By: George Daoud

On its surface, facial recognition software does not seem threatening.  After all, many people use it to unlock their latest iPhone.  In fact, in the hands of law enforcement and federal agencies, it can be used to track and apprehend criminal suspects or victims of crimes.  Companies like Clearview AI, for example, produce facial recognition software that they claim is created for just that purpose.  

The Clearview AI concept is relatively simple.  They provide law enforcement with a tool to upload someone’s picture onto their software, then, the algorithm does the rest.  Through online scraping, the algorithm searches Facebook, Twitter, Google, Instagram, LinkedIn, and endless other web sources, to identify a host of information about the selected person within seconds.  This information can include address, place of work, friends, recent travel, and arrest records.  Needless to say, the usefulness of this type of technology is apparent for certain law enforcement and surveillance purposes, but the question is where to draw the line in terms of privacy.

To further this privacy dilemma, Clearview AI’s entire client list was recently exposed in a massive data breach. This discovery shed light on the fact that Clearview had not only sold its technology to more than 2,200 law enforcement organizations, government agencies, and security companies around the world, but that some of these entities were not law enforcement at all. Well known companies like, Macy’s, Kohl’s, Walmart, and the NBA to name a few, were amongst the Clearview clients that were found to be regularly using the software.  Furthermore, it was discovered that Clearview’s founders gave potential investors and friends free access to the technology, escalating the public unease that already existed.

How Does It Work? 

Facial recognition software is a type of artificial intelligence (AI) that uses ‘machine learning’ and more specifically ‘deep learning’ methods to operate.  Deep learning in AI involves digital algorithms that function similarly to a human brain, and analyze information using artificial neural networks. These neural networks are composed of interconnected neurons, like a brain, that break down and analyze data. Moreover, each neural network is composed of layers, namely an input, hidden, and output layer.  The hidden layer is where an AI algorithm does the majority of its computing.  In order for facial recognition software to function at its maximum potential, it requires a multitude of hidden layers which require more data points to provide greater accuracy and more efficient results.  In these hidden layers, however, is where companies, like Clearview AI, focus their development, and where the public concern for privacy protections lies.

            Since the hidden layers of facial recognition algorithms require more data to be accurate, everyday individuals, and those wrongly suspected, could be subject to massive invasions of privacy through digital data mining.  This not only brings the possibility of Fourth Amendment unreasonable searches and seizures violations into the forefront, but also highlights the level of scrutiny that should be given to personal digital information in the eyes of the law.

Carpenter Concerns

In the 2018 Supreme Court case, Carpenter v. U.S., the Court decided that the warrantless acquisition of a person’s cell-cite information by law enforcement was an unconstitutional search in violation of the Fourth Amendment.  Furthermore, the Court made the distinction between when privacy should and should not be expected.  They deemed that digital cell-cite information given to a third party, like a phone company, and acquired by police, was only pseudo-voluntary.  Therefore, the owner of the information does not have a genuine choice in terms of allowing third-party access.  This pseudo-voluntariness, according to the Court, leads a reasonable person to have a higher expectation of privacy for their information.  If a reasonable person does not think that their digital information would be subject to regular scrutiny by a third-party, then their privacy expectation is inviolable by law enforcement.  That being said, where does that leave a company like Clearview AI?

More Questions Than Answers…

            The crux of the problem with current facial recognition software, is that, unlike in Carpenter, the information that is utilized by law enforcement will not likely hold the same privacy weight in a court of law.  This is mainly due to the fact that the information used, is publicly available and is voluntarily provided to third parties. When one creates an online profile and purposefully puts their digital footprint on the web, the expectation for privacy is assumed to be lessened.  As a result, the liability that companies and law enforcement agencies will face, when using facial recognition to track people, will be drastically reduced. This has the potential to not only increase its unfettered usage in both the private and public sector, but also to incentivize future developers to push the boundaries.  How much and what type of information can be mined and utilized by an algorithm’s hidden layers are open to interpretation.  The only concern companies have right now is getting the most accurate results.  The question is though, who watches the watchmen?    

There is no doubt that there are benefits to facial recognition software, especially in the context of law enforcement.  However, when private companies and individuals can peek into the lives of anyone through a picture, protection at the cost of privacy may not be as good as it sounds. 

Sources: 

Kashmir Hill, The Secretive Company That Might End Privacy as We Know It, The New York Times (Jan. 18, 2020), https://www.nytimes.com/2020/01/18/technology/clearview-privacy-facial-recognition.html.

Ben Gilbert, Clearview AI Scraped Billions of Photos from Social Media to Build a Facial Recognition App That Can ID Anyone — Here’s Everything You Need to Know About the Mysterious Company, Business Insider(Mar. 6, 2020),https://www.businessinsider.com/what-is-clearview-ai-controversial-facial-recognition-startup-2020-3#then-in-march-another-new-york-times-piece-on-the-company-revealed-another-stunning-detail-the-companys-founders-casually-gave-access-to-the-software-to-potential-investors-and-friends-who-immediately-abused-it-6.

Peter Margulies, Surveillance By Algorithm: The NSA, Computerized Intelligence Collection, and Human Rights, Fla. L. Rev. (July 2016), https://scholarship.law.ufl.edu/cgi/viewcontent.cgi?article=1321&context=flr.

Carpenter v. United States, 138 S. Ct. 2206 (2018).

UNIDIR, The Weaponization of Increasingly Autonomous Technologies: Artificial Intelligence a Primer for CCW Delegates, U.N. Docs.No. 8 (2018).  

By: Robert Baurley

By the start of 2020, the Nintendo Company sold approximately 46.79 million units of their “Nintendo Switch” gaming consoles, worldwide.^[i]Arguably, one of the reasons behind the Switch’s success derives from Nintendo’s inclusion of previously published games, on their new mobile gaming device.^[ii]This feature allowed Nintendo to not only expand their video-game library, but also encourage new users to purchase their systems through the option to play familiar games found on older game consoles of competitors. 

