A few years ago, I was contacted by a man who'd given up on his CPA exam dreams due to Prometric data collection. He was looking for my help exposing Prometric's data collection and alleged sale of said data. Although I was never able to prove that Prometric was making money off candidate data, it looks like this guy has gained some support, at least in the Alaska legislature.
Yesterday, I testified (by remote communications) in the Alaska House of Representatives’ Health and Social Services Committee, which is considering a bill to heavily regulate the collection and use of biometrics. The bill is inspired by a man who was denied entry into the CPA exam when he refused to have his fingerprints scanned for that purpose. You can read more about his campaign at the PrivacyNOWalaska.org site.
I’m entirely sympathetic to his concerns about potential overcollection of biometrics in digital form, and what may happen to biometric data after it is collected. As I said in my testimony, “a digital record of a biometric can be stored indefinitely, copied an infinite number of times, and transmitted around the globe at the speed of light. This creates security and privacy concerns cutting against the use of machine-biometrics.” On the other hand, the CPA exam apparently has a problem with imposter fraud and faux test-takers who go simply to memorize questions and sell them on a test-prep black market.
Unfortunately, the bill is not calibrated to balance the competing interests at stake. It would create a “notice and consent” regime for biometrics collection, an idea that has failed to produce privacy protection in other areas. It would require massive and expensive re-tooling of data systems to provide consumers a right to amend or revoke their permission to use biometrics or order destruction of biometric data. And it would flatly outlaw marketing that uses biometric information—not just the stuff we learned to be spooked about in the film Minority Report, but knowingly agreed-to tailoring of discounts at the grocery store if we used a biometrically-secured payment system, for example.
I urged the Alaska legislators to ensure that biometrics collectors account for and prevent potential harm to Alaskans when they design and use their systems, but not to constrain biometrics so much that their security benefits never materialize.
Now, I wouldn't say the CPA exam has a problem with fake test takers. Multiple levels of security are in place to prevent that – such as Prometric Gestapo requiring two IDs (even if they don't always enforce that rule). And memorizing CPA exam questions is an exercise in futility given the sheer number of possible exam question combinations. So why, exactly, does Prometric need to scan your fingerprints?
I think that's all this guy wants people to ask.