Hacker News new | past | comments | ask | show | jobs | submit login
A crashed advertisement reveals logs of a facial recognition system (twitter.com)
1450 points by dmit on May 10, 2017 | hide | past | web | favorite | 522 comments

You'd be surprised / scared / outraged if you knew how common this is. Any time you've been in a public place for the past few years, you've likely been watched, analysed and optimised for. Advertising in the physical world is just as scummy as it's online equivalent.

Check out the video here http://sightcorp.com/ for an ultra creepy overview. You can even try their live demo: https://face-api.sightcorp.com/demo_basic/.

Woah, so this got a bit of interest. To be honest I'm a little surprised this seems to be news to the HN crowd.

I feel a little bad about calling out one API provider specifically, so here's a bunch more: https://www.kairos.com/ https://skybiometry.com/ https://azure.microsoft.com/en-us/services/cognitive-service... http://www.affectiva.com/ http://www.crowdemotion.co.uk/ http://emovu.com/e/ https://www.faceplusplus.com/

Face tracking, emotional analytics and vision based demographics analysis is a pretty huge industry. There's a entire spectrum of uses for this tech, from the altruistic (psychology labs, humans factors research), to the well, not.

I've lost track of how many times I've said this on HN:

We need HIPPA for all personal information, not just medical. We have an expectation of privacy in being "lost in the crowd" when we're out and about. Our physical & online whereabouts, who we're physically with, who we're communicating with, our personal contact information, and obviously payment information is private information that can be harmful if not kept private (false positives in automated legal systems, identity theft, and including all the defenses of securing medical information).

Anybody who chooses to hold such information must regard it with a high level of respect and privacy. Since nobody is doing so, and there are no penalties for violating privacy, and this gets into fundamental rights and proper functioning of society, it seems applicable to federal law.

HIPAA does not make your medical information private, it makes it Portable. Whether it has improved the protection of your digitized medical records is debatable, but it definitely forced almost every industry remotely related to medical care (and some previously unrelated industries) to digitize their records and share them.

Sure, paper medical records suck and aren't inherently more or less secure, but no one breaks into a car and runs away with 500 patients' medical histories when each patient's record fills pages, folders, or filing cabinets, rather than bytes on a hard drive (or even better, it slips away through a network connection that no one in the hospital even knew existed thanks to a back door on a piece of medical equipment).

HIPAA largely means that your medical information has been outsourced to whatever software/network/hardware provider claimed they could do the job (and whoever they outsourced the job to in some cases). If you don't sign whatever HIPAA agreement(s) your provider puts in front of you, chances are they can't treat you, so what choice do you really have?

Do you really think HIPAA is the only reason medical providers are going digital?

>We need HIPPA for all personal information, not just medical.

The UK has the Data Protection Act which does some of this.

One radical option would be to grant people copyright over their own PII (with about a billion caveats to allow journalism etc.)

>with about a billion caveats to allow journalism etc.

Then you'd just see setups like the financial industry has. You get analysts, call them journalists, and have people subscribe to your publication. The journalists go get insider-ish tips and 'publish' them to a select group of followers.

With laws like that you'd just hire a full time business analytics journalist to cover your store.

Who is this we? America opted out of the OECD privacy framework.

To be honest this is news to me and I lurk on hn every day :-/

I thought Minority Report was still a few years away...

Thanks for the links, this stuff is both fascinating and scary.

Amazon too:


Sentiment analysis for everyone!

Yep, Microsoft also offers much the same services. Works surprisingly well too. https://azure.microsoft.com/en-us/services/cognitive-service...

Indeed. This isn't new. It's everywhere.

The cameras retailers use with their surveillance systems are coming with facial recognition built in now. [1]

And lots of retailers, banks, etc, are using systems that track people's visits across multiple locations. [2]

You'll see a lot of these systems being sold as fraud/loss prevention solutions. The reason for this is that it's a relatively easy sell this way - customers can count how many thieves they've caught this way to easily determine the ROI they're getting on the system. Once the systems are in place, it's relatively easy to start using them for marketing related purposes.

Not all uses of systems like these are necessarily unethical. Consider a case where you want to set up a rule like 'if the average lineup length at the checkouts exceeds 5 people, call backup cashiers'. The problem is that once you have something like this in place, it's very tempting for company execs to want to use the data for legal but less than ethical purposes.

[1] https://www.axis.com/ca/en/solutions-by-application/facial-r... [2] https://www.facefirst.com/solutions/face-recognition-predict...

That's always going to be tempting, and the only real tractable solution is for society to have a larger conversation on the ethics so the law can catch up with it.

Note that some ethical consensus is key---without it, companies can just price "Well, some customers think image recognition is creepy" into the risk model and do it anyway. Compare privacy concerns---people talk big about their concerns over privacy, but in practice, we're still in a world where a survey-taker can get very personal information from a random individual at a mall by offering a free candy bar. Until and unless people arrive at a common consensus that their personal information---including their face---has value or they have a proprietary right to that information, even in public, there's no real tractable solution to this problem.

... because there's no real agreement that there's a problem to solve.

the only real tractable solution is for society to have a larger conversation on the ethics so the law can catch up with it

The department of commerce tried to facilitate talks about establishing a voluntary standard. The surveillance industry was so terrified of the idea that they should be held to a principled position that they wouldn't even budge on one of the weakest possible protections: A voluntary-participation standard that said people must opt-in to be identified by name through facial recognition when they are on public property.

https://www.eff.org/document/privacy-advocates-statement-nti... (and previous HN discussion on negotiations falling apart: https://news.ycombinator.com/item?id=9729696 )

Woah, i'd give away a lot of information for a candy bar. I get nothing from ads; they lower the quality of everyone's life.

Often, you're more-or-less getting the content surrounding the ads from the ads, albeit indirectly.

My local gas station upgraded its pumps recently to allow it to play video ads on the screen used to do the credit card transaction. I don't doubt it's partially the reason that gas station is still operational when similar non-franchises vendors in town have gone under.

Often times i don't give a damn about the content it sponsors. I'd much rather be able to do my business without being assaulted by ads, which often have little to do with reality, and often act as an alienating and dehumanizing force. It's very difficult to see the good.

I would rather have no content than ad-supported content. of course, nobody will ever offer that! You can't sell ads if people can opt out, and too many big players think they're the only way.

Thank gas station should have charged more or folded than sell you shit you don't want, won't want, and will never spend money on.

