NYC again considers banning biometric tech for businesses, residential buildings
The New York City Council considered two pieces of legislation during an oversight hearing on Monday that would ban businesses like music venues, theaters and supermarkets from using biometric recognition technology to identify customers, and ban the tech in residential buildings.
The proposed local laws are reiterations of bills heard by the council’s Committee on Technology last year that would have also put restrictions on the use of biometric surveillance and data collection across the city. But Council Member Shahana Hanif, the prime sponsor of the legislation to ban businesses from using the tech, said renewed concerns — including the impact of collecting biometric data, the security stored data and the role of the city’s Cyber Command and Office of Technology and Innovation in leading that effort — make passing the laws all the more urgent.
“Since this bill was heard last session, there have been countless developments that have made this the passage of this bill more urgent than ever, including wrongful arrests and data leaks — but the event that stands out the most to me is the Federal Trade Commission’s finding in December that the pharmacy chain RiteAid used facial recognition technology to falsely and disproportionately identify thousands of people of color and women as likely shoplifters, including those right here in New York City,” Hanif said during the hearing.
Kelly Moan, the city’s chief information security officer and head of the New York City Cyber Command, testified before the committee about the initiatives her office has launched for city agencies to address the concerns about the risks to collecting sensitive data, such as biometrics. She said her office also collaborates with the city’s critical infrastructure partners, which are mainly private entities, such as banks, hospitals and utilities, to conduct trainings for protecting the data they collect and hold.
“Having strong partnerships in place prior to an incident across many different sectors are essential, and cybersecurity is a team sport and New York City Cyber Command is only one part of that team,” Moan said.
Moan said that the legislation regarding the use of biometric technology in residential buildings falls outside of the city’s Office of Technology and Innovation’s purview, but said the proposal to ban businesses from using biometrics explicitly excludes government agencies that use or collect biometric data.
“While OTI is unable to take a position on these bills, we want to underscore the administration’s commitment to work with city council and ensure that the proper balance of privacy and public safety within emerging technology,” she said.
Council Member Jennifer Gutierrez, who chairs the technology committee, said the committee was disappointed in Moan’s inability to provide specific information about actions her office’s takes to protect city and critical infrastructure systems. Several committee members said that while they understood the need for confidentiality regarding certain security details, the lack of substantive responses was concerning.
Jake Parker, spokesperson for the Security Industry Association — a nonprofit trade association of companies that offer security and safety products and services throughout the U.S., including biometric technologies — also testified that completely banning biometric technology would do more harm than good.
Parker said the city could use biometric technologies and prioritize security, law and ethics, and take care not to discriminate. He pointed to how commonly used the technology has become over the last year since the City Council considered measures to ban it, including in sports arenas, concert venues and some express checkout lanes at grocery stores.
“As drafted, Int. No. 217 would simply outlaw most uses of biometric technologies by businesses and consumers regardless of the purpose or whether it is part of a service requested or agreed to by an individual,” Parker’s testimony reads. “This would (1) rob consumers of the choice to use more secure and convenient methods to verify their identity and (2) dictate unnecessary limitations on methods New Yorkers can use to protect themselves and their property.”
Parker also noted that biometric laws could potentially devastate small businesses, pointing to laws in other states with a private right of action, like the Illinois Biometric
Data Protection Act, which is similar to New York’s legislation.
New York’s law specifies that businesses that need biometric technology to carry out core functions — such as custom running shoe store that runs gait analysis on its customers with their permission — would be permitted to do so. But businesses that collect biometric data would be required to protect it and publish policies on its use.
“Implementations of that [biometric technology] are completely voluntary, so you’re basically just taking something away that they’re using for convenience and in greater security,” Parker told StateScoop.
