24 Hour Fitness and biometric data
Should 24-Hour Fitness have your Biometric Information?
Riddle: What do the 1980’s, Karate Kid, your fingerprint, and 24 Hour Fitness have in common?
Answer: Capitalism, testosterone… and anything but consumer privacy.
Think 1980’s – no, not the Wall Street 80’s with Michael Douglas, or the Whip It electro punk 80’s – more the Karate Kid 80’s, a time when the testosterone driven, steroid freaks got the girls, bullied kids at recess, and came up with the dimmest one-liners… ever.
Some context. Last Saturday, I watched Stanford beat up Wake Forest with some buddies. A group of Arizona Wildcat fans watched the Iowa – Arizona game. On occasion, the Cats fans would banter with my Stanford buddies, “Did you even go to Stanford…? Well, you must still be a virgin.” Then silence. Well hello Mr. 80’s, how we’ve missed you, I thought.
I felt bad for them. Not for my buddies, all of whom were over 40 and not virgins, but for all the kids who were forced to ride with the 80’s hold-over bully on the short bus to school. The banter continued until game’s end, when one of his buddies bellowed, “24 Hour Fitness!” while flexing. Ah yes, we unwittingly bantered with 24 Hour Fitness employees, and for that, I am a little embarrassed. There went thirty minutes of my life I will never get back.
This morning, I went to my local 24 Hour and was greeted with the new fingerprint scanner. For those who don’t know, 24 Hour is replacing the membership card swipe for a process that has more steps and takes longer. On entry, members enter their phone number into the keypad and then press their fingertip onto the scanner. Given my skeptical nature, I thought, Should I trust Mr. 80’s with my fingerprint?
One of the managers assured me the scan was not “biometric” and that it did not record and store my fingerprint. Instead, it images the fingertip and ties the image with different fingerprint patterns to my phone number, and voilà, all the identity with half the biometric. In droves, fitness fans came in the door and opted into the supposed “non-biometric” biometric ID. She assured me members can opt out, but they will be forced to check in behind the more “chic,” privacy giver-uppers after the next 90 days.
Biometric defined. A quick Google search led to a definition on Reuters: “the use of physical … characteristics unique to an individual, such as a finger or palm print… to identify people.” (Reuters, 2010). A recent article, “Biometric Security: Fingerprint check-in tried at 24 Hour Fitness,” specifically talks about the system. The article reads:
“The system doesn’t actually store fingerprints of the type that could be compared to latent prints from a crime scene, officials say. The machines, made by MorphoTrak of Alexandria, Va., map out unique points within the ridges of a finger, then convert that information into a binary code – ones and zeroes – that is encrypted…
Two privacy experts… said consumers should be certain that biometric scans taken at places like 24 Hour Fitness are stored securely and not used for any other purpose.”
Where are the “not quite fingerprints” stored?
To explain, MorphoTrak convinced 24 Hour to use their biometric scanning tools and database. MorphoTrak is part of Morpho, a defense contractor. This company recently changed its name from Sagem Sécurité. Morpho (Sagem) is owned by the Safran Group, a world leader specializing in Aerospace, Defense, and Security, based in France. In fact, all the companies are French. Safran calls itself the world’s “#1 of biometrics fingerprint database[s]” with surveillance aircraft, iris scanners and much, much more.
The answer: the database is French-owned, and it’s the largest in the world. God only knows where the data is stored. Here, like in Karate Kid, there is always a little guy out there looking to take down the big man on campus. Hackers are always breaching security systems of companies. We rarely hear about half the cases. While the company’s claim is that the prints cannot be reverse engineered by hackers, the information stored on the database can be sold to the highest bidder. Does it matter whether the bidder is a corporation or government? I could see insurance companies wanting the data along with corporations wanting to keep group premiums low. “Who actually works out and how often?”
MorphoTrak calls fears of the system “irrational.”
I say granting consent based on erroneous information is irresponsible (and possibly illegal). Unfortunately, employees of 24 Hour are soliciting consent through misinformation. They claim the reason for the change is convenience… Oh, and it also cuts down on the cost of taking member photos and mailing out membership cards. Last year the number of cards issued to new members was 1.9 million. So, should you trust Mr. 80’s with your biometric information, or, rather, employees who think the 40 Year Old Virgin was a documentary of Stanford grads? Um, no.