If you're expecting people to fold their livelihoods instead of sell ads, you may not understand how attached people are to their livelihoods. ;)

Meanwhile, there are some inroads into financial support alternatives to ads everywhere. Google has a "contributor" product (https://contributor.google.com/v/marketing) where you can basically bid against the ads they'd vend to you; instead of an ad running, you pay a microtransaction to buy the privilege of no ad.

It's an interesting idea, but it only works with Google's ad network.

Oh no, I'm not expecting it to go away.

Frankly, i don't mind google ads; i mind wasting 20 seconds to load a page with about two paragraphs of content and 3mb worth of ads. But this is all ignorig the broader point: why are we basing our revenue off of patterns many realize for being toxic, consumerist, negative-value? People AT GOOGLE will happily admit this while working to build it.

I do my own part by supporting Ad Nauseum[0] and actively punishing sites that serve ads, particularly facebook and google. It's also decent for a (very shallow, for now) layer of noise for your ad profiles. Offer me a flat fee and convince me to spend; don't trick me into viewing ads.

0: https://adnauseam.io

Gas stations in the US make very little, possibly zero, from the sale of gasoline.

Anyone have a source for this oft claimed fact? Retail to spot spread is averaging $.50-$.70/gallon for 86 octane with $.20-$.30 added for each premium tier in PHX. Does adding detergent & transport eat up that much margin?

There's no real reason to believe that, though. If someone has a space for an ad, why wouldn't they sell it, even if they don't need it to produce the content? This is one of the problems with profit-maximization: it means every avenue of efficient revenue generation should be exploited whether it's needed or welcomed or not.

Even the pay-for-no ads model doesn't hold up, because if you pay for content, why wouldn't they just double-collect and make you pay for ads served with the content? I purchased my phone and my phone service, but I still get ads in my notifications. Because I didn't pay "enough" to avoid it.

It's like paying off a blackmail ransom. You give them $100 and they come back next week and say "how about another $100?"

"The cameras retailers use with their surveillance systems are coming with facial recognition built in now. [1]"

Your source in the marketing material of an IP camera manufacturer.

We research that space and I can guarantee that less than 0.1% of IP cameras have facial recognition built-in or running. These manufacturers, like Axis, whom you cite, would love for such capabilities but they are still very uncommon.

Can't they still use the feed from regular camera and have another system to facial recognition from that feed?

>We research that space and I can guarantee that less than 0.1% of IP cameras have facial recognition built-in or running.

While I'm sure this is true (since the majority of IP cameras in the world are cheap things little more than webcams), do you have a number for retail stores specifically? I know many of the larger chains spend a lot of money on their cameras and movement detection and other intelligence has been onboard those for at least 15 years.

Just yesterday I was hearing news of how most of the retail giants and lots of smaller retail stores are going out of business due to competition from ecommerce. If that means the end of practices like this, then good riddance.

But, aren't ecommerce sites collecting this information and more from your browsing? I don't think it's possible to say one is much better than the other, just that we expect tracking online, not in the real world.

There is the point that in the "real world", social norms haven't yet adapted to the requirements of privacy (although you could also view it as societal norms allowing too much tracking). For example, if I wanted to use a mask to conceal my face from trackers, I would be ostracized. There are analogues in the virtual world of course, but it's usually harder in the physical world.

some modern cams (at least traffic ones) no longer use AGC and will not be fooled by this

They're even more accurate than facial recognition at building a profile of what demographic you fit in

It's likely traditional retail that falls by the wayside is going to make room for more competitive retail that leverages this information to its advantage in a way ecommerce sites can't.

Consider Amazon Go (https://www.theverge.com/2016/12/5/13842592/amazon-go-new-ca... setting up an account with a store, users enter, grab what they want, and leave. The system of cameras and biometric trackers observing the store figures out after-the-fact what you grabbed and charges it automatically to your account through a sensor fusion including face recognition. That's a level of convenience rivaling ecommerce for things people want to grab by hand (often produce and small items, for example), and it's completely enabled by this category of technology.

Perhaps, but it simply means the survivors will become more desperate to gain an edge. We've seen this exact behavior with online news sources cramming more and more ads and trackers into websites.


It is HIPAA, not HIPPA. It stands for "Health Insurance Portability and Accountability Act."

I get your basic point and I don't disagree that we need more privacy protection. But, no, we do not "need HIPPA" for all personal information.

I'm 65 and it says I am 39.

This is a wonderful app. I will use it every day!

It also picked up the colors in my aloha shirt perfectly. (Anyone who knows me knows that I am to aloha shirts as Steve Jobs was to black turtlenecks.)

When I want to feel young and go shopping for shirts, now I know what to do!

I'm a man and it thinks I'm a woman.

But it also scores me high for anger and sadness, despite (what I thought to be!) a rather neutral expression. Perhaps it knows more than we think :)

Hey! We should make a club. I am a 41 year old male and it recognized me as a 26 year old female. It recognized my wife at her age and gender until she took her glasses off. She lost ten years and stated, "I'm never wearing my glasses again!" Then, proceeded to walk straight into the wall.

As a 30 year old male who apparently looks 42, I hate all of you.

Take your glasses off (but check for walls before you do)..

I am a 22 year old male who looks like a 39 year old.

You can mess with it quite a bit by making different expressions and looking different directions.

Though I'm guessing it gets a lot more accurate when it can take and average multiple shots.

I tried the demo. A little sad, that it sees me as 12 years older than I am, and that I apparently always look angry and disgusted! I'm going to blame it on my glasses and bushy beard, and try to look at the bright side - apparently face scanning systems aren't quite good enough to get a read on me yet. (And try not to be too sad about looking like a grumpy old man)

(Anyone else with a glasses, a beard, or other non-typical facial features want to comment? I'm curious now how well their system handles these?)

I uploaded Comrade Putin. [1]

Thinks he is 45 years old. He is 64! Not calibrated for the superior Russian genetics.

[1] https://pbs.twimg.com/media/CuV5wciUAAA0aBz.jpg

It's hard to tell, with all the plastic surgeries.

Same experience here. Shows my age 10-15 years more than actual. I tried to smile and it just filled up the "disgust" bar. Neutral expression shows a high amount of "sadness". I wear glasses too, and have a slight beard.

I don't think glasses and beard are non-typical facial features!

