United States

A. Biometric regulations

Although the adaptation of biometrics in technology has been increasingly incorporated into our daily lives (e.g. cellular phones, banking, computers, etc.), there has not been a commensurate proliferation of laws, on either the federal or state levels, that regulate how biometric data are collected or stored. Currently, there are only three states – Illinois, Texas and Washington – that have laws dealing specifically with protecting consumers’ biometric information. Other states have chosen to include biometric data as a category of personal information protected under consumer privacy or data breach notification statutes. Nevertheless, unlike the specific laws covering biometric data or consumer privacy that require proactive steps to protect consumers’ biometric information, the data breach notification statutes merely require disclosure of the data breach to affected parties.

(i) Illinois – Biometric Information Privacy Act

In 2008, Illinois became the first state in the US to pass legislation, the Biometric Information Privacy Act (BIPA),39 regulating the collection and storage of biometric information. The statute limits the definition of “biometric identifier” to mean “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.”40 BIPA also identifies, in a long list, materials that would not be considered biometric identifiers, including “writing samples, written signatures, photographs, human biological samples used for valid scientific testing or screening, demographic data, tattoo descriptions, or physical descriptions such as height, weight, hair color, or eye color.”41 The statute further defines “biometric information” as “any information, regardless of how it is captured, converted, stored, or shared, based on an individual’s biometric identifier used to identify an individual.”42 Thus, biometric information protected by BIPA would include any data or templates that result from the conversion of the captured biometric identifiers.

BIPA sets forth requirements for private entities relating to their retention, collection, disclosure, and destruction of an individual’s biometric identifiers or biometric information. These private entities: (1) must have retention and destruction schedules in place and these written policies must be made available to the public; (2) must obtain the individual’s written consent to collect the biometric data; (3) cannot profit off the biometric data – including by selling, leasing, or trading the data; (4) cannot disclose or disseminate the biometric data without the individual’s consent or authorization; and (5) must “store, transmit, and protect from disclosure all biometric identifiers and biometric information using the reasonable standard of care within the private entity’s industry” and “in a manner that is the same as or more protective than the manner in which the private entity stores, transmits, and protects other confidential and sensitive information.”43 The private entities are not permitted to store the biometric identifiers or information past the time where the initial purpose of the collection is satisfied or for more than three years after the individual’s last interaction with the private entity.44

One unique aspect of BIPA is that it grants a right of action to any individual harmed by a violation of the law, and each violation can incur penalties ranging from $1000 to $5000 (or actual damages), depending on whether the violation was a result of negligence or intentional or reckless action on the part of the private entity, plua attorneys’ fees.45 As a result of this provision, multiple class action suits have been filed alleging improper collection of facial geometry or fingerprints. The first wave of such suits were filed in 2015 against social media and technology companies, including Shutterfly, Facebook, and Google, alleging that their respective use of facial recognition technology was used without the plaintiffs’ consent and was therefore in violation of BIPA.46 Many more class action suits have been filed since, with some employee suits alleging that employers’ collection of fingerprint data, used to track employees’ time and authenticate employees’ identity, violated BIPA.47

Due to the restrictive nature of BIPA, which requires written consent from the individual before collection of any biometric data, and the potential for large penalties as a result of class action suits, companies have taken care to avoid potential liability. For example, Google denied access to its Google Art & Culture mobile application (app) to Illinois residents (as well as Texas residents).48 The app contains a feature, the Art Selfie, which asks the user to upload a picture of the user (the “selfie”) and then compares the selfie to works of art and identifies works of art that most closely match the selfie.49 Similarly, in Illinois, the smart home technology company Nest disables the facial recognition capability in its smart doorbell.50

(ii) Texas – Capture or use of biometric identifier

Texas, in 2009, codified its law requiring notice of collection and consent by individuals before biometric identifiers can be captured and used for commercial purposes.51 As with the Illinois BIPA, biometric identifiers were only defined as “a retina or iris scan, fingerprint, voiceprint, or record of hand or face geometry.”52 Unlike BIPA, which also extends protection to biometric information that results from the conversion of biometric identifiers, the Texas statute does not include a similar definition of or clause for biometric information. Under the Texas statute, notice and consent are required prior to the capture of any biometric identifiers. Moreover, companies or individuals cannot profit by selling or leasing the collected biometric data and cannot disclose the biometric identifiers to a third party. Mirroring BIPA requirements, the storage, transmission, and protection from disclosure of biometric identifiers requires that reasonable care to be taken and that it be done in the same manner that the company or person treats its own confidential information. Contrary to BIPA, no written consent is required for the collection of biometric data, and the destruction of biometric data must be destroyed “within a reasonable time, but no later than the first anniversary of the date the purpose for collecting the identifier expires.”53

There is also no private right of action for individuals against private entities that violate the law. Only the Texas attorney general may bring action against anyone that violates this law and the civil penalty for each violation is capped at $25000.54

