SAN FRANCISCO — It sounds so easy. Buy groceries without a wallet, phone or smartwatch on you. Stroll into buildings and events without showing a ticket or a pass. All it requires is a quick flick of your wrist as you hold your chosen hand over a black circle, like magic.
Amazon announced a new palm-recognition system last week that lets people shop in two of its Amazon Go stores by scanning their palm at the entrance. The store automatically tracks what products they pick up and then charges the credit card associated with their hand.
It’s the latest in a long line of product announcements from the company to raise privacy or security concerns while selling its vision of an automated, frictionless future.
Called Amazon One, the palm-scanning system is only in two Go stores in Seattle at the moment. But with the massive online retailer behind it, it has the potential to become a standard form of payment or even identification. Amazon’s plan is to start selling it as a service to other companies, like retail stores, office buildings that use ID badges to get in and out, or stadiums that require tickets for events.
The week before, the company showed off a prototype of a personal indoor surveillance drone called the Ring Always Home Cam. In addition to using Echo speakers to normalize having an always-on microphone that saves recordings from inside people’s home to the cloud, Amazon has been busy pushing its other Ring products like doorbell cameras and working on police partnerships that let law enforcement request access to recordings from the personal cameras. It has even made its own facial recognition software, Rekognition, that was used by law enforcement until Amazon paused their use of the program for a year.
But some privacy experts worry the new biometric scanning device, which sends images of peoples’ palms into the cloud, could be a security risk.
(Amazon chief executive and founder Jeff Bezos owns The Washington Post.)
“As with everything at Amazon, we take data security very seriously, and any sensitive data is treated in accordance with long-standing policies. We are confident that the cloud is highly secure,” Amazon spokeswoman Kerri Catallozzi said.
The palm-scanning experiment is the latest sign that Amazon isn’t shying away from products that push the boundaries of what customers are willing to accept, if it can make their lives easier or spark a little joy. Now, buoyed by the success of the Alexa and Ring product lines, Amazon is leaning into biometrics in a way that companies like Apple have previously decided are too risky.
Biometrics are biological measurements that can be used to identify someone, such as fingerprints, face and iris scans, the way a person walks or other behaviors that are unique. They’re used by law enforcement to identify people, but have more recently been turned into a consumer tech offering as a way to access phones, skip the security line at an airport or board a plane.
Smartphones got here first. Fingerprints and face detection are now standard options for securing newer smartphones and even confirming things such as digital purchases. Their biometric authentications work in conjunction with wearables as well, turning a watch into a payment device. Smartphones are also already collecting more detailed data than Amazon could gather with just One, including a person’s location, where they shop and possibly what they buy.
It’s still not the same as letting a store scan your body part.
“There’s always something about the physical that catches our attention,” says Bryant Walker Smith, an associate law professor at the University of South Carolina specializing in law and technology. “The idea of an eye scan or a palm scan feels just so much more tangible than that all these companies have our phone numbers, and that these large platforms can track us by our behavior.”
The differences between the approaches are in the technical details. Major technology companies like Apple and Samsung have already settled on what they see as the safest ways to use biometrics. Smartphone users unlock their devices with a fingerprint or scan of their face, but instead of uploading that information to servers, the companies do all the processing on the device itself.
The Amazon One system does what those other companies have purposefully avoided: It stores sensitive biometric data in the cloud. Privacy advocates regularly warn about the dangers of unchangeable (at least without drastic measures such as surgery) biometric data being breached, or being made available to law enforcement.
“If your credit card number leaks, you can get a new credit card. If a biometric scan of your palm leaks, you can’t get a new hand,” said Evan Greer, deputy director of the privacy group Fight for the Future.
Amazon’s business has long been based on collecting data about what its customers buy, but it was an experimental gadget, the Echo, that charted its current path on privacy. It has used a spaghetti-against-the-wall approach with its products to see what sticks (not its effort to launch the Fire phone) and what traditional privacy precautions buyers are willing to give up for cool devices (a lot, it turns out). Launch a product, let the privacy concerns flare up and fade, then watch as people buy it anyway.
“You could call it coercion through convenience,” Walker Smith said. “That’s the story of every technology. We protest or we say, ‘I would never use that. Why would I use a smartphone?’ And then it turns out you can watch cute videos of cats on this thing or talk to grandparents. It just becomes what people do and then you will do it, too.”
The Echo speaker, released in 2014, uses always-on microphones to listen for a wake word, the name of its omnipresent assistant “Alexa,” and start recording commands. But it also set timers when your hands were full, played music instantly or read stories to your children. The smart speaker launched the rare, new-product category. Soon Google and Apple were rushing out their own versions.
Amazon continues to take the concept further. How about an Echo in your kid’s room? One on your nightstand? Another with a camera that can be turned on remotely if you enable the “Drop in” setting. How about a wearable that scans your body and listens to your voice to determine your “tone?”
There have been bursts of pushback as people learn more about how Amazon’s systems work. The audio files from Alexa devices can contain sensitive information and are sometimes recorded by accident. The company, along with Google and Apple, came under fire last year for allowing third-party contractors to review the voice recordings. Alexa recordings have been used in criminal investigations and trials, including at least one murder trial.
In the first half of 2020, Amazon said it received more than 3,000 requests from law enforcement for user information across its products, and that it complied with almost 2,000 of them. The company says it complies with law enforcement requests for Amazon One the same way it does for its other products.
The new One device looks similar to a regular credit card machine. To get a first-time user set up, it uses cameras to scan their hand. It then encrypts the images and uploads them to the cloud. Amazon’s Catallozzi says the scans are used to map out identifying features on the palm — the pattern of veins under the skin, the lines and ridges on the surface — and create a unique “signature” for the user. You hold your hand inches away, making it conveniently contact-free during a pandemic.
Fingerprints and face scans on smartphones aren’t uploaded into any databases. Amazon said the encrypted palm images it captures are stored in a custom-built area of the cloud. When asked, the company did not say how long each image would be stored, only that it is long enough to do things like generate the signature, update it if your hand changes over time or process a transaction. Users can ask to delete their accounts, including the images, at any time, Catallozzi said.
While not as common as fingerprints, palm prints are used by law enforcement to identify suspects. The FBI’s National Palm Print System, for example, contains more than 29 million palm prints.
“From a privacy perspective you could envision a potential issue in the future, where there’s a latent print on a knife, there’s a req from enforcement to Amazon,” said Samir Nanavati, CEO of security and tech consulting firm Twin Mill.
Nanavati has 26 years of experience in biometrics and has seen many start-ups come and go with similar pitches. He thinks the biggest hurdles for this kind of biometric system could end up being practical.
Using Amazon One requires installing new devices at every point of entry or sale, something the United States has been notoriously slow to do with previous payment systems such as chip-readers and NFC readers for contactless payments. It would also make something that is currently the customer’s issue — making sure their phone registers their face or fingerprint — into a store’s customer service issue. Every time a palm won’t scan, that’s time when the cashier-less Amazon Go store needs to deploy a human employee.
And a more secure wallet and phone-free option already exists in wearables such as the Apple Watch, Nanavati said. It uses biometrics on the iPhone to make sure the person wearing it is who they say they are, and make purchases.
Whatever the future of money is, it will still have to compete with the accessibility and anonymity of the lowest-tech option: cash.
“If we have a form of digital cash that is not just as private as cash is, that is just a huge blow to basic human rights,” Greer said. “People should have a right to pay for things that they need without subjecting themselves to surveillance.”