I'm a 25 year old male, bald with a full beard, and it thinks I'm a 33 year old woman. At least it could tell I was happy?

and profession = circus sideshow?

A 33-year-old Russian woman?

Of course you look angry and disgusted. That's only natural, considering that you are aware of what's going on.

Bearded male here, and it got me exactly right the first time - 33 yr old male, 100% happiness.

The second time it thought I was 28, which increased my happiness even more.

Pretty good with me too. Guessed 51. I'm 53. My happiness was inscrutable.

MS did this one a while back to estimate age. I loaded some family members and it was on the majority quite accurate.


With a bald head, beard/mo, and reading glasses it doesn't detect a face. Without the glasses it estimates me as 7 years younger than I am - and reasonably high on anger and sadness...

It added 5 years to my age (42) but got everything else right.

My partner tried it and it took 10 years off her age, and found an angry 31 year old man hiding in the folds of her clothing!

I did well... it said I was an angry 33 y/o male. Well, I am male... I'm almost 50... and I didn't think smiling at the camera conveyed anger... but who am I to question our AI overlords ;-)

(edit)... on the other hand they probably were just trying to sell product so thought flattery was the right approach...

Says I'm 4 years older than I am (31 / 27) and have high levels of sadness.

Covered up my receding hairline a bit and it said 29. I reckon if I shaved I could get it down to about 22 since that's how old people usually think I am.

Pulled a disgusted face and it said 47. Hmm.

It thinks I'm 15-20 years older than I am, and even if I smile it thinks I'm angry.

The real metric to judge it' s effectiveness is by comparing its accuracy to an average human observer's responses. I doubt a human would do a lot better at estimating someone's age.

Most people think I'm around 30 and I'm 42. The software said I was 40 the first time and 44 on the second try.

From the responses it feels like they are using aws recognition.

Don't think so - I just used the same pair of images - one with my glasses on and one without - AWS Rekognition guesses mostly the same for both of them - the sightcorp.com one doesn't even detect a face when I've got my glasses on.

Rekognition guesses a wider age range - but gets a "correct" answer - the sightcorp one guesses me as 7 years younger than I am.

I wonder if the age error is symmetrical, or if it tends towards guessing lower or higher? It would make for an interesting study.

Glasses and a beard. Pegged me as an angry white guy about five years younger than I am.

Apparently I'm a 40+ yr-old male. At least it got the "male" part right.

I was very unhappy to discover that shoes now often have RFIDs built into soles. This + anti-theft RFIDs readers that are already deployed by the entry of most stores can allow to easily assign unique ids to shoppers.

Most anti-theft tags are not RFID and the gates are not full RFID readers. At least in Europe, vast majority I see are still based on simple resonators that get disabled on checkout. Effectively, the gates only provide a yes/no signal and can't be used for tracking.

Applied Science has a good video on how they work:


Retailers also use your MAC address from your phone which is always being published unless you take precautions.


Not on iOS anymore, that value is scrambled on a regular basis.

This is super cool. Was there any announcement or documentation for this?

We used a Cisco Meraki router once for a client and rigged it up to know who was in the office (for fun, to be aware that it could be done). It'd be nice to know the iPhone/iPad scramble themselves if possible.

Apple made this change in 2014, it was widely reported. [1] Apparently it exists on Android now also, though I don't follow that platform closely.

1. https://arstechnica.com/apple/2014/06/ios8-to-stymie-tracker...

Android does the same thing, both announced a while ago

Only if your phone is locked and it is looking for all open wifi networks. If you unlock it or it is connected to a particular wifi network this is not true.

No necessarily. If you are connected to some wifi and sending/receiving data, your MAC is still visible in the air.

Would putting my newly bought shoes into a microwave be a good countermeasure?

I've heard that you can disable RFID readers (not tags, readers) with an appropriately-resonant coil and an EMP circuit.

I'm not sure if the same can be done to tags, but considering the size of the tiny electronics, and the fact that they are manufactured under the assumption they'll never need to be touched (aka, no CMOS spike tolerance), it might be trivially...

...wait. I just remembered about RFID alarm barriers in retail stores.

Well this is annoyingly difficult to discuss, then...

Indeed you can, from a disposable camera flash circuit[1]!

Though I concur, might be used for evil purposes, couldn't resist posting this. I just love disposable cameras hacks.


Ah, very interesting. Thanks for the link.

>> Well this is annoyingly difficult to discuss, then...

Why? Is there a law against public discussion about how to disable an anti-theft device or something?

Okay, not really - but it can be tricky to know where to draw the line. I guess I was uncertain.

I draw the line where actions are taken. A discussion is not an action. Using a device illegally is, like for instance pulling the trigger of a gun with the evil intent of murder, or taking something that isn't yours.

I heard that the "is there a pot on"-impulse of induction cooktops is strong enough to kill RFID-chips without burning them. Have not tried it though.

another trick would be to pay for the shoes in cash; in this case they will not be able to link the RFID chip to your real identity. Cash payment is a very privacy friendly technology.

That's not the point - the point is being identified as an entity by a unique marker that the RFID tag gives off. It's still an anonymous entity, but it can be deanonymized by correlation... with your face via video or whatever.

Next month: new shoe regulations require the use of materials that melt or burn when microwaved.

Nah, they won't need to push that hard. "Warranty void when microwaved" will most likely be enough.

I've never made a warranty claim for shoes, so that shouldn't be a problem.

Me neither (too lazy for that), but I know they are used and abused by people too. This leads to funny cases I heard of like a company specifying that some shoes are for "walking", not for "running", and refusing to refund them if you admit to running in them.

You guys need Norwegian consumer protection...

As long as it comes bundled with Norwegian famously cruel child "protection" services, thanks but no thanks.

That doesn't sound too unreasonable. Some shoes like heels are made for fashion, not function.

If it's "not unreasonable" for them to reject warranty claims if you run in shoes "not intended for running", does that mean it is reasonable to make a warranty claim on shoes "intended for fashion" if you're not picked up while wearing them?

"Wore these heels to six bars, didn't get hit on once. Please repair or refund."

Do you have a source for this? All I can find online is the occasional use of RFID for stock management or the odd marketing campaign. But nothing about customer tracking

Is there something like this available commercially, or at least a guide on making one with a Pi?

I suppose reading the paper is one option.

EDIT: Link to the paper seems to be broken. Here's the PDF: http://www.cs.vu.nl/~ast/Publications/Papers/lisa-2006.pdf

Pretty sure they already are built into credit cards for this exact purpose.