(iii) Washington – Biometric identifiers

Washington passed its biometric privacy statute in 2017.55 It requires businesses to give notice to and acquire consent from an individual prior to “enrolling or changing the use of that individual’s biometric identifiers in a database.”56 The definition of “biometric identifier” in Washington’s statute is broader than those used in Illinois’s and Texas’s statutes. Washington’s statute defines biometric identifiers to encompass “data generated by automatic measurements of an individual’s biological characteristics, such as a fingerprint, voiceprint, eye retinas, irises, or other unique biological patterns or characteristics that is used to identify a specific individual.”57 Note, however, biometric identifiers do not include “a physical or digital photograph, video or audio recording or data generated therefrom.”58

As with the Texas statute, the Washington statute differs from Illinois’s BIPA by not requiring written consent prior to the collection of the biometric data. Deviating from Illinois and Texas, the Washington statute states that biometric identifiers can be retained “no longer than is reasonably necessary” to provide the services that the biometric identifier was collected for or to protect against or prevent fraud or criminal activity.59 It also does not permit a private right of action against businesses that violate the law and only authorizes the Washington attorney general to enforce the law.60 Also unlike the other two states’ biometric privacy laws, the Washington statute does not include any language with respect to monetary penalties for each violation of the law.

Interestingly, the Washington statute carves out a security exception to providing notice and obtaining consent. An entity is not required “to provide notice and obtain consent to collect, capture, or enroll a biometric identifier and store it in a biometric system, or otherwise, in furtherance of a security purpose.”61 Such a “security purpose” would include preventing shoplifting, fraud, misappropriation or theft of a thing of value, and “other purposes in furtherance of protecting the security or integrity of software, accounts, applications, online services, or any person.”62

(iv) California – California Consumer Privacy Act of 2018

California enacted a consumer privacy law on June 28, 2018 (amended September 23, 2018), the California Consumer Privacy Act (CCPA), that protects the personal information, broadly defined to encompass biometric information, of California residents that is collected or transmitted by businesses.63 Unlike the statutes discussed above, the CCPA is not specifically directed towards safeguarding consumers’ biometric information. However, the CCPA’s definition of biometric information is more comprehensive and broader than those biometric statutes. Biometric information, as defined by CCPA, means:

an individual’s physiological, biological or behavioral characteristics, including an individual’s deoxyribonucleic acid (DNA), that can be used, singly or in combination with each other or with other identifying data, to establish individual identity. Biometric information includes, but is not limited to, imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information.64

The CCPA grants California residents many rights associated with controlling the collection and dissemination of their personal information. Consumers have the right to: (1) know what personal information is being collected; (2) know whether personal information is being sold or disclosed, what categories of personal information was sold or disclosed (including what “specific pieces of personal information” the business had collected), and to whom the information was sold or disclosed to; (3) prevent the sale of their personal information (“the right to opt-out”); and (4) request that a business delete any personal information collected.65 The CCPA also forbids a business from discriminating against consumers who exercise their rights under the CCPA, including by charging different prices or rates or providing a different level or quality of goods and services.66 Additional compliance requirements are also laid out in the CCPA, including disclosure rules and deadlines for delivery of requested personal information.

The regulations are applicable to any business that “does business in the State of California,” collects consumers’ personal information and meets at least one of the following thresholds: (A) has annual gross revenues in excess of twenty-five million dollars ($25,000,000); (B) alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices; or (C) derives fifty percent or more of its annual revenues from selling consumers’ personal information.67 Businesses that are located outside of California but meet the above criteria would be subject to the CCPA.

The statute authorizes a private right of action if there is a data breach of unredacted or unencrypted personal information and the company failed to implement and maintain reasonable security measures.68 The civil damages would be between $100 and $750 per consumer per incident or the actual damages incurred. Additionally, the California attorney general is also authorized to file suit with civil penalties of $2,500 for each violation or $7,500 for each intentional violation.69 Businesses are provided with thirty days after receiving notice of noncompliance to cure any alleged violation.

(v) Data breach notification statutes

Unlike states that have enacted laws specifically addressing biometric data, other states have data breach notification statutes that also include biometric data as protected personal information.70 For example, in 2017, Delaware addressed the issue of biometric data by amending its data breach disclosure law to expand the definition of protected personal information to include “unique biometric data generated from measurements or analysis of human body characteristics for authentication purposes.”71 These data breach notification statutes merely require disclosure of the data breach to affected parties, with varying penalties for such breaches, and generally do not require any proactive steps to be taken to protect the information itself.

(vi) US industry security standards for biometrics

The FIDO (“Fast Identity Online”) Alliance, a non-profit industry consortium that was formed to standardize security specifications for strong authentication (e.g. authentication requiring at least two forms of verification, which may include biometric information) across devices, launched a Biometrics Certification Program on September 6, 2018.72 The FIDO Alliance membership consists of hundreds of global technology companies, including Google, Intel, and Microsoft.73 The membership does not currently include any of the major automotive manufacturers. The Biometrics Certification Program is intended to “certify that biometric subcomponents meet gFlobally recognized performance standards [i] for biometric recognition performance and Presentation Attack Detection (PAD) [ii] and are fit for commercial use.”74 This standardization of biometric technology security specifications, if universally adopted, should assure consumers and manufacturers that the biometric components in their products are secure and can repel attempts to bypass the biometric systems.

