Opinion

Opinion: The Knicks won. Their fans lost their privacy. It’s time to ban the scan.

A City Council bill would ban MSG and other businesses from engaging in biometric surveillance of their customers.

Madison Square Garden is one of the most aggressive users of facial recognition software in the country.

Madison Square Garden is one of the most aggressive users of facial recognition software in the country. Angela Weiss / AFP via Getty Images

After more than fifty years, the Knicks are champions once more, and New York is still celebrating. But even as fans revel in our victory, some are now taking Madison Square Garden to court.

Just days after the win, hackers exposed millions of customer records in a massive data breach tied to Madison Square Garden Entertainment, publishing files online for anyone to download.

The breach is a reminder that when businesses collect vast amounts of personal information – including biometric data – they also create enormous risks. New York City does not have to accept that tradeoff. That is why the City Council must pass Intro 213, which would prohibit businesses open to the public from collecting or using customers’ biometric information for surveillance.

Reporting indicates the leaked information includes more than 26 million customer records: emails, personal information and internal files profiling prominent guests, including home addresses. Ironically, among the records exposed was an email from a customer expressing concern about Madison Square Garden's facial recognition system; that private concern is now itself part of the leaked data. The records also include a dossier on activists who have publicly criticized the company’s use of facial recognition, including members of our Ban The Scan coalition and Surveillance Technology Oversight Project founder Albert Fox Cahn. 

Madison Square Garden is one of the most aggressive users of facial recognition technology in the country. Owner James Dolan scans the faces of people entering his venues and uses the technology to bar individuals he dislikes. In one widely reported case, a mother was turned away from the Rockettes at Radio City Music Hall while chaperoning her daughter’s Girl Scout troop, because she worked at a law firm involved in litigation against Madison Square Garden Entertainment. She posed no security threat. The technology simply enabled retaliation.

Facial recognition makes some of the harms of biometric surveillance visible: you know when you're denied entry. But the greatest danger is often invisible.

Biometric data is fundamentally different from other personal information. You can change your password. You can replace your credit card number. You cannot change your face. Once your faceprint is compromised, the consequences can last a lifetime. Every database of biometric information becomes a permanent target for hackers and a permanent risk for the people whose information it contains.

Madison Square Garden is hardly alone.

In 2023, the Federal Trade Commission barred Rite Aid from using facial recognition technology for five years after finding that its system falsely flagged shoppers – disproportionately women and people of color – as suspected shoplifters. The FTC also faulted the company for failing to secure the massive amounts of sensitive data it collected.

Earlier this year, shoppers at Wegmans stores in Manhattan and Brooklyn noticed small signs informing them that their faces were now being scanned. Fairway has done the same. Most customers likely walked right past those signs without realizing what they were consenting to.

That's because under current New York City law, businesses only need to post a notice, not ask permission. Businesses can collect, store and potentially share your biometric information without your affirmative agreement, and there are few meaningful limits on how long they can keep it. The longer data is stored by private businesses, and the larger the database gets, the higher the risk of a data breach.

The problem extends beyond grocery stores and sports arenas. To access certain online services, the IRS relies on a private contractor, ID.me, to verify identities using facial recognition. Medicare is rolling out the same this year. A face scan is increasingly becoming the price of participating in everyday life – and every scan lands in a database that can be breached.

New Yorkers should not have to choose between attending a game, buying groceries or protecting their privacy.

There is a clear solution before the City Council. Intro 213 would prohibit businesses open to the public from engaging in biometric surveillance of their customers and would provide a private right of action, allowing New Yorkers to sue businesses that violate the law. A companion bill, Intro 428, would extend similar protections to tenants in their own residential buildings.

The lawsuit against Madison Square Garden should end the illusion that companies can responsibly collect unlimited biometric information without meaningful safeguards. Every database of faceprints creates another target for hackers and another opportunity for abuse.

The Knicks gave New York a championship to celebrate. Now let’s give New Yorkers their privacy.

It’s time to ban the scan.

Shahana Hanif is a New York City Council member representing District 39 in Brooklyn. Michelle Dahl is executive director of the Surveillance Technology Oversight Project.

NEXT STORY: Opinion: Why I voted no on the $126 billion budget