
Retailers are turning to facial recognition software (2018) - elorant
https://www.buzzfeednews.com/article/leticiamiranda/retail-companies-are-testing-out-facial-recognition-at
======
neiman
"privacy advocates and industry stakeholders are debating ... how shoppers
should be informed about when their faces are scanned"

I don't want to be informed when my face are being scanned, in the same way
that I don't want to be informed when a website is about to sell my data. What
I want is for the law not to allow such things.

~~~
shadowgovt
I want the law to allow such things, because it is extremely useful to me as a
consumer and a customer if the system can automatically identify me and attach
me to my past history with the company.

This dimension of privacy is still open for debate.

~~~
teflodollar
Strongly disagree. While I can accept that it's supposedly valuable for you as
a consumer to be "identified and attached" to a company—even though it's
something that I want nothing to do do with and consider a net bad for
society—the notion that whole-scale identification of persons entering a store
may be an acceptable default behavior is absurd, even before considering the
so-called "dimension of privacy."

As the other child comment mentioned, there are many ways to identify yourself
to a store that don't require facial recognition. The YMCA for example has a
system that lets users track their exercise history; there's no reason Macy's
couldn't do the same for your purchases. If indiscriminate ID'ing is the
default position, then you have decided that _your convenience is more
important than the freedom of every other person in the store._ It should be
the responsibility of the person who wants this convenience to opt in, not the
responsibility of the rest of us to opt out.

The desire to not have PiD stored by anyone should be reason enough to close
the debate. But if it's not, we fortunately have hundreds (thousands?) of
cases of corporate consumer abuse and irresponsible data storage to point to.

~~~
shadowgovt
Amazon has an entire grocery store experiment that utilizes this is a core
element of the experience.

It seems to be getting largely positive reviews from its users.

> The desire to not have PiD stored by anyone should be reason enough to close
> the debate.

Why? There is an open question of societal benefit versus personal benefit
regarding how PID is tracked and used, to say nothing of the actual ownership
of that PID (if you walk into a store's private property and their security
cameras record an image of your face while you're standing in their private
property, do you own that image? Why should you? You're in their property and
it was recorded with a camera they own on to media they own).

------
siruncledrew
There's already many services that exist for accessing databases of personal
data, it's just a matter of combining them into some sort of mesh to really
tip the scales to the extreme.

With facial recognition being able to query a face against a number of
databases, and payment information able to be queried as well, it just takes a
matter of some SaaS subscriptions to be able to know someone's: name, address,
email/phone/social media, wealth, education, employment history, what they
look like, where they go, who they associate with, when they go places, what
they buy/own, etc, etc.

It's like having a stalker behind your back all the time letting subscribers
know someone's life history in exchange for trying to extract as much money
and value out of person as possible until they are completely used up.

We might as well just back to feudal society and slavery because the game may
be different but the motivations are the same.

~~~
petra
Maybe it's time to run an e-commerce marketplace with no tracking, no
"personalization" of anything, no ads, no marketing emails, non of that
bullshit.

With a focus on quality, peace of mind, and best value for money products,
focus on minimizing SEO plays and fake reviews.

The infrastructure exist and is rentable from many(although a bit pricy).

Maybe all of those, together, would offer enough value to enough people to
make prices reasonable.

~~~
hn_throwaway_99
Good luck. We may constantly decry the erosion of privacy on HN, but I
_guarantee_ you that the populace at large (like 95%+), even if they may
sometimes complain about a lack of privacy, also generally really _like_ the
stuff that personalization provides. People (again, the vast populace at
large) make their purchasing decisions based on things like price and
perceived quality; privacy considerations are a distant follow up. Why do you
think the ad-supported web is the dominant model in the first place? Because
to most users it feels like "free", because the stuff they're giving up (like
privacy and the cost of advertising baked into things they buy) isn't readily
apparent.

Privacy is a concern that really doesn't matter much, until it does. For other
concerns like this it seems like regulation is the only thing that works. For
example, insurance companies are highly regulated because the default risk of
an insurer is something so amorphous for the average consumer to determine
that it's basically impossible for them to judge on their own. So that's when
government steps in and says there are basic standards an insurance company
must adhere to to operate at an acceptable level of risk. I feel like that's
the same for privacy. The average user isn't really able to comprehend, or
value, the gradual long term effects of privacy erosion, so that's where the
government steps in to demand all players must have basic standards.

~~~
bobthepanda
> Because to most users it feels like "free", because the stuff they're giving
> up (like privacy and the cost of advertising baked into things they buy)
> isn't readily apparent.