(vii) Biometrics regulations and autonomous vehicles

Due to the current lack of uniform regulations regarding biometrics and the varying data breach notification statutes amongst the states, and the likelihood of additional legislation in the future, automobile manufacturers should take care to consider each individual state’s collection, destruction, disclosure, and privacy requirements when incorporating biometric technology into their AVs.

B. Patent landscape - Biometrics in autonomous vehicles

Patents relating to biometric modalities in the US number well over 60000, with over 52000 additional patent applications filed. As might be expected, the greatest number of biometric patents and patent applications relate to the more well-established biometric modalities, e.g. fingerprints, facial recognition, and retinal scanning. As more of these biometric modalities are incorporated into next generation AVs, the number of related patent filings has also increased correspondingly.

(i) Leaders in biometric patents in the automotive

The patent landscape in the US for biometrics with applicability in the automotive industry is robust and growing rapidly. Over the last 30 years, there have been over 16000 patents issued that relate to biometrics and automobiles or AVs. Much of this growth has come in the past decade, with a eight-fold increase in these biometric patents issued. And in the last 20 years, over 15000 patent applications have been filed for inventions relating to the same. Interestingly, many of the top applicants for patents in biometrics in the automotive space have not been the major automotive companies. Instead, many of these top applicants are more traditionally known as technology companies.

As can be seen in the table below of the top 20 assignees with such patents and patent applications, IBM, Google, Microsoft, Apple, and Samsung are in the top five of both of these lists in terms of absolute numbers of patents granted and patent applications filed. Samsung has invested significantly in both biometrics and self-driving technologies.75 IBM is also involved in developing AVs and has a research group dedicated to biometrics.76 Microsoft, in contrast, is not directly involved in developing AVs, but is instead focusing on providing its software and technology to auto manufacturers that are developing such vehicles.77 Google, which has heavily invested in the development of autonomous vehicles under its subsidiary Waymo, has 410 patents issued and another 502 patent applications pending. (See Table 1.) Apple also has an AV program and has 346 issued patents and 639 patent applications pending at the Patent and Trademark Office (USPTO). For example, a recently published patent application, filed originally on Feb. 3, 2017, revealed that Apple was interested in incorporating mobile biometric technology, e.g. facial or fingerprint recognition technology (like its proprietary Face ID and Touch ID), to unlock a vehicle.78 Of the more traditional car companies, Ford Motor Company (Ford) appears on both lists and has expressed interest in putting biometric sensors in their cars.79 General Motors Company (GM) also has a significant number of patent applications relating to biometrics pending.

Non-practicing entities also appear to be well-positioned with large numbers of US patents and patent applications in the biometrics and automotive space. For example, American Vehicular Sciences, LLC is a subsidiary of Acacia Research Corporation, a company that focuses on patent licensing by partnering with patent owners, and holds 125 patents involving biometrics and the automobile industry. Similarly, Liberty Peak Ventures LLC has a large portfolio of 186 patents and 141 patent applications pending.

 

US Patents

 

US Patent Applications

 
 

Assignees

Number

Assignees

Number

1

Samsung

549

Samsung

1605

2

International Business Machines

426

International Business Machines

760

3

Google

410

Apple

639

4

Microsoft

354

Microsoft

612

5

Apple

346

Google

502

6

AT&T

297

Intel

455

7

IGT

292

IGT

453

8

Diebold

287

AT&T

388

9

Liberty Peak Ventures LLC

186

LG

351

10

Intel

184

Qualcomm

302

11

Qualcomm

174

Liberty Peak Ventures LLC

301

12

Digimarc

172

Sony

247

13

Fitbit

163

Ford Motor Company

239

14

Bally Technologies

139

Bank of America

207

15

Amazon

138

Elwha

205

16

LG

138

Fitbit

198

17

Ford Motor Company

137

Digimarc

187

18

American Vehicular Sciences LLC

125

General Motors Company

186

19

Verizon

125

Bally Technologies

179

20

Sony

117

Visa

177

Table 1: Top 20 Assignees with Most US Patents or US Patent Applications Relating to Biometrics in Automobiles.