Any sources for this?

By grinning like an idiot I was classified as a very happy 33 year old female. I'm a 25 year old male.

I tried variations of the standard expressions and pulled off sad, disgust, anger quite easily.

I knew binge watching Lie To Me before my psychology mid would come handy at some point!

if you ever are homeless you could be like the guy from The Imposter (2012 film) and trick a family into believing you are their long lost daughter.

I was blown away by the accuracy of Microsoft's https://how-old.net/ This just kicked it up a notch.

Counterpoint: this tool pegged my 8-year-old as 13 (and she looks younger than her age) and me as 56... well into the double-digit error zone.

Someone recently thought I was 30. People aren't any better than computers.

When I was 18, some lady at the community pancake breakfast in my grandpa's small town told my mom that 13 and younger are free. Humans make mistakes too.

Are you by chance of a specific ethnicity? (no offense). These systems fail spectacularly if the training set includes only certain ethnicities and the test-ee is not one of them.

If it fails, it fails spectacularly, worse than any human ever would.

When I was 18, someone thought I was 35. You apparently don't appreciate how failure-prone humans are.

It thinks I'm 91.

I am not 91.

"Emotion Recognition

Understand how your customers feel. Detect and measure facial expressions like happiness, surprise, sadness, disgust, anger and fear."

Creepy, indeed.

Perhaps. On the other hand, it's something that good salespeople are doing internally already; there's an argument to be made that this is just automating yet another part of the customer service process.

(There's an old joke that sometimes shows up on HN about augmenting an automated bugtracker to snap a photo when a crash is detected or a bug is reported, so developers can be reminded that bugs tie down to real people who are actually sad / angry that the software failed them ;) ).

>You can even try their live demo

I'd rather not give them my facial image so they can optimize for me.

Matched to your IP none the less. I wonder why Microsoft made that "how old are you?" web app...

To collect training data.

Why is this scummy exactly? If a salesperson was to try to sell to you in a store, they would take into account how you appear and act to tailor the sale. There's nothing wrong with that. Why is it suddenly bad if a machine does it?

Because when you talk to a salesperson you know you're being looked at (and reciprocally you're looking at them), and human memory is limited so it's unlikely they will retain any "data" about you when the contact is finished.

Here, instead, there is no indication that you're being watched, analyzed and kept recorded for indefinite amounts of time.

Reminds of a law here in Sweden and how car surveillance work on the bridge to Denmark. The law forbids the unnecessary registration of people so in order to avoid breaking the law the police have a live system in place where information of a car on the danish side get show on a screen on the Swedish side, giving border and toll guards enough time to react. The whole thing is legal only because the system operate live and never store any data, which otherwise would create a illegal register with personal information.

I assume that the data is being used for A/B testing on the display designs (we get 20% more attention from teenagers when the background is orange) - if that's the case, not very scummy.

If you are in public you are being looked at I do not understand your logic. When you go in a public place there are already public accessible web cams that people use to track this kind of thing i remember a thesis that used public accessible cams to try and track people and build up a database. I have always had the opinion you lose privacy when you leave your house since you are in public, and public like is opposite of private/privacy so to me it makes sense.

I have always had the opinion you lose privacy when you leave your house

Privacy is not black and white.

There is a world of difference between someone seeing you for a moment as they pass you in the street and forgetting you a moment later, and automated systems that permanently record everything, analyse it, correlate it with other data sets, make it searchable, and ultimately make automated decisions or provide information that will be used by others to make judgements about the affected individuals, all without the knowledge or consent of those individuals and therefore without any sort of reciprocity.

The idea that you have no reasonable expectation of privacy in a public place dates from a time when you could also expect to pass through town in relative anonymity, go about your business without anyone but your neighbours and acquaintances being any the wiser, and would probably change those neighbours and acquaintances from time to time anyway so the only people who really knew much about you would be your chosen long-time friends and colleagues. I think it's safe to say that that boat sailed a while ago, and maybe what privacy means and how much of it we should expect or protect aren't the same in the 21st century.

Just because there is no expectation of privacy does not mean that a reasonable person would assume that their every action is being recorded in precise detail to be stored away forever by a third party.

... but mostly because reasonable people haven't been brought up to speed on what is technologically feasible now.

A lot of things are technologically feasible, and in many cases can't realistically be prevented ahead of time, yet are still considered socially unacceptable or even made illegal. Just because we can do something, that doesn't mean we should. This principle has never been more relevant than in the use of technology.

What's technologically feasible is irrelevant to our moral expectations. It's technologically feasible to brain you with a club and steal your stuff, and has been for millennia.

Preventing the misuse of Blunt Instrument Technologies™ is literally what laws are for. Surveillance is just a club we don't have laws about yet, but should.

Well, your behavior and appearance isn't logged in some computer somewhere available for someone to look at whenever they want. Not to mention, face-to-face interaction means you know someone else is watching. This allows someone to do this without your knowledge.

It's just creepy.

Because a machine has much more capabilities than one salesperson.

The salesperson doesn't know in what shops you have been before.

The salesperson might also not know you talked to his colleague the day before.

This is about trust and privacy. You can't trust what they do with your data.

So if the salesman has an eidetic memory it becomes unethical? How about just an above-average one?

Your reply is disingenuous. The problem is not that abuse is not possible in a human-driven system. Of course some gifted salespeople have incredible memories, hypnotic powers of persuasion, and so on. However, you must consider the following:

1) These people are rare in the general population, and demand for their time is likely to be incredibly high. Therefore, they cannot be deployed everywhere, unlike machines.

2) When confronted with a human being in a sales scenario, people have a chance to be on guard against potential manipulative behavior. When the sales scenario becomes ubiquitous and invisible, it is much harder for people to avoid being taken advantage of.

3) Ethics are not so absolute. Something that is only mildly bad at an individual level can have terrible results when thousands are doing it. (Littering, for instance, or illegal hunting/fishing.) This is known as a social trap, and it leads to negative outcomes for everyone involved.

>1) These people are rare in the general population, and demand for their time is likely to be incredibly high. Therefore, they cannot be deployed everywhere, unlike machines.

A temporary problem solved by natural selection, technological augmentation, and increasing incentives. Perfect performers in any profession are hard to come by. Ambitious people still strive to get there.