This marketing and business strategy, leaves many customers questioning Nintendo’s pricing policies regarding older— “remastered”—video games. For example, Bethesda Studios’ iconic role-playing video game, The Elder Scrolls V: Skyrim was originally released in 2011, since then, Bethesda Studios offered remastered versions of the game on other “next generation game consoles”, including the Playstation 4 and the Xbox One. Today, a remastered copy of Skyrim can be purchased on the Playstation 4 and Xbox One for $39.99 each.^[iii]The exact same remastered game is now available on the Nintendo Switch for a price of $59.99.^[iv]

The natural—and seemingly unjust—frustration associated with Nintendo’s remastered game titles is easily explained. When Nintendo created (and patented) their Nintendo Switch gaming console designs, they also created a proprietary gaming card. Their creation of this new proprietary gaming card platform has now artificially increased the price of Nintendo videogames.^[v]These prices are accurately described as artificial, not only because of the mere fact that that game is the exact same version that can be played on Sony or Microsoft game consoles, but also because the problem was directly created by Nintendo themselves. 

Often coined “the Nintendo Tax,” this increased price for Nintendo games has left customers hoping for change in 2020. One area where Nintendo has decided to meet customers’ needs, is by allowing the integration of third-party memory cards to the Nintendo Switch’s operating system.^[vi]However, Nintendo’s continued direct control over their intellectual property (when it comes to creating game cartridges or system improvements) and unwavering global sales, likely indicates that the Nintendo Tax will continue for as long as the company can collect “taxes” from Switch customers.

So, what does this mean for the future of the Nintendo Switch? Most likely, the Switch will continue to create a niche placement as a mobile gaming console that operates at a higher price point for consumers. Aside from cheaper console options (Nintendo Switch Lite),^[vii]Nintendo’s games will continue to cost customers more to play, in the long run.

Hopefully, overtime Nintendo will loosen the reigns on their proprietary game cards and storage systems. But as of yet, that remains unlikely with an extremely profitable yearly sales model. 

---

^[i]Erik Kain, The Nintendo Switch Has Now Sold More Units Than the Super NES, Forbes, (Jan. 2, 2020),https://www.forbes.com/sites/erikkain/2020/01/02/the-nintendo-switch-has-now-sold-more-units-than-the-super-nes/#2278557946cd.

^[ii]Chad Sapieha, Nintendo Switch: The Good, the Bad and the Pricey, postmedia breaking news(Jan. 13, 2017), https://business.financialpost.com/technology/gaming/nintendo-switch-the-good-the-bad-and-the-pricey.

^[iii]Sony Computer Entertainment, https://store.playstation.com/en-us/product/UP1003-CUSA05333_00-SKYRIMHDFULLGAME?emcid=se-pi-225351; Microsoft, https://www.microsoft.com/en-us/p/the-elder-scrolls-v-skyrim-special-edition/BQ1W1T1FC14W?activetab=pivot:overviewtab.

^[iv]Nintendo Co. Ltd., https://www.nintendo.com/games/detail/the-elder-scrolls-v-skyrim-switch/

^[v]Matthew Humphries, Cartridges Mean Switch Games Will Always Cost More, ziff Davis media Inc., (Mar. 13, 2017),https://www.pcmag.com/news/cartridges-mean-switch-games-will-always-cost-more.

^[vi]Matthew Humphries, Nintendo Switch-Branded Micro SD Cards Launching, ziff Davis media Inc., (Jan. 30, 2017), https://www.pcmag.com/news/nintendo-switch-branded-micro-sd-cards-launching. 

^[vii]Scott Stein, Be Happy with the Nintendo Switch You’ve Got, Because You’re Not Getting a New One This Year, CNET Networks Inc., (Mar. 1, 2020), https://www.cnet.com/news/be-happy-with-the-nintendo-switch-youve-got-because-youre-not-getting-a-new-one-this-year/.

By: Monique Witter

We live in a generation where millennials are constantly finding innovative and creative ways to contribute to society through entrepreneurship. Some even go as far as applying for trademark protection through the U.S. Patent and Trademark Office (USPTO). However, the same protection they think will protect their business may be what actually ends it. 

The USPTO introduced a new rule requiring all trademark applications to include an email address for the applicant and the applicant lawyer. Like other contact information, the applicant’s information will be published on USPTO’s public database website. Trademark owners are opposed to this rule. The rule has led to digital versions of scam letters to plague brand owners. The USPTO reason for implementing this rule is to further digitize trademark proceedings to ensure that the agency can still email applicants if they are no longer represented by their attorney. However, trademark lawyers have reacted negatively to this rule. Lawyers have seen their clients get hit with a deluge of scam letters aimed at duping trademark owners into paying fake fees. The mailing address used for those letters are pulled from the same database in which the USPTO will now feature email address.

This rule has invoked a furious reactions from other U.S. trademark counsels. U.S. trademark counsel claims that the USPTO is not considering the privacy of its users, especially in light of new data protection and privacy laws in California (California Consumer Privacy Act) and the European Union (General Data Protection Regulation). According to attorney Stacy J. Grossman, “I appreciate the trademark office’s efforts to prevent fraud, and its need to have necessary information to contact trademark owners. However, I don’t understand why this information has to be published in a public database, and why the failure to include a proper email address could cause a trademark applicant to lose its filing date.”

            Attorney Peter J, Riebling reiterates these issues by noting that the issue is more problematic for well-known public figures. “We have heard from numerous counsels overseas who represent celebrity clients, who are genuinely concerned about the privacy aspects, and the extra burden of having to file a petition to the director of the USPTO for a special waiver of the rule. Yes, a petition may be filed to redact the applicant’s email address in the TSDR documents tab in an ‘extraordinary situation’. And yes, an applicant being a celebrity – and the related privacy and safety concerns – will likely qualify as an extraordinary situation to waive the rule as allowed under TMEP (Trademark Manual of Examining Procedure) §1708. But is not every applicant a ‘celebrity’ in some way or form, if even in their own mind?  What is the legal test the director will use for who is and not a celebrity? Where is the line?”

            In response to the criticism, the USPTO will allow for trademark applicants to create a “unique” email address for dealing with the agency. The new filing released by the USPTO stated “to avoid receiving unsolicited communications at a personal or business email address, applicants and registrants may wish to create an email address specifically for communication and correspondence related to their trademark filings at the USPTO.” The USPTO responded to stakeholders’ concerns regarding the potential for misuse of owner email addresses and for owners represented by attorneys. 

The USPTO responded “in order to address these concerns, and balance them against the need for contact information concerning registrations, the USPTO is reissuing the examination guide. The USPTO is continuing to explore additional improvements, including potentially masking email addresses, and will provide notice of any such system updates in the future.” 

