Who Owns Your Fingerprint? You Don’t.

One man decided to go to the Capitol to do something about it.

All across Oregon, employers use high-tech tools to track their workers.

Companies from Gresham pizza parlors to data centers in the Columbia River Gorge employ what are called "biometric" security measures: fingerprint scanners, facial recognition software, hand geometry readers, iris scanners and even devices that track employees' gaits or typing speed.

Such tools allow employers to trace their workers' access to financial and health data, proprietary secrets or high-value equipment such as computer servers. Sometimes, the scanners are just used to track employees' whereabouts: where they are within the office or even the country.

But in Oregon, there are no laws governing the collection, use and retention of biometric data.

This void scares the hell out of Chris Dresel.

One year ago, Dresel, 39, who works as an IT manager for the Centennial school system in Gresham, learned the district wanted to adopt a digital tool that would require employees to clock in and out using their fingerprints.

"They got a cheap fingerprint time clock from Amazon," Dresel says. "The instructions were in Chinese. And it was clear there was no encryption."

Dresel is a Navy veteran who served as a nuclear technician aboard the aircraft carrier USS Enterprise. He was aware of fears that Chinese tech companies were stealing Americans' data.

He determined fingerprint readers were easy to hack.

"I can't let my co-workers touch this," Dresel recalls thinking. "Those fingerprints could easily go back to China."

In congressional testimony last year, FBI Director Christopher Wray highlighted the threat Chinese intelligence-gathering poses.

"One of the things we're trying to do is view the China threat as not just a whole-of-government threat, but a whole-of-society threat," Wray said. "And I think it's going to take a whole-of-society response by us."

Dresel could see the risk—not just for a small public school district, but for any place employees might work in the future. Their fingerprints would essentially provide hackers with office keys.

"You may think, 'No big deal,'" he says, "but all of a sudden, the Chinese have access to something they shouldn't have."

Dresel's alarm might sound like something out of a Tom Clancy novel. Experts say it's not.

"That is very much a valid concern," says Matt Erickson, executive director of the Chicago-based Digital Privacy Alliance. "We are in the middle of a cyberwar with China—and everybody is on the front line."

In December of last year, the credit-reporting company Experian (which had suffered a massive security breach of its own) highlighted the value and vulnerability of biometrics.

"We've already seen the theft of biometric data," Experian noted, citing the 2015 theft of 5 million fingerprints from a federal agency. "As use of biometric authentication grows, so does the risk of biometrics becoming a target and a tool for cybercriminals."

Biometrics allow companies to strengthen their security measures: They provide another level of authentication beyond PINs and passwords.

But biometrics also present extraordinary risks. As Dresel discovered, the technology is accessible to everyone, but the unique physical characteristics biometrics capture are themselves often insecure. Who really has access to the data—and what happens to it when an employee or customer moves on? In many cases, nobody knows.

In Oregon workplaces, no one is even asking. "Biometrics privacy regulations remain in their infancy," says Saul Hubbard, spokesman for the state Bureau of Labor and Industries, which regulates Oregon employers. "They aren't something that BOLI has yet had to enforce."

Dresel persuaded Centennial to abandon the fingerprint scanner. But he realized every employee in Oregon was vulnerable to the same misguided approach his employer had taken.

That's when he decided to go to Salem.

When Dresel determined last May that something needed to be done about regulating biometrics, he sent an email expressing his worries to his state senator, Laurie Monnes Anderson (D-Gresham).

Monnes Anderson, 73, is less famous than her cousin, Simpsons creator Matt Groening, but she's an institution in Gresham, which she's represented in Salem since 2000.

Monnes Anderson was intrigued.

"You are hearing in the media of all these data breaches and how people's information is used inappropriately," Monnes Anderson says. "What Chris said just made sense. I felt strongly we needed to get this on people's radar."

In June 2018, Monnes Anderson's staff contacted Dresel for more information. He hadn't really expected to hear from her. "I was blown away," he says.

By December of last year, Monnes Anderson had taken Dresel's ideas, worked with Legislative Counsel and produced a draft of what would become Senate Bill 284.

Dresel, who is married, with a son and three dogs, likes to hike, raft and fish and build electronic gadgets in his spare time. He's a big Portland Timbers fan and had never been to the state Capitol, let alone met a legislator or lobbyist.

But on Jan. 31, he drove his Prius to Salem, hoping to persuade lawmakers to pass a new law to govern Oregon employers' collection and use of biometrics.

He was going up against the interests of the most powerful corporations in America today—Google, Facebook and Amazon, all of which have lobbied against the regulation of biometric data in other states.

The 22-foot gilded pioneer atop the Capitol dome in Salem symbolizes the independent spirit of Oregon's citizen Legislature. But, in reality, Dresel was entering a world where special interests wield infinitely more clout than a network administrator from east Multnomah County.

"The legislative process is dominated by the people who are in the Capitol every day," says former Senate Majority Leader Diane Rosenbaum (D-Portland). "The average person doesn't have that kind of resources."

