you don't get to ignore the law for 10 years and walk away with a slap on the wrist.
I know your presidents are kind of setting the precident that it's okay 'if you didn't mean it', but once you start having that as your justice system then you're screwed. (You can use intent to weigh the sentance, but you lot do seem to be veering towards 'they're rich and didn't really mean it....').
Using the limited anount of information in the article lets play narrative for a new starter
HR droid: When you get paid you can access your pay stubby putting your finger here.
New worker: OK
Supervisor: This is your computer, you access it by putting your finger here after you've trained it
New worker: OK
What seems to be being asked for is more along the lines of:
HR droid: When you get paid you can access your pay stubby putting your finger here. Is that OK with you, if so please sign here, if not I'm sorry but we won't be able to pay you
New worker: OK, where do I sign
Supervisor: This is your computer, you access it by putting your finger here after you've trained it. Is that OK with you, if so please sign here, if not I'm sorry but you won't be able to do the job you have been employed to do and will be fired.
New worker: OK, where do I sign
It looks like the only bit really missing is the "please sign here"
And murdering a person can only be done once.
You can attempt to murder a person many times and be prosecuted many times.
You can steal from someone many times and be prosecuted many times.
But you can only cut off someones fingers and use them for burger meat only once, see, somethings have only a way to prosecute once, and some have many. Some have an affect on the person you are doing it do that makes it impossible to do again.
If they were taking these people fingerprints and then burning them off at the end so they no longer had any, they could not be accused of taking and using them multiple times (they could use them multiple times if they stored them), so they would then have committed 2 crimes, one related to taking the fingerprints and another that caused harm to them which meant they couldn't do the first one ever again.
They didn't do that, they took their fingerprints over and over again and used them over and over again, so multiple offenses.
Is there a difference in the meaning of "double jeopardy" between the USA and the UK? In the UK, it refers to the State not being able to try a person for the same crime again after an acquittal by a jury. There was some fuss about this a few years ago when the rule against it was relaxed if new evidence, e.g. DNA, came to light after the case was heard. The way you are using it seems to be referring to multiple counts - tricky in the example of murder of the same person, but very easy with repeated acts - so is that the correct use in the USA?
They suffered by having a right granted to them by the Illinois legislature violated. That's all that's necessary for a finding adverse to the defendant in this action.
Anything beyond that is irrelevant to the case, and your introduction of the question is disingenuous or foolish.
The robbery analogy also doesn't stand up since nothing was actually taken. Its a bit more like plagiarism or ripping a CD/DVD or recording a programme from OTA TV to watch later.
However, for a bit of fun since others are talking about murdering a person several times consider: a robber breaks into your house and steals your TV, a diamond bracelet and your favourite saucepan. Is that one count of burglary or three? Now consider the same thief breaking in on three separate occasions and stealing the same items.
Here in the UK, criminals can and often do ask for 'other offences to be taken into consideration' so that they can't subsequently be charged for them on a case-by-case basis. It's particularly common in cases of theft and burglary. Here in the UK (again) when such admitted crimes are taken into consideration, or whenever a criminal is found guilty of multiple crimes, the usual outcome is that the multiple sentences are carried out 'concurrently' and not consecutively. Thus, a criminal serves only one year, say, instead of twenty, when found guilty of twenty crimes, although each one would have accrued a year in its own right.
So yes indeed, here in the UK at least, the answer to the question "If you commit lots of robberies, does only the first time count, even if you rob the same person?" is a resounding 'yes'.
"So yes indeed, here in the UK at least, the answer to the question "If you commit lots of robberies, does only the first time count, even if you rob the same person?" is a resounding 'yes'."
While true, sentencing guidelines allow the judge to increase the sentence based on those TICs. The criminal gets less than if later charged for additional sentences but usually more than for just one. eg say 1 year sentence for 1 burglary, but the sentence range is 1-5 years and s/he gets 2 or 3 years for the additional TICs instead of a year or 2 for each in later convictions. Admitting to those TICs is taken as a good thing too in the eyes of the court, ie pleading guilty usually gains the criminal a lower sentence than a not guilty plea and the full-on court case.