Bill Donahue, After Backlash, USPTO Trying To Hide TM Email Addresses, Law 360, (February 11, 2020), https://advance.lexis.com/document/?pdmfid=1000516&crid=10e9a042-caaf-4c2f-9f2e71e5cf73873a&pddocfullpath=%2Fshared%2Fdocument%2Flegalnews%2Furn%3AcontentItem%3A5Y7J-SBN1-F30T-B05R-00000-00&pddocid=urn%3AcontentItem%3A5Y7J-SBN1-F30T-B05R-00000 00&pdcontentcomponentid=122080&pdteaserkey=sr5&pditab=allpods&ecomp=spnqk&earg=sr5&prid=adad6bc3-12f4-4c9d-b0ee-1130ec9833c1.

 Liz Brodzinski, IP Alert | USPTO Trademark Rule Changes: Electronic Filing, Email Addresses and More, (February 20, 2020) https://bannerwitcoff.com/ip-alert-uspto-trademark-rule-changes-electronic-filing-email-addresses-and-more/.

Tim Lince, USPTO urged to halt applicant email requirement following revolt by trademark attorneys, (February 10, 2020), https://www.worldtrademarkreview.com/governmentpolicy/uspto-urged-halt-applicant-email-requirement-following-revolt-trademark.

 

 

By: Dejaih Johnson

Medicine is rapidly approaching a time where robots will perform surgeries autonomously. From minimally invasive surgery to emergency response and medical robotics, robotically assisted surgeries now represent one of the fastest growing sectors in the medical devices industry. The introduction of these robotic medical devices has made medical operations much more efficient and effective. Surgeons have reported quicker recovery times, less pain, and less blood loss when using a robotic medical device. Though these devices have the capacity to greatly improve the practice of medicine, their usage is not without issue. Over the past twenty years, robotic surgeries have resulted in more than 144 deaths, 1391 injuries, and 8061 device malfunctions. 

Lack of regulation in this area raises many regulatory, ethical, and legal issues. In the European Union (EU), for example, they have yet to establish a clear regulatory framework. Under the Medical Devices Directive, the EU classifies these devices as “Class IIb medical devices”. This means that surgical robots are regulated in the same category as scissors and scalpels. Additionally, the EU does not recognize separate qualifications for surgeons. This approach has proven problematic since surgeons using medical robots require special skills different from that of regular surgeons, such as the ability to control the robot’s manipulators. EU manufacturers are required to seek a certificate for each medical device they wish to sell, but the process is not specific to robotically assisted surgeries. 

On the other hand, the United States has taken a bit of a different approach. Currently, the Food and Drug Administration (FDA) regulates robots as medical devices. The issue, however, lies in the fact that the FDA can regulate them only as medical devices since the FDA lacks the authority to regulate the practice of medicine. Presently, robotic devices in the United States are only used under the supervision of surgeons. For example, surgeons enter calculations and program decisions into their robotically assisted surgical devices. But the United States has failed to fully develop an appropriate regulatory scheme to address this unique issue.

Scholars from varying disciplines have weighed in on the question of how to regulate this practice. One approach, developed by Guang-Zhong Yang, takes into account the uniqueness of medical robotics: the varying levels of autonomy at which the device may operate. As the level of autonomy increases, more stringent regulations and additional requirements would apply. Yang proposes six levels of autonomy for medical robotics, with accompanying levels of regulation and procedure for each. The six levels would break down as follows:

Level 0 – No autonomy: Includes tele-operated robots or prosthetic devices that respond to and follow the user’s command; may also include a surgical robot with motion scaling. 

Level 1 – Robot assistance: Robot provides some mechanical guidance or assistance during a task while the human has continuous control of the system (e.g., surgical robots with virtual fixtures and lower-limb devices with balance control). 

Level 2 – Task autonomy: Robot is autonomous for specific tasks initiated by a human. Operator has discrete, rather than continuous, control of the system (e.g., suturing where the surgeon indicates where a running suture should be placed, and the robot performs the task autonomously while the surgeon monitors and intervenes as needed). 

Level 3 – Conditional autonomy: System generates task strategies but relies on the human to select from among different strategies or to approve an autonomously selected strategy. Robot can perform a task without close oversight (e.g., where active lower-limb prosthetic device can sense the wearer’s desire to move and adjusts automatically without any direct attention from the wearer). 

Level 4 – High autonomy: Robot can make medical decisions but under the supervision of a qualified doctor (e.g., robotic resident who performs the surgery under the supervision of an attending surgeon). 

Level 5 – Full autonomy: No human needed; robot can perform an entire surgery. 

In addition to taking into account the varying levels of autonomy, manufacturers of the device would have to seek licensing and certification from the hospital. The upside of this would be that the framework allows regulators to establish a forward-thinking approach to the robotic medical devices. 

As technology advances faster than regulation, regulators must determine an appropriate framework to address the myriad of issues. Even in the uncertainty, however, it still remains there must be a response to the influx of regulatory, ethical, and legal questions raised. 

References:

Damini Kunwar, Robotic Surgeries Need Regulatory Attention(Jan. 8, 2020), The Regulatory Review, https://www.theregreview.org/2020/01/08/kunwar-robotic-surgeries-need-regulatory-attention/.

Guang-Zhong Yang, et al., Medical robotics – Regulatory, ethical, and legal considerations for increasing levels of autonomy(Mar. 15, 2017), Science Robotics, http://robotics.tch.harvard.edu/publications/pdfs/yang2017medical.pdf.

By: Nolan Hale

Everyone likely has been affected by the cruel disease known as Alzheimer’s. Alzheimer’s is the sixth-leading cause of death in the U.S and according to the Alzheimer’s Association, 5.8 million Americans are living with the Alzheimer’s disease. 

Like many families, my family watched the steady decline of a wonderful human being who we lost too young. My grandmother had the disease when she was in her early 70’s. I remember there being many hurdles that my family had to overcome, like getting the proper treatment and competent nursing home care. While I was young, I remember the stress on the faces of my family members up until the very end. My grandma is one of millions who go through this nightmare and researchers have been trying to find answers. Unfortunately, there have been new developments that are not so promising. 

Last Monday, the Banner Alzheimer’s Institute in Phoenix released the results of a study of people who are destined to develop Alzheimer’s at a young age because of rare gene flaws. The study involved 200 people in the United States and Europe. Unfortunately, the results were a disappointment for scientists. The drugs failed to prevent or slow mental decline of the people who inherited rare gene flaws. Each person had a genetic mutation that almost guaranteed Alzheimer’s in your 30’s to 50’s. While these people account for 1% of Alzheimer’s cases, their brains are similar to those who develop the disease at a later age.