(ii) Leaders in patents on biometrics in AV

Many of the major auto manufacturers are currently in various stages of research and development on AVs, either independently or in partnership with technology companies.80 Nevertheless, the companies that are developing or incorporating biometrics into AVs and seeking to protect their intellectual property generally are not the automotive manufacturer, with the exception of Ford and GM. This is reflected in Table 2, which shows that most of the patents and patent applications relating primarily to biometrics in AVs belong to technology or independent automotive research and development companies that are deeply invested in developing AVs and related technologies, including the incorporation of biometrics. For example, Veniam, Inc. is a startup technology company that aims to provide “[t]he networking solution for AVs and future mobility.”81 Veniam has the largest number of issued patents and filed patent applications for inventions relating to biometrics in AVs. Similarly, Z Advanced Computing, Inc. is a software startup company that focuses on the use of artificial intelligence with biometrics and AVs.82 Intelligent Technologies International, Inc. and Automotive Technologies International, Inc. are related companies that focus on automotive safety research and development.83 In contrast to the broader category of patents and patent applications relating to biometrics in the automobile industry (Table 2), here – where the inventions claimed relate to biometrics in AVs – non-practicing entities have not yet established a presence in the field.

 

Owners

Patents

Applications

Total

1

Google/Waymo

247

313

560

2

Samsung

105

429

534

3

AT&T

181

234

415

4

LG

87

246

333

5

Microsoft

110

197

307

6

Diebold

184

115

299

7

Intel

69

229

298

8

Digimarc

135

141

276

9

American Vehicular Sciences LLC

123

152

275

10

International Business Machines

87

153

240

11

Apple

74

151

225

12

Ford Motor Company

78

143

221

13

Autoconnect Holdings LLC

55

145

200

14

GM

54

128

182

15

Veniam, Inc.

54

124

178

Table 2: Top 15 Assignees with Most US Patents or US Patent Applications Relating to Biometrics in Autonomous Vehicles.

The number of patents issued and patent applications filed on inventions involving biometrics in AVs has slowly increased over the past decade. In 2017, however, the numbers of patents and patent applications dramatically increased, with the number of patents granted and patent applications filed increasing by about 50% from the previous year. See Table 3.

Year

Granted patents

Applications published

2009

146

133

2010

243

131

2011

282

194

2012

293

160

2013

415

255

2014

432

364

2015

506

556

2016

596

956

2017

867

1493

2018

1115

1245

Table 3. Biometrics in autonomous vehicles: Total number of patents granted and applications published in 2008-2018.

This upward trend will likely continue as there have been 675 patents granted and over 1190 such patent applications published in just the first six months of 2019 (on track for over 1300 patents granted and nearly 2400 published patent applications for the year).

Of the traditional auto manufacturers, Ford, GM, Toyota, and Honda currently have the largest number of patents and patent applications relating to biometrics in AVs. Figure 1. As more auto manufacturers begin to incorporate biometrics into their proprietary technologies, it is likely that they will seek to protect their substantial investments in the AV space by increasing their own patent filings.84 For example, in 2018,

Ford created Ford Autonomous Vehicles LLC to “accelerate[ ] the integration and application of technology across its industrial system.”85

Figure 1. Biometrics in autonomous vehicles: Patents and patent applications assigned to auto manufacturers.

(iii) Future risks of patent litigation and trade secret misappropriation

Although there have been litigations on patent infringement and trade secret misappropriation relating to AV technologies, and patent infringement litigations relating to biometric technologies in other product spaces (e.g. cellular phones), there have not yet been similar claims made with respect to biometric technologies in AVs. Nevertheless, in view of the ever-increasing numbers of patent applications filed and patents granted for biometric technologies in the AVs space, it is likely that the risk of patent litigations will also correspondingly escalate. There is also a risk that non-practicing entities will utilize their existing automotive biometric technology patent portfolios and seek to assert them against companies working on AVs that include biometric technologies.

As the AV industry matures, the automotive industry may adopt the same solutions for potentially overlapping intellectual property that the technology and software industries developed to end high-stakes disputes, the identification of standard-essential patents (SEPs) and the licensing of SEPs on Fair, Reasonable, and Non-Discriminatory (FRAND) terms. In addition the automotive industry may create patent pools and enter into cross-licensing agreements to avoid damaging, expensive, and time-consuming litigations.

The risk of trade secret misappropriation is always a concern in technology fields, and this holds true for the AV industry. Although the concepts between capturing biometric information are well known, the proprietary algorithms are usually not publicly available. There has been significant crossover of personnel between the many companies working on AVs and that increases the risk of loss of trade secrets.86
To preserve a potential trade secret misappropriation claim, AV manufacturers must ensure that the trade secret is not freely disseminated and that reasonable efforts are made to keep it secret.