This is currently because the internet treats data collection as an "opt-out"
feature, if you're even allowed to do that. Changing the law so that it is
"opt in", and via a mechanism that is clear to a layman, might significantly
change that for people. Wasn't that the point of GDPR, anyways?

~~~
shadowgovt
And it does not seem to have succeeded, If the mass proliferation of cookie
tracking warnings is any indication.

~~~
paulryanrogers
Counterpoint, robo-call/text laws do influence some companies. I worked with
one who required double opt-in for text to avoid getting blacklisted.

~~~
shadowgovt
People actually hate robocalls and unsolicited texts, because they are an
inconvenience.

Cookie tracking is transparent and doesn't bother most of the populace; In
fact, what bothers them is being annoyed by nagging cookie tracking
notifications.

------
rdiddly
I think I did hear brick-and-mortar stores complaining recently about having
too many customers, and wondering whether there was something else they could
do, something they hadn't thought of yet, to annoy and anger customers, maybe
add a little friction to keep them from walking in the door. /irony

No but, ever since "the Schneier piece" [0] I've been thinking differently
about this whole issue. It's about _identifying_ you, and well, the store
already knows exactly who you are as soon as you use your credit card. So does
Amazon.com of course, though ironically they might not have an image of your
face.

If you were going to that physical store and planning to use cash (or
shoplift), THEN this affects you. Although even without "AI," you would still
get captured on security cameras. So if your presence there became a matter of
interest - let's say for example, to corroborate or debunk your alibi for a
more serious crime elsewhere - someone would invest the time to identify your
face the old-fashioned way. Like probably a subordinate of the senior
detective on the case, watching hours of camera footage looking for you.

You can see how it was a series of small, slow, incremental steps, each one
not necessarily big enough to create an uproar, that got us here.

[0] [https://www.nytimes.com/2020/01/20/opinion/facial-
recognitio...](https://www.nytimes.com/2020/01/20/opinion/facial-recognition-
ban-privacy.html)

~~~
dmarble
I work on identity resolution problems among other data challenges at a big
retailer. We get very few details when a credit card is used in-store --
pretty much just the basic card info. We don't own the payment networks and a
variety of legal and business reasons prevent us from doing what may seem to
be possible to get an individual's data based on a card number (from the
networks themselves or other data brokers). What's possible is mostly limited
to what you can do with the name on the card and store location. We've
invested significantly in the problem and the answers are a patchwork of
guesses.

There's an interesting related issue here for brick & mortar businesses with
CCPA and GDPR in effect: you can do some useful analytics, personalization,
and fraud prevention work with probabilistic identity info, but if someone
verifies they actually are Person X and wants to download or delete whatever
data you have on them, what can you confidently say is actually their data?

Will companies be held to different standards based on how much money they've
invested and success they've had in identity resolution, in which case this
might be a factor dissuading them from doing more identification and
personalization? Or if they haven't invested millions in trying to figure out
who people are, but it's possible to do so, are they liable for some kind of
misconduct if they don't produce all the data they have that could have been
tied together for that person? Is the choice binary, i.e. either invest big in
identity resolution and take it as far as possible (with parallel governance
investment) or de-identify everything you can? A privacy advocate might think
on first pass that it's as simple as choosing the latter, but that's mostly
not possible due to requirements we face related to other regulation and
business realities: fraud, anti-money laundering, age-related laws,
shoplifting, intense competition in a razor thin margin industry, etc.

Data privacy is complicated.

~~~
lobotryas
Hobestly it doesn’t have to be. Ban majority of data collection aspects and be
done with it.

We are wringing our hands over the issue when in reality we can solve it like
the Gordian Knot.

------
allovernow
What do you do? Start growing all of your vegetables in your backyard, and
order what you must with a fake identity from behind a proxy online?

I was going to question if we'd reached the point where it is not only
impossible to avoid handing over intimate identifiable data, but necessary to
participate in society - and I realized that we probably passed that threshold
a few years ago, although this does make things seemingly worse.

I wonder how long before they'll ban adversarial masks or hats in the name of
safety or some other such nonsense...

~~~
pmoriarty
_" I wonder how long before they'll ban adversarial masks or hats in the name
of safety or some other such nonsense..."_

In the US it's long been illegal to wear masks in public. From what I
understand, this was done as a response to KKK members wearing masks to
intimidate their victims and hide their identity.

However, I've personally never seen or heard of the anti-mask laws enforced,
and I see Asian people wearing surgical masks in public relatively often,
without any legal consequence that I'm aware of. People wearing masks on
Halloween also seems to be not only tolerated but encouraged. And, while
concern about the Wuhan coronavirus lasts, I expect to see a lot more masks
worn in public.