The numbers surrounding Alzheimer’s are staggering and there are many reasons to lose hope. Behind these numbers is something that people seem to forget – the caregivers. According to the Alzheimer’s Association, more than 16 million Americans provide unpaid care for people with Alzheimer’s or dementia. Additionally, these caregivers provide an estimated 18.5 billion hours of care valued at $234 billion.

Is there any hope left? I am sure many of you are wondering. Meet Jack and Beverly Blackard. Jack has been battling Alzheimer’s since 2019. They live in Clarksville, Tennessee and Beverly has been Jack’s full-time caregiver. The Alzheimer’s Association is pushing to pass a three-year policy program that would provide state funded home care and delivered meals for caregivers. Jack and Beverly are advocates for passing the bill by meeting lawmakers and telling their story. Some assembly members are taking notice.  Assembly members Cecilia Aguiar-Curry (D-Winters) and Monique Limón (D- Santa Barbara) introduced Assembly Bill 2047 and Assembly Bill 2048, flanked on the floor of the State Assembly. The bills provide seniors, providers, and caregivers with the tools they need to recognize and plan for an Alzheimer’s diagnosis. Other lawmakers are taking notice and many hope that the bills will take steam. However, like trying to find a cure for Alzheimer’s, passing a bill of this magnitude will take a long time. In the meantime, families should be aware of their options.

According to Karl Steinberg, a California geriatrician, “If you’ve got the resources, where you’ve got family and paid caregivers at home, you’re all set.” However, he states that if you are living in a facility, you are likely to die in the facility. Many Americans have turned to dementia directives created in recent years. The Advance Directives are growing in demand because a patient can refuse oral assisted feeding when they are in an advanced state of dementia and cannot make decisions. It is controversial because terminally ill patients will likely die within two weeks after refusing food and water. The directives drafted in New York and Washington State have drawn hundreds of users. 

People need to be aware that Alzheimer’s can put you in a situation where you can no longer take independent action. There are many different viewpoints as to whether someone should be able to decline medical intervention in advance. Dementia is different for everyone and it may be difficult for doctors to determine when they can no longer make decisions. Some are at home with a caregiver while some are in a facility that may be understaffed and poorly operated. If a doctor does not give food or water because of a directive against the family’s wishes, legal battles could ensue. Where should the doctor draw the line? 

In conclusion, there are many ways to fight Alzheimer’s. The harsh reality is that having Alzheimer’s and caring for one with Alzheimer’s is a long uphill battle. It is best to have a plan in place if you or a loved one is struck with dementia before it is too late. This includes talking with your loved ones about how they would like to be taken care of and financially planning for any disease. There are options like Long term care Medicaid, a special needs trust, and powers of attorney. In the meantime, love your family like Beverly loves Jack – unconditionally and through thick and thin.

JoNel Aleccia,Diagnosed with dementia, she documented her wishes for the end. Then her retirement home said no,Washington Post(Jan. 18, 2020), https://www.washingtonpost.com/health/diagnosed-with-dementia-she-documented-her-wishes-for-the-end-then-her-retirement-home-said-no/2020/01/17/cf63eeaa-3189-11ea-9313-6cba89b1b9fb_story.html.

John Ross,What an Elder Law Attorney Has to Say About Alzheimer’s Disease, cbs19 (Feb. 16, 2020), https://www.cbs19.tv/article/news/health/what-an-elder-law-attorney-has-to-say-about-alzheimers-disease/501-f20f8c29-a4a5-478f-a85c-b2370e2d7bcb.

Assemblymembers Aguiar-Curry and Limón introduce legislative package to tackle Alzheimer’s crisis, Lake County Record-Bee (Feb. 5, 2020), https://www.record-bee.com/2020/02/05/assemblymembers-aguiar-curry-and-limon-introduce-legislative-package-to-tackle-alzheimers-crisis/.

Facts and Figures, Alzheimers Association, https://www.alz.org/alzheimers-dementia/facts-figures (last visited Feb. 18, 2020).

Dementia Advance Directive, End of Life Choices New York,

https://endoflifechoicesny.org/directives/dementia-directive/(last visited Feb. 18, 2020).

Joshua Prestonet al., The Legal Implications of Detecting Alzheimer’s Disease Earlier, AMA Journal of Ethics (Dec. 2016), https://journalofethics.ama-assn.org/article/legal-implications-detecting-alzheimers-disease-earlier/2016-12.

By: Maddie Loewenguth 

In the summer of 2019, after a series of measles outbreaks in New York schools during the previous academic year, a new state law was passed that ended the religious exemption for vaccinations.

Under the new law, Public Health Law Section 2164 and New York Codes, Rules and Regulations Title 10, Subpart 66-1, all children attending public, private or parochial school in New York State must be immune to diphtheria, tetanus, pertussis, measles, mumps, rubella, poliomyelitis, hepatitis B, varicella, and meningococcal in accordance with Advisory Committee on Immunization Practices recommendations. 

In the fall of 2019, all children had to begin getting their vaccines within the first two weeks of classes and complete them by the end of the school year, June 2020. This new law affects about 26,000 New York children who previously obtained religious exemptions. Parents who chose not to vaccinate their children had two options, home school or move out of New York. 

The measles outbreak began in New York City in October of 2018. There were 654 reported cases in New York City and 414 in other parts of the state. The majority of the cases involved unvaccinated children in Hasidic Jewish communities. Dr. Oxibris Barbot, the city’s health commissioner issued a statement that the “best defense against renewed transmission is having a well immunized city.”

The passage of the New York State law took place on June 13^th. New York is now the fifth state following California, Maine, Mississippi and West Virginia, to enact a law requiring children in public schools to be vaccinated and barring all nonmedical exemptions to vaccinations. New York is now considered the state with the strictest policies in the nation. 

Maine’s law does not go into effect until 2021 and makes exceptions for special education students. California, where nonmedical exemptions ended in 2015 allows districts to exempt disabled children. 

All states require children to receive certain vaccinations before entering public school, but every state allows exemptions for children who cannot be vaccinated for medical reasons. There are also states that allow for religious exemptions and for nonreligious exemptions based on personal belief. 

Several states have banned nonmedical exceptions, others have imposed rigorous requirements for parents seeking nonmedical exemptions. For example, in Nebraska, parents must submit “an affidavit signed by a legally authorized representative stating that the immunization conflicts with the tenets and practices of a recognized religious denomination of which the student is a member.” 