>2) When confronted with a human being in a sales scenario, people have a chance to be on guard against potential manipulative behavior. When the sales scenario becomes ubiquitous and invisible, it is much harder for people to avoid being taken advantage of.

Because people don't understand technology or sales. In your reality, people should be on guard all the time because sales and marketing were already continuous, even before hidden cameras. In actual reality, most people don't care that much about being sold to as long as the sale itself it not abusive.

> 3) Ethics are not so absolute. Something that is only mildly bad at an individual level can have terrible results when thousands are doing it. (Littering, for instance, or illegal hunting/fishing.) This is known as a social trap, and it leads to negative outcomes for everyone involved.

Sure, but that omits the necessary step of justifying this behavior as being either mildly bad on an individual level or terrible on a mass scale, much less both. It is neither.

Also, I would add item 0: advances in technology mean that surveillance devices will only become smaller, cheaper, and more connected over time. The future you fear so much is, in fact, inevitable.

You are applying binary "all or nothing" logic to the real world, which contains many more shades of grey.

It is true that technology (both social and digital) continues to progress, and that the genie can't be put back in the bottle once it escapes. However, you don't have to put it back in the bottle. Speed limits don't stop speeding, and laws against murder don't stop homicide. The legal and regulatory system exists not to fully prevent understand behavior, but rather to reduce it to a manageable level.

In short: I agree with one part of your premise. Technology will continue to evolve and will continue to challenge human society in this area. Unlike you, however, I don't believe that we have to roll over and accept the implications and consequences of unregulated privacy invasions, neuromarketing and whatnot.

I don't think that either, because I correctly recognize that in public, you do not have privacy, either de jure or de facto. Especially if you're not even wearing a burqa, which would today at least give you de jure privacy because it demonstrates intent.

I'm sure that in the future, we will also create cheaply available opaque faraday cages that you can roll around in if you wish. And that most people will not care to do so.

You do have privacy in public. Both the de jure "reasonable expectation of privacy" and the de facto privacies of anonymity, free association, and predictable rules of social engagement.

>the de jure "reasonable expectation of privacy"

Does not protect your exposed face

>the de facto privacies of anonymity, free association, and predictable rules of social engagement

Are outdated illusions with no basis in fact

Well, I seem to have no trouble practicing all of those, so I know they are based on fact. Perhaps you don't actually understand what I'm talking about? Or maybe your experiences differ. Either way, telling me the things that that I personally do are not being done is... not an argument.

>>the de jure "reasonable expectation of privacy" > Does not protect your exposed face

Yeah, that's why it is "reasonable expectations" not "absolute enforcement."

In other words, as long as you are unaware of the surveillance, you are happy to pretend it doesn't exist? So where's the problem? Just don't click on links like the OP.

Eidetic memory and follows you everywhere and can transfer all those memories perfectly to any number of other people? Yeah. It's like super-stalking and it's obviously horrible.

Humans will get there too.

Stalking per se is mostly only illegal because it becomes harassment and bothers the victim. This kind of monitoring is entirely unobtrusive. As the response to the original tweet illustrates, most people aren't even aware that it is happening.

The information is being used to conduct asymmetric psychological warfare. The notion that it's harmless even if never outright abused where we define abuse as use for other than its intended purpose, is false.

Being subjected to constant sensory input and trickery from dozens of teams of experts on consumer psychology is bad enough when they haven't also been stalking and recording your every move.

Caveat emptor becomes an absurd position when the power imbalance is so great. Massive data collection and mining needs to be reigned in. The fact that it's not obvious people seeking to trick you by any means necessary are recording you everywhere you go does not make it OK, at all. Surveillance capitalism is way, way over the line, has been for some time, and just keeps going farther. That they're good at keeping you from realizing you're under surveillance is no defense whatsoever.

Complaining about warfare that is asymmetrical solely due to the incompetence of one side does not elict any sympathy from me.

Consumers do try to aggregate data for the equivalent of "massive data collection and mining". Most just don't care to pay for something that is not wholly controlled by a storefront. Generally, producers are more likely to understand the ROI.

Also if it records images it would fall under data protection legislation in the EU

I find it funny that the store doesn't trust their salespersons to make such a judgement on their own. Probably they hope to do analytics on what kind of people are visiting and when. Selling the data would only make sense if they are able to link it to an identity, I am not sure that they can legally do that.

Well, you never know into what dystophia you are heading...

Most humans today are prejudiced against nonorganic life due to not growing up interacting with anyone but other meatbags.

There's a huge double standard in place that makes it somehow wrong for computers to do what humans have been doing without objection for decades or millenia.

It's because people view the AI as an infallible machine that records everything, which is much more intimidating than the gut instincts of a salesperson.

Right, that's the manifestation of their prejudice. In reality, there is a spectrum, not a dichotomy, and some humans can have better memories than some computers.

Everytime I eat at Chipotle I smile at the sign on door that proclaims this property is protected by Envysion.

> Any time you've been in a public place for the past few years, you've likely been watched, analysed and optimised for

I don't believe this. This kind of advertisement in public would be illegal in germany as it is mass surveillance.

Germany is an outlier; their history with the Nazis makes the country unusually conservative about anything that could be abused for mass-surveillance purposes.

Not that this is a bad thing---being able to think differently like this is one of the positives of having countries!---but relative to the rest of the world, what Germany considers "surveillance" is unusual and sometimes surprising.

I think East Germany is probably the anti-surveillance sentiment more than 70 year old history.

That demo is amusing. I did a Google image search for "N year old faces" for N = 5, 9, 10 and 14, and eliminated results where the accompanying text did not confirm the age, and then gave some of the remaining ones to it. It was always at least 10 years too old on its guess for these children. It got the gender right maybe 3/4 of the time.

I also tried it on a few internet porn images. It looks like it is definitely only relying on the face for determining gender, or it thinks that there are a lot of women with hairy flat chests and large penises...

Really neat, except, it's about... 22 years and 5 months off. Plus a gender. http://i.imgur.com/wVmPdDj.png

I also have my own facial recognition open sourced as well.


Runs on CPU only, realtime 1280x720 @ 15 fps.

Is it creepy? Sure. But anyone can run it. I was looking at a rewrite to work in CLI with a web interface instead. But the core loop is the magic part that makes everything work nicely.

Isn't it illegal in most countries to put cameras in public places? Especially if they don't contain a warning?

No one's going to go to jail for their first offence of putting a in an advertising sign.