Most of the 2,800 or so bills introduced this legislative session are championed by powerful organizations, crafted by high-priced lawyers and shepherded through the Capitol by savvy lobbyists with long-standing connections to legislators.

"I would say fewer than 5 percent of bills come from individuals," says Greg Chaimov, formerly the Legislature's top legal counsel. Few such bills get a hearing, and only a small fraction of those pass. "In terms of resources and knowledge," Chaimov adds, "the deck is stacked against regular citizens."

Dresel didn't care.

"Up to that point, I had never been involved in the political process, but my boss wanted to implement this crazy fingerprint reader," Dresel recalls. "I said, 'There needs to be a law against this.'"

Monnes Anderson says she assumed her bill would generate opposition, but she remained optimistic.

"I know industry doesn't want any barriers on what they can do," Monnes Anderson says. "I love our capitalistic society, but we are so focused on making money, we're not paying attention to the rights of consumers like we should."

As Senate president pro tem and chairwoman of the Senate Health Care Committee, Monnes Anderson wields significant clout in the Capitol.

She approached state Sen. Kathleen Taylor (D-Portland), chairwoman of the Senate Workforce Committee, and asked Taylor to grant SB 284 a public hearing.

Even though many bills never get a hearing, Taylor was interested. "She said, 'Hey, I like this,'" Monnes Anderson recalls.

SB 284 would prohibit employers from collecting any biometric data from employees, except fingerprints needed for background checks.

On Jan. 31, Dresel decided to make a day of it in Salem. Dressed in a maroon windbreaker and black Navy cap, he explored the Capitol. He loved the grandeur and architecture but was less impressed by "the lack of security for the most important building in Oregon."

After testifying about his concerns with biometrics, Dresel answered several questions from lawmakers. His remarks appeared to resonate with Taylor, the chairwoman, and other members of the committee.

Sen. Jeff Golden (D-Ashland) said he had formed an impression that biometrics could be the solution to many problems, such as lost or forgotten passwords. "But that all presumes [biometrics] are not stealable," Golden added, "and that theft isn't a real problem."

Following Dresel in the public hearing came the lobbyist representing big tech.

Nels Johnson, 36, lobbies for Thorn Run Partners, whose stable of clients includes municipalities such as the city of Gresham, nonprofits such as Renewable Northwest and corporations such as Uber and AT&T.

Johnson earned his law degree across the street from the Capitol at Willamette University and is as much of a political insider as Dresel is an outsider.

He's the son of former state Rep. Mark Johnson (R-Hood River), who later led the state's largest business lobby, Oregon Business & Industry.

Johnson is what's called a contract lobbyist; rather than working on salary for one employer, he represents a variety of clients, who pay Thorn Run a monthly retainer. There are currently 1,143 registered lobbyists in Salem, about 13 for each one of the 90 lawmakers. State senators and representatives come and go, but lobbyists may stay in the building for decades.

"My job is to provide information to people," Johnson says. "Legislators only have one or two staffers, so it's hard for them to know about every bill that comes in front of them."

Johnson came before Taylor's committee that day for one reason: to kill Dresel's bill.

"It's exponentially easier to kill a bill," Johnson says, "than to pass one."

When he saw SB 284 pop up on the schedule, Johnson let Monnes Anderson know prior to the public hearing that tech companies didn't like it.

In his testimony, Johnson called the bill "overly broad" and warned it would lead to "unintended consequences." He said that contrary to endangering employees' data, biometric identifiers, used in conjunction with passwords, could enhance security, because that combination is difficult to fake.

Johnson illustrated ways in which the bill went too far—the Portland Trail Blazers, he told lawmakers, would not be allowed to hook players up to machines to test their heart rates or body fat if the bill passed.

When the lobbyist concluded his testimony, Monnes Anderson pushed to keep the bill alive.

"All of us, including the tech industry, need to look at how [companies] are using our information," Monnes Anderson said to Johnson. "If you could meet with my constituent now outside, I would appreciate that."

The Capitol measures 400 feet from end to end. On the ground floor, much of that length is given to one long corridor, lined with hearing rooms on one side and the state's longest couch on the other. It is there that much of the real business of the Legislature—whispered asides, brief chats and horse trading—gets done.

Dresel waited for Johnson outside Hearing Room D with some preconceived notions.

"I pay attention to politics," says Dresel, a registered Democrat and vice president of his local in the Oregon School Employees Association. "I do my own research. When lobbyists run things, that makes me sick. I guess I thought of lobbyists as vultures, the scum of the earth."

Contrary to his expectations, Dresel says he found Johnson reasonable. But the lobbyist's charm didn't change their fundamental disagreement.

Johnson told Dresel in the hallway it would be risky for Oregon to establish a strict law prohibiting the collection of biometric data when other states hadn't considered the issue and no federal standards existed.

Dresel disagreed, but the men arranged to meet a couple of weeks later at Monnes Anderson's district office in Gresham City Hall.

