This could be my fault…in a good way! Wegmans updated their Statement on Facial Recognition Technology page. There’s no “updated / changelog” note, or a date. No announcement or press release about the press release, just a little edit today. It’s changed since our last bit of coverage where we went line by line to translate how bad it was (and still is).
We compared the old version against the new. Here are the current and previous screenshots and what has changed.
Wegmans removed “communities that exhibit an elevated risk.” This was the most revealing line in the original…Wegmans deciding which neighborhoods deserve face scanning based on some internal risk score nobody outside the building ever reviewed. Now it just says “a small fraction of our stores.” Somebody in legal read our translation and realized how bad it sounded.
They also added an unprompted denial. New sentence: “The data is not, and will not, be used for any other purpose.” When a company volunteers a promise you didn’t request, someone internally asked a question.
The word “biometric” disappeared. Old version: “other biometric data such as retinal scans.” New version: “information like retinal scans.” One word gone, but multiple states have biometric privacy laws. Hey, even if you stop calling your data biometric, it’s still what you called it the first time. No take-backsies!
Expanded the third-party language. Old version said they don’t share data with “any third party.” New version adds “nor do any third parties have access to the data.” Sharing and access are different legal concepts.
Small stuff: “Images and video” became “facial recognition data.” Tightening language before someone FOIAs them, probably.
Wegmans isn’t explaining the rewrite. So far they have removed the neighborhood profiling language, dropped a word that triggers state privacy statutes, and added promises nobody asked for. But they’re still doing the same stuff. This isn’t the transparency that people who shop there want. More like they got caught saying stuff they should not have, and they are trying to revise it the wrong way.
The right thing to do is to post the actual policy, the data retention policy, ways to opt out, and also a way to inquire if you are on their secret list. Not the PR version… the real one, the one asset protection actually follows.
Wegmans should give a number of days on retention, not “aligns with industry standards,” which means nothing and they know it. Disclose which exact stores have the cameras. Publish how people get added to the watchlist, how long they stay on it, what triggers removal, and what happens when there’s a false match – because there will be false matches (there always are) and right now there’s no process, no remedy, and no one gets told.
Even the US government no-fly list has a redress process. Wegmans’ secret face database does not. Wegmans should let an independent auditor look at accuracy rates, false positives, and demographic bias instead of hiding behind unnamed “training and safety measures” that nobody can verify. Disclose any law enforcement data sharing agreements, not just “scan data,” all of it. And stop doing stealth edits on the statement page. Have a dated change-log, with versions, notify people see when it changes. (We’re already getting tons of Terms of Service changes in our inbox)
A grocery store that maintains a secret biometric watchlist with no oversight, no appeal, and no transparency is running a private surveillance system in a place people need to go every week to feed their families. “Just shop somewhere else” isn’t an answer, because soon every chain will be look to doing the same thing, and they will, unless someone makes it expensive not to.
Wegman’s cameras are still on, biometrics are still collected. This time, they have slightly better words.
from Adafruit Industries – Makers, hackers, artists, designers and engineers! https://ift.tt/kH1Rwv2
via IFTTT
