Regulators set sights on Amazon One biometric payments next

19 August 2021

Waving a hand to authenticate payment using Amazon palm recognition system, Amazon One, at an Amazon Go outlet in Seattle, Washington. (Photo: Amazon / AFP)

It appears the regulatory tide is truly against the big US tech giants, as Amazon One, the e-commerce juggernaut’s biometric payment system that uses palm scans, became the latest to go under the data privacy microscope.

Three US senators published an open letter last week to new Amazon CEO Andy Jassy, expressing concern about the new payment method and stating that it “raises serious questions” about “user privacy, including about how Amazon may use the data for advertising and tracking purposes.”

The company first introduced Amazon One in late 2020 at two of its pilot Amazon Go stores in Seattle, where users could self-checkout for groceries and other items by linking their accounts to a credit card and scanning their palms to verify the payment as they exited the store.

Since then, Amazon One has been rolled out at around 50 locations across the US, including at outlets of Whole Foods Market, which Amazon acquired back in 2017. The retail and fulfillment giant has been looking to ramp up adoption of the biometric payment system, and earlier this month began offering a US$10 discount to account holders who were willing to upload scans of their palm prints to the Amazon One database.

The senators who co-signed the bipartisan letter, Amy Klobuchar, Bill Cassidy and Jon Ossoff, cited various cases where Amazon and its Big Tech cohorts like Facebook, Apple, and Google parent company Alphabet had been hauled up by regulators and privacy watchdogs to answer concerns surrounding numerous data privacy and antitrust allegations.

“Once deemed consumer champions, Big Tech now appears to be the new dark side of capitalism, arguably presenting a bigger risk to society than bankers were in 2007,” a recent GlobalData report outlined. “Public outrage at their actions is now forcing regulators to act.”

US lawmakers are asking hard questions about how the e-commerce giant’s Amazon One hand-scanning payment system protects users’ data and privacy rights.

Amazon One was touted as “a fast, convenient, contactless way for people to use their palm to make everyday activities like paying at a store, presenting a loyalty card, entering a location like a stadium, or badging into work more effortless.” (Photo: Amazon / AFP)

Last month, the Luxembourg data protection authority CNPD slapped Amazon with a record fine after accusing the online retailer of processing personal data in violation of the EU’s GDPR. Amazon disclosed the findings in a regulatory filing, labelling the decision as “without merit.”

In May 2021, both Amazon and Facebook drew scrutiny from European Union (EU) regulators for different reasons. First, the EU’s powerful antitrust authority, the European Commission, launched an investigation into Facebook’s buyout of a US startup, over concerns that the social media giant could misuse personal data. Last year Facebook had announced its purchase of Kustomer, a five-year-old company that specialises in helping businesses interact with customers online.

And EU member Germany’s competition authority opened an inquiry into Amazon over potential “anti-competitive practices”, applying a new law giving regulators more power to rein in big tech companies. Federal Cartel Office head Andreas Mundt said his office is examining whether Amazon has “an almost unchallengeable position of economic power” and whether it “operates across various markets”.

The US senators’ letter also pointed out the July 2020 lawsuit brought by two individuals in Illinois who claimed that Amazon, Microsoft and Alphabet had used their images without their consent to train facial recognition systems, in violation of Illinois state law. Images of the claimants’ faces were shown to have been found in IBM’s Diversity in Faces database.

The use of biometric input to power payment solutions and ID verification systems has of course not been restricted to hand-scanning and facial recognition. In fact, the number of biometric payment transactions is expected to double from 671 million in 2020 to 1.4 billion by 2025.

Apple and Google, of course, have been applying fingerprint biometric data to unlock devices and verify payments on their smartphones for a few years now. But while that data is stored locally on users’ devices, Amazon One biometric info is instead stored in the cloud, something the three senators said carries “unique security risks.”

“Like many companies, Amazon has been affected by hacks and vulnerabilities that have exposed sensitive information, such as user emails,” Klobuchar, Cassidy and Ossoff wrote, citing reports about cybersecurity vulnerabilities and concerns expressed by 48 advocacy groups in an open letter to the Federal Trade Commission in July.

The senators have posed new CEO Jassy – who succeeded Amazon founder Jeff Bezos just last month – a series of queries around the role of Amazon One payments. Details asked for include which third parties will have access to the biometric payment data; how the company intends to shield that data and how customers are being informed of how their personal information is being used; how many users have already registered with the service; and if the palm print data is ever paired with facial recognition data that Amazon has collected.

Amazon, for its part, mentioned in an April blog and FAQ post that it continues to take data security and privacy seriously, and that the hand scan data is never stored on devices but is instead encrypted and “sent to a highly secure area we custom-built for Amazon One in the cloud.”