If you put my name and my fingerprints into your database, that’s the damage done. Doing it hundred times (my name, my fingerprint) more doesn’t make much difference.
Comparing to the “murders”: 100 murders is 100 times worse than one. But stabbing the same person through the heart 100 times instead of once doesn’t matter much. Dead is dead.
Doing it hundred times (my name, my fingerprint) more doesn’t make much difference.
Whether you feel there's additional damage is irrelevant to the case. What the law says is what matters.
In this case, White Castle repeatedly, frequently, and knowingly violated the law. The Illinois Supreme Court has just issued a finding that all those violations were, in fact, violations. That's establishing precedent for interpreting the law. Whether each violation significantly increased the actual harm done wasn't the question at hand.
I also disagree with your evaluation, because repetition creates a moral hazard (it normalizes the practice) and potential for abuse (if the fingerprint-reading terminals are compromised at a later date, for example). But, again, that doesn't matter, from a legal point of view.
If they were using fingerprints for user verification then yes only the first one counts. You enrole and verify the person once, hash (encrypt) the fingerprint and then each time you authenticate an individual it reads the fingerprint, hashes it and compares it with the stored fingerprint, so yes the read and stored it once and then just read and compared after that and wouldn't have had to keep the subsequent verification images........unless of course they needed an audit trail for security purposes.....
But in Germany, the estate agents charge so much from both the buyer and seller that they only need to sell one or two houses a year to keep them in shiny new BMWs...
We've had agents insist on seeing bank account details before they'd make a viewing appointment, and we've told them where to shove it. They give a very definite impression that actually being an agent and selling something is really disturbing their peace of mind.
Yes. Last year we stopped looking at houses through one estate agent (Oulsnam) after we discovered they wanted ID from us. First, the very idea was repugnant, and their Data Protection statement was not confidence-inspiring. We did manage the first viewing without "papers please" due to a cockup on their part. When I asked the seller if they'd had many viewings, they said "No", so I asked if they thought the ID requirement was putting people off. They said "What ID requirement?"...
I challenged one company for their data collection policy and they said it was on their website. It was the one for using the website that categorically started they wouldn't collect the data they were asking for!
I'm not sure if the seller has any liability for agents illegally prescreening if they pass that information onwards (I know in reality they will never be charged)
"Good to see some are being taken to task over their total failing to follow the law."
Yes, but this isn't law enforcement, the justice system or the regulators doing something. This is individuals kicking up a stink, gaining publicity, forming class actions etc.
"The case, brought by an Illinois woman...". So not even a case of reporting it to the authorities to start the action. She had to actually bring her own case to court before the legal system actually took notice. So how much else is going where people have neither the funds or ability to start an "action" and are being ignored when reporting it?
Went to a birthday party for someone in the office at a local pub. This one is part of a brewery owned chain and there was food provided. Certain items were okay but not everything and for some the next day was pure evil. You didn’t want to be too far from the toilet just in case.
Various people said they’d experienced the same thing and after checking found out what each of us had eaten. If you didn’t eat the deep fried batter covered items namely the courgette fries or the mozzarella sticks then you were fine. We reckoned that those items were more grease than batter and courgette/mozzarella. We vowed never to go back to that pub [chain] again.
If there were multiple people having the same illness from eating certain foods, you really ought have reported that to whatever the local equivalent of Trading Standards, Food Standards Agency or local council department responsible for food sellers. Just being greasy doesn't usually cause the shits. That's most likely some variant of food poisoning.
The department you’re looking for is the Environmental Health dept, and I’ll try not to be too graphic here. We did consider contacting out local EH, but we spoke first to one of the people present at the party. She is a mate of the birthday bloke, a doctor and she said it wasn’t food poisoning or likely to be a bug, she’d also eaten the aforementioned foods. She said the symptoms would be different if it had been food poisoning, norovirus etc. She reassured us it was just the extreme amount of grease that caused the waste to leave the body so easily, and the large amount of flatulence.