Three states also specify that “philosophical arguments” must not be cited as a basis for granting a religious exemption. For example, Alaska law states that “statements indicating philosophical or personal opposition to vaccines will invalidate religious documentation.” 

Parents are advocating on both sides of the issue, those against vaccines, either believe that their children have been injured by previous vaccinations or that it is against their religion to vaccinate their children and are exploring homeschooling options. Parents on the other side are worried about the effect non-vaccinated children will have on the health of their children and are asking schools not to place their children in classrooms with students who have not been vaccinated. 

The most recent news regarding the NYS immunization battle is the introduction of the HPV vaccine to be added to the mandatory list of vaccines for New York schoolchildren. HPV is associated with many cases of cervical cancer and the rates at which parents are vaccinating their children is dropping. It will be interesting to see if the HPV vaccination bill will pass and be added to the list of mandatory vaccines, as well as what states will follow New York in barring non-medical exemptions.  

Sharon Otterman, Get Vaccinated of Leave School: 26,000 N.Y. Children Face a Choice, New York Times, (Sept. 6. 2019) https://www.nytimes.com/2019/09/03/nyregion/measles-vaccine-exemptions-ny.html.

Leksandra Sandstrom, Amid Measles Outbreak, New York closes religious exemption for vaccinations but most states retain it,Pew Research Center(June 28, 2019). https://www.pewresearch.org/fact-tank/2019/06/28/nearly-all-states-allow-religious-exemptions-for-vaccinations/.

N.Y. Pub. Health Law§ 2164 (Consol. 2019). 

David Robinson, HPV Vaccine Joins NY school immunization battle, (Jan 11, 2020). 

https://www.mpnnow.com/news/20200111/hpv-vaccine-joins-ny-school-immunization-battle.

By: Sehseh K. Sanan

Procedural Due Process is embedded in the Constitution and demands that a person’s life, liberty, and property, are not denied without “notice, opportunity to be heard, and a decision by a neutral decisionmaker.” ^[1]

But what is a neutral decisionmaker? Typically, we would think of a judge or a jury, who is not a party in the case, listening to facts, applying law, and coming out to a decision. But what if the decisionmaker was a computer? Specifically, a computer deciding how long someone should be in jail. 

Right now, and approximately since 2016, courts across the world are beginning to use algorithms to determine sentencing guidelines. ^[2]Prior to using algorithms, in the U.S., judges had to rely on either sentencing guidelines or mandatory sentencing. ^[3]Sentencing Guidelines are provisions published by the Federal Government that go through factors such as “subjective guilt of the defendant and to the harm caused by his facts.” ^[4]Judges are not mandated to follow the Guidelines, but they are required to explain why they are departing from the federal suggestions. ^[5]Under mandatory sentencing, judges are required to impose minimum sentences depending on the charges that the prosecutor brings. ^[6]This is frequently seen in drug or drug-related charges. ^[7]What both of these systems have in common is that they are trying to assess the risk that an offender poses on society and how long they should be incarcerated to right the wrong. 

Figure 1^[8]

Artificial intelligence and algorithms claim to do the same thing as previous systems: assess risk and attempt to deter the offender. ^[9]Algorithms take into consideration factors such as “(1) the likelihood that the defendant will re-offend before trial (“recidivism risk”) and (2) the likelihood the defendant will fail to appear at trial.” While this may seem beneficial from a utilitarian perspective, the rise of algorithm usage has had devastating and long-lasting effects. ^[10]People like Darnell Gates, who served time from 2013 to 2018 for running a car into a house and violently threatening a domestic partner, was deemed high risk and did not even know it. ^[11]Further, as these algorithms are being made by human beings, their innate biases are being built into these algorithms. ^[12]It is no secret that people of color, particularly Black men, are more likely to be subjected to higher sentences. ^[13]

So, where do we go from here? Mandatory sentences are not the answer as they impose higher sentences even for first time offenders. ^[14]The guidelines also have racial biases. ^[15]Personally, if the goal of criminal justice and prisons are to reform offenders, then I think that the criminal justice system should be reformed to match that goal. Prisoners should receive education and a support system that will push them to not reoffend. We as a society could focus on a combination of rehabilitative and restorative justice. ^[16]By focusing on this combination, the troubles and obstacles that offenders find once they leave prison can be alleviated by the support of their community and society. ^[17]Maybe this could lead to a better society. But either way, we should definitely not let computers and algorithms decide. 

---

^[1]Procedural Due Process, Legal Information Institute, Cornell Law School,https://www.law.cornell.edu/wex/procedural_due_process(last visited Feb. 9, 2020).

^[2]Kehl, Danielle, Guo, Priscilla, Kessler, Samuel. Algorithms in the Criminal Justice System: Assessing the Use of Risk Assessments in Sentencing. (July 2017). Responsive Communities. Available at: https://cyber.harvard.edu/ publications/2017/07/Algorithms.

^[3]Federal Sentencing Guidelines, Legal Information Institute, Cornell Law School, https://www.law.cornell.edu/wex/federal_sentencing_guidelines(last visited Feb. 9, 2020); Mandatory Minimums and Sentencing Reform, Criminal Justice Policy Foundation, https://www.cjpf.org/mandatory-minimums(last visited Feb. 9, 2020). 

^[4]Federal Sentencing Guidelines, Legal Information Institute, Cornell Law School, https://www.law.cornell.edu/wex/federal_sentencing_guidelines(last visited Feb. 9, 2020). 

^[5]Id. 

^[6]Mandatory Minimums and Sentencing Reform, Criminal Justice Policy Foundation, https://www.cjpf.org/mandatory-minimums(last visited Feb. 9, 2020).

^[7]Id. 

^[8]Demographic Differences in Sentencing, U.S. Sentencing Comm’n, https://www.ussc.gov/sites/default/files/pdf/research-and-publications/research-publications/2017/20171114_Demographics.pdf(last visited Feb. 9, 2020).

^[9]Algorithms in the Criminal Justice System: Pre-Trial Assessment Tools, Electronic Privacy Information Center, https://epic.org/algorithmic-transparency/crim-justice/(last visited Feb. 9, 2020). 

^[10]Cade Metz, Adam Satariano, An Algorithm That Grants Freedom, or Takes It Away, NYTimes, Feb. 6, 2020, https://www.nytimes.com/2020/02/06/technology/predictive-algorithms-crime.html (last visited Feb. 6, 2020).

