With facial recognition, shoplifting may get you banned in places you’ve never been

With facial recognition, shoplifting may get you banned in places you’ve never been
Image: Getty Images via cNet

There are hundreds of stores using facial recognition — none that have any rules or standards to prevent abuse.

Alfred Ng | cNet | Source URL

At my bodega down the block, photos of shoplifters sometimes litter the windows, a warning to would-be thieves that they’re being watched.

Those unofficial wanted posters come and go, as incidents fade from the owner’s memory.

But with facial recognition, getting caught in one store could mean a digital record of your face is shared across the country. Stores are already using the technology for security purposes and can share that data — meaning that if one store considers you a threat, every business in that network could come to the same conclusion.  

One mistake could mean never being able to shop again.

While that may be good news for shopkeepers, it raises concerns about potential overreach. It’s just one example of how facial recognition straddles the line between being a force for good and being a possible violation of personal privacy. Privacy advocates fear that regulations can’t keep up with the technology — found everywhere from your phone to selfie stations — leading to devastating consequences.

“Unless we really rein in this technology, there’s a risk that what we enjoy every day — the ability to walk around anonymous, without fearing that you’re being tracked and identified — could be a thing of the past,” said Neema Singh Guliani, the American Civil Liberties Union’s senior legislative counsel.  

The technology is appearing in more places every day. Taylor Swift uses it at her concerts to spot potential stalkers, with cameras hidden in kiosks for selfies. It’s being used in schools in Sweden to mark attendance and at airports in Australia for passengers checking in. Supermarkets in the UK are using it to determine whether customers are old enough to buy beer. Millions of photos uploaded onto social media are being used to train facial recognition without people’s consent.

Revenue from facial recognition is expected to reach $10 billion by 2025, more than double the market’s total in 2018. But despite that forecast for rapid growth, there’s no nationwide regulation on the technology in the US. The gap in standards means that it’s possible the technology being used at US borders could have the same accuracy rate as facial recognition used to take selfies at a concert.

Accuracy rates matter — it’s the difference between facial recognition determining you’re a threat or an innocent bystander, but there’s no standard on how precise the technology needs to be.

Without any legal restrictions, companies can use facial recognition without limits. That means being able to log people’s faces without telling customers their data is being collected.

Two facial recognition providers told CNET that they don’t check on their customers to make sure they’re using the data properly. There are no laws requiring them to.

“So far, we haven’t been able to convince our legislators that this is a big problem and will be an even larger problem in the future,” said Jennifer Lynch, surveillance litigation director at the Electronic Frontier Foundation. “The time is now to regulate this technology before it becomes embedded in our everyday lives.”

Faced everywhere

At the International Security Conference in New York last November, I walked past booths with hundreds of surveillance cameras. Many of them used facial recognition to log my gaze.

These companies want this technology to be part of our daily routines — in stores, in offices and in apartment buildings. One company, Kogniz, boasted it was capable of automatically enrolling people as they enter a camera’s view.

“Preemptively catalogues everyone ever seen by the camera so they can be placed on a watchlist,” Kogniz’s business card says.

This technology is available and advertised as a benefit to stores without any privacy concerns in mind. As more stores adopt this dragnet approach to facial recognition, data on your appearance could be logged anywhere you go.

California-based video surveillance startup Kogniz launched in 2016 and now has about 30 retail and commercial customers, with thousands of security cameras using its facial recognition technology. Stores use Kogniz’s facial recognition to identify known shoplifters.

If a logged person tries entering the store, Kogniz’s facial recognition will be able to detect that and flag security, Daniel Putterman, the company’s co-founder and director, said in an interview.

And it’s not just for that one location.

“We are a cloud system, so we’re inherently multi-location,” Putterman said.

If someone is barred from one store because of facial recognition, that person could potentially be prevented from visiting another branch of that same store ever again.

Kogniz also offers a feature called “collaborative security,” which lets clients opt in to share facial recognition data with other customers and share potential threats across locations. That would mean facial recognition could detect you in a store you’ve never even visited to before.

Putterman said none of Kogniz’s customers has opted into that program yet, but it’s still available.

Recognition without regulation

People don’t have to be convicted of a crime to be placed on a private business’ watch list. There aren’t any rules or standards governing how companies use facial recognition technology.

“The clients use it at their own discretion for their own purposes,” Putterman said. “If someone is falsely accused of being a shoplifter, that’s beyond our control.”

Amazon provides Rekognition, its facial recognition software, to law enforcement agencies like the Washington County sheriff’s office in Oregon. The tech giant recommends that police use Rekognition with a 99 percent confidence threshold for the most accurate results.

But the sheriff’s office told Gizmodo in January that it doesn’t use any established standards when employing facial recognition.

Gemalto, a digital security company, has been providing facial recognition to the Department of Homeland Security, which uses it at US exits to log foreign visitors leaving the country.

The company also works with local police departments on facial recognition. As with Amazon’s Rekognition, its customers aren’t beholden to any standards when using its facial recognition.

“Once the customer has it, they’re going to operate with the standards that they define,” said Neville Pattinson, Gemalto’s senior vice president for government programs. “It’s not our responsibility to have involvement past the point of delivery.”

The lack of standards across the entire industry leads to a massive potential for abuse, privacy advocates say. One store that uses Kogniz shares its login information with its local police department, Putterman said.

He declined to disclose which store, but the police are automatically alerted when the store’s facial recognition detects a flagged face — even if the person is not committing a crime.

“The retailer has given them permission to log in and see what’s going on,” Putterman said. “That local police department can look at the live footage and decide whether or not they want to act on it.”

That practice comes with legal concerns, Guliani said. Police need a warrant to track a specific person’s whereabouts, as the Supreme Court decided last June regarding phone location data. But with facial recognition, authorities can get around this limitation.

“That means without a warrant, without any oversight, what law enforcement can do is track your movements any time you walk into a store,” Guliani said.

And as facial recognition expands into more places, privacy advocates worry that more businesses will provide that access to law enforcement agencies with no limits.

“If they’re using it for when you’re shopping, or driving through the Holland Tunnel for your daily commute, what happens when law enforcement wants to tap into all of those systems and use them for recording?” said Jake Laperruque, a senior counsel at the Constitution Project.  

‘We need clear rules’

The federal government hasn’t taken action on facial recognition yet, but local governments are starting to limit how the technology can be used.

In late January, San Francisco supervisor Aaron Peskin proposed legislation to completely ban the city’s government agencies from using facial recognition. State lawmakers across the US have suggested similar legislation, like in Washington and Massachusetts.

Last Thursday, senators proposed a bill that would stop businesses from using the technology without notifying customers and prevent them from sharing that data without people’s consent. If passed, it would be the first federal law protecting your privacy from businesses using the technology.

Facial recognition providers balked at the proposed regulations, arguing that the technology’s benefits outweigh privacy concerns.

“I would hate to see the technology end up with reactionary restrictions on the basis of concerns on privacy,” Pattinson said.

Putterman said Kogniz understands the potential for abuse, and said his company does not sell facial recognition to government agencies. He hopes for regulations to arrive so that the technology can be used responsibly.

As it finds its way into every corner of our daily lives, facial recognition offers benefits — but without regulations, it could grow into an uncontrollable privacy violation, advocates argue. Before it does, many are calling for lawmakers to protect your privacy.

“This isn’t something that needs to be completely banned or cut off, but we need clear rules,” Laperruque said.

Leave a Reply

Your email address will not be published. Required fields are marked *