91 comments

[ 2.4 ms ] story [ 70.8 ms ] thread
[flagged]
> The proposed order will require Rite Aid to implement comprehensive safeguards to prevent these types of harm to consumers when deploying automated systems that use biometric information to track them or flag them as security risks. It also will require Rite Aid to discontinue using any such technology if it cannot control potential risks to consumers. To settle charges it violated a 2010 Commission data security order by failing to adequately oversee its service providers, Rite Aid will also be required to implement a robust information security program, which must be overseen by the company’s top executives.

Not a ban. They'll have some oversight, and a little slap on the wrist.

Boo hoo. This isn't a win for consumers. This is a win for Rite Aid.

I believe those restrictions are in addition to the ban:

> I. Use of Facial Recognition or Analysis Systems Prohibited

> IT IS ORDERED that Respondents, in connection with the activities of any Covered Business, are prohibited for five (5) years from the effective date of this Order from deploying or using, or assisting in the deployment or use of, any Facial Recognition or Analysis System, whether directly or through an intermediary, in any retail store or retail pharmacy or on any online retail platform.

https://www.ftc.gov/system/files/ftc_gov/pdf/2023190_riteaid... (PDF, page 14)

Your quoted text is ambiguous, but the order is not. The distinction is "facial recognition" and "biometric information".

> IT IS ORDERED that Respondents, in connection with the activities of any Covered Business, are prohibited for five (5) years from the effective date of this Order from deploying or using, or assisting in the deployment or use of, any Facial Recognition or Analysis System, whether directly or through an intermediary, in any retail store or retail pharmacy or on any online retail platform.

> IT IS FURTHER ORDERED that Respondents, in connection with the operation of any retail store or retail pharmacy or online retail platform by any Covered Business, must not use any Automated Biometric Security or Surveillance System in connection with Biometric Information collected from or about consumers of such retail store, retail pharmacy, or online retail platform, unless ...

So, it is a ban on facial recognition, and additionally any use of biometric information is subject to this bureaucracy.

Cities are employing the same kind of technology to Orwellian levels of dystopia. It would be nice for the same level of scrutiny to be applied if I'm honest.
(comment deleted)
Is that within the scope of the FTC? My naive assumption would be that it's not, and cities tend not to self-regulate on matters of any real importance.
"The same level of scrutiny" doesn't imply the same agency doing it.

Stronger federal and state privacy laws are probably needed to curb the current abuses.

No oversight, no accountability, full speed ahead with tracking everyone, everywhere, all the time, just in case they might become a crime suspect.
I'm getting "FTC website currently unavailable" - the other comments here are discussing the article, making me wonder if I'm being geoblocked?(!)
I'm not sure why the site is unavailable for you, but here's a copy from the Internet Archive's Wayback Machine:

https://web.archive.org/web/20231220025346/https://www.ftc.g...

It's unavailable to me as well, I'm in Australia. I found the article through Googles cache no worries at least

https://webcache.googleusercontent.com/search?q=cache:https:...

Ditto here on Australia and lack of direct access.

That said:

    Rite Aid will be prohibited from using facial recognition technology for surveillance purposes for five years to settle Federal Trade Commission charges that the retailer failed to implement reasonable procedures and prevent harm to consumers in its use of facial recognition technology in hundreds of stores.
makes me happy we (Australia) put a temporary stop at least on the roll out of facial recognition of "untrustworthy shoppers" by Bunnings (Australian Hardware store with a sideline in sausages).

    FTC says Rite Aid technology falsely tagged consumers, particularly women and people of color, as shoplifters;
It seems likely that the same base level issues exist across most implementations of (alleged) "bad actor" recognition systems.
TIL about Bunnings wanting to roll out facial recognition :/, thanks for the headsup...

Also - very strange, I'm in AU too. The site's working for me now though.

Very strange, I'm in AU too. The site's working for me now though.
(comment deleted)
> Rite Aid is currently going through bankruptcy proceedings and the order will go into effect after approval from the bankruptcy court and the federal district court…

Talk about kicking someone while they’re down.

I dunno, it seems like the judgement is sound to me. I’d place that error on the offending party, not the enforcing body. Company clearly wasn’t paying attention to the books nor the harm their use of technology was causing, and thus got their just rewards for that behavior. “Talking about screwing up twice” seems like a more accurate statement.
Not only does being poor not exempt you from the law, it's usually who the laws apply most to.
(comment deleted)
You don’t get a get out of jail free card because you have financial problems.
I can't believe they would arrest me for being a peeping tom, don't they know I have a lot of credit card debt?
Governments and authorities all over the world seem to be adopting technology as magic pills. Need more such stories to temper the enthusiasm and make them see the pitfalls and harm such blind adoption can cause.
(comment deleted)
Why are retail establishments permitted to use this at all? The state of privacy law in the United States is a clown show.
(comment deleted)
Companies provide written legislation that is ratified into law with at most an assistant reading through it. Regular citizen constituency lacks the coordination and resources and bribery power to do likewise and must instead wait years between votes to try to find better representation.
Why shouldn't retailers be allowed to use this at all? The FTC's reason seems to be because they did it poorly and discriminatorily but that doesn't seem to be your concern.

