The balance between information and physical security

By Daniel Pagan

Alberta Privacy Commissioner Frank Works did the right thing in a Feb. 20 ruling when he ordered the Tantra Nightclub and its parent company, Penny Lane Entertainment, to stop scanning driver licences and to destroy any patrons’ information that has been collected on a database. In an age of information theft and privacy assault, it is refreshing to see an official drawing a line in the sand for privacy rights. However, even getting rid of id scanning programs will still not answer the important issue of information security in bars and nightclubs.

The first problem with the SecureBar and BarLink id scanning programs is that they scan too much information. By scanning the card, the software collects all of the information on a patron’s driver licence, even the patron’s driver licence number and his/her weight, for an example. Is it necessary to collect all of the information on the card, even the patron’s home address? Does the security really need to know about if a bar patron is a tall, thin man or a rotund dwarf, beyond initial identification? Finally, even with reasonable data encryption, limited access, and other security measures in place, identity theft can still happen. There are vital questions about SecureBar and BarLink’s security, such as their ability to prevent a third party from hacking into their systems, or if SecureBar keep copies of information obtained from the database, or whether a determined criminal (or indeed a group of determined criminals) can access the id scanner and the database physically. Criminals can get jobs as bouncers at a bar and access the personal data there too. Heavy security measures cannot stop a determined criminal if he is intent on stealing the information.

Identity theft is a big business, with over $50 billion lost by consumers and businesses in the United States of America since 2002 and with many people losing control of their finances. Many of these thefts were due to criminals using stolen information to impersonate someone else and then drain their accounts. In other cases, a loan is taken out in the victim’s name and the victim is left bankrupt. Worse yet is identity cloning, where a criminal acquires a victim’s identity and impersonates the victim to perform a crime or avoid detection. That can result in the police issuing an arrest warrant for the victim, even if that person is completely innocent. Damage can be still done even if the offender does not use a victim’s personal information for identity theft, such as when a stalker uses the database to track down a woman by looking up her address. Many people’s naïvety about giving out private information in public space could lead to such situations.

The Privacy Commissioner’s ruling has a broad implication on the bar business such as the Students’ Union and its Den/Black Lounge pub business. How would the Students’ Union reacts to this ruling? One can imagine the situation SU VP Operations and Finance, Fraser Stuart is in. The SU can keep the SecureBar id scanning program and risk the Privacy Commissioner’s wrath (and a possible large fine), or get rid of it, potentially making the Campus Security and Den security unhappy. Campus Security and the Den/Black Lounge security are very confident in the usefulness of SecureBar in keeping the numbers of alcoholic incidents on campus down. Plus there are the initial implementation costs of the system which, according to Penny Lane president Paul Vickers, are not unsubstantial. In short, the SU finds itself between a hard rock and a frying pan.

Identity theft considerations aside, the ruling does not solve the thorny question of security at bars and nightclubs. The first problem is based in the nature of the bar and nightclub business. Serving alcohol and other intoxicating drinks to hundreds of buzzed, horny young adults during late nights and early mornings is simultaneously a genius idea with possible millions of dollars in profit and a mad business proposal with heavy security risks. These risks can be bigger when wasted patrons decide to start a riot, requiring a prompt police response. Even better, what about gang members and troublemakers with weapons?

Fights and murders at nightclubs always generate bad news in media, and always spoil the days of everybody involved–including the patrons who have nothing to do with the fights, along with the bar staff and bouncers who have to deal with the consequences. Would people still risk their personal safety and health by attending a bar where one person got murdered, even years afterwards? Would a nightclub still be popular if a drive-by shooting took out a whole line? Bouncers, for all their preventative work still have to break up fights, while bartenders and bargirls have to deal with harassment from drunk customers who don’t take kindly to being cut off.

The question about security is why nightclub owners such as the Vickers will appeal against Frank Work’s ruling as hard as possible. It is also why he plans to turn all of his bars into private clubs, where people would have to fill out forms for membership and show a copy of their driver’s licence before being allowed in, and would see a reduction of customers, thanks to all the potential workload. This concern for the safety of patrons and staff is strong enough to overrule privacy worries about the use of an ID-scanning system, with all the privacy and information theft issues associated with them.

However, what bar owners like Paul Vickers fail to recognize is that information security is as important as physical security. Concerns about identity theft are valid and by not addressing these, the owners are doing their own customers a disservice. There are other acceptable security measures, such as metal detectors, scanners, hiring more bouncers and off-duty cops who have more training in dealing with the unruly. Even Tequila Bar & Nightclub manager Jeff Beddoes noted in a Dec. FFWD article that more bouncers at the front door are as effective as an ID scanning program.

If bad news about violent fights at a bar weren’t bad enough, news about patrons’ personal information being hacked off a bar’s security database would be a media bombshell. What is needed is a new dialogue on what makes an acceptable replacement for id scanning programs and a debate on how much personal information is fine to give out to strangers. If you can’t trust your best friend with your intimate information, why should you hand it over to a random bouncer at a nightclub?

At least, if Penny Lane’s appeal got rejected, he can always make a visit to Israel or Bali to see how they can make metal detector scanners a fashionable nightclub accessory.

Leave a comment