It wasn’t to quote Richard Hammond the “brown rain” that he always seemed to suffer from on foreign Top Gear road trips. Just that when you went to the toilet you didn’t need to exert yourself at all.
"Environmental Health dept,"
Thanks! I was having a brain fart and for the life of me could not remember the department name and wasn't making the assumption you were in the UK either.
And ta for the fuller explanation of what happened despite the almost "too much detail" :-)))
White Castle is a Whitey's, a common term in and around Chicago. Slider is a very small sandwich, resembles a hamburger. They are steamed, and not far from a turd. There are far too many good taco joints near Chicago to bother with that crap...
I was trying to defend hamburgers...
"The name originated in the 1940s, when sailors in the U.S. Navy would refer to mini-burgers as "sliders" because of their extreme greasiness. In just one or two bites, the burger would just slide right down! The slider was first created at White Castle, a popular American fast food chain restaurant."
And according to my dad, said burgers continued their entire journey in the same manner.
limited liability only relates the liability of the owners in relation to debts the company may have. It's nothing to do with the company liability to illegal or criminal actions. At best, it might partially protect the owners from bankruptcy inducing levels of fines, but that depends on the why the fines were levied and if the court decides the owners may be personally responsible.
The usual system is a PIN but that could be borrowed by someone else. An ID card that can be swiped or reed by near field is also a possibility.
There seems to be a nasty Luddite undercurrent that suggests that anything "technology" is fair game for anything destructive. Its a bit silly because your signature is a biometric marker -- its analyzed, stored and checked in exactly the same way as a thumbprint (and, come to think of it, a face). So if prints as ID are outlawed than just about any other form of ID is outlawed.
The system likely doesn't store prints as prints, either. They're just a series of numbers which describe notable features on the print (signature or face).
PNGs and JPGs are also "just series of numbers". However, given when the White Castles system was put in place, I'm going to guess it stored far less than everyone seems to be assuming. More likely (but not certain) it was only scanning maybe seven points of data for each fingerprint, hashing those & storing them. The hash was then used to unlock things & was likely no more complex than a PIN. No image of the actual fingerprint was stored and the whole thing probably sat inside a mostly standalone vendor supplied turnkey P4 or maybe Core 2 Duo box similar to the cardkey systems of the era.
A signature is NOT a biometric marker and handwriting analysis is not admissible as evidence because it's hokum.
In the first place, biometric means it's data based on measurements or analysis of the subject's body, and NOT their writing style (a learned behavior). Biometric data can be retrieved from a corpse or an uncooperative "subject" but try getting a signature from a dead guy!
"but try getting a signature from a dead guy!"
Trump, and some of his cronies, seemed to think that was quite a significant issue at the last election and caused their "not really defeat, it was really a win" result, even without evidence.
"A signature is NOT a biometric marker and handwriting analysis is not admissible as evidence because it's hokum"
Agreed, and while fingerprints are also hokum, they are often used *and misused*:
It is claimed that no two fingerprints are identical, while failing to mention that the use of finger prints relies on fingerprint identification and that *art* often fails to produce reliable results
https://sites.rutgers.edu/fingerprinting/no-two-finger-prints-are-alike
tl;dr: fingerprints may or may not be unique, but the way they are used as a biometric in practice does not guarantee uniqueness and is also prone to sloppy work and/or limited quality of samples.
In addition, keeping databases of people's biometrics for purposes of identification is of questionable ethics as it affects people's right to privacy. Also, in the hands of private institutions such records are subject to abuse as details can be added to the record with little oversight; that is someone with a petty grudge can add scurrilous claims if there is no oversight. Biometric data currently collected from facial recognition systems is notoriously unsupervised and not subject to any review. Associating such records with biometric data gives them a false sense of reliability beyond the hearsay the records actually are.
--Biometric data can be retrieved from a corpse or an uncooperative "subject" but try getting a signature from a dead guy!--
Well, based on the impression many here seem to have that you can murder the same individual several times I'd say you had a pretty good chance.