Is your concern that they're recording people in the store? Are there non-clown show countries where they were forward thinking and put a stop to the collection of that biometric data decades ago? Or that they're looking at the recordings? Comparing the recordings to other recordings? Like... what's the too far step that America needs to ban to not be a clown show?

> Is your concern that they're recording people in the store?

Recording via CCTV for security purposes is not the same as using facial recognition technology. Facial recognition technology produces data which may or may not be shared/sold to unknown (to me) third parties.

That ship has sailed. When in public, consider yourself always recorded and always identified.
It's embarrassing that the issue was the accuracy of the intrusive, privacy-invading technology.
Different laws and rights have different priorities. Private property ownership trumps a lot of rights and laws, passing near authoritarian rights to owners within their property. Free speech for example has no priority over property ownership as I can remove you and therefore your speech from my property. The right to bear arms takes a back seat to my right to again dictate if you can or cannot be on my property. Exceptions of course exist, like I can't exactly murder someone on my property legally (unless they're invading unlawfully and I feel threatened, in some states).

Quite a bit exists and caters to protect those who own things in this country.

While I agree that this technology is a problem, what privacy laws/regulations would you suggest?

The problem with coming up with reasonable ones for this sort of thing is that the customers are in a public place. Are businesses not allowed to record on their property and analyze those recordings? What about a security guard spotting someone who shoplifted last week? Or a business tracking credit card numbers across stores?

In order for things to be different, the policy makers need reasons to draw lines between this and examples like the above that most people would agree businesses can do. Here, accuracy helped be that reason, but it’s only a matter of time before the models are more accurate.

Why is it a privacy issue? How people look isn't secret. Having a security guard who won't allow people who look like people who've been banned from the store, or mugshots that have been circulated, is normal practice, no?
Because your face is ultimately tied to a payment method and profile of you and sold to whatever data broker wants it.
Reuters did a great piece on Ride Aid's facial recognition in 2020: https://www.reuters.com/investigates/special-report/usa-rite...
How do they expect the Chinese to even train on white, black and Latino people recognition.
Surely Tik-Tok is the quiet answer out loud here?
I know you’re being sarcastic, but note China holds significant, almost colonial, investments in Africa and Latin America. Those investments include control of the telecommunications infrastructure carrying all the data they could ever want from those areas.
(comment deleted)
[flagged]
I genuinely wonder how long until these stores just get retooled into automats. That's the only way the ongoing "one retail worker has to try and keep watch over an entire store" business strategy would work long-term anyway.
(comment deleted)
> it violated a 2010 Commission data security order by failing to adequately oversee its service providers

It would be great to get the list of those service providers and anyway I wouldn't want to be the C*O with the responsibility of monitoring them and be sure that they are not fooling me with false statements of compliance.

Add the remediations and maybe it costs less to lose some items from the shelves.

Why wouldn't you want to be the C*O? They don't carry any personal responsibility from breaking these laws. They have probably earned shittons from making the illegal system and will continue to get obscene pay after this too.

Nothing will change until there's real personal repercussions.

(comment deleted)
5 years is a long time in tech, it’s like 20, 20 years back
It's specifically 5 years, but it does _feel_ like 20.
I think parent comment meant that progress has accelerated to such a degree that the same amount of innovation will have happened between now and 2029 as happened between 2003 and now.
I agree with that interpretation.

I disagree with the parent comment.

I don't think they appreciate the scope of change over the last 20 years. From mobile, tablet and headset interfaces, to social media, to infrastructure (ADSL never mind fibre), WiFi, cell tech. Voice assistants, chatgpt, I could go on.

Crumbs, the Web didn't even have ajax back then.

We're not even close to duplicating that scale of change over the next 5 years.

Future is difficult to predict, but in past take last 20 years and 20 years before that and so on. It feels like rate of change is accelerating by factor of 4 or more.
>Rite Aid banned from using AI facial recognition for five years

First mover disadvantage.

By then everyone else will have been using it for a while.

I wish hackers used their talents to expose C-level execs of companies like this (and their partners), instead of blackmailing game developers and leaking their in-progress work.

Do something for good.