Trade secret misappropriation claims can be filed under federal or state law. In Waymo LLC v. Uber Technologies, Inc., Waymo LLC (“Waymo”; the AV unit of Google’s parent company Alphabet) filed suit alleging patent infringement of its laser-based scanning and mapping technology (“LIDAR”), trade secret misappropriation of subsequent and unpatented confidential LIDAR designs and technical information, and unfair competition against Uber Technologies, Inc. (“Uber”), OttoMotto LLC, and Otto Trucking LLC (together, “Otto”).87 Waymo claimed defendants violated both the federal Defend Trade Secrets Act (“DTSA”) and California Uniform Trade Secrets Act (“California UTSA”).88 Waymo alleged that its former manager Anthony Levandowski had searched for and downloaded more than 14,000 proprietary files before his resignation from Waymo in 2016 and his formation of Otto, which was acquired by Uber six months later for $680 million. Waymo claimed that Uber was aware of Levandowski’s possession of Waymo’s files and was using Waymo’s trade secrets and patented technology to develop its own LIDAR system. After five days of trial, the parties settled with Uber, granting Waymo 0.34 percent of Uber’s stock, valued at about $245 million, and agreed that Uber would not use Waymo’s confidential information in its self-driving technology.89

Trade secret misappropriation claims are not limited to only civil lawsuits but also can have criminal implications for theft of trade secrets, with the potential for up to ten years imprisonment.90 In separate criminal suits filed six months apart by the Federal Bureau of Investigation (“FBI”), two engineers were charged with attempting to steal trade secrets relating to Apple Inc.’s AV project, Project Titan. In the first case, with charges filed on July 9, 2018, Xiaolang Zhang was a former Apple engineer who had worked on Project Titan and was arrested by the FBI as he was about to board a plane to China. Apple’s database security team had identified suspicious network and download activity by Zhang in the days prior to a meeting where Zhang had informed Apple that he intended to return to China to be closer to his mother and that he would be working for Xiaopeng Motors, a Chinese electric car start-up company that was also working on AVs. Zhang was accused of downloading proprietary information containing trade secrets relating to Apple’s AV project.91 During interviews with Apple and the FBI prior to Zhang’s arrest, he admitted to taking hardware (a Linux server and two circuit boards) and transferring confidential Apple files onto his wife’s laptop. Zhang has entered a plea of not guilty, and the case is ongoing.

In the second criminal case, filed on January 22, 2019, Jizhong Chen is also accused of theft of trade secrets from Apple’s AV project.92 According to the complaint, Chen was seen taking photographs of the Apple work space by another Apple employee, who then reported Chen to Apple. When questioned by Apple’s investigation team, Chen admitted to taking the photos and also making a back-up of his Apple work computer to his personal device, in violation of Apple policy. Chen granted Apple’s investigators access to his personal devices and thousands of files containing Apple confidential information were found. Additional photographs of the interior of Apple’s building were also found on his cell phone. Chen was immediately suspended, and Chen’s employee and network access was terminated. Apple subsequently learned that Chen had applied for a job with a China-based AV company, which was also a direct competitor to Project Titan. Chen was arrested a day before he planned to leave for China. Chen has pled not guilty.

In addition to theft of trade secrets, companies should also be wary of economic espionage. While economic espionage cases have yet to be filed relating to AV technology, there are examples of such cases in other high-tech industries. For example, on September 27, 2018, the US government filed an indictment against Taiwan-based United Microelectronics Corp. (“UMC”), China state-owned Fujian Jinhua Integrated Circuit, Co., Ltd. (“Jinhua”), and three former employees of the US semiconductor company Micron Technology Inc. (“Micron”) alleging economic espionage, theft of trade secrets, and conspiracies to commit economic espionage and theft of trade secrets.93 The indictment alleges that former employees of Micron stole trade secrets relating to the design and manufacture of a memory storage device, dynamic random-access memory (“DRAM”), from Micron and then provided the information to UMC and Jinhua under the direction of Stephen Chen, the former president of Micron’s Taiwan subsidiary, and others. After Chen left Micron, he became a Senior Vice President of UMC and then later became President of Jinhua in charge of its DRAM production facility. UMC and Jinhua had a technology cooperation agreement to develop DRAM technology, which Chen helped negotiate while at UMC. The US government valued the eight trade secrets alleged to have been stolen as worth at least $400 million and up to $8.75 billion. The US government also later filed for an injunction against the two companies to prevent the export of any products related to the alleged theft of trade secrets into the US and to prevent any further transfer of the trade secrets.94 Micron itself had earlier filed a civil complaint against UMC and Jinhua alleging violations of DTSA and California UTSA.95

Although economic espionage charges were not asserted, on January 16, 2019, the US government filed a ten-count criminal indictment charging Huawei Device Co., Ltd. and Huawei Device USA, Inc. (collectively, “Huawei”) for theft of trade secrets conspiracy, attempted theft of trade secrets, wire fraud, and obstruction of justice.96 The indictment alleges that, beginning in June 2012, Huawei conspired to and attempted to steal T-Mobile USA, Inc. (“T-Mobile”) trade secrets relating to its proprietary robotic phone testing system, called “Tappy.”

The Tappy automated testing system simulates how people use the phone, with a robotic arm that touches the device screen, and tracks the phone’s responsiveness and performance, among other things. The indictment states that Huawei was interested in developing its own robotic testing system in order to improve the quality of its phones and to pass Tappy’s testing, and T-Mobile rejected overtures from Huawei to license or purchase the Tappy system.