^[11]Id. 

^[12]Id. 

^[13]Demographic Differences in Sentencing, U.S. Sentencing Comm’n, https://www.ussc.gov/sites/default/files/pdf/research-and-publications/research-publications/2017/20171114_Demographics.pdf(last visited Feb. 9, 2020). 

^[14]Mandatory Minimums and Sentencing Reform, Criminal Justice Policy Foundation, https://www.cjpf.org/mandatory-minimums(last visited Feb. 9, 2020).

^[15]Racial, Ethnic, and Gender Disparities In Federal Sentencing Today, U.S. Sentencing Comm’n, https://www.ussc.gov/sites/default/files/pdf/research-and-publications/research-projects-and-surveys/miscellaneous/15-year-study/chap4.pdf(last visited Feb. 9, 2020). 

^[16]David Best, Pathways to Recovery and Desistance: The Role of the Social Contagion of Hope(2019). 

^[17]Id. 

By: Casey Bessemer

Let’s say that you are online shopping, as millions of Americans do. You go to Amazon.com and pick out a particularly nice doodad and buy it. It gets that sweet, free two-day shipping because you have Amazon Prime and it arrives and it’s the best time. But several weeks later, you learn that Amazon’s database has been hacked into and, to make matters worse, the hackers got away with enough of your personal information to open, and then spend on, several credit cards. How do you solve this problem? Will you sue Amazon for lack of adequate security measures? But where do you bring the suit, the place where Amazon keeps it servers or the place where the cyberattack originated? What if the attack originated from outside the United States, but was routed through several states before attacking Amazon’s servers? Each of these questions would have to be answered in a variety of ways, making the issue even more confusing. 

In 2016, there were approximately 1,093 data breaches that affected more than 3.6 millions files, with attacks predicted to increase as the world uses the internet to store more and more data.^[1]These files contain personal data from various sources, everything from healthcare to social media to consumer websites. About half of Americans “feel that their personal information is less secure than it was five years ago”^[2]and with Facebook founder’s Mark Zuckerberg’s recent testimony at his Senate hearing, I can’t blame them. Sure, there are methods, such as password encryption software, that consumers could use to better protect their personal data on their own end, but these major breaches are occurring within the major companies themselves, within their databases that are supposedly “secure.” Shouldn’t these corporations have to follow the security measures to protect our data? It was a rhetorical question: the answer is yes. 

            In light of this, the United States has yet to enact any sweeping legislation that would relieve the consumer of the confusion of how to prosecute cyber-criminals. Consequently, “the struggle to regulate consumer data shows how lawmakers have largely been unable to turn rage at Silicon Valley’s practices into concrete action.”^[3]The United States does have three key pieces of legislation (the 1996 Health Insurance Portability and Accountability Act (HIPAA), the 1999 Gramm-Leach-Bliley Act, and the 2002 Homeland Security Act, which included the Federal Information Security Management Act (FISMA)) but these pieces of legislation only cover specific industries, specifically “healthcare organizations, financial institutions, and federal agencies.”^[4]They are of little use to the average consumer. Instead, the average consumer needs laws for a global medium that can be implemented across various jurisdictions with consistent rulings and punishments. 

THE INTERNET IS NOT A SINGULAR PLACE
            First, and perhaps the most obvious, is that the internet is not a singular place. Rather the internet is “a global computer network providing a variety of information and communication facilities, consisting of interconnected networks using standardized communication protocols.”^[5]And the fact that the internet is a “global” medium means that any information gathered by and then stored on the internet is effectively stored around the globe at a single time. Companies and legislations may argue that the data is on servers and the servers are subject to the laws of the jurisdiction that the servers are located in, but when a malicious third party attacks those servers, they do not go travel to the actual servers – they do attack remotely, from any possible location with an internet connection. Since the nature of these attacks can come from any jurisdiction, it stands to reason that they should be punishable within any jurisdiction, regardless of the location of the attackers or the servers themselves. In absence of some global legislation and taskforce, countries will have to rely on their own individual legislation and taskforces. Unfortunately, the United States has no such national privacy legislation. 

STATE BY STATE PROTECTION

            Currently, “federal level security and privacy legislation are lost in a morass of partisan politics and corporate lobbying delays.”^[6]So states have taken the task into their own hands. Currently, “at least 43 states and Puerto Rico [have] introduced or considered close to 300 bills or resolutions that deal significantly with cybersecurity; thirty-one states [have] enacted cybersecurity-related legislation in 2019.”^[7]Now that is a lot of coverage, but not complete coverage. States, being independent jurisdictions and personalities, have chosen different methods of defining what a “cyber attack” means and what punishment is available to any offenders. For example, Nevada, Minnesota, and Maine have specific legislation that “prohibits using, disclosing, selling, or permitting access to customer personal information unless the customer expressly consents to such,” while California has many more regulations, each targeting a specific goal such as consumer privacy or children.^[8]But some states have yet to address the issue. It is because of this hodgepodge of legislation in different states that a national privacy law makes even more sense: a national security law would impose consistent basis of prosecution and determinable punishments. 

CONCLUSION

            Because of the continued reliance and use of the internet as a medium for transactions and storage of personal data, there will eventually come a time where the United States needs to enact a federal statute to completely cover cybercrimes, something akin to the General Data Protection Regulation (GDPR) in Europe. This change must come because the current method of state-by-state regulation creates a mess of legislation that does not completely cover cyber attacks, and because the internet is a global place, the legislation needs to be applicable everywhere. Although lawmakers have said “they wanted a new federal law to protect people’s online privacy,” little to nothing has actually happened.^[9]

---

^[1]A Glance at The United States Cyber Security Laws, https://www.appknox.com/blog/united-states-cyber-security-laws(last viewed Jan. 31, 2020). 

^[2]Aaron Smith, Americans and Cybersecurity, PEW RESEARCH CENTER(Jan. 26, 2017), https://www.pewresearch.org/internet/2017/01/26/americans-and-cybersecurity/.

^[3]David McCabe, Congress and Trump Agreed They Want a National Privacy Law. It is Nowhere in Sight., N.Y. TIMES(Oct. 1, 2019), https://www.nytimes.com/2019/10/01/technology/national-privacy-law.html.

^[4]Supra note 1.

^[5]Internet, Oxford Reference(Jan. 10, 2020), https://www.oxfordreference.com/view/10.1093/oi/authority.20110803100008533.

