Amazon Subject of Illinois Biometric Information Privacy Act Lawsuit

Written by: Charles R. Langhorne IV, Esq.

Recently, three plaintiffs filed a class-action lawsuit alleging that Amazon violated Illinois’ Biometric Information Privacy Act (“BIPA”) by collecting and storing “voiceprints” without the users’ consent.

Voiceprints

Amazon has a software product called Amazon Connect that companies use to run call centers. One company with whom Amazon has partnered is Pindrop Security. Pindrop Security has the capability to create a “voiceprint,” which is essentially a fingerprint based on your voice. Voiceprints are used to authenticate callers by the unique attributes of their voice.

Class-Action Details

The issue in this case arises from the creation of voiceprints without obtaining callers’ consent. Voiceprints are considered “biometric data” under BIPA, and BIPA requires consent of the data subject prior to collection and processing of such biometric data.

Specifically, the plaintiffs all used a call center provided by the financial services company John Hancock. When the plaintiffs called the John Hancock support line, they were informed that they no longer needed to enter their security PIN, due to Pindrop’s ability to authenticate their calls based on their voice.

Ramifications

While this sounds like a convenient feature, it raises serious security concerns. The lawsuit homes in on one in particular: the lack of security controls offered to callers in the event of a data breach. When using a PIN, if the business suffers a data breach, the caller can simply change their PIN. When a voiceprint is the only means of authentication, and the hacker obtains the voiceprint, there is nothing a caller can do to change their voiceprint. This is certainly a problem when a voiceprint is used to authenticate into an account containing sensitive financial information, such as one at John Hancock, but that could be the tip of the iceberg. Pindrop is in the business of making money. It is possible Pindrop provides voice authentication services for many companies with whom an individual may have accounts. If Pindrop were to suffer a data breach that leads to the loss of a voiceprint, multiple accounts associated with an individual could be compromised, and the individual would have no means of “resetting a password.”