Nervous System: Paying with Your Finger

In the early 2000s, the now-defunct Pay-By-Touch was the first service to offer payment via a fingerprint registered with a biometric recognition system. Privacy concerns related to the massive database of fingerprints the company left behind would eventually inspire legislation like BIPA.

In the early 2000s, the Pay-By-Touch service offered consumers the ability to conduct business without needing cash, a credit card, a wallet, or anything else on their person at the time. Instead, consumers could enroll their fingers into a biometric recognition system and supply a payment type to accompany the registration. To complete a purchase, the consumer only had to swipe their finger across a reader at a participating merchant. Privacy advocates worried about connecting consumer finances to biometrics but noted the typical American habit of choosing convenience over privacy. The service was popular, but in less than a decade the startup had collapsed for reasons that had nothing to do with the technology.

John J. Rogers had founded the San Francisco-based Pay-By-Touch with high-profile backing from the likes of billionaires Gordon Getty and Ron Burkle. Formally known as Solidus Networks, the company performed its first fingerprint-based payment transaction in 2002. In the following years, Rogers and Solidus signed up an array of merchants and retailers such as Jewel-Osco, Cub Foods, Piggly Wiggly, and Pathmark.

At its height, the company processed hundreds of thousands of payment transactions a month. Perhaps this was a rounding error compared to the monthly payment processing volumes provided by major credit cards, but at certain locations the fingerprint payments amounted to close to a quarter of all sales.

But technological challenges pressed hard on the bottom line. Each merchant that used Pay-By-Touch needed all of its checkout lanes to be outfitted with equipment. On top of that, the equipment had to function well with whatever point-of-sale hardware that particular store used. A dizzying array of point-of-sale systems were in use.

Then there were the challenges regarding the accuracy of the systems. When a consumer swipes a credit card through a reader, the hardware and software associated with that swipe need to correctly recognize the account number to process the transaction. To facilitate this process, credit card account numbers are engineered with built-in validity checking codes. The point of the card swipe is to find a perfect digit-for-digit match to confirm the account holder and complete the transaction.

By contrast, human fingerprints are biological features subject to a range of uncontrollable factors, such as the humidity of the air, cleanliness of the scanner, dirtiness of the finger, and amount of pressure applied at the scanner. Because so many variables can affect how a finger is scanned, each swipe of the finger is different. And because each finger scan is different, a system like Pay-By-Touch is not able to look for a perfect match, but rather is called upon to evaluate its level of confidence that a given set of data is sufficiently similar to another set of data.

In the context of payment processing, this raises the concern that the system might misread the finger of person A to charge their purchase erroneously to person B. This type of error is called a false match or a false acceptance. To avoid this risk, Pay-By-Touch engineered its systems to require a much higher level of confidence on the match, which had the effect of increasing the rate of false rejections. Consequently, consumers risked frustration when using the seemingly unworkable finger swipe terminals.

These problems could be minimized with additional engineering—but that meant more costs and time.

By 2007, the company had some $340 million to spend on solving those problems, but somehow was burning through about $8 million a month. There were allegations Rogers was using that money on lavish parties and drugs.

Solidus filed for bankruptcy in 2008, which brought the privacy concerns back to the forefront. Left behind in the aftermath of Pay-by-Touch’s demise was a database of some three million customer fingerprints, the security of which was unknown. When Pay-By-Touch sold off its assets, what would happen to all those customer fingerprints?

Looking back on this moment from the vantage point of today, there is no evidence to suggest that any fingerprint data from Pay-By-Touch was sold off or otherwise redistributed. There is no indication that any of that data has since been reused, either commercially or criminally. Nonetheless, in 2008, uncertainty about the fate of such sensitive information inspired legislators.

Illinois was the first to act, passing the Biometric Information Privacy Act (BIPA) in 2008. It was the first such law of its kind in the country and remains an outlying pioneer. Other states such as Texas and Washington followed with their own laws limiting the collection and use of biometric information by businesses, and Missouri, Maine, and New Hampshire limit government collection and use of biometrics. Illinois’ law is distinctive, however, in that it provides individuals the right to file suit on their own behalf. That private right of action has since led to numerous class actions under Illinois’ BIPA.

The views and opinions expressed in this article are those of the author and do not necessarily reflect the opinions, position, or policy of Berkeley Research Group, LLC or its other employees and affiliates.