^[6]Cynthia Brumfield, 11 new state privacy and security laws explained: Is your business ready?, CSO(Aug. 8, 2019), https://www.csoonline.com/article/3429608/11-new-state-privacy-and-security-laws-explained-is-your-business-ready.html.

^[7]Cybersecurity Legislation 2019, NCSL.COM(Jan. 10, 2020), https://www.ncsl.org/research/telecommunications-and-information-technology/cybersecurity-legislation-2019.aspx.

^[8]Id.

^[9]Supranote 3.

By: Erin Kelly

In 1990, the Federal Bureau of Investigations (FBI) developed software to compare DNA samples found at crime scenes against the DNA samples of arrestees. This software, the Combined DNA Index System (CODIS), has over 14.3 million DNA samples stored to its system. In 2013, the Supreme Court of the United States ruled in Maryland v. Kingthat states may collect DNA samples from arrestees without probable cause. However, law enforcement officials have recently used independent, commercial databases to identify suspects in criminal cases.

Ancestry is a company that specializes in commercialized DNA testing to show customers their family trees and their genetic heritage. The company has over sixteen million DNA samples stored in the Ancestry DNA database. A competitor company, 23andMe, has over ten million customers who have purchased a DNA testing kit. Both companies have reported that their customer information is not released to law enforcement officials absent a warrant or subpoena. This is not true of every commercial genealogy database.

After receiving their DNA data test results, customers from companies like Ancestry and 23andMe can upload their DNA data to third party websites to expand their search for familial connections. For example, GEDmatch is free to use and allows individuals to find genetic connections with users from across DNA testing websites, not just the original company they used. In 2018, Joseph James DeAngelo was arrested and charged with thirteen counts of murder committed in California between 1976 and 1986. When searching for suspects in this cold case, law enforcement officials created a profile on GEDmatch with the crime scene DNA. This is only one example of how DNA data from publicly available websites has helped to apprehend criminals.

After news broke about DeAngelo’s arrest and law enforcement’s use of GEDmatch, privacy concerns arose. To address these concerns, GEDmatch altered their terms of service. Previously, the website allowed law enforcement to use its database when investigating a violent crime. However, the website’s terms never defined “violent crime.” GEDmatch’s updated terms created an opt-in agreement, where customers must affirmatively agree to opt-in to automatically be included in future law enforcement searches. Customers who choose not to opt-in still have complete access to GEDmatch’s services.

On the surface, this might seem to address privacy concerns. In practice, these terms only apply to situations in which law enforcement formally requests access to GEDmatch’s database. As with the DeAngelo case, law enforcement officials may still create a profile on the website using the crime scene DNA. This provides complete access to the website’s DNA database. In December 2019, a forensic genomics company, Verogen, purchased GEDmatch. According to its website, Verogen works to improve the field of forensic science through technological advances. Verogen announced that “GEDmatch’s terms of service will not change, with respect to the use, purposes of processing, and disclosures of user data.” Verogen has previously worked with the FBI to create DNA profiles for the National DNA Index System, combining federal, state, and local forensic contributions. Therefore, GEDmatch users will likely not experience more privacy protection in the wake of the Verogen takeover.

            If law enforcement officials are able to make a profile with crime scene DNA, like in the DeAngelo case, are they also able to access the more popular Ancestry or 23andMe? These websites operate differently. Individuals gain access to their online profile only after purchasing a DNA test kit from one of these websites and sending in the completed kit. Therefore, unlike other websites, law enforcement officials cannot upload DNA samples collected from crime scenes. This does not necessarily mean the data is secure. These companies are not health care providers, therefore, the Health Insurance Portability and Accountability Act (HIPPA) does not apply. HIPPA is a federal law that ensures the privacy of health data. Subpoenas seeking the release of medical records are usually insufficient to release genetic information protected by HIPPA.

            As science and technology advance, legislatures try to keep up. In January 2020, Senator Susan Lee introduced a bill before Maryland’s General Assembly, requiring the State’s Attorney to make a disclosure to criminal defendants if “forensic genetic genealogical DNA analysis and search” is used during the case investigation. The disclosure is limited to cases where publicly available open databases and consumer genealogy services are used by law enforcement. The bill has support from Maryland House Delegate Charles Sydnor III, who proposed a similar bill in 2019, which did not make it out of committee. Consumers should exercise caution and make an informed decision when using any product, especially those that threaten constitutional rights, like privacy.

Sources:

Antony Barone Kolenc, “23 and Plea”: Limiting Police Use of Genealogy Sites After Carpenter v. United States, 122 W. Va. L. Rev.53 (2019).

Maryland v. King, 569 U.S. 435 (2013).

Our Story,Ancestry, https://www.ancestry.com/corporate/about-ancestry/our-story (last visited Jan. 16, 2020).

About Us, 23andMe, https://mediacenter.23andme.com/company/about-us/ (last visited Jan. 16, 2020).

Jason Tashea, Genealogy Sites Give Law Enforcement a New DNA Sleuthing Tool, but the Battle Over Privacy Looms, ABA (Nov. 1, 2019), http://www.abajournal.com/magazine/article/family-tree-genealogy-sites-arm-law-enforcement-with-a-new-branch-of-dna-sleuthing-but-the-battle-over-privacy-looms.

Breeanna Hare & Christo Taoushiani, What We Know About the Golden State Killer Case, One Year After a Suspect Was Arrested, CNN, https://www.cnn.com/2019/04/24/us/golden-state-killer-one-year-later/index.html (last updated Apr. 24, 2019).

Julian Husbands, GEDmatch Partners with Genomics Firm, Verogen(Dec. 9, 2019), https://verogen.com/gedmatch-partners-with-genomics-firm/. 

Nila Bala,We’re Entering a New Phase in Law Enforcement’s Use of Consumer Genetic Data,Slate(Dec. 19, 2019), https://slate.com/technology/2019/12/gedmatch-verogen-genetic-genealogy-law-enforcement.html.

Heather Murphy, What You’re Unwrapping When You Get a DNA Test for Christmas, N.Y. Times,https://www.nytimes.com/2019/12/22/science/dna-testing-kit-present.html? (last updated Dec. 23, 2019).

Taking the Fear out of Responding to Subpoenas for Medical Records, Norcal Group(June 29, 2017). https://www.norcal-group.com/library/taking-the-fear-out-of-responding-to-subpoenas-for-medical-records.

