The new face of retail is yours, according to a latest trend — paying with your face via biometric scanning. Russia’s largest food retailer, X5 Retail Group, in partnership with VISA and Sber (a bank), is introducing payment via facial recognition (face scanning) at the checkout counters of supermarkets and convenience stores.

The trial at 52 stores succeeded well enough that the firm hopes to institute “facepay” (?) at 3000 stores. It works, at least technically, because we are more unique than we think:

With the huge rise in digital wallets, biometrics – face or hand recognition – has started to become more popular as the safest means of protecting customers from identity fraud. Because nobody can replicate or guess fingerprint or retina composition, they are virtually spoof-proof and by 2023, up to 1.3 billion people globally are expected to be using digital wallets on their cellphones.

Mark Faithfull, “Forget Apps, Russia’s X5 And Visa Have Launched Pay With Your Face” at Forbes

Unique features that can be used to identify you include a number of features: facial, voice, handwriting, and DNA recognition, as well as fingerprints, photo, and video. If you are working at a keyboard you can also be identified by your typing pattern, physical movements, navigation standards, and patterns of engagement with technology. (Security Magazine, 2020) Is it really spoof-proof? Read on.

For now, retailers hope that the technology will speed up checkout lineups:

Payment using the technology takes just a few seconds, as shoppers do not need to use their bank card or smartphone, however face masks do need to be removed in order to process the payment.

Stephen Wynne-Jones, “‘Pay With Your Face’ Technology Rolled Out In Russian Supermarkets” at ESM (March 10, 2021)

In China, Alipay and WeChat Pay already offer some biometric payment services, as do a handful of US firms. MasterCard intends to replace PIN numbers with a thumbprint, when technically feasible.

This trend was predicted for retail nearly a decade ago in the science literature. There’s even a journal called Biometric Technology Today
But in North America, the focus of biometrics has been more on security than commerce. Serious interest for commerce was spiked by the COVID-19 pandemic.

Back in 2018, privacy was an active discussion:

Arturo Falck, CEO of startup Whoo.ai, also sees customer loyalty as the next logical step, but he sees privacy concerns coming up even then.

“Once companies are using this type of technology for crime prevention purposes, there’s no reason why they should not be using it for upselling their customers,” Falck told Biometric Update. “In a way you can see the natural progression. If you remember way back when Gmail first started, we didn’t really think through the fact that pretty soon the advertisements that we were seeing when we were browsing the internet were targeted to us based on the emails that we were sending to each other. And you can imagine how that extends to the real world and how people are nervous about it.”

Chris Burt, “Biometric retail technology is ready for its close-up; but are shoppers ready for it?” at BioMetricUpdate.com (November 13, 2018)

Many consumers appear willing to trade privacy for convenience:

Sophisticated voice recognition software in Google Home, Siri and Alexa make life easier in a lot of ways. Whether it’s making appointments, ordering food, making purchases or just asking random questions for fun, these smart speakers confirm that biometrics have practical uses in our homes.

“Biometric technology means big things for retail and hospitality” at NCR (February 22, 2021)

The software industry insists that it uses the information recorded only in order to improve service. Maybe, but we are also told, “Apple contractors ‘regularly hear confidential details’ on Siri recordings — Workers hear drug deals, medical details and people having sex, says whistleblower” (The Guardian, July 26, 2019)

What about security? Ah yes, …

We are discouraged from worrying:

And as X5 Retail Group was understandably keen to stress, biometric data isn’t stored as an image or graphic but as an encrypted code, keeping people’s personal data secure. So if a system was to be hacked, the hacker would only uncover a set of encrypted data and not images or information

Mark Faithfull, “Forget Apps, Russia’s X5 And Visa Have Launched Pay With Your Face” at Forbes

Wait. Major enterprises, including governments and hospitals, are getting hacked all the time. So are Big Tech firms like Twitter. Biometric scanning itself, never mind the data it encrypts, is vulnerable to hacking. Even our fingerprints are not in fact secure against hacking:

A team of researchers at New York University’s Tandon School of Engineering, for instance, created an algorithm to not only simulate a person’s fingerprint but to create a single print that can masquerade as several others and fool scanners as often as 20 percent of the time — all without replicating an actual print.

So much for the peace of mind that biometric scanning once promised. Indeed, as biometric security technology increasingly saturates our digital lives, a growing number of experts are expressing concern that the consequences of a security failure — a practical inevitability, they say — are only getting higher. “You can always replace your credit card, but you can never replace your fingerprint or iris,” says Kon Leong, CEO and co-founder of the data archiving company ZL Technologies, “This means that any breach would require an overhaul of the entire infrastructure. Furthermore, it is not a matter of if there will be a breach. It is a matter of when.”

Sarah Wells, “With the Proliferation of Biometric Scanning, Some Hidden Risks” at Undark (April 1, 2019)

It’s true that your fingerprints are unique — in nature. But that doesn’t mean no one can copy them using advanced technology. There are broader issues as well, including “function creep”: “the extra data a biometric scanner might gather without users’ explicit consent, such as information about skin color, age, and even perceived emotion.” Also, because the biometric technology is usually owned by third parties, all the information gathered is always at risk of third party theft.

None of this even touches on the use of biometric scanning obtained from private sources for government surveillance — a story, to be sure, for another day.

The question that is coming gradually into focus is, in a busy world, how much of the privacy and freedom that we take for granted will we give up for convenience?

You may also wish to read:

Could DNA be hacked, like software? It’s already been done. As a language, DNA can carry malicious messages.