24 Hour Fitness and biometric data
Should 24-Hour Fitness have your Biometric Information?
Riddle: What do the 1980′s, Karate Kid, your fingerprint, and 24 Hour Fitness have in common?
Answer: Capitalism, testosterone… and anything but consumer privacy.
Think 1980’s – no, not the Wall Street 80’s with Michael Douglas, or the Whip It electro punk 80’s – more the Karate Kid 80’s, a time when the testosterone-driven steroid freaks got the girls, bullied kids at recess, and came up with the dimmest one-liners… ever.
Some context. Last Saturday, I watched Stanford beat up Wake Forest with some buddies. A group of Arizona Wildcat fans watched the Iowa – Arizona game. On occasion, the Cats fans would banter with my Stanford buddies, “Did you even go to Stanford…? Well, you must still be a virgin.” Then silence. Well hello Mr. 80′s, how we’ve missed you, I thought.
I felt bad for them. Not for my buddies, all of whom were over 40 and not virgins, but for all the kids who were forced to ride with the 80’s hold-over bully on the short bus to school. The banter continued until game’s end, when one of his buddies bellowed, “24 Hour Fitness!” while flexing. Ah yes, we unwittingly bantered with 24 Hour Fitness employees, and for that, I am a little embarrassed. There went thirty minutes of my life I will never get back.
This morning, I went to my local 24 Hour and was greeted with the new fingerprint scanner. For those who don’t know, 24 Hour is replacing the membership card swipe with a process that has more steps and takes longer. On entry, members enter their phone number into the keypad and then press their fingertip onto the scanner. Given my skeptical nature, I thought, Should I trust Mr. 80′s with my fingerprint?
One of the managers assured me the scan was not “biometric” and that it did not record and store my fingerprint. Instead, it images the fingertip and ties the image with different fingerprint patterns to my phone number, and voilà, all the identity with half the biometric. In droves, fitness fans came in the door and opted into the supposed “non-biometric” biometric ID. She assured me members can opt out, but they will be forced to check in behind the more “chic,” privacy giver-uppers after the next 90 days.
Biometric defined. A quick Google search led to a definition on Reuters: “the use of physical … characteristics unique to an individual, such as a finger or palm print… to identify people.” (Reuters, 2010). A recent article, “Biometric Security: Fingerprint check-in tried at 24 Hour Fitness,” specifically talks about the system. The article reads:
“The system doesn’t actually store fingerprints of the type that could be compared to latent prints from a crime scene, officials say. The machines, made by MorphoTrak of Alexandria, Va., map out unique points within the ridges of a finger, then convert that information into a binary code – ones and zeroes – that is encrypted…
Two privacy experts… said consumers should be certain that biometric scans taken at places like 24 Hour Fitness are stored securely and not used for any other purpose.”
Where are the “not quite fingerprints” stored?
To explain, MorphoTrak convinced 24 Hour to use their biometric scanning tools and database. MorphoTrak is part of Morpho, a defense contractor. This company recently changed its name from Sagem Sécurité. Morpho (Sagem) is owned by the Safran Group, a world leader specializing in Aerospace, Defense, and Security, based in France. In fact, all the companies are French. Safran calls itself the world’s “#1 of biometrics fingerprint database[s]” with surveillance aircraft, iris scanners and much, much more.
The answer: the database is French-owned, and it’s the largest in the world. God only knows where the data is stored. Here, like in Karate Kid, there is always a little guy out there looking to take down the big man on campus. Hackers are always breaching security systems of companies. We rarely hear about half the cases. While the company’s claim is that the prints cannot be reverse engineered by hackers, the information stored on the database can be sold to the highest bidder. Does it matter whether the bidder is a corporation or government? I could see insurance companies wanting the data along with corporations wanting to keep group premiums low. “Who actually works out and how often?”
MorphoTrak calls fears of the system “irrational.”
I say granting consent based on erroneous information is irresponsible (and possibly illegal). Unfortunately, employees of 24 Hour are soliciting consent through misinformation. They claim the reason for the change is convenience… Oh, and it also cuts down on the cost of taking member photos and mailing out membership cards. Last year the number of cards issued to new members was 1.9 million. So, should you trust Mr. 80’s with your biometric information, or, rather, employees who think the 40 Year Old Virgin was a documentary of Stanford grads? Um, no.