S.B. 46, 440th Gen. Assemb., Reg. Sess. (Md. 2020).

By: Dominique Kelly

State laws governing biometric data are not common in the United States, as there are only three states that currently employ such laws: Illinois, Washington, and Texas. As it stands, biometric data in the United States are not governed by federal guidelines, but are instead governed by contracts that users must usually agree to in order to utilize most devices (think: terms and conditions longer than a Supreme Court opinion standing between you and using your new smartphone). We may not be aware of the biometric data collection features surrounding our daily lives, but some common features such as fingerprint scanners or facial recognition to unlock phones, voice prints collected in the presence of our good friend ‘Alexa,’ or even retinal scans at a country’s borders. However, there is one important category of biometric data we may be quick to forget about: health data. Fitness tracker brands such as Fitbit, Garmin, Fossil, or even popular smart watches by Samsung, Apple, and other electronic brands, contain features which can track steps, heart rate, sleep cycles, trail locations, and menstrual cycles amongst other things. While this data may be harmless, users should still have a right to control this type of biometric information although they may have agreed to use the device to track the information.  

What could be the harm in collecting health related biometric data? Consider this: your employer offers you discounts on a new fitness tracking device in an effort to boost morale, promote fitness, and use friendly competition to enhance comradery. You do not want to miss out, so you purchase a great fitness tracker and your employer begins offering incentives for taking steps to pursue and/or maintain a healthy lifestyle. Your new fitness tracker arrives and you immediately take it out of the box and slap it right on your wrist and begin set up. You enter basic information, such as age, weight, cycle dates, etc. and the tracker begins, you guessed it: tracking. Now this tracker has obtained more information than you would be willing to give on a first date, in a matter of a few minutes. Not only is your tracker now tracking your steps, heart rate, and cycle, but you’ve also been tracking your weight, your exercise regimens, the running path you were just on for the past 30 minutes, and your caloric and water intake. Before you know it, you’re seeing ads on Instagram for the newest exercise machine, sponsored NIKE ads are attempting to sell you new running shoes, and Amazon is suggesting you purchase sanitary products around the beginning of your cycle.  

Generally, individuals who buy health trackers don’t believe the information that is being tracked will be used by other entities for monetary gain. But in this age of increasing sponsored advertisements on social media platforms based on seemingly unrelated searches completed on search engines, should we have expected our health-related biometric data to be commercialized? There is a push for states to regulate privacy protections of biometric data as there is no federal body currently governing this type of data. Amidst the new acquisition of Fitbit by Google, lawmakers have begun preparing bills in an effort to protect consumer health data. One bill that has been created is the Smartwatch Data Act or the Stop Marketing and Revealing the Wearables and Trackers Consumer Health Data Act. Conveniently defined, the purpose of this proposed Act is to protect identifiable biometric data (sleep, health, exercise data, etc.) that would likely be tracked by fitness trackers created by Fitbit, Garmin, and other brands. This bill would ideally treat these types of biometric data as protected health information and require the enforcement of violations as any other HIPAA (Health Information Portability and Accountability Act) violation. The bill would also stop entities collecting this biometric data on personal fitness trackers from transferring, selling, or sharing said data. 

Currently, HIPAA does not protect this type of personal information because HIPAA regulations currently only applies to health plans, health care clearinghouses, and any health care provider transmitting health information electronically. Since entities who create fitness trackers do not fall under a health plan, health care provider, or clearinghouse, they do not have to submit themselves to HIPAA guidelines. Thus, if those advocating for more protection of health related biometric data cannot successfully bring this protection under HIPAA guidelines, then perhaps an alternative is to encourage each state to create general biometric information protection laws. For example, the Illinois Biometric Information Privacy Act gives individuals the right to control their biometric information by requiring notice before collecting the data and giving the individuals the power to withhold consent. Another law governing collection and use of biometric data can be found in Washington state. This Act requires entities that collect biometric data (including health related biometric data) to disclose the way the information would be used and provide notice and obtain consent from the individual before the data is used. Much like the Illinois Act, only the Washington state attorney general has the ability to enforce the act preventing consumers from being able to sue companies when there is a violation. Texas is the third state that has enacted laws regulating the use and collection of biometric data. The Act requires only that any employer using biometric identifiers must destroy those identifiers within a reasonable time from the date the purpose for collecting the data expires. So, for example, if the data was collected for security purposes, then the expiration date of the purpose would be the date the employee no longer works with the employer.

In turning back to the biometric health data collected by fitness trackers, the state laws that are enacted in Illinois, Washington, and Texas may not provide the protection necessary to prevent the unlawful or unwanted use of consumer health data. The Illinois Act may be the closest law available to protect health data until bills and laws such as the Smartwatch Data Act, that include HIPAA or HIPAA related protection, become widespread in each state. Until then, we should continue to be aware of how our sleep, heart rate, exercise regimen, water intake data, etc. are used. In the meantime, grab a cup of tea and enjoy those long ‘terms and conditions’ agreements.  

Sources:

In re Facebook Biometric Info. Privacy Litig., 185 F. Supp. 3d 1155 (N.D. Cal. 2016).

Fitbit, Inc. v. AliphCom, No. 15-cv-04073-EJD, 2017 U.S. Dist. LEXIS 12657 (N.D. Cal. Jan. 27, 2017).

Chelsea Cirruzzo, Cassidy, Rosen Introduce Consumer Privacy Bill Amid Google Scrutiny, InsideHealthPolicy(Nov. 14, 2019, 7:02 PM), https://insidehealthpolicy.com/daily-news/cassidy-rosen-introduce-consumer-privacy-bill-amid-google-scrutiny.

Jerry Lynn Ward, Texas Biometric Privacy Law restricts certain “biometric identifiers.” Only three states have laws regulating the collection and storage of Biometric data., GarloWard, P.C. (Mar. 26, 2018), https://www.garloward.com/2018/03/26/texas-biometric-privacy-law-restricts-certain-biometric-identifiers-three-states-laws-regulating-collection-storage-biometric-data/.

U.S. Dep’t of Health and Human Servs., Summary of the HIPAA Privacy Rule (2003).

Justin Lee, Washington’s new biometrics law softer on privacy protections than Illinois BIPA, BiometricUpdate.com(July 24, 2017), https://www.biometricupdate.com/201707/washingtons-new-biometrics-law-softer-on-privacy-protections-than-illinois-bipa.