Unfortunately the authorities tend to only allocate public resources to protecting the rich. There's little to no risk attacking tiny game devs.
That's...SIGH. I didn't think of that, you're right.
C-level execs are unsafe and should be rewritten in Rust.
Why would it matter if the execs are exposed? This stuff carries at most very minor repercussions for them.
No hackers needed, just look into the former CEO of Thrifty and the relationship between Thrifty and Ride-Aid using any old search engine or properly trained AI.
the safest stores with the least amount of theft are going to be 1) membership clubs which require ID cards to enter or 2) stores that operate like a vending machine... most stores already have order online functionality, they just need to implement it in kiosks in a lobby area of the store and have staff bring it out. For most people, there is no need to even enter the store anymore. I order online at Walmart, Target, Sams Club, Best Buy, etc and they just bring it to your car. The whole issue of theft goes away at that point, IMHO
From statistics I recall reading years ago, a significant amount of retail theft comes directly from employees. So, until you automate those roles away, there's still theft there.
Since that time many jurisdictions have significantly lowered the penalties for shoplifting, and even set a $900 threshold before the police can even become involved.

Here in California, one such state, whenever I go to a Walgreens, and this sounds like hyperbole, but I assure you it is not, at least one person shoplifts and just walks out of the store without a hint of hurry in their step. The worst occasion I saw four people just straight up come in, help themselves, and walk out.

These aren't even people who visibly seem to be short of money that they could spend on these items, they're just taking advantage of a lax regulatory environment. Which, perhaps some stores have technical workarounds that they can afford, but what this really does is kill small businesses and locally owned stores entirely.

Hilarious. How do they morally justify doing this? Must be all these "oppression" theories they now teach in schools.
On the other hand this happened a couple weeks ago: https://m.startribune.com/us-retail-lobbyists-retract-claim-...

> In a January earnings call, Walgreens' CEO told investors that "maybe we cried too much" when reporting rising shoplifting the previous year.

> NRF data from its annual Retail Security Survey indicates that the percentage of shrink attributed to external theft, including organized retail crime, has largely remained around 36% since 2015.

My knowledge is about a decade out of date but at least circa ~2010 about 1/4 of retail theft originated from employees. External theft was definitely had the largest share of losses.
> or 2) stores that operate like a vending machine... [..] they just need to implement it in kiosks in a lobby area of the store and have staff bring it out.

There is a Walgreens in Chicago that was recently redesigned into exactly that due to the amount of theft going on.

I don't know about theft, but I go to lots of stores and feel no safety threat, and have experienced no safety threat. I can't remember if I've ever seen or experienced anything threatening.
>bring it to your car. Sweethearting is a thing.
> I order online at Walmart, Target, Sams Club, Best Buy, etc and they just bring it to your car.

I was at Target the other day buying Command hook adhesive strips. The price in the Target app on my phone was $4.49 with a disclaimer “when purchased online”, and the price in the store was $3.99.

I can easily see businesses giving different prices or coupons resulting in different prices to different people based on what they think they will be willing to pay. My friend already gets different Target Circle rewards than me, so I think being able to better price segment customers is at least partly the goal.

> For example, the technology sometimes matched customers with people who had originally been enrolled in the database based on activity thousands of miles away, or flagged the same person at dozens of different stores all across the United States, according to the complaint.

So it's not that the data was wrong, just not properly scoped to stores in a given city/region? Or was it misidentifying people because they looked like someone in the database?

It's in a paragraph about false-positive matches, so FTC is saying the data was likely wrong.

The complaint has more specific details:

> a. In numerous instances, Rite Aid’s facial recognition technology generated match alerts that were likely false positives because they occurred in stores that were geographically distant from the store that created the relevant enrollment. For example, between December 2019 and July 2020, Rite Aid’s facial recognition technology generated over 5,000 match alerts in stores that were more than 100 miles from the store that created the relevant enrollment. ...

> b. Some enrollments generated high numbers of match alerts in locations throughout the United States. For instance, during a five-day period, Rite Aid’s facial recognition technology generated over 900 match alerts for a single enrollment. The match alerts occurred in over 130 different Rite Aid stores (a majority of all locations using facial recognition technology), including hundreds of alerts each in New York and Los Angeles, over 100 alerts in Philadelphia, and additional alerts in Baltimore; Detroit; Sacramento; Delaware; Seattle; Manchester, New Hampshire; and Norfolk, Virginia. In multiple instances, Rite Aid employees took action, including asking consumers to leave stores, based on matches to this enrollment.

> c. Between December 2019 and July 2020, Rite Aid’s facial recognition technology generated over 2,000 match alerts that occurred within a short time of one or more other match alerts to the same enrollment in geographically distant locations within a short period of time, such that it was impossible or implausible that the same individual could have caused the alerts in the different locations. For example, for a particular enrollment image that was originally captured at a Los Angeles store, Rite Aid’s facial recognition technology generated over 30 match alerts in New York City and Philadelphia between February 2020 and July 2020. Each of the New York and Philadelphia matches occurred within 24 hours of a match alert in a California store and thus was likely a false positive.