Of course there are certain locations like banks, jewellery stores,
courthouses and other government buildings, where wearing a mask probably
won't be looked upon too kindly.

~~~
will_pseudonym
It is not illegal to wear masks in public in _The United States_. It may be
illegal to wear masks in certain _states_, but that's quite different.

------
goalieca
Six years ago I interviewed at a company that was working on this technology.
My background was in image processing and segmentation. I knew someone else
would work on it if I didn’t but I still couldn’t sleep with myself at night
working for a company whose monetization depends on data mining people. It
deeply saddens me that even this shopping mall where I’m currently posting
from, tracked customers secretly and got busted with a bit of luck. Eventually
they will win. :(

~~~
Balgair
It's a funny thing. You hear on HN constantly that everyone's backend is a
mess, that the SQL tables are incomprehensible, the AWS server has crashed
again. Surely these scummy companies must be in the same state?

I know that security through obfuscation is not a valid method for storing
bitcoin keys. But privacy via idiocy is more common than not (exceptions do
apply:
[https://en.wikipedia.org/wiki/History_of_the_Jews_in_the_Net...](https://en.wikipedia.org/wiki/History_of_the_Jews_in_the_Netherlands#The_Holocaust))

~~~
ikeyany
Talented people write unmaintainable spaghetti code all the time.

------
bsenftner
Loss/theft prevention is a priority for retail adoption of FR, but the cherry
on top is the creation of real world consumer tracking that every website gets
"for free" due to their web platform, which until FR had no equivalent in the
real world. With an FR enhanced retail location, the store knows your face
visited just as a web site knows your IP address visited. This will overlay a
tracking capability on the real world with as much capacity as the out of
control tracking of people online. For this key reason, we need regulation to
prevent the sharing of any and all personal data between organizations. Wrong
identification and junk/incorrect/false data in retail/non-authoritative
databases must never be combined to create an uber-database of dirty data we
get impressed as "official".

------
falcolas
> ”It’s making Illinois a technology desert.”

It makes me want to move to Illinois. How tone deaf is this company?

I also noticed that they couch their losses in “lost sales”, as if the
shoplifters would have purchased the items had they only been caught.

~~~
BurningFrog
_Someone else_ would have purchased the items, had they not been stolen.

~~~
lonelappde
Extraordinary assertion without evidence.

How often is a desired product unavailable because some of the inventory was
shoplifted?

~~~
asdfasgasdgasdg
Even if it is not lost _sales_ , there's obviously an increased cost
associated with breakage in that you have to buy new goods at the wholesale
price to replace the ones that were stolen. Grocery stores, for example, have
gross margins of about 10-15%, so even if "lost sales" is not entirely
accurate, it's close enough that it's not going to severely misrepresent the
size of the problem. Perhaps in the case of a luxury goods shop where the
gross margins are 50%+ this is not the case.

------
mortenjorck
I was going to complain about "consent" being removed from the headline, but
the consent model for this is all wrong anyway.

Even if you had to sign a EULA when you entered the store, there's no way to
meaningfully consent to submitting your biometric data into a legally
unlimited universe of analysis, cross-referencing, marketing, credit
reporting, law enforcement, and whatever else ingenious minds can invent. This
just isn't a consent problem. It's a regulatory problem.

Under a proper regulatory regime, you shouldn't need to consent to a computer
recognizing your face any more than you should for an employee to recognize
your face, because the laws constrain what the computer can do with that
recognition, and you can reasonably expect those limits to be in line with
what the employee could do.

------
m463
Las Vegas has been doing this for DECADES.

The casinos all have facial recognition, and share the data.

The card sharks and other troublemakers are greeted at the door and shown the
exit.

source: have a friend who works in las vegas.

~~~
ChuckNorris89
TBH, casinos are not brick and mortar shops. When you go into an establishment
that attracts troublemakers(casinos, night clubs, etc.) you expect the
security-privacy balance to tip towards the former as that's the easiest way
to keep out scammers and troublemakers.

------
dropoutcoder
Ten years ago I thought there would be a cultural shift towards wearable spy
technology. Now I wonder if there will be a shift towards developing anonymous
masks worn as part of a cultural norm.

~~~
BurningFrog
Honestly, wearing a mask in public is really creepy.

I'm sure I'm far from alone in assuming you're out to commit violent crime.

~~~
dredmorbius
Wearing of masks in public has actually been a social _norm_ at times, notably
in Venice:

[https://www.veneto-explorer.com/history-of-the-venetian-
mask...](https://www.veneto-explorer.com/history-of-the-venetian-masks.html)

------
mistrial9
This has been going on for more than five years in California; Target and
Chipotle are rumored early adopters. Individual vendors are supplying and
installing the setup into corporate chain retail locations, creating "jobs".

