Retail giant Amazon recently offered to pay $10 USD for your palm prints. Would you offer them your hand?
Many seem to fixate on the price and bristle at how little it is for something as unique and irreplaceable as a palm print, without realizing that when it comes to registering biometric data in general, everyone gives their prints away for free.
Palm print prices aside, Amazon is clearly encouraging current and potential customers to enrol their prints using Amazon One, its new contactless identity service.
Amazon One was introduced in September 2020 as (according to Dilip Kumar, Vice President of Physical Retail & Technology for Amazon in an official post) “a quick, reliable, and secure way for people to identify themselves or authorize a transaction while moving seamlessly through their day.” The announcement came in the thick of the Covid-19 pandemic, which seemed to give it a boost due to its non-contact nature.
Since then, Amazon has rolled out Amazon One to more of its stores in the Seattle area and beyond. This biometric scanner can now be found in use in Amazon Books, Amazon Go convenience stores, Amazon Go Grocery, and Amazon 4-star stores in various US states, including Maryland, New Jersey, New York, and Texas.
How does it work?
Amazon says it scans and captures the minutest detail of a palm, including ridges, lines, and features under the skin such as vein patterns, to create a unique palm signature. Why palm prints, you ask? In the FAQ section here, Amazon claims that “palm recognition is considered more private than some biometric alternatives because you can’t determine a person’s identity by looking at an image of their palm.”
To a degree, this is true. It’s certainly less obviously personally identifiable than face recognition and it’s difficult to take a photo of someone’s palm and use that to spoof anything. But, like fingerprints, latent palm prints can also be lifted or picked up from touched objects, making it a viable way to help identify an individual. In fact, the forensic science community generally accepts palm prints as positive identification.
Palm signatures are created, encrypted, and stored in the cloud. Palm images, card details, and phone numbers are also never stored in the Amazon One device, and (the company further claims) they are “protected at all times, both at rest and in-transit”. How these palm signatures are encrypted, Amazon didn’t specify. They also didn’t say if they comply with current standards for capturing, exchanging, and storing biometric data.
Amazon is certainly capable of building a very secure system, but any plan to create a centralized repository of authentication information should give us pause, particularly when that information is biometric and cannot be changed if it is leaked or breached. It is the opposite of the approach taken by FIDO2, for example, a passwordless authentication scheme that can be used with biometrics without the biometric data ever leaving its owner’s control.
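To make that contrast concrete, here is an added toy of the FIDO2-style arrangement (example code written for this article, not Amazon’s or the FIDO Alliance’s): the biometric template and the signing key stay on the user’s device, the server keeps only a public key, and a breach of the server discloses no biometric. The type and function names are assumptions, as is the exact-hash match that stands in for a real fuzzy biometric matcher.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
)

// Authenticator models the user-held device. The enrolled template and the
// signing key live only here; neither is ever sent to the server.
type Authenticator struct {
	template [32]byte // hypothetical: SHA-256 of the enrolled sample
	priv     ed25519.PrivateKey
}

// RelyingParty models the server: per user it stores only a public key,
// so a breach of this map yields nothing that identifies a body.
type RelyingParty struct{ pubKeys map[string]ed25519.PublicKey }

func NewRelyingParty() *RelyingParty {
	return &RelyingParty{pubKeys: map[string]ed25519.PublicKey{}}
}
// Enroll builds the device-local template and key pair and registers
// only the public key with the relying party.
func Enroll(rp *RelyingParty, user string, sample []byte) (*Authenticator, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	rp.pubKeys[user] = pub
	return &Authenticator{template: sha256.Sum256(sample), priv: priv}, nil
}

// Assert runs the biometric match on the device (an exact-hash stand-in for
// a real fuzzy matcher) and, only on success, signs the server's challenge.
func (a *Authenticator) Assert(sample, challenge []byte) ([]byte, bool) {
	t := sha256.Sum256(sample)
	if subtle.ConstantTimeCompare(t[:], a.template[:]) != 1 {
		return nil, false
	}
	return ed25519.Sign(a.priv, challenge), true
}
// Verify checks the signed challenge against the stored public key; a
// fresh random challenge per attempt is what prevents replay.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	pub, ok := rp.pubKeys[user]
	return ok && ed25519.Verify(pub, challenge, sig)
}
```

Compare with the Amazon One description above: there, the signature derived from the palm is itself the stored credential, so the server holds the very thing a breach would expose.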
Amazon stores palm data indefinitely, unless someone manually deletes it from their profile or the member doesn’t use the feature for two years.
Becoming a transactional tool
Critics have pointed out that having our palms scanned for increased convenience and quick(er) closing of transactions is unnecessary when a contactless payment card can do the exact same thing. And, unlike a palm print, a payment card can be easily changed if it’s compromised. Worse, with our biometric data in its hands, Amazon can essentially do what it wants with it—and this could go beyond targeted advertising, considering that Amazon has already opened its doors to third-party companies who are interested in making Amazon One a part of their business.
It’s not a long shot to imagine that the retail giant could very well involve law enforcement once again: either selling them the biometric recognition service/technology or working with them for the purpose of surveillance, both of which Amazon has done in the past.
What particularly concerns Elizabeth Renieris, a lawyer and policy expert on data governance, is how Amazon is tying you as a person, via your palm print, to your shopping habits and purchase history. She said in an interview with The Verge last year: “The closest thing we have now is things like Apple Wallet and Apple Pay and other device-based payments infrastructure, but I just think, philosophically and ethically, there’s extreme value in having a physical separation between your transaction infrastructure and your physical self—your personhood and your body. As we merge the two…a lot of the rights that are based on the boundedness of a person are further threatened.”
“Your physical self is literally becoming a transactional tool,” she said.
The post Amazon will pay you $10 for your palm prints. Should you be worried? appeared first on Malwarebytes Labs.