What's destructive about asking for permission beforehand?
The law itself was not written for this situation because if you start a job that requires you use biometrics to access a system and you refuse permission then you won't be in the job anymore as you won't be able to do said job. I think the idea was more where companies take the data without your knowledge or permission.
Making biometrics a condition of work is also illegal - it's not voluntary.
If it being "necessary" is a defence, everywhere else uses a card or a pin, hence that defence fails.
I've got a punchcard clock on my wall, it works just as well and has a nice "clunk" sound.
It might be illegal however we know that when you start a new job you have very few rights so a choice must be made. Do you accept it or start looking elsewhere? There isn't really much else you can do.
Do I think that's right or correct? Absolutely not.
As for necessary they could argue it's for security such as access to work premises or to computers. Not so much for work premises but computers are a different matter. Also under GDPR there is a section for processing data for employment but that's currently a very grey area as it clashes with another part on proportionality of said data.
@martinusher
As you note a Pin or ID can be borrowed easily by someone else (and can also easily be changed if that happens)
A signature can be copied (and if you discover that someone is faking your signature you can change your signature)
If someone manages to copy your thumbprint you're kinda screwed as you are generally stuck with that for life.
for logging into a system for work it should be something you have like a swipe card / id card etc and / or (ideally and) something you know like a PIN or password and it should be something that can be changed at short notice by either party should the systems behind them be compromised or the information shared by some other means.
Totally agree - Its just an access system.
What are people after - Do they want to push the laws so that every time your manager validates that its you by looking at your face, they are liable for a 'Facial Recognition' fine.
&^%*& Luddites.
Biometrics (especially finger prints) are a bad choice for an access system. Don't know about others, but leaving your fingerprints around is *easy*. Just order greasy food and a drink at a place where they have real glasses for the beverages.
Been though US immigration in the last few years? You'll be required to provide prints.
Applied for a driver's license in the US? Your thumbprint will be recorded.
Been stopped by the cops in the UK and you don't have any ID on you? A thumbprint will do just fine, sir.
There is an art to signature recognition. Mechanisms for recognizing signatures are still subject to patents but they exist. I've used them. My medical provider users them.
Incidentally, ID cards carry biometric information. In its most elementary form its your picture. The picture will be stylized, it will be against a plain background and not include optional items like hats. If the picture is being taken by the Federal Government then it will be a slightly turned head that clearly shows the left ear.
Simple way to tell if an identification identity for a minor task is invasive - remember that a password, PIN, 2FA fob can all be changed. You cannot change your fingerprints or face. The risk of breach/damage to the end user is too high for the reason the invasive technology is being used.
Regardless, the key here is active consent. None was gained, it was just enforced.
That is not active consent. That is forced consent.
Having your biometric data processed is not a necessity to getting your payslips. There's billions of people, the majority in fact, that get them without such tech invasion.
Therefore, you need consent to use such a system (at least, that's what the law being discussed here says. Same as numerous other data protection and privacy laws around the world).
Forced consent is not actually consent.
As far as I recall, various "Taxation Authorities" (state sponsored stand-over operations) have NO PROBLEM with annihilative liability. Pay up everything you have and whatever you might have AND you're in the clink. If they are judged guilty, and they incur the liability, then they should "go down".
What was the signature sometimes seen "I'll believe that corporations are people when Texas executes one" on the internet? Well, we might just see a version of this in action.
Anyone that's eaten there will agree there won't be a big loss if they go out of business.
Same for Krystal's, Wendy's, McDonald's, Burger King, and all the other joints that serve a minimum of food with a maximum of rudeness.
It's interesting to see the attitude extended towards their employees. It might explain the attitude exhibited by their employees.
Quite possibly. In fact, the only real loss is to the employees. Who will all lose their jobs, when this century-old family business shutters.
The market niche will transition from a 400 restaurant chain to the 40000 restaurant chains of BK and Micky Ds. It’s the ultimate victory for megacorp America. Who do you think financed the case?