Huawei USA engineers then proceeded to photograph the Tappy system and the software interface and provide access to the Tappy laboratory to an unauthorized Huawei China engineer, in violation of nondisclosure agreements. On May 29, 2013, a Huawei engineer also secretly removed one of the Tappy robotic arms from the laboratory. Upon questioning by T-Mobile, the Huawei engineer first denied taking the robotic arm and then claimed that it was a mistake and returned the robotic arm the next day, but only aftertaking photographs and detailed measurements of the robotic arm. T-Mobile then banned all Huawei personnel from the laboratory.

The indictment further alleges that, in order to preserve its relationship with T-Mobile, Huawei showed T-Mobile a redacted “Investigation Report” on Huawei’s purported internal investigation that contained false statements that served to distance Huawei China from the theft of trade secrets and blamed the two engineers for what they termed “isolated incidents,” when, in fact, the engineers’ actions were instead directed and coordinated by Huawei USA and Huawei China. The indictment also disclosed that Huawei China had a bonus program that rewarded its employees for stealing competitors’ confidential information. Huawei has denied the allegations in the indictment. Previously, T-Mobile won a $4.8 million civil suit against Huawei for breach of contract and misappropriation of trade secrets relating to the Tappy system.97

C. Biometrics and automobile insurance

In our previous analyses of the effects of AVs on the insurance industry, we emphasized that insurers can be—and have been—leaders in adapting to the development of AV technologies. Insurers’ roles regarding biometric technologies in AV is no different. Automobile insurance companies are developing ways to take advantage of biometric technologies in vehicles, including by using biometric technologies to monitor drivers and investigate claims.

(i) Monitoring drivers

Automobile insurers have been using technology to monitor driving behaviors for over 20 years, but biometric technologies can expand that practice. Currently, several insurance companies offer programs through which drivers agree to install monitors in their cars in exchange for potentially lower insurance rates. The monitors track data that insurance companies can use to determine how safely the car has been operated. These technologies monitor the drivers indirectly, by extrapolating the drivers’ behaviors from the performance of their vehicles.

In contrast, biometric technologies give insurers the opportunity to monitor the drivers themselves. Biometric data can help insurers determine who is operating a vehicle and what physical or emotional state that person is in. For instance, State Farm has obtained patents for systems to assess a driver’s impairment, such as anxiety, intoxication, illness, or injury.98 According to these patents, sensors could monitor the driver’s gaze, movement, heart rate, blood pressure, grip pressure, body temperature, and vocal pattern, among other things, to determine whether the driver is in an impaired state. Another State Farm patent describes a system to adjust insurance rates based on any detected impairment of the driver.99 As these patents suggest, biometric data may allow insurers to adjust their insurance rates based on the actual behavior of vehicle operators.

But the utility of monitoring drivers through biometric data extends beyond insurance pricing. Insurers may also increase safety by responding to biometric data. A Hartford Insurance patent describes a system that uses biometric information to load a profile for the vehicle operator, and then impose restrictions on the vehicle’s operation based on that profile.100

The system could require the driver to pass a breathalyzer before operating the car, prevent the car from exceeding a maximum speed, or cause the car to become inoperable outside of a particular geographic area. As another example, State Farm’s systems for detecting a driver’s impaired state would also respond to impaired states.101 Depending on the kind and degree of impairment, the systems could select an appropriate response, such as playing music, releasing a scent, providing visual or auditory alerts, altering the vehicle’s internal lighting, blasting hot or cold air at the driver, or limiting the inflow of external stimuli like text messages and phone calls. The systems might encourage the driver to stop the vehicle by suggesting nearby destinations to visit, and the system could even provide coupons for those destinations. By responding to the operator’s impairment, the insurer may be able to promote safer operation of the vehicle.

(ii) Investigating claims

When claims are made on a policy, biometric data may help insurers investigate and gather relevant evidence. Insurers may be able to obtain biometric data directly from the car that would reveal who was driving, how many people were in the car, whether the driver was alert, distracted or impaired, and how attentive the driver appeared. The biometric data could include vital medical information of vehicle occupants, like heart rate, blood pressure, and body temperature. By collecting this data directly from the car, the insurer may be able to obtain the information quickly and check it against information provided by other sources.

Biometric data may also help insurance companies determine if a claim falls under a policy exclusion. For example, many auto insurance policies contain a public or livery conveyance exclusion that excludes coverage for vehicles used to transport
people for money. Biometric data could reveal the number or frequency of new individuals entering a vehicle, and insurers could assess whether that information appears consistent with the vehicle’s use as a taxi, limousine, Uber, or Lyft. This information could suggest whether the public or livery conveyance exclusion is applicable. As another example, some states permit named driver exclusions, which allow policyholders to exclude certain individuals from their insurance (like a household member with a bad driving record) in order to obtain a better rate. Biometric data may tell insurers whether the driver involved in an accident was indeed the policyholder, or instead an excluded household member. In these ways, insurers can use biometric data to make more accurate coverage decisions.

D. Conclusion

Biometric technologies are increasingly being integrated into the mundane aspects of daily life, from completing financial transactions via ATM or online access to unlocking laptops and cellphones. There are a multitude of biometric physical and behavioral modalities that have been used for identification and authentication. While physiological traits such as fingerprint and facial recognition are well-recognized and their potential uses covered by an ever increasing number of patents, biometric systems based on gait and gesture recognition continue to be developed and patented. The automobile industry is embracing this trend and working on moving biometric controls in automobiles, such as gesture recognition, from the concept stage to mass production. However, given the increasing number of patents and patent applications on inventions relating to biometrics, and biometrics in the automotive arena, manufacturers should carefully consider whether there is existing intellectual property that covers the manufacturer’s intended uses and proceed accordingly. Care should also be taken by AV manufacturers to protect and secure confidential and proprietary information from competitors and their own employees.

43 740 Ill. Comp. Stat. 14/15.

44 Id.

45 Id. at § 20.

46 Rivera v. Google, Inc., No. 16-CV-02714 (N.D. Ill. Dec. 29, 2018) (alleging lack of required disclosure and consent); In re Facebook Biometric Info. Privacy Litig., No. 15-cv-3747 (N.D. Cal.) (alleging lack of required disclosure and consent); Norberg v. Shutterfly Inc., No. 15-CV-5351, 2015 WL 9914203 (N.D. Ill. 2015) (alleging the collection of facial geometry of individuals without required notice or consent).

47 See e.g. Sekura v. Krishna Schaumburg Tan, Inc., No. 1-18-0175 (Ill. App. Ct. Sept. 28, 2018) (lack of required disclosure); Aguilar v. Rexnord, LLC, No. 17-CV-9019 (N.D. Ill. July 3, 2018) (lack of required disclosure and consent); Howe v. Speedway LLC, No. 17-CV-07303, 2018 WL 2445541 (N.D. Ill. May 31, 2018) (lack of required disclosure and consent).

48 Alix Langone, You Can’t Use Google’s New Selfie Art App in These States, Time (Jan. 17, 2018), https://time.com/5106798/google-selfie-app-not-work-states.

49 https://play.google.com/store/apps/details?id=com.google.android.apps.cultural&hl=en_US

50 Ally Marotti, Proposed Changes to Illinois’ Biometric Law Concern Privacy Advocates, Chicago Tribune (Apr.10, 2018), https://www.chicagotribune.com/business/ct-biz-illinois-biometrics-bills-20180409-story.html. Nest is owned by Alphabet, which is also the parent company of Google.

51 Tex. Bus. & Com. Code Ann. § 503.001.

52 Id. at § 503.001(a).

53 See id. at §§ 503.001(b), (c)(3).

54 Id. at § 503.001(d).

55 Wash. Rev. Code Ann. § 19.375, et seq.

56 Id. at § 19.375.900.

57 Id. at § 19.375.010.

58 Id.

59 Wash. Rev. Code Ann. § 19.375.020(4)(b).

60 See id. at § 19.375.030.

61 Id. at § 19.375.020.

62 Id. at § 19.375.010.

63 California Consumer Privacy Act, Cal. Civ Code § 1798.100 et seq.; amended SB 1121 on Sept. 23, 2018

64 CCPA § 1789.140(b)

65 CCPA § 1798.100 et seq.

66 CCPA § 1789.125

67 CCPA § 1789.140(c)

68 CCPA § 1789.150

69 CCPA § 1789.155

70 Arizona - Ariz. Rev. Stat. § 44-7501 (2006), as amended (2007, 2016, 2018); Colorado - Colo. Rev. Stat. Ann. § 6-1-716 (2006), as amended (2018); Iowa - Ia.Code Ann. §§ 715C.1 et. seq. (2008), as amended (2014); Louisiana - La. Rev. Stat. § 51:3071-3077 (2005), L.A.C. 16:III.701; Maryland - Md. Code Ann., Com. Law § 14-3501-3508 (2007); as amended (2017); Nebraska - Neb. Rev. Stat. §§ 87-802 to -806 (2006), as amended (2016); New Mexico - 2017 H.B. 15, Chap. 36; North Carolina - N.C. Gen. Stat. §§ 75-65 (2005); as amended (2009); South Dakota - Senate Bill 62 (2018); Wisconsin - Wis. Stat. Ann. § 134.98 (2006); as amended (2008); and Wyoming - Wyo. Stat. Ann. §§ 40-12-501, 40-12-502 (2015).

71 An Act To Amend Title 6 Of The Delaware Code Relating To Breaches Of Security Involving Personal Information, 6 Del. C. §§12B-101(4)(a)(11), amended Aug. 17, 2017.

72 Press Release, FIDO Alliance, FIDO Alliance Launches Biometrics Certification Program (Sept. 6, 2018) (https://fidoalliance.org/fido-alliance-launches-biometrics-certification-program/). The FIDO Alliance membership consists of hundreds of global technology companies (https://fidoalliance.org/overview/).