~~~
strictnein
Target stopped this, per the article.

------
ckastner
This has got to be a US thing, as this would almost certainly be illegal under
the GDPR.

Facial recognition is processing of biometric data, which belong to the
"special categories of personal data", which are protected under Article 9
GDPR [1].

Customers would need to give _explicit_ consent to this.

Contrast this with normal security cameras, which don't use biometric data:
these do not necessarily require consent. For example, security cameras
filming a cashier's desk are usually lawful because of legitimate interests
(see Article (6)(1)(f) [2]).

But legitimate interests don't work with Article 9 data.

[1] [https://gdpr-info.eu/art-9-gdpr/](https://gdpr-info.eu/art-9-gdpr/)

[2] [https://gdpr-info.eu/art-6-gdpr/](https://gdpr-info.eu/art-6-gdpr/)

------
dadarepublic
I like how the gif showing the shoppers they should "observe" as being a risk
is of two burn out looking dudes. A total stereotype. It begs the question are
these type of stereotypes baked into the FaceFirst software?

The other image of a violent offender is more along the Ted Bundy type. Less a
victim of traditional bias but a total serial killer stereotype - white,
inconspicuous male.

It's usually a slippery slope with these kinds of biases being perpetuated at
the software design level - "stoner" types, minorities, and other marginalized
groups often getting the short end of the stick.

I understand retail wanting to reduce shrinkage (the term for stock loss via
theft). I guess that's one concern as a whole, how is it ethically being
handled?

------
huffmsa
Casinos have been doing this for a long time.

You've also got a GPS becon in your pocket, and are probably paying with a
card attached to your name and government ID number.

So unless you're paying in cash and not carrying a phone, you're already a big
red dot.

~~~
Jedi72
I live in Texas, and I've seen awkward moments at dinner parties where pro-gun
people say the government must not ever have a registry of owners or
civilization will collapse. I bet that the next day, to let off a little
steam, they bought bullets on their iPhone and had Google maps take them to
the range...

~~~
DSingularity
Why is it awkward? Because only you recognize the extent of their privacy
loss? Enlighten them.

~~~
Jedi72
This is not a case of consistent logic through ignorance. The same friends who
will literally go out guns blazing before letting law enforcement take their
AR15, believe Snowden was a traitor and the intelligence agencies would never
abuse their power ¯\\_(ツ)_/¯

------
kstenerud
So if someone starts getting misidentified, or is erroneously put into a
database somewhere and passed down the data brokerage systems, who does one
petition to be removed? With the government, you (usually) know where the data
is. With private databases, who knows where it starts and ends?

And once all major stores link up and you get banned from everything, how do
you survive once you can't buy anything anymore?

------
peter303
Minority Report movie predicted eye iris identification. 25 years ago irises
were thought to result in fewer false positive matches than facial parameters,
but the latter has improved since then. A problem with iris identification is
building a large database. Face images are collected by the government. DNA is
collected by police and ancestry companies. Not so much for irises.

~~~
the8472
> Not so much for irises.

High quality selfies might be sufficient to build a database. But since faces
are larger features that don't need close-ups they're commercially more
useful.

------
peter303
At 2019 SIGGRAPH a Chinese software company was creating free unique 3D avatar
characters for whomever voluntarily stopped at their booth. They probably
archived your face photo and badge ID for future research and other database
uses(!!!). Other booths could probably collect face and badge from walkerbys,
but not of the quality of someone who voluntarily submitted to their pictures
taken. I realized this shortly after getting my avatar (-:

------
Trias11
I don’t mind stores protecting themselves with this.

I do mind when the line is crossed and my information is shared with unrelated
external entities to monetize me

------
Animats
Will this be crosschecked to identify known illegal aliens and notify ICE to
come and grab them for deportation?

------
jedberg
Anyone remember the movie Minority Report? Specifically the part where he
walks into a store and the sign recognizes him and shows him a targeted ad for
an item in the store?

I feel like that use of facial recognition would have a far greater ROI than
loss prevention.

~~~
m463
gotta get a clean set of eyeballs.

------
davidhyde
We can name and shame companies who use facial recognition tech. If the bad pr
outweighs the benefits then they will abandon them. The challenge is to
educate the general public about the dangers of it.

------
jiofih
Instantly reminds me of the “Forbidding face-recognition is the wrong step”
article posted yesterday.

------
tempsy
Isn’t this what B8ta does, which I haven’t heard much criticism of or about?

------
dwighttk
going to need to start wearing bandanas to go to the store to get bananas

------
gregjw
Not okay.

------
NewsAware
Shouldn't this have a 2018 tag?