Do you really think it was 17yr old Staci the night burger flipper, who was so outraged by them taking her fingerprint….that she took out her phone to send a DM to a top-flight Noo Yawk City law firm; unlocking her phone with her fingerprint in the process because that’s the way all phones unlock.
Digital Rights protection. We are so worn down about complete lack of, or actually the exploitation of our US personal data, it's a joke. T-Mobile, again and again. My Home Depot letter blaming criminals for their massive 2014 hack was pinned to my cloth cubicle wall while working in US DOD in Jan 2015. June the same year we were all informed that not only our, but family's birthdates, SSN, etc. were stolen. Oops, sorry! Until there are real monies being paid, our fscking politicians will continue bending us over so they get campaign money and make corporate friends. I can only Not give away personal info to counter. And yes, flame back. However, in the US it's increasingly difficult unless you want only broadcast TV and burner phones. Accountability isn't. Sad.
Playing devil's advocate for a minute:
...on subsequent scans you could argue it's not being "collected", there are a few pertinent ephemeral data points that are being compared with what's already been collected. That's certainly the argument I'd be making if I was their lawyer.
You could also easily argue that any "damage" to the privacy of individuals is only "inflicted" during the enrollment process, there's no further "damage" even if they swipe 10,000 times over the next 5 years, in terms of collecting additional data, so the arguments that it's multiple offences against each individual really shouldn't hold.
Personally, don't see anything wrong with it being used as an access method, so long as people are given the option to opt out and use an alternative login process, and the data being stored is not in a format that can be abused for anything other than access to the company's systems.
"use the fingerprint scanner or lose your job" that is the issue.
Is it? I see no evidence of that from the report (though it may have been in court submissions).
The issue as I read the article is that the documentation allowing legal collection of biometrics was not completed until 2018 which is not the same as employees volunteering (or not) their fingerprints for sign on. The whole case is that it wasn't done according to the law until 2018.
If you use commodity fingerprint readers with commodity software and it happens to be or become a popular system then miscreants gaining access to that database of fingerprint hashes could probably find a way to inject the hashes into other systems using the same h/w & s/w to gain access as that person.
Fortunately, as yet, there are not that many occasions where a person is expected to use a fingerprint scan for access to system so it's unlikely they will beusing the same type of system at multiple locations/organisations. In effect, it's currently security by obscurity, which we all know is not good security.
Do you think that a *burger joint* is really going to have commissioned some complex fingerprint IT system? Not even BK or Mickey D, but a family business that’s been around a century and barely understands email?
All they will have done is bought an Android tablet for each location, secured it to the front desk, and got its employees to dib their thumbprint on it to unlock it.
Set up one user account per burger flipper at the front desk, and bingo you’ve got a “biometric database”. where each employee who unlocks the pad to clock in and access the till, has an unforgeable and non-repudiable means to ensure that their employer knows who was at the till.
That’s literally all we’re talking about. A damn off-the-shelf Android tablet, set up to do what it does every day in a hundred million households. And some carpetbagger has used this to blackmail a perfectly normal business into bankruptcy. Beneath contempt.
Would you really? Until it’s your favourite independent one of a kind coffee shop where you go in the morning. Put out of business by Starbucks who will, I absolutely promise you, right now be hiring a small army of undercover baristas to see whether any independents within a twenty mile range of each of their shops has dared to use an Android tablet as their barista login. And sue them, of course they will fold immediately.
It’s a recession. Normally in a recession the high street fills with charity shops, but not this time. Did you never ask yourself why? Answers very simple: there’s now so much compliance legislation associated with checking out every individual item of secondhand stuff, charity shops barely break even to fund a donation to a hospital when the goods are given free and it’s staffed by a volunteer. Congratulations, this is the hellscape you voted for.
Have you looked at the list of *who actually gets prosecuted* and run out of business under the GDPR legislation? It’s not the big corporations that you hate so much. It’s the corner shops, the dentists, the local Councils
https://www.enforcementtracker.com/
This “privacy” witch-hunt ends only one way. When compliance with the rivers of everything that requires your attention, needs a compliance department of 5000 people, the only survivors are companies that employ 50,000.