My local Rite Aid here in Marin County CA put this in some years ago. As soon as I noticed it, I yelled at the manager and told him neither I nor anyone in my family would be coming in there again. I also edited OSM.org to show the facial recognition cameras in the store. Sadly, I think I am a minority who resists this stuff. If more people would do the same, they would have stopped it. Don't be afraid to tell stores what you think. If it affects their business, they will change.
How did you notice? Don't they just look like normal cameras with the AI facial recognition running on the backend?
Reminds me on that infamous restaurant with facial recognition running on in-venue displays, which was ousted after AI software on one of those crashed and started displaying detection logs, in plain text.

I read about it a couple years ago. Anyone has a link to that story?

How did you know it was facial recognition system and not just a regular security camera that was recording?

Trying to understand what to look for..

I don't remember the name of the company that provided it, but it was a two foot pillar mounted camera at the register. I researched the company, but the cashier already told me it used facial recognition.
Your comment spurred my interest because I would think the cameras looked like normal cameras. They don't though, they're huge. The FTC report has more details about their alert and training practices: https://www.ftc.gov/system/files/ftc_gov/pdf/2023190_riteaid...

There's also a bunch of "enrollment" store employees did that they're kind of murky on. The whole thing is a shit show from what I read under "Rite Aid’s Enrollment Practices":

    21. In connection with its use of facial recognition technology, Rite Aid created, or directed its facial recognition vendors to create, an enrollment database of images of individuals whom Rite Aid considered “persons of interest,” including because Rite Aid believed the individuals had engaged in actual or attempted criminal activity at a Rite Aid physical retail location or because Rite Aid had obtained law enforcement “BOLO” (“Be On the Look Out”) information about the individuals. Individual entries in this database are referred to herein as “enrollments.” Enrollments in the Rite Aid database included images of the individuals (“enrollment images”) along with accompanying information, including, to the extent known, individuals’ first and last names, individuals’ years of birth, and information related to criminal or “dishonest” behavior in which individuals had allegedly engaged.

    22. Rite Aid regularly used low-quality enrollment images in its database. Rite Aid obtained enrollment images by, among other methods, excerpting images captured via Rite Aid’s closed-circuit television (“CCTV”) cameras, saving photographs taken by the facial recognition cameras, and by taking photographs of individuals using mobile phone cameras. On a few occasions, Rite Aid obtained enrollment images from law enforcement or from media reports. In some instances, Rite Aid employees enrolled photographs of individuals’ driver’s licenses or other government identification cards or photographs of images displayed on video monitors.

    23. Rite Aid trained store-level security employees to “push for as many enrollments as possible.” Rite Aid enrolled at least tens of thousands of individuals in its database.

    24. It was Rite Aid’s general practice to retain enrollment images indefinitely.
Reuters has more details on the cameras themselves: https://www.reuters.com/investigates/special-report/usa-rite...

> The cameras were easily recognizable, hanging from the ceiling on poles near store entrances and in cosmetics aisles. Most were about half a foot long, rectangular and labeled either by their model, “iHD23,” or by a serial number including the vendor’s initials, “DC.” In a few stores, security personnel – known as loss prevention or asset protection agents – showed Reuters how they worked.

> The cameras matched facial images of customers entering a store to those of people Rite Aid previously observed engaging in potential criminal activity, causing an alert to be sent to security agents’ smartphones. Agents then reviewed the match for accuracy and could tell the customer to leave.

The FTC report also says that while they employees were sent details used to confirm the match they were never sent confidence scores while any and all matches were sent to employees as alerts.

The basic idea of seeing who has robbed your store before and directing security staff to pay attention to them seems like a good one to me...

Especially in small theft incidents where police can't be bothered to intervene (eg. Stole $15 of stationary), it makes sense to have this system automatically collate thefts by the same criminal to eventually do a prosecution.

In isolation, this is true. The problem is that there's no way in hell it would ever be limited to theft prevention. It's only a matter of time before this will be used for more nefarious purposes.

Remember that browser cookies and software was once used for good and legitimate purposes. But since there is no (enforced) legislation against their misuse, online stalking and spyware has become the norm.

Going to echo the other commenters - how did you notice this? Security cameras are everywhere. How does one suddenly notice that these cameras are now doing facial recognition?
Why did you yell at the manager? I mean they don't have the power to change such things. They can report it to the higher ups, but yelling at them will only lower the chances that complaint would ever see the light of day.
> the order will go into effect after approval from the bankruptcy court and the federal district court as well as modification of the 2010 order by the Commission.

I like the outcome but i don’t understand the statutory or constitutional authority involved here

why is the FTC doing this as opposed to… some other agency?

Either this one is an overreach, or I can think of a lot of other normalized moderately inconvenient private business practices to sic the FTC on

(comment deleted)