Say cheese! You might get kicked out

Bars and clubs are legally required to check government issued identification before allowing patrons into their establishment. This is a form of security authentication to reliably (probabilistic) determine if someone is at least 21 years old. Should we allow business owners to install government issued identification data retention and sharing technology? Should we accept being treated like a criminal before committing a crime?

Re: SPD increases efforts to put ‘shooters in handcuffs’ after East Precinct gun violence

In the wake of the shooting, Baltic Room owner Jason Brotman told CHS he and other Capitol Hill club owners are exploring a new ID scanning software that would track who has been kicked out of a club earlier in the night.

I think this is the system I was swept up in in Vancouver, Canada in 2014. I didn’t expect it. My group of friends were all going in and I couldn’t just walk out on them after spending 45 minutes in a line. Should I ask for the data retention and data sharing policies before accepting them taking a picture of me, scanning my ID, and uploading it to someone else’s servers? Should I request to audit their system’s security before feeling comfortable they or an unknown company will share my data with whoever their corporate policies and regressive laws allow?

A quick Internet search: “club id scanning who gets kicked out”

First result: http://www.patronscan.com/ (notice the company doesn’t employ website transport security)

Servall Biometrics Inc. creates cumulative reports from other data points, such as the postal code, age, and sex of the patrons in any one venue or one city, and makes these summarized reports available to venues who are paying customers. All information is confidential and no identifying data is provided.

Police Departments may request access to the database, but only when an official investigation has been launched (eg. sexual assault). They must specify their request, by providing the name of the venue, and the time frame for which they wish to review data. They have access to the first name, last name, sex, age, and photo from the identification. The police may use this to search for suspects, victims, and/or witnesses to a crime.

So police, presuming there’s a verification process, simply need “an official investigation” to hand over my data. It’s one thing for local PD to show up at a bar and inquire about events. It’s another for them to have access to a centralized database of specific data just because they were out with their friends and family.

We have a Fourth Amendment for a reason. Privacy invasions are severe because when they happen, they cause lasting effects on people and their families. Domestic violence, sexual assault, stalking — these are all problems that people, who go out to bars and clubs, already have. The Washington State Address Confidentiality Program has over 5,000 participants state wide. Why would Seattle bar owners think it’s ok to force patrons to document their locations in someone’s identification database? Shareable to police without a warrant? That’s called a search! It doesn’t excuse the warrant requirement because a third party collects the data. Victims of police brutality, or victims of people who are police officers is not uncommon. When you collect data to solve a problem, you are creating many more.

Thanks to Mikael Thalen for pointing me to this related issue in Oregon: Oregon Police Give Nightclubs ID Scanners to Datamine Customers