73 FIDO Alliance, FIDO Members (https://fidoalliance.org/members/). (last visited Fed. 15, 2019)

74 Id.

75 Press Release, Samsung, Samsung Electronics Expands Commitment to Autonomous Driving Technology (Sept. 14, 2017), https://www.samsung.com/us/ssic/press/samsung-electronics-300-m-automotive-innovation-fund/; Vineeth Joel Patel, Having Multiple Partnerships Will Help Samsung Become an Autonomous Tech Leader, FutureCar (May 15, 2018), https://www.futurecar.com/2263/Having-Multiple-Partnerships-Will-Help-Samsung-Become-an-Autonomous-Tech-Leader.

76 Susane Keohane, How Inventing Became a Passion: Developing Autonomous Vehicles to Help Support Healthy Aging and People with Disabilities (Mar. 15, 2018), IBM, https://www.ibm.com/blogs/research/2018/03/developing-accessible-autonomous-vehicles/; see Biometrics, IBM Research, https://researcher.watson.ibm.com/researcher/view_group.php?id=1913 (last visited Nov. 13, 2018).

77 Andrew Meola, Microsoft is Approaching Self-Driving Cars in a Unique Way, Business Insider (June 6, 2016 2:23 PM), https://www.businessinsider.com/microsoft-is-approaching-self-driving-cars-in-a-unique-way-2016-6.

78 US Patent Application No. 16/075,442 (Publication No. 20190039570; filed Feb. 3, 2017, published Feb. 7, 2019)

79 See Table ___ (Top 20 Assignees with… biometrics in automobiles); Jen Wieczner, Why Ford Wants to Put Biometric Sensors in Your Car, Fortune (May 4, 2017), https://fortune.com/2017/05/03/ford-self-driving-car-biometric/.

80 Audi A8; Volvo XC90 (Zenuity); BMW i8 at CES 2016 and (BMW iNEXT); Ford (Argo); GM (Chevy Bolt); Honda and Waymo; Hyundai & Aurora and see CES 2019; Tesla.

81 Products. https://veniam.com/autonomous-vehicles (last visited Feb. 15, 2019).

82 http://www.zadvancedcomputing.com/ [fix cite]

83 https://iti-i.com/about-us and https://ati-i.com/about-us-3/; both owned by David S. Breed [fix cite]

84 See Bret Kenwell, GM, Ford Bump Up Investments in Electric and Autonomous (Mar. 24, 2019), TheStreet, https://www.thestreet.com/lifestyle/cars/gm-ford-invest-in-electric-and-autonomous-14904586.

85 Press Release, Ford Motor Company, Ford Creates ‘Ford Autonomous Vehicles LLC’; Strenthens Global Organization to Accelerate Progress, Improve Fitness (July 24, 2018) (https://media.ford.com/content/fordmedia/fna/us/en/news/2018/07/24/ford-creates-ford-autonomous-vehicles-llc.html).

86 Examples of individuals from Waymo to Uber, Waymo to Apple, etc.

87 No. 3:17-cv-00939 (N.D. Cal. Feb. 23, 2017).

88 Defend Trade Secrets Act, 8 USC. § 1836, et seq.; California Uniform Trade Secrets Act, Cal. Civ. Code § 3426, et seq.

89 Cara Bayles, Uber, Waymo Settle Trade Secret Case Amid Trial, Law360, Feb. 9, 2018, https://www.law360.com/articles/1010900/uber-waymo-settle-trade-secret-case-amid-trial.

90 18 USC. § 1832.

91 US v. Zhang, D.I. 1, No. 5:18-cr-00312, N.D. Cal. July 9, 2018.

92 US v. Chen, D.I. 1, No. 5:19-cr-00056, N.D. Cal. Jan. 22, 2019.

93 US v. United Microelectronics Corp., D.I. 1, No. 3:18-cr-00465, N.D. Cal. Sept. 27, 2018.

94 US v. United Microelectronics Corp., D.I. 1, No. 5:18-cv-06643, N.D. Cal. Nov. 1, 2018.

95 Micron Tech., Inc. v. United Microelectronics Corp., D.I. 1, No. 3:17-cv-06932, N.D. Cal. Dec. 5, 2017.

96 US v. Huawei Device Co., Ltd., D.I. 1, No. 2:19-cr-00010, W.D. Wash. Jan. 16, 2019.

97 T-Mobile USA, Inc. v. Huawei Device USA, Inc., D.I. 1, No. 2:14-cv01351, W.D. Wash. Sept. 2, 2014.

98 US Patent Nos. 9,908,530 (Mar. 6, 2018) and 10,121,345 (Nov. 6, 2018).

99 US Patent No. 10,163,163 (Dec. 25, 2018).

100 US Patent No. 9,070,168 (Jun. 30, 2015).

101 US Patent Nos. 9,908,530 (Mar. 6, 2018) and 10,121,345 (Nov. 6, 2018).

Auto manufacturers are also integrating face and iris recognition technology with a vehicle camera system directed at the driver to detect fatigue or drowsiness.”