There, Johnson says, he made it clear that a wide variety of tech interests believed the bill was deeply flawed. Without powerful backing to counterbalance that opposition, Monnes Anderson knew her bill was toast.

She suggested an informal work group, which would allow all stakeholders to be heard and possibly craft a compromise bill for future sessions. Johnson was receptive. He says he and other tech lobbyists recognized the issue Dresel raised would not go away and the Legislature would have to deal with it—just in a different bill.

"To the degree you can work with people, that's always the goal," Johnson says. "It's in nobody's interest to be adversarial if you don't have to be. Sometimes you can't do that and you go into kill mode."

Rosenbaum, the former Senate Majority Leader, says the first catch phrases lobbyists use to kill bills are some variation of the words Johnson used in his Salem testimony: "overly broad" and "unintended consequences."

The third is the dreaded "work group."

That's an exercise in which poorly paid, part-time legislators and well-paid advocates and lobbyists who have plenty of time on their hands convene to hash out their differences.

Dresel says Monnes Anderson cautioned him progress would be difficult. "She told me: 'They are going to try to drag this out as far as they can,'" he recalls. "'They will do anything to stop it from passing.'"

On March 14, Taylor held a brief work session on SB 284. At that point, Monnes Anderson waved a white flag: "It cannot be passed as is," she said.

There were too many objections from companies and groups eager to employ biometrics. Another cyberprivacy bill, the product of an 18-month work group, took priority. Dresel's bill failed to get a hearing before the Judiciary Committee by the March 29 deadline.

That meant it was dead.

Johnson had done his job—for now. "It's a win in the sense that a piece of legislation with pretty profound implications didn't pass," he says. "Making policy is hard and it's nuanced."

Monnes Anderson says SB 284 still has a future—especially, she says, because Sen. Floyd Prozanski (D-Eugene), who chairs the Senate Judiciary Committee, is passionate about data privacy.

"I am confident this bill concept will move forward with all the stakeholders at the table," Monnes Anderson says. "This is an area in which the chair of Judiciary [Prozanski] has a keen interest. And hopefully, maybe in the 2020 or 2021 session, we will see fruition of my constituent's bill."

For veterans of the legislative process, such as Rosenbaum and Chaimov, it's unsurprising that a bill would fail in its first session. "Any new idea needs two, and often three, sessions to get adopted," Chaimov says. "It just takes time to get all the players involved to get to the point where you've solved everybody's issues."

Rosenbaum notes, for example, that Democrats have been trying to pass a family medical leave bill since winning majorities in 2007 and have yet to succeed. "You never know when the timing is right," she says.

Dresel, however, feels frustrated. "I was trying to champion this bill to help people who don't know anything about biometrics," he says, "and I feel like the state is turning its back."

He fears lawmakers will recognize the risk of unregulated biometric data collection only after a major breach. By then, he says, it may be too late.

"Information that is attached to your body, you can't change," Dresel says. "If your bank account gets hacked, it's a pain but you can fix it. You can get a new account or a new credit card. But if your fingerprint is stored and it gets compromised, you can't change that."

Our Bodies, Our Laws

Even as the collection of biometric data pervades everyday life—think smartphones, gym entrances and home security devices—only three states, Texas (2008), Illinois (2009) and Washington (2017), have passed laws regulating the collection and storage of such data.

Washington Rep. Jeff Morris (D-Mount Vernon) says it took him three sessions to get his state's bill passed, in large part because of opposition from tech giants that make and use various biometric tools.

Morris says the bill faced determined opposition from Microsoft and Amazon, both headquartered in Washington. "Facebook opposed it very actively also," Morris tells WW.

The collection of biometrics is not new in Oregon. For a decade, Oregon Driver & Motor Vehicles Services has used facial recognition software to combat identity theft. (DMV spokesman David House says the agency has millions of photographs in its database, but it is not connected to the internet and therefore secure.)

Facebook uses facial recognition software to tag photos. And Amazon has discussed multibillion-dollar deals for its facial recognition software with the federal government.

A national survey of IT professionals last year found that 62 percent of employers use some form of biometric security.

While such technology is largely unregulated, court decisions are beginning to erode certain practices.

The Illinois Supreme Court recently issued a landmark ruling in what's known as the "Six Flags case," finding that the amusement park chain violated state law there by collecting a 14-year-old boy's thumbprint without proper consent.

Legal analysts cited the ruling as a blow to Facebook and Google, both of which face class action lawsuits for gathering photographs—biometric data—without consent.

A friend-of-the-court brief filed by the American Civil Liberties Union in the Illinois case put the stakes in perspective.

"Without reasonable limits, biometric technologies threaten to enable corporations and law enforcement to pervasively track people's movements and activities in public and private spaces, and risk exposing people to forms of identity theft that are particularly hard to remedy," the ACLU wrote.

Bank accounts and credit cards can be closed and money recovered, but biometric identifiers such as fingerprints are unique—and therefore uniquely valuable.

"What if somebody could move through the world masquerading as you," Matt Erickson of the Digital Privacy Alliance asks, "and there was nothing you could do to stop them?"