What's the worst that could happen? The local advertising regulator will order you to meet the regulatory standards or remove the cameras, but give you x number of weeks to act per unit installed.

Oh dear it thinks I'm a 35 year old woman...

And I suppose you're not?

It's AI, it knows you are secretly trans.

Now I kinda want to see what comes out if one gives a neural network a big pile of pre-transition photos of trans people, and another pile of similarly old photos of cis people. Would it be able to reliably predict if someone's likely to transition based on some subtle cues in the images?

Problematic parts: sourcing these images (I know there sure aren't many photos of pre-transition me, and I don't let the ones in my possession go much of anywhere), lots of ethical issues around having a system that can say "I am 97% sure this person is gonna want to transition". Also probably lots of other ethical issues I'm not thinking of.

No idea, I wasn't really being serious, but what inspired me was a real case of a woman who somehow got identified as pregnant by her supermarket long before she was willing to tell anybody (I don't remember reasons) and they sent her some coupons or something and her family found out. Needless to say, she didn't appreciate.

It was the father who complained. The case as reported by NYT http://www.nytimes.com/2012/02/19/magazine/shopping-habits.h...

haha, i did something like this in college for a project, it was confined to only emotions though and used images skimmed from google to train it.

Maybe i should try to sell it..

I will be honest, I have no real problems with this. Then again I enjoyed some of the concepts for advertising shown in Minority Report which did feature ads which could identify you.

the idea of collecting who looked at your display is invaluable. It would be beneficial for both government and ad agency. Ad agency is obvious but government could learn if displays present information people want and it was presented in a manner to catch their attention. The negative aspects of government use could be limited through privacy laws and such.

Then new Hitler (Erdogan) enters office, and starts using said device to deport infidels like it's 1915.

I've tested it a few times and it's indecisive on my gender and age (depends if I'm smiling, angle etc etc).

Microsoft's service is much more consistent and accurate (I've tested the same images...): https://azure.microsoft.com/en-us/services/cognitive-service...

Wearing a baseball cap makes me invisible to their scan...

I tried, but nothing from the response... is that normal?

I take my glasses off, but with exactly the same expression and position; 15 years younger, suddenly a lot African(?) and very happy.

Fearful with my glasses on and angry with them off - I'm sitting here while my morning coffee is steeping so I was expecting sleepy!

Try it but first take some clay and apply it all over your face that's skin-tone... then use that as your face ha.

I love how many people replied to your comment about how creepy this is with their age, appearance, and gender.

I love how people tried it in the first place. Now the site has faces tied to IP addresses.

hahahah!!! I did try this image and here are the results (removed plenty of px-related lines). My commentary next to the "<---" :

  "error_code": 0, <--so i guess no error

  "img_size": {
    "w": 1200,
    "h": 1609
  "people": [
      "age": 26,     <--- they need to re-calibrate that and make it x3
      "gender": -87,
      "mood": 21,

      "clothingcolors": [
      "ethnicity": {
        "african": 17,     <--- wow!!!
        "asian": 8,        <--- wow!!!
        "caucasian": 65,   <--- for real!!!!!
        "hispanic": 7      <--- wow!!!
      "emotions": {
        "happiness": 0,
        "surprise": 4,    <--- even HE can't believe he's POTUS
        "anger": 76,      <--- not surprised at all
        "disgust": 0,
        "fear": 6,
        "sadness": 4      <--- #SAD

> they need to re-calibrate that and make it x3

They guessed 39 for me (I'm 25). The age bit seems not so accurate

Now your employer can monitor your facial expressions to determine if you are actually working or just reading HN.

The future is here:

"WorkSmart can track workers' keystroke activity and take webcam images to ensure they're doing their jobs."


The future was here in 1995....

I worked for the U.S. Postal service for a time doing data entry (here as a matter of fact... http://www.sltrib.com/news/3445651-155/the-first-and-last-of...).

That job measured the number of keystrokes per hour of each employee. You had to maintain a 10,000 keystrokes per hour minimum data entry rate, they also spot checked for accuracy. Capturing the data you were suppose to enter (a scan of a piece of mail) what you entered, and what should have been entered.

While there was no question about goofing off... they used commodity hardware, but nothing else was general purpose (no internet, no email, no solitaire, no obviously general purpose OS), and no phones, talking., etc... they were very much watching for speed and accuracy during the entire time you were clocked in.

> what you entered, and what should have been entered.

If they knew what should have been entered, why couldn't they just automate the data entry?

They extrapolated your accuracy from auditing a relatively small sampling of it, or fed you known-value items and automatically audited them.

Yes, this. I don't know what technique they used. I expect it was known-value variety because they would have better automation in error detection. They may also have used a consensus model, showing work product that really wasn't known value, but was shown to enough different data entry people that the error rate was negated (the error rate requirement was pretty low as I recall) as in a group almost everyone would have done the entry correctly. A third alternative would be to send images that had passed OCR intake for the testing sample.

What sort of data entry? Seems like OCR/human combo would have been better.

Data entry of all the addresses that the OCRs failed to read.

OCR was pretty bad back in 1995 (which is why the Palm Pilot had a special handwriting for users to learn).

See this NPR piece: http://www.npr.org/2010/12/28/132393643/Undeliverable-Mail-I...

Also "Act Three" of Episode 70 of "This American Life": https://www.thisamericanlife.org/radio-archives/episode/70/o...

This is a very sad sad life people agree to :(

It was tedious and not well suited for people needing a certain level of variety or intellectual stimulation in their work. I found it a touch soul crushing... on the other hand I knew people there that were completely content doing exactly that work. They'd turn on their radio/books on tape/etc. (some, including me from time to time, would even read a bit) an go to a world of their own thoughts for 8-10 hours and be content. I had a relative that worked at the same place for 20 years and was completely happy with the job and life.

I did the data entry job for (as I recall) about a year and a half: it paid the bills and gave me a better life than I would have without it and I didn't have the right qualifications or work experience for anything better. For those reasons I was appreciative of the work while at the same time I looked to improve my working situation... something I can say of my work today (though what counts as improvement in working situation is way different now).

There are many jobs out there that need doing. Many of them are boring, or dirty, or dangerous. I don't think that necessarily makes for any more or less of a "sad life". I'm completely thankful to those that do those boring, dirty, or dangerous jobs. Some of them, like me, did it as an early first job sort of thing and used the work experience to get a better job: we paid our dues as it were. Others, like what I find unfulfilling or uninteresting. Some want to work outside, some want to work with their hands, some want to work with minds, and some simply want to be a bit financially better off than they are without the work.