There’s always a bigger fish, willing to pay more to lobby for even more regulation. Did you never think: if all these compliance regulations hurt Amazon so much….why don’t they lobby against it? Every package comes through your door is packaging where they get to print whatever message they like on it. Why aren’t you bombarded by marketing messages from the mega corps about how the EU is taking away your right to pay with one click?
Because they *love it* that’s why. *Love it*.
I'd assumed that a hash of the fingerprint is stored for later recognition of that print
I used to work for a company that made fingerprint readers. We didn't store the actual fingerprint - we stored a one-way hash of the fingerprint and the readers calculated the hash on the fly and sent the hash to the controller for it to authenticate. We also had stuff like 'is it a live finger' detection [1]. Initially we used rs232 to talk to the controllers but, while I was there, upgraded to ethernet.. (there was talk of wifi but it was decided that it was too unreliable and prone to connectivity errors - especially as the readers were fully weather-proof and tended to be in fairly hostile environments..
Any reader that stores and forwards your actual fingerprint is a security nightmare!
[1 When the weather was really cold I'd often fail that test - my fingers go quite white and numb when I get cold..
$17bn for collecting data? ok. If I were Ingram, the *family owner* of this chain since 1921, I would lean back and say “we’re done here”. This is a chain which has never franchised, nor taken on any debt to grow. Nevertheless, they’ve kept nearly 400 restaurants alive for a century. It’s fair to say the family have accumulated a lot of expertise in how to actually run a business that is longterm sustainable.
It’s a private company so it has no publically quoted value, but the chain has a revenue of $700M, under reasonable assumptions of margin might give them $50-100M annual profit. The whole business has not even one billion worth. Even assuming that the $17bn is an inflated aspirational number, there’s no way the business as a business can pay the interest on that. The employees are assuming the management will try…but really, there’s no onus on them to bother. What’s in it for them? The interest bill is higher than the revenue. This scenario is just the management working long hours for the next years to put more money into those guys pockets. Cut it off. Even if you tried to make this work, this is giving a burger-flipper a $100k windfall, for having their fingerprint taken. How many burger flippers do you know, who would continue working as a burger flipper with $100k in their pocket. None, right? So the business is shuttered, either way. It’s a sunk cost now, every minute the owner spends on trying to fix this shitshow is a minute they aren’t getting on with the rest of their own lives. Go to the gym, have a beer, shoot some pool. Don’t give a second thought; the people who did this to the business are the Class Action people, not you, and you can’t affect the past.
Just put a sign on the door in marker pen tomorrow morning saying “Closed. 400 restaurants on sale for $1”, and don’t leave a phone number. If anyone asks where their end- of-month paycheque is, suggest them to call a lawyer to get in on that sweet sweet $17bn action. Because there ain’t no more where that came from.
Relevance: Because only Mickey D’s and KFC will have compliance departments large enough to avoid wrongdoing in this new regulatory overreach environment.
That’s actually what a franchise *is*. They give you an 800-page operating manual. As a franchisee, you follow this paint-by-numbers checklist, do nothing else, and you’ll be ok. Come on, you know who operates Micky Ds. Do they strike you as the sort of people who strive for excellence and lack of food poisoning? Of course not. What they strive for is *taking all the steps necessary to avoid getting sued for it*.
Well over half the value you are now paying for as a Mickey Ds franchisee is them distilling the compliance law down into operating procedure for you.
That’s your future as a consumer, you’re welcome to it.
What a load of bullshit. Illinois' biometrics law was widely publicized, and anyone doing corporate law in Illinois should know about it. This isn't some mysterious tangle of obscure regulations; it's something the managers and execs had no reason not to be aware of from the get-go.
I can understand the charges of transmission (to a third party) but isn't the consent for collection pretty explicitly given by the employee placing their finger upon the scanner? I've definitely seen Schlage HandPunch systems (which scan the 3D structure of the hand to verify the user) at certain public sector buildings in the UK, not for entry but to clock in and out so either there's a big settlement in the works or it can be done legally over here.
It's not valid "consent for collection" when it's under the duress of losing your job if you don't.
Personally, I wouldn't mind that much, except corporate America has a habit of losing its customer data to skr1pt k1ddez Russian state hackers every other week, so I wouldn't feel that it would be safeguarded or treated with care.
It seems like clocking in and out is a much more immediate threat to employment but, re-reading it seems that it was a case of contracts not being updated to meet legislation. I doubt many employees would have refused to sign if the contracts had been updated immediately.
"annihilative liability" happens to human persons all the time in civil cases. It's actually a common outcome even for civil cases that are not that "serious". It should happen to corporate persons too. Especially since none of the people who committed this crime will be held criminally liable due to the corporate structure shielding them from criminal liability.
A billion dollar fine would likely put them out of bussiness. The burger flippers and fry cooks would all lose their jobs. Better to throw the CEO and and the IT manager who approved the idea in jail for 5 or 10 years. That would send a clear message that collecting personal data with out consent is wrong.
- 2004 Employee hired.
- Shortly thereafter, fingerprint system installed, prior to 2008.
- 2008 Illinois law passed (not a US law, a state law. And White Castle does business in 13 states).
- White Castle missed the news (the 12 other states don't have this law).
- 2018 White Castle realized the whoopsie. Has employees sign agreement.
- 2022-2023 A disgruntled employee gets a lawyer on contingency and away this goes.
I don't see where White Castle operated in bad faith. They missed the law when it was new in 2008. But this is not like they secretly installed bio-metric face readers to monitor employees or something like that.
Let's flip this around... How many employees would be screeching if their payroll information was compromised because White Castle did not have adequate security on their payroll system. White Castle tried to do the right thing - secure employee payroll info - but ran afoul of a NEW law where they did not get signed consent from employees first.
Also it seems to me the first time the employee authenticated to the system the fingerprint was "collected". Subsequent authentications and it was simply "verified". And employees knew it happened, this wasn't some sneaky secret leaked by a whistleblower.
Y'all should put your pitchforks away. There are far more grievous corporate transgressions to be chased.
I've read through all the comments and the general tone of a lot of posters is a very nihilistic "Smash it all down", a destructive Ludditism that doesn't seem to have a purpose. Yes, White Castle is a business, yes its family owned and its been around for a long time and its signature product is something a bit like a burger that's called a slider. (I don't live where they operate -- our equivalent would be In-n-Out.)
Honestly I'm appalled by such utter negativity. Although I tend to think of myself as a Grade 'A' cynic, an unreformed leftie and Heaven Only Knows What I'm gobsmacked by the sheer level of vitriol. I suppose most of the readership must be working in some kind of ultra-green whole food collective or something (in which case what on Earth are you doing on this website?).
Based on local experience these types of firms tend to offer close to a living wage to their employees which is why someone might find themselves working for them for many years. Killing them off only benefits the megacorps because they can afford the best -- lawyers, legislators, you name it. Class action lawyers know this which is why this sized privately held company is a prime target, especially if they haven't incorporated and made a web of interlocking companies to lose profits and limit liability. Its not a sin to run a company, in fact our society requires this kind of enterprise to survive since the larger organizations tend to be more focused on what they politely call "financial engineering".
When I was delivering for Amazon most times the customer would explicitly forbid any form of disturbance, especially by doorbell, and usually because the infants and pets had finally achieved peace in the household and the customers would tolerate no disturbance of that uneasy truce. However there was a sizeable contingent that insisted that the doorbell notification be rung, and most especially so if it were the “smart” doorbell security monitor that had already alerted the occupants of the invading presence by SMS delivery of the offending video footage!
I never touched those monitors on the grounds that a) the customer already acknowledged delivery over the loudspeaker, and b) who’s to say these aren’t fingerprint sensors out to gather and investigate my precious biometric data in order to learn all about my criminal past?
I say fuckem.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
