Why it matters that Wegmans and other retailers are gathering biometric data on shoppers

UPDATE: The city of Rochester and any municipality in New York state can, under home rule law, enact regulations similar to New York City's requiring businesses to post signage disclosing the collection of biometric data, a spokesperson for Mayor Malik Evans confirmed after checking with the city's law department. What is not known is whether there is interest and support for doing so.

Wegmans’ announcement that it has begun using facial recognition cameras at some of its stores has opened a larger discussion about retailers and others using biometric data.

The Rochester-based grocer has said it deployed the technology at some of its stores in multiple states that had “elevated risk” — looking to identify people previously “flagged for misconduct.”

Public reaction has run the gamut from outrage to shrugs. So is this a big deal, or is the Rochester-based grocer just doing what every other retailer already does?

“The primary concern is that you've got a company that's storing a digital key, a unique identifier set of information about you that can easily pinpoint you anywhere,” said Jonathan Weissman, a principal lecturer in the department of cybersecurity at Rochester Institute of Technology.

Weissman wasn’t just referring to Wegmans.

Walmart, Home Depot and others have been sued for allegedly collecting varying degrees of biometric data on shoppers without their knowledge. Theft prevention is often cited as a key reason for deploying the technology.

Biometric technologies range from fingerprint readers and facial recognition to voice printing and retinal scans. Use in retail shops, hospitals and government buildings is not new, but increasing public awareness is drawing more attention and debate.

These same technologies are commonplace on mobile phones and smart home devices.

But each new deployment creates a new dataset, which means another point of vulnerability for hackers.

“Once cyber criminals know that companies are storing such identifiers, these databases become targets of attack,” Weissman said.

The issue then becomes how that data is safeguarded.

“If your password is stolen, you can change it. If your credit card is stolen, get a new one,” he said. “If your biometric data is stolen, you can't get a new face, and you can’t get new hands. These are permanent identifiers of yourself that, if compromised, will always be there; can't be changed.”

One of the largest data breaches involved the U.S. Office of Personnel Management a decade ago when millions of fingerprint files were stolen. While there have not been documented cases of misuse of the data, that likely is only a matter of time, as biometrics come into more widespread use.

Weissman explained: “If cyber criminals get a hold of your biometrics, they can pass those biometrics to systems for authentication — and convince those systems that they're you.”

Wegmans’ practices came to light after it posted a notice to customers at its stores in Manhattan and Brooklyn. New York City requires public notification of such data collection. Such laws don’t exist in other communities, including Rochester. In response to a reporter’s inquiry, Rochester City Council President Miguel Meléndez said the topic has been raised, including from constituents, but that he was unsure whether the city had the same latitude as New York City to enact a sweeping policy.

Illinois was one of the first states to impose requirements on use of biometric data and penalties for companies that violate the law. That has led to lawsuits against Facebook, TikTok, and Google as well as against retailers including Target, Walmart and Home Depot.

“While this technology is out there, and there are major companies using biometrics, the government and the courts are actively pushing back,” Weissman said, also noting the FTC banned Rite Aid from using biometrics for five years before the chain went bankrupt and closed, “because it falsely tagged innocent people as criminals.”

Weissman, though, returns to how that data is protected, particularly by companies that don’t specialize in cybersecurity, because, he explained: “It's not a matter of if a company will be breached nowadays, it's a matter of when.”

The placard in New York City stated that Wegmans was collecting biometric identifier information at the store “which may include facial recognition, eye scans, voiceprints.” In a statement, though, and on its website, Wegmans insists its systems only collect facial recognition scan data and that the company does not gather other biometrics.

Wegmans did not immediately respond to reporter questions of whether it collects and retains that data on all shoppers entering stores where the technology is used, or — to Weissman’s point — how it saves and safeguards the data.

The company said in an earlier statement that it would not divulge how long the data is retained, citing security reasons, “but it aligns with industry standards.”

Brian Sharp is WXXI's investigations and enterprise editor. He also reports on business and development in the area. He has been covering Rochester since 2005. His journalism career spans nearly three decades.