"There is no such thing as a lousy job - only lousy men who don't care to do it."

If only we ran other government agencies the same way!

We used to do this in a school - it wasn't creepy - hear me out:

We had labs of iMacs and if anything happened to a machine, kids would (more often than not) just yank the power cord. Occasionally this would foobar the machine entirely and create unnecessary work. We couldn't catch the culprits.

So, if the machine managed to boot up successfully, after an unexpected power loss, we would take a photo using the built in camera and send it along with a ticket to the job queue, as well as do a complete re-image of the machine (automatically).

The number of funny photos we collected of kids just starting at the computer with WTF looks on their faces. But - from these photos we at least had the opportunity to educate the individuals about how to look after the computers a bit better.

There was a minor scandal a few years ago when a school was sending laptops home with kids and randomly snapping photos via the webcam for similar reasons

I think this is the original story, you can follow the "related stories" links at the bottom to see how it developed:


That's creepy.

Couldn't you just identify the user by their logon?

It's been a while but I don't think the old iMacs at my elementary school had individual user logins at the system level. For things like the reading test program there was a login I think but not for the whole machine.


You're assuming there were usernames and passwords. For consumer grade devices in decades past, that was not the norm.


Damn it!"

Fair point.

Haha :D

Amazon uses pretty tight tracking in their product warehouses to verify that floor runners are meeting expected performance goals.

just tried it... 57 yo?! Fucking kids wrote this code. Everyone above 30 is an old man for them.

I'm 40 and it keeps saying I"m a 28y/o

It just said I'm 23 on one picture. The other one unfortunately was pretty close to my real age.

It said I was 35 years old and yet I am 23 so I don't think it is just you

In Japan at least, before automated facial recognition, cashiers recorded buyer demographics by hand. I would think other places do it too.

Edit: Here is what the buttons look like. Gender and age. https://image.slidesharecdn.com/hvc-c-android-prototype20141...

I've seen this in Canada, at a Dairy Queen.

The cash register had a matrix of buttons

M: [0-9][10-19][20-29][30-54][55+]

F: [0-9][10-19][20-29][30-54][55+]

They'd just push a button as they punched in your order.

Presumably most cashiers would just optimise to pressing the same button on every transaction, since doing it "right" makes no difference observable to them.

Unlikely to be common behavior. The tally would come back at the end of a shift or day and the person doing that would be reprimanded, then fired if it continued. It would be enforced by the manager/s.

Now, would they press a random demographic button after that (instead of the same button every time)? Maybe, however there are numerous other ways to increase compliance in that case as well. If the logs kept coming back sketchy, well the cashiers are on tape - bam, another firing (note from the video tape: cashier intentionally hits male button when it's obviously a female, then repeats the behavior multiple times). Eventually the example gets across to the other workers to at least make an effort.

You're giving the organizations too much credit. A roommate of mine worked at a fast food restaurant in the early 2000s, where they were measuring the speed that workers took orders by timing the transactions on the cash register. The store manager had the brilliant idea to game it by running all cash transactions on pen&paper - not using the register at all! not even the cash drawers! - and then keying in the orders as fast as possible after the fact. The store won an award, the manager got a big bonus.

Hah, that's brilliant.

In a few stores here in Australia, I am asked for my post code (or country of residence if no post code) by the cashier when ringing up a sale. Predominantly at tourist/tour related points of sale, but I've also had it an electronics and white goods stores.

No idea if the operator is also recording gender and perceived age group etc., but I do know that on most occasions, you can opt not to answer the post code question.

When you go to those weekend open inspections in Sydney, you are almost guaranteed to be asked for your postcode. They record that as well.

I actually did some experiments - for different properties in roughly the same area/price range, I told different real estate agents different postcodes. It is beyond reasonable doubt that the code you tell them play a huge role on how they rank you as potential buyers. When you tell them a random north shore post code, you are guaranteed to receive a nice & friendly follow up on the coming Monday, however if you tell them that you live in the west (when mostly inspecting north shore properties), they would smile and immediately end the whole conversation.

The sample size here is ~50, which I believe is big enough to draw some reasonable conclusions.

If you give them a mobile phone number (which they all ask for) they will simply use that to track you far more closely than than can with a postcode

How? As far as I know a commercial company can't get your location or other personal information just by knowing your mobile phone number?

You are fooling yourself here. They probably have a whole data cake already, they want the mobile number as a cherry topping on this cake.

You know about the anonymized and aggregated data that one can buy ? Well it can be easily anonymized and deaggregated.

The good part is that you don't even have to do it yourself and go directly to data brokers that have done the hard work for you.

Coming from the standpoint of a very curious independent researcher, I'm curious what I might query/search for to learn more about these data brokers.

Not at all out of anything that might be categorized as malice, just to add this datapoint to my mental map.

Buying data lists. You usee your mobile number to get your cinema ticket - or whatever - the cinema sells that data. Do you get package alerts when you have a parcel due, now your phone number is joined to that address, plus presumably the credit card companies sell their data (?).

Companies amalgamate that data, then sell lookups of varying degrees.

Screwfix in the UK gather a lot of personal data as part of their sales process, they're the least covert about data gathering I've seen.

I'm not sure if it's true, but a friend once told me the reason a store asked for your zip code was to see if they had a large audience coming from a certain area. This let them know other locations to possibly open other stores.

As far back as 2000, my partner was asked for her zip code as we made a purchase and I curtly replied "no comment," to the surprise of everyone there. She walked for her phone number, which really irritated me because this was a $5 retail purchase of some type), and I got more curt when I said, "You don't need that!"

I've been annoyed by this stuff long before most people were ready to consider privacy concerns anything more than paranoia.

I like to give fake numbers in these situations. The way I see it, intentionally supplying bogus data is one of the only ways we have left to fight the machines and their algorithms!

I like to give obviously fake numbers. Like 12345 for a zip code or 212-555-1234 for a phone number. Most people don't care enough to have a reaction, now and then you get a laugh, and rarely you'll get someone who calls it out as bogus. My standard retort is somewhere between "Are you saying I don't know my own phone number?" and "Are you calling a liar?!" depending on how surly the response.

