Wednesday, 14 January 2004
The Winnipeg Sun reports that McDonald's has confirmed that it is using biometrics in a payroll application in about half its restaurants in that city. Instead of punching time cards when they start and finish their shifts, employees run their hands past fingerprint and palm scanners. The devices are plugged directly into the company's computerized payroll system, which records the employee's working hours. The efficiency gains are obvious: "At McDonald's, the scanners are connected to the payroll department and save on paperwork, [McDonald's spokesman Ron] Christianson said. They also free managers from record keeping and get them out working with staff and the public, he added." Unfortunately, the restauranteur has failed to think through the privacy implications of this pilot program.
McDonald's does pay lip service to privacy: "Christianson said McDonald's will only use the prints for the stated purpose and has educated workers about its privacy policies and hired a privacy manager. There have been no complaints from Winnipeg workers about the time clock alternative." However, McDonald's does not appear to have subscribed to the best practices written by the BioPrivacy Initiative or any other published set of best practices. (Despite its name, the BioPrivacy Initiative is a biometrics industry trade group, not a privacy advocate.)
For example, McDonald's does not appear to have clearly and bindingly defined the scope of its biometric program. It is using biometrics solely for payroll purposes right now, but nothing would stop it from expanding the program to encompass other purposes tomorrow. A company spokesman's apology is little consolation for a long-gone former employee who falls victim to identity theft down the line. There is no indication that McDonald's is storing its employees' biometric templates separately from their other personally-identifying information, such as names and addresses. Christianson does not say anything about independent auditing of the company's biometric applications. Most importantly, there does not appear to be any ability for employees to control the use of their biometric data, nor does there seem to be any meaningful alternative for those who would prefer to opt out of the program.
In McDonald's defense, my sole source of knowledge of its biometrics program is the press, and this may simply be a case of newspapers oversimplifying the situation and failing to report all the facts. I have been surprised like that before. Unfortunately, this does not "smell" like such a case.