I was in an albertsons back when they wanted a number in tahoe and went in the 2nd time... cashier remembered me and said "what's that number again... something something something 5309eynine..." and was dancing a bit... it took me a second then I said "what's the area code here?" he glady gave it to me, so for about 12 years I just did $CURRENT_ZIP-867-5309.

My safeway card is in someone else's name... one day they had to pull it for some reason and I got a "Have a nice day.... Mr.... Soprano." and a big smile.

My father had memorized a fake Social Security Number that had come as a sample card in a wallet he got in the 1950s. When anybody except the government asked for his SSN and who wouldn't relent on his pushback, he would give them that number.

Wow, nice! I don't know if he was one of the 12 in 1977, but he would have been if this is the number he used. Woolworth's totally makes sense. If he were alive, he would poop purple Twinkies at that story. Thanks!

How does that work for him for things that do credit checks?

He's been dead for 10 years, but he didn't use it for those. As I remember it, in the 80s-90s it was more common for SSNs to be requested for normal consumer things.

!!!!!!! Can't wait for those numbers to leak out!

I gotta say, it's possible he never actually used it in my lifetime, but he could sure tell that story and rattle off the digits at a moment's prompting.

Some countries have law making it illegal to give bogus information about you, with hefty fines and jail time.

There's a bit of plausible deniability if you give slightly bogus info, like transposing numbers. You could assert that there was a typo on the company's part.

Really? I say "Nope" constantly and they're like "no problem" or "it's way easier to look up refunds that way" which is true depending on the store.

If you purchased with a card, they can usually look up a transaction based on that.

> "it's way easier to look up refunds that way"

"Thanks good to know, from now on I'll go buy at a business where this artificial limitation does not exist."

The GM of the big box that I worked at 25 years ago said that the zip code thing was to measure the "destinationness" of the store.

In our case, the average big ticket buyer travelled an average of 30 miles, which was awesome in that it made the end caps more valuable.

Sometimes the credit card terminal will ask especially at gas pumps for my zip code as an anti fraud measure, and will reject the transaction of you enter the wrong number. If a cashier is asking I always use 90210.

I guess a lot of people not from the US will use 90210 when prompted for a US postal code. I can't even remember what the show was about (except that it was set in Beverly Hills, obviously), but the number stuck.

The show was called 'Beverly Hills 90210'

Just a generic teen drama

I had same issue when visiting the US. I tried some fake numbers but it wouldn't accept it (my actual postal code has letters, so that wasn't possible), so I just ended up paying by cash.

Did you try your postal code minus the letters? Afaik[1] usually only the numbers in your address are verified anyway.

[1]: https://en.wikipedia.org/wiki/Address_Verification_System

My UK postal code only has two numeric digits, whereas I seem to recall the US gas pumps require five digits. Just means you can't pay at the pump.

Post codes in Australia are just 4 numbers, so when buying subway tickets in NYC, I just put in 10000 or something (I believe that's close enough to the local code?).

I've heard (unsure if true) it was to reduce entropy.

IE they keep the last 4 digits of your credit card, combined with a post code you have a unique id.

Not necessary, most point of sale systems can provide a unique hashed or tokenized version of the account number for analytics and identification purposes.

By cross-referencing your name (from your credit/debit card) with your zip/post-code, stores are able to determine specifically who you are with greater probability than without the zip/post-code.

With near 100% probability actually. There was a detailed report on that few years ago.

Googling for "why stores ask for the zip code" brings up a lot of press post, e.g. https://www.forbes.com/sites/adamtanner/2013/06/19/theres-a-...

This is the correct answer.

I always give the post code of the shop, if I know it, or one nearby that I do know.

Wait, why do you know the post codes of the places you shop?

Wait, you don't? :-)

Seriously, I mostly shop in the same neighbourhoods. And when not, there's often something on the counter with their address...or I can give a mate's address and let him get the junk mail....

Isn't it a credit card security feature? That's what it's for at gas stations.

Correction, that what they pretend it is for at gas stations.

99,99% of the time when asked a piece of personal data it is for cross-referencing or other privacy invading purpose.

I think they mean if a salesperson asks you for it, rather than when you put it in for a credit transaction.

Of course you can refuse, but you can also just give them a false one.

Don't forget loyalty cards are both a way to track demo and purchasing trends.

I volunteer at the Boston Museum of Science on Sundays and we also track how many people we interact with at the various activities. We log by group, so log might read "1 man, 1 woman, 2 boys, 1 girl (family)" or "3 women, 10 girls, 12 boys (school group)"

It's really handy to see how many people the activities attract, and who they appeal to most. You're tracked everywhere!

Could you be more specific? What could they possibly [Edit:] have recorded in a second other than male/female, Japanese/foreigner, or child/adult?

Facial recognition is a unique identifier but cashiers have access to almost nothing they can record... [Edit] What was it?

Edit: clarified that I am asking about the history here, what information was manually collected by cashiers as parent stated

Demographics and sales data is a primary example of big data.

The tweeted advertisement system also looks like it's only recording demographics. Not individual personal IDs.

Sorry, I wanted you to expand on this: "cashiers recorded buyer demographics by hand".

Give me an example of what they used to record by hand. All I can think of is "male, adult". I am specifically interested in what else you say they used to record.

I wasn't asking about the present status quo, only your historical statement about cashiers recording by hand.

Oh, OK. I edited in a link to the buttons the cashiers used, in the original post.

Thank you! Obviously that is far less privacy violating than demographics could be.

Today advertisers that phone home (spyware) often lie and claim only aggregate data is produced - but this manual example really is the kind of data that is okay. It's far less detailed than something like facial recognition. Thanks for adding the link!

You could distinguish people who are married or are parents (with false negatives) by recording people who are at the till with their spouse or children. (Send out demographic-research cards once, to a few of the same stores you've collected this info from, to derive a normalization factor that will make such collected observations useful from then on.)

You could make a note of a person's seeming affect—positive/negative/neutral emotion.

I'm asking historically what was actually done, not what could be done. (For, "what could be done" you could ask if the cashier had seen this person before? Are they a regular shopper here, as far as the cashier notices?) I am asking what information cashiers in Japan actually in fact recorded by hand. What did these cards look like for each customer. Etc.

Image of actual buttons used added to the original post.

Keep in mind this has to be done while doing usual cashier things, so not much attention can be taken up by it.


Generally what has been "accepted" as done is age and male/female. I'm sure some places have done more but that's all I've heard of (lived in Japan for about 6 years now).

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact