AI

Panera Bread Begins Scanning Its Customers' Palms (cbsnews.com) 123

Slashdot reader quonset writes: In an effort to more personalize a customer's experience, the U.S. restaurant chain Panera Bread is rolling out palm-scanning technology which will link the palm print with the customer's loyalty program. According to Panera Bread CEO Niren Chaudhary, the move will allow a "frictionless, personalized, and convenient" evolution of Panera's loyalty program, which boasts 52 million members. The claim is this will allow the company to offer menu choices based on a customer's order history, allow staff to personally greet the customer, and offer further suggestions.

Privacy advocates are not so sure. From the story:

Panera says the technology will securely store its customers' biometric data. However, digital rights activists worry that information could be tapped by federal agencies or accessed by hackers.

"Federal agencies like Customs and Border Protection have experienced devastating hacks where large databases of biometric information have been stolen," Fight for the Future told CBS MoneyWatch in an email. "Do we really expect Amazon, or Panera, to have better cybersecurity practices?"

The scanners are already installed at locations in St. Louis, Panera announced Wednesday, and scanners will "expand to additional locations in the coming months." (Panera has 2,113 locations in 48 states.) "After a simple scan of the palm, Panera associates will be able to greet guests by name, communicate their available rewards, reorder their favorite menu items, or take another order of their choice," the announcement gushes, "extending the guest experience into a true and meaningful relationship.

"When they are done ordering, guests can simply scan their palm again to pay."

Privacy

France Sets EU Precedent With 2024 Olympics Surveillance Arsenal (politico.eu) 31

France's AI-powered array of surveillance cameras for the 2024 Paris Summer Olympics cleared a final legislative hurdle on Thursday. From a report: The French government wants to experiment with large-scale, real-time camera systems supported by an algorithm to spot suspicious behavior, including unsupervised luggage and triggering alarms to warn of crowd movements like stampedes, for the mega-sports event next year. In a sparsely-attended chamber, French members of parliament approved the controversial bill after more than seven hours of heated debate. The text can still be challenged before the country's top constitutional court. Last week, a group of about 40 European lawmakers -- mainly left-wing -- asked their French counterparts to vote against the text. They warned in a letter that "France would set a surveillance precedent of the kind never before seen in Europe, using the pretext of the [2024 Paris Summer] Olympic games."

In the past few months, the plan was also met with intense pushback from digital rights NGOs, including France's La Quadrature du Net, as well as international groups such as Amnesty International and Access Now. Besides privacy concerns, they pointed out a potential conflict with the EU's Artificial Intelligence Act, which is currently under discussion in Brussels and could limit biometric surveillance. The government argues that algorithmic surveillance cameras are necessary to ensure the safety of the millions of tourists expected to visit Paris next year. During the debates Wednesday evening, lawmakers from President Emmanuel Macron's party claimed AI-powered cameras could have prevented the 2016 Nice terror attack by spotting the truck before it could drive into the crowd. They also said it could have helped avoid the security fiasco at the football Champions League final last summer.

Businesses

JPMorgan Test Will Ditch Cards To Let Consumers Pay with Palm or Face Instead (bloomberg.com) 90

JPMorgan Chase is planning to test new technology that would let consumers pay with their palms or faces at certain US merchants. From a report: The bank, home to one of the world's biggest payment-processing businesses, plans to roll out the service to its broader base of US merchant clients if the pilot program goes well, according to a statement Thursday. The pilot may include a Formula 1 race in Miami as well as some brick-and-mortar stores. "The evolution of consumer technology has created new expectations for shoppers," Jean-Marc Thienpont, head of omnichannel solutions for JPMorgan's payments business, said in the statement. "Merchants need to be ready to adapt to these new expectations."

JPMorgan is seizing on the rising popularity of biometrics technology, which uses unique body measurements to authenticate a person's identity. The technology is expected to account for roughly $5.8 trillion in transactions and 3 billion users by 2026, JPMorgan said, citing Goode Intelligence. Here's how it works: Customers enroll their palm or face through an in-store process. Then, at checkout, they scan their biometric to complete the transaction and get a receipt.

Privacy

Amazon Sued For Not Telling New York Store Customers About Facial Recognition (cnbc.com) 29

Amazon did not alert its New York City customers that they were being monitored by facial recognition technology, a lawsuit filed Thursday alleges. CNBC reports: In a class-action suit, lawyers for Alfredo Perez said that the company failed to tell visitors to Amazon Go convenience stores that the technology was in use. Thanks to a 2021 law, New York is the only major American city to require businesses to post signs if they're tracking customers' biometric information, such as facial scans or fingerprints. [...] The lawsuit says that Amazon only recently put up signs informing New York customers of its use of facial recognition technology, more than a year after the disclosure law went into effect. "To make this 'Just Walk Out' technology possible, the Amazon Go stores constantly collect and use customers' biometric identifier information, including by scanning the palms of some customers to identify them and by applying computer vision, deep learning algorithms, and sensor fusion that measure the shape and size of each customer's body to identify customers, track where they move in the stores, and determine what they have purchased," says the lawsuit.

"It means that even a global tech giant can't ignore local privacy laws," Albert Cahn, project director, said in a text message. "As we wait for long overdue federal privacy laws, it shows there is so much local governments can do to protect their residents."

AI

'I Broke Into a Bank Account With an AI-Generated Voice' (vice.com) 46

An anonymous reader quotes a report from Motherboard, written by Joseph Cox: On Wednesday, I phoned my bank's automated service line. To start, the bank asked me to say in my own words why I was calling. Rather than speak out loud, I clicked a file on my nearby laptop to play a sound clip: "check my balance," my voice said. But this wasn't actually my voice. It was a synthetic clone I had made using readily available artificial intelligence technology. "Okay," the bank replied. It then asked me to enter or say my date of birth as the first piece of authentication. After typing that in, the bank said "please say, 'my voice is my password.'" Again, I played a sound file from my computer. "My voice is my password," the voice said. The bank's security system spent a few seconds authenticating the voice. "Thank you," the bank said. I was in.

I couldn't believe it -- it had worked. I had used an AI-powered replica of a voice to break into a bank account. After that, I had access to the account information, including balances and a list of recent transactions and transfers. Banks across the U.S. and Europe use this sort of voice verification to let customers log into their account over the phone. Some banks tout voice identification as equivalent to a fingerprint, a secure and convenient way for users to interact with their bank. But this experiment shatters the idea that voice-based biometric security provides foolproof protection in a world where anyone can now generate synthetic voices for cheap or sometimes at no cost. I used a free voice creation service from ElevenLabs, an AI-voice company. Now, abuse of AI-voices can extend to fraud and hacking. Some experts I spoke to after doing this experiment are now calling for banks to ditch voice authentication altogether, although real-world abuse at this time could be rare.

A Lloyds Bank spokesperson said in a statement that "Voice ID is an optional security measure, however we are confident that it provides higher levels of security than traditional knowledge-based authentication methods, and that our layered approach to security and fraud prevention continues to provide the right level of protection for customers' accounts, while still making them easy to access when needed."

The Consumer Financial Protection Bureau, one of the U.S. agencies that regulates the financial industry, said: "The CFPB is concerned with data security, and companies are on notice that they'll be held accountable for shoddy practices. We expect that any firm follow the law, regardless of technology used."

Privacy

Tile Adds Undetectable Anti-Theft Mode To Tracking Devices, With $1 Million Fine If Used For Stalking (macrumors.com) 57

AirTag competitor Tile today announced a new Anti-Theft Mode for Tile tracking devices, which is designed to make Tile accessories undetectable by the anti-stalking Scan and Secure feature. MacRumors reports: Scan and Secure is a security measure that Tile implemented in order to allow iPhone and Android users to scan for and detect nearby Tile devices to keep them from being used for stalking purposes. Unfortunately, Scan and Secure undermines the anti-theft capabilities of the Tile because a stolen device's Tile can be located and removed, something also possible with similar security features added for AirTags. Tile's Anti-Theft Mode disables Scan and Secure so a Tile tracking device will not be able to be located by a person who does not own the tracker. To prevent stalking with Anti-Theft Mode, Tile says that customers must register using multi-factor identification and agree to stringent usage terms, which include a $1 million fine if the device ends up being used to track a person without their consent.

The Anti-Theft Mode option is meant to make it easier to locate stolen items by preventing thieves from knowing an item is being tracked. Tile points out that in addition to Anti-Theft Mode, its trackers do not notify nearby smartphone users when an unknown Bluetooth tracker is traveling with them, making them more useful for tracking stolen items than AirTags. Apple has added alerts for nearby AirTags to prevent AirTags from being used for tracking people. Enabling Anti-Theft mode will require users to link a government-issued ID card to their Tile account, submitting to an "advanced ID verification process" that uses a biometric scan to detect fake IDs. [...] Anti-Theft Mode is rolling out to Tile users starting today, and will be available to all users in the coming weeks.

United States

Joe Biden: Republicans and Democrats, Unite Against Big Tech Abuses (wsj.com) 147

Congress can find common ground on the protection of privacy, competition and American children, says U.S. President Joe Biden. In an op-ed at Wall Street Journal, he shares why he has pushed for legislation to hold Big Tech accountable. From the start of his administration, says Biden, he has embraced three broad principles for reform: First, we need serious federal protections for Americans' privacy. That means clear limits on how companies can collect, use and share highly personal data -- your internet history, your personal communications, your location, and your health, genetic and biometric data. It's not enough for companies to disclose what data they're collecting. Much of that data shouldn't be collected in the first place. These protections should be even stronger for young people, who are especially vulnerable online. We should limit targeted advertising and ban it altogether for children.

Second, we need Big Tech companies to take responsibility for the content they spread and the algorithms they use. That's why I've long said we must fundamentally reform Section 230 of the Communications Decency Act, which protects tech companies from legal responsibility for content posted on their sites. We also need far more transparency about the algorithms Big Tech is using to stop them from discriminating, keeping opportunities away from equally qualified women and minorities, or pushing content to children that threatens their mental health and safety.

Third, we need to bring more competition back to the tech sector. My administration has made strong progress in promoting competition throughout the economy, consistent with my July 2021 executive order. But there is more we can do. When tech platforms get big enough, many find ways to promote their own products while excluding or disadvantaging competitors -- or charge competitors a fortune to sell on their platform. My vision for our economy is one in which everyone -- small and midsized businesses, mom-and-pop shops, entrepreneurs -- can compete on a level playing field with the biggest companies. To realize that vision, and to make sure American tech keeps leading the world in cutting-edge innovation, we need fairer rules of the road. The next generation of great American companies shouldn't be smothered by the dominant incumbents before they have a chance to get off the ground.

Privacy

Iran Says Face Recognition Will ID Women Breaking Hijab Laws (wired.com) 156

An anonymous reader quotes a report from Wired: Last month, a young woman went to work at Sarzamineh Shadi, or Land of Happiness, an indoor amusement park east of Iran's capital, Tehran. After a photo of her without a hijab circulated on social media, the amusement park was closed, according to multiple accounts in Iranian media. Prosecutors in Tehran have reportedly opened an investigation. Shuttering a business to force compliance with Iran's strict laws for women's dress is a familiar tactic to Shaparak Shajarizadeh. She stopped wearing a hijab in 2017 because she views it as a symbol of government suppression, and recalls restaurant owners, fearful of authorities, pressuring her to cover her head. But Shajarizadeh, who fled to Canada in 2018 after three arrests for flouting hijab law, worries that women like the amusement park worker may now be targeted with face recognition algorithms as well as by conventional police work.

After Iranian lawmakers suggested last year that face recognition should be used to police hijab law, the head of an Iranian government agency that enforces morality law said in a September interview that the technology would be used "to identify inappropriate and unusual movements," including "failure to observe hijab laws." Individuals could be identified by checking faces against a national identity database to levy fines and make arrests, he said. Two weeks later, a 22-year-old Kurdish woman named Jina Mahsa Amini died after being taken into custody by Iran's morality police for not wearing a hijab tightly enough. Her death sparked historic protests against women's dress rules, resulting in an estimated 19,000 arrests and more than 500 deaths. Shajarizadeh and others monitoring the ongoing outcry have noticed that some people involved in the protests are confronted by police days after an alleged incident -- including women cited for not wearing a hijab. "Many people haven't been arrested in the streets," she says. "They were arrested at their homes one or two days later."

Although there are other ways women could have been identified, Shajarizadeh and others fear that the pattern indicates face recognition is already in use -- perhaps the first known instance of a government using face recognition to impose dress law on women based on religious belief. Mahsa Alimardani, who researches freedom of expression in Iran at the University of Oxford, has recently heard reports of women in Iran receiving citations in the mail for hijab law violations despite not having had an interaction with a law enforcement officer. Iran's government has spent years building a digital surveillance apparatus, Alimardani says. The country's national identity database, built in 2015, includes biometric data like face scans and is used for national ID cards and to identify people considered dissidents by authorities.

Privacy

For Sale on eBay: A Military Database of Fingerprints and Iris Scans 32

The shoebox-shaped device, designed to capture fingerprints and perform iris scans, was listed on eBay for $149.95. A German security researcher, Matthias Marx, successfully offered $68, and when it arrived at his home in Hamburg in August, the rugged, hand-held machine contained more than what was promised in the listing. The device's memory card held the names, nationalities, photographs, fingerprints and iris scans of 2,632 people. From a report: Most people in the database, which was reviewed by The New York Times, were from Afghanistan and Iraq. Many were known terrorists and wanted individuals, but others appeared to be people who had worked with the U.S. government or simply been stopped at checkpoints. Metadata on the device, called a Secure Electronic Enrollment Kit, or SEEK II, revealed that it had last been used in the summer of 2012 near Kandahar, Afghanistan. The device -- a relic of the vast biometric collection system the Pentagon built in the years after the Sept. 11, 2001, attacks -- is a physical reminder that although the United States has moved on from the wars in Afghanistan and Iraq, the tools built to fight them and the information they held live on in ways unintended by their creators.

Exactly how the device ended up going from the battlefields in Asia to an online auction site is unclear. But the data, which offers detailed descriptions of individuals in addition to their photograph and biometric data, could be enough to target people who were previously unknown to have worked with U.S. military forces should the information fall into the wrong hands. For those reasons, Mr. Marx would not place the information online or share it in an electronic format, but he did allow a Times reporter in Germany to see the data in person alongside him. "Because we have not reviewed the information contained on the devices, the department is not able to confirm the authenticity of the alleged data or otherwise comment on it," Brig. Gen. Patrick S. Ryder, the Defense Department's press secretary, said in a statement. "The department requests that any devices thought to contain personally identifiable information be returned for further analysis." He provided an address for the military's biometrics program manager at Fort Belvoir in Virginia where the devices could be sent. The biometric data on the SEEK II was collected at detainment facilities, on patrols, during screenings of local hires and after the explosion of an improvised bomb. Around the time when the device was last used in Afghanistan, the American war effort there was winding down.

AI

Italy Outlaws Facial Recognition Tech, Except To Fight Crime 24

Italy prohibited the use of facial recognition and "smart glasses" on Monday as its Data Protection Agency issued a rebuke to two municipalities experimenting with the technology. Reuters reports: Facial recognition systems using biometric data will not be allowed until a specific law is adopted or at least until the end of next year, the privacy watchdog said. The exception is when such technologies play a role in judicial investigations or the fight against crime. "The moratorium arises from the need to regulate eligibility requirements, conditions and guarantees relating to facial recognition, in compliance with the principle of proportionality," the agency said in a statement.

Under European Union and Italian law, the processing of personal data by public bodies using video devices is generally allowed on public interest grounds and when linked to the activity of public authorities, it added. However, municipalities that want to use them have to strike "urban security pacts" with central government representatives, it added. The agency was reacting to measures taken in the southern Italian city of Lecce, where authorities said they would begin using a technology based on facial recognition. The privacy watchdog also targeted the Tuscan city of Arezzo, where local police were due to be equipped with infrared super glasses that can recognise car number plates.

Privacy

Soccer Fans, You're Being Watched (wired.com) 50

Stadiums around the world, including at the 2022 World Cup in Qatar, are subjecting spectators to invasive biometric surveillance tech. From a report: This fall, more than 15,000 cameras will monitor soccer fans across eight stadiums and on the streets of Doha during the 2022 World Cup, an event expected to attract more than 1 million football fans from around the globe. "What you see here is the future of stadium operations," the organizers' chief technology officer, Niyas Abdulrahiman, proudly told AFP in August. "A new standard, a new trend in venue operations, this is our contribution from Qatar to the world of sport." Qatar's World Cup organizers are not alone in deploying biometric technology to monitor soccer fan activity. In recent years, soccer clubs and stadiums across Europe have been introducing these security and surveillance technologies.

In Denmark, Brondby Stadium has been using facial recognition for ticketing verification since 2019. In the Netherlands, NEC Nijmegen has used biometric technology to grant access to Goffert Stadium. France's FC Metz briefly experimented with a facial recognition device to identify fans banned from Saint-Symphorien Stadium. And the UK's Manchester City reportedly hired Texas-based firm Blink Identity in 2019 to deploy facial recognition systems at Etihad Stadium. In Spain, Atletico Osasuna uses facial recognition to monitor and control access to El Sadar Stadium, while Valencia CF signed a deal in June 2021 with biometrics company FacePhi to design and deploy facial-recognition technology at Mestalla Stadium in the upcoming season. The sport club then became a global ambassador for the company's technology. FacePhi's biometric onboarding technology was already used for a pilot project to enroll Valencia CF fans in an automated access control system that allowed them to get into the stadium using a QR code via the football club's mobile app. (A FacePhi spokesperson declined to provide details about the project but said "that we are not yet in the implementation phase with Valencia CF.")

Privacy

Passkeys Are Finally Here (arstechnica.com) 96

An anonymous reader quotes a report from Ars Technica: Generically, passkeys refer to various schemes for storing authenticating information in hardware, a concept that has existed for more than a decade. What's different now is that Microsoft, Apple, Google, and a consortium of other companies have unified around a single passkey standard shepherded by the FIDO Alliance. Not only are passkeys easier for most people to use than passwords; they are also completely resistant to credential phishing, credential stuffing, and similar account takeover attacks.

On Monday, PayPal said US-based users would soon have the option of logging in using FIDO-based passkeys, joining Kayak, eBay, Best Buy, CardPointers, and WordPress as online services that will offer the password alternative. In recent months, Microsoft, Apple, and Google have all updated their operating systems and apps to enable passkeys. Passkey support is still spotty. Passkeys stored on iOS or macOS will work on Windows, for instance, but the reverse isn't yet available. In the coming months, all of that should be ironed out, though.

Passkeys work almost identically to the FIDO authenticators that allow us to use our phones, laptops, computers, and Yubico or Feitian security keys for multi-factor authentication. Just like the FIDO authenticators stored on these MFA devices, passkeys are invisible and integrate with Face ID, Windows Hello, or other biometric readers offered by device makers. There's no way to retrieve the cryptographic secrets stored in the authenticators short of physically dismantling the device or subjecting it to a jailbreak or rooting attack. Even if an adversary was able to extract the cryptographic secret, they still would have to supply the fingerprint, facial scan, or -- in the absence of biometric capabilities -- the PIN that's associated with the token. What's more, hardware tokens use FIDO's Cross-Device Authentication flow, or CTAP, which relies on Bluetooth Low Energy to verify the authenticating device is in close physical proximity to the device trying to log in.

"Users no longer need to enroll each device for each service, which has long been the case for FIDO (and for any public key cryptography)," said Andrew Shikiar, FIDO's executive director and chief marketing officer. "By enabling the private key to be securely synced across an OS cloud, the user needs to only enroll once for a service, and then is essentially pre-enrolled for that service on all of their other devices. This brings better usability for the end-user and -- very significantly -- allows the service provider to start retiring passwords as a means of account recovery and re-enrollment."

In other words: "Passkeys just trade WebAuthn cryptographic keys with the website directly," says Ars Review Editor Ron Amadeo. "There's no need for a human to tell a password manager to generate, store, and recall a secret -- that will all happen automatically, with way better secrets than what the old text box supported, and with uniqueness enforced."

If you're eager to give passkeys a try, you can use this demo site created by security company Hanko.

Google

Texas Sues Google for Allegedly Capturing Biometric Data of Millions Without Consent (reuters.com) 38

Texas has filed a lawsuit against Alphabet's Google for allegedly collecting biometric data of millions of Texans without obtaining proper consent, the attorney general's office said in a statement on Thursday. From a report: The complaint says that companies operating in Texas have been barred for more than a decade from collecting people's faces, voices or other biometric data without advanced, informed consent. "In blatant defiance of that law, Google has, since at least 2015, collected biometric data from innumerable Texans and used their faces and their voices to serve Google's commercial ends," the complaint said. "Indeed, all across the state, everyday Texans have become unwitting cash cows being milked by Google for profits."

China

Star American Professor Masterminded a Surveillance Machine For Chinese Big Tech (thedailybeast.com) 26

An anonymous reader quotes a report from The Daily Beast: A star University of Maryland (UMD) professor built a machine-learning software "useful for surveillance" as part of a six-figure research grant from Chinese tech giant Alibaba, raising concerns that an American public university directly contributed to China's surveillance state. Alibaba provided $125,000 in funding to a research team led by Dinesh Manocha, a professor of computer science at UMD College Park, to develop an urban surveillance software that can "classify the personality of each pedestrian and identify other biometric features," according to research grant documents obtained via public records request. "These capabilities will be used to predict the behavior of each pedestrian and are useful for surveillance," the document read.

Manocha is a decorated scholar in the AI and robotics field who has earned awards and accolades from Google, IBM, and many others. His star status brings rewards: Maryland taxpayers paid $355,000 in salaries to the professor in 2021, according to government watchdog Open the Books. The U.S. military also provides lavish funding for the professor's research, signing a $68 million agreement with Manocha's lab to research military applications of AI technologies. But Maryland taxpayers and the U.S. military are not the only ones funding Manocha's research. In January 2018, the University of Maryland and Alibaba signed an 18-month research contract funding Manocha's research team. In the grant document obtained by The Daily Beast, Manocha's team pledged to "work closely with Alibaba researchers" to develop an urban surveillance software that can identify pedestrians based on their unique gait signatures. The algorithm would then use the gait signatures to classify pedestrians as "aggressive," "shy," "impulsive," and other personalities. The grant required UMD researchers to test the algorithm on videos provided by Alibaba and present their findings in person at Alibaba labs in China. The scholars also had to provide the C++ codebase for the software and the raw dataset as deliverables to Alibaba. The software's "clear implication is to proactively predict demonstrations and protests so that they might be quelled," Fedasiuk told The Daily Beast. "Given what we know now about China's architecture of repression in Xinjiang and other regions, it is clear Dr. Manocha should not have pitched this project, and administrators at UMD should not have signed off on it."

It's not just Alibaba that was interested in the professor's expertise. In January 2019 -- back when the Alibaba grant was still active -- Manocha secured a taxpayer-funded, $321,000 Defense Department grant for his research team. The two grants funded very similar research projects. The Alibaba award was titled "large-scale behavioral learning for dense crowds." Meanwhile, the DoD grant funded research into "efficient computational models for simulating large-scale heterogeneous crowds." Unsurprisingly, the research outputs produced by the two grants had significant overlap. Between 2019 and 2021, Manocha published multiple articles in the AI and machine-learning field that cited both the Alibaba and DoD grant. There is no evidence that Manocha broke the law by double-dipping from U.S. and Chinese funding sources to fund similar research projects. Nevertheless, the case still raises "serious questions about ethics in machine learning research," Fedasiuk said.

Data Storage

Vietnam Demands Big Tech Localize Data Storage and Offices (theregister.com) 6

Vietnam's Ministry of Information and Communications updated cybersecurity laws this week to mandate Big Tech and telecoms companies store user data locally, and control that data with local entities. The Register reports: The data affected goes beyond the basics of name, email, credit card information, phone number and IP address, and extends into social elements -- including groups of which users are members, or the friends with whom they digitally interact. "Data of all internet users ranging from financial records and biometric data to information on people's ethnicity and political views, or any data created by users while surfing the internet must be stored domestically," read the decree (PDF) issued Wednesday, as translated by Reuters. The decree applies to a wide swath of businesses including those providing telecom services, storing and sharing data in cyberspace, providing national or international domain names for users in Vietnam, e-commerce, online payments, payment intermediaries, transport connection services operating in cyberspace, social media, online video games, messaging services, and voice or video calls.

According to Article 26 of the government's Decree 53, the new rules go into effect October 1, 2022 -- around seven weeks from the date of its announcement. However, foreign companies have an entire 12 months in which to comply -- beginning when they receive instructions from the Minister of Public Security. The companies are then required to store the data in Vietnam for a minimum of 24 months. System logs will need to be stored for 12 months. After this grace period, authorities reserve the right to make sure affected companies are following the law through investigations and data collection requests, as well as content removal orders.
Further reading: Vietnam To Make Apple Watch, MacBook For First Time Ever
Crime

Facial Recognition Smartwatches To Be Used To Monitor Foreign Offenders In UK (theguardian.com) 15

Migrants who have been convicted of a criminal offense will be required to scan their faces up to five times a day using smartwatches installed with facial recognition technology under plans from the Home Office and the Ministry of Justice. The Guardian reports: In May, the government awarded a contract to the British technology company Buddi Limited to deliver "non-fitted devices" to monitor "specific cohorts" as part of the Home Office Satellite Tracking Service. The scheme is due to be introduced from the autumn across the UK, at an initial cost of 6 million pounds. A Home Office data protection impact assessment (DPIA) from August 2021, obtained by the charity Privacy International through a freedom of information request, assessed the impact of the smartwatch technology before contracting a supplier. In the documents, seen by the Guardian, the Home Office says the scheme will involve "daily monitoring of individuals subject to immigration control," with the requirement to wear either a fitted ankle tag or a smartwatch, carried with them at all times.

Photographs taken using the smartwatches will be cross-checked against biometric facial images on Home Office systems and if the image verification fails, a check must be performed manually. The data will be shared with the Home Office, MoJ and the police, with Home Office officials adding: "The sharing of this data [to] police colleagues is not new."

The number of devices to be produced and the cost of each smartwatch was redacted in the contract and there is no mention of risk assessments to determine whether it is appropriate to monitor vulnerable or at-risk asylum seekers. The Home Office says the smartwatch scheme will be for foreign-national offenders who have been convicted of a criminal offense, rather than other groups, such as asylum seekers. However, it is expected that those obliged to wear the smartwatches will be subject to similar conditions to those fitted with GPS ankle tags, with references in the DPIA to curfews and inclusion and exclusion zones.
Those who oppose the 24-hour surveillance of migrants say it breaches human rights and may have a detrimental impact on their health and wellbeing. Lucie Audibert, a lawyer and legal officer for Privacy International, said: "Facial recognition is known to be an imperfect and dangerous technology that tends to discriminate against people of color and marginalized communities. These 'innovations' in policing and surveillance are often driven by private companies, who profit from governments' race towards total surveillance and control of populations.

"Through their opaque technologies and algorithms, they facilitate government discrimination and human rights abuses without any accountability. No other country in Europe has deployed this dehumanizing and invasive technology against migrants."
Privacy

'Orwellian' Facial Recognition Cameras In UK Stores Challenged By Rights Group (reuters.com) 23

An anonymous reader quotes a report from Reuters: Shoppers at a supermarket chain in southern England are being tracked by facial recognition cameras, prompting a legal complaint by a privacy rights group. Big Brother Watch said Southern Co-operative's use of biometric scans in 35 stores across Portsmouth, Bournemouth, Bristol, Brighton and Hove, Chichester, Southampton, and London was "Orwellian in the extreme" and urged Britain's Information Commissioner's Office (ICO) to investigate whether it breaches data protection legislation.

The complaint claims the use of the biometric cameras "is infringing the data rights of a significant number of UK data subjects." It outlines how the facial recognition system, sold by surveillance company Facewatch, creates a biometric profile of every visitor to stores where the cameras are installed, enabling Southern Co-operative to create a "blacklist" of customers. If a customer on the list enters the store, staff are alerted. [...] "We take our responsibilities around the use of facial recognition extremely seriously and work hard to balance our customers' rights with the need to protect our colleagues and customers from unacceptable violence and abuse," Southern Co-operative said. It said it uses the facial recognition cameras only in stores where there is a high level of crime to protect staff from known offenders and does not store images of an individual unless they have been identified as an offender.
Kmart and Bunnings stores in Australia are also being investigated for the privacy implications of their facial recognition systems. The two chains were trialing the technology to spot banned customers, prevent refund fraud and reduce theft.
AI

A Detroit Airport's 'Parallel Reality' Display Shows 100 People Different Things (mlive.com) 50

"As many as 100 people could be looking at the board and see something different," reports the Michigan news site MLive.com. "Look up at a Detroit Metropolitan Airport departure board and you could see a personalized travel itinerary."

Delta's site features a trippy video showing the screen with a different greeting depending on where the camera is positioned.

"Hello Liz!"
"Hello Albert!"
"Hello Cora!"

The makers of the technology envision it someday being used in theme parks, stadiums, and convention centers. But what exactly is happening here? MLive explains: In late June, Delta Airlines launched a beta version of its new Parallel Reality technology that allows dozens of people to simultaneously see unique content on the same digital screen. Detroit is the first, and currently only, airport in the country to experiment with the futuristic technology developed by Misapplied Sciences, based in California...

Delta passengers can scan their boarding pass, select a language and test out the system. Using "multi-view pixels and proprietary technology," the board then shows personal flight information, boarding time or even standby status, a news release said... Delta Senior Vice President of Customer Experience Ranjan Goswami said the new system means "customers will no longer have to search for flight and gate information."

"This technology truly must be seen to be believed," Goswami said in an announcement. The Parallel Reality displays project up to millions of light rays that can be directed to a specific person. Non-biometric sensors then reportedly track passengers who can see the display even if they move....

Delta says the Parallel Reality experience will "always be opt-in" and customer information is not stored.

"If this new technology can make finding your gate and departure information quicker and easier, we're not just showing customers a magic trick — we're solving a real problem," said Delta's senior VP of customer experience. "Customers already rely on personalized navigation via their mobile devices, but this is enabling a public screen to act as a personal one — removing the clutter of information not relevant to you to empower a better journey."

The company's statement adds that Delta "is also investing in digital identity technology, which allows customers to move through the airport using facial recognition, eliminating the need to show a boarding pass or government ID." The technology is already available at airports in Atlanta, Detroit, Los Angeles, and New York, "and will eventually be activated in all of Delta's U.S. hubs."
Social Networks

As TikTok Promises US Servers, FCC Commissioner Remains Critical of Data Privacy (cnn.com) 28

On Tuesday Brendan Carr, a commissioner on America's Federal Communications Commission, warned on Twitter that TikTok, owned by China-based company ByteDance, "doesn't just see its users' dance videos: It collects search and browsing histories, keystroke patterns, biometric identifiers, draft messages and metadata, plus it has collected the text, images, and videos that are stored on a device's clipboard. TikTok's pattern of misrepresentations coupled with its ownership by an entity beholden to the Chinese Communist Party has resulted in U.S. military branches and national security agencies banning it from government devices.... The CCP has a track record longer than a CVS receipt of conducting business & industrial espionage as well as other actions contrary to U.S. national security, which is what makes it so troubling that personnel in Beijing are accessing this sensitive and personnel data."
Today CNN interviewed Carr, while also bringing viewers an update. TikTok's China-based employees accessed data on U.S. TikTok users, BuzzFeed had reported — after which TikTok announced it intends to move backup data to servers in the U.S., allowing them to eventually delete U.S. data from their servers. But days later Republican Senator Blackburn was still arguing to Bloomberg that "Americans need to know if they are on TikTok, communist China has their information."

And FCC commissioner Carr told CNN he remains suspicious too: Carr: For years TikTok has been asked directly by U.S. lawmakers, 'Is any information, any data, being accessed by personnel back in Beijing?' And rather than being forthright and saying 'Yes, and here's the extent of it and here's why we don't think it's a problem,' they've repeatedly said 'All U.S. user data is stored in the U.S.,' leaving people with the impression that there's no access.... This recent bombshell reporting from BuzzFeed shows at least some of the extent to which massive amounts of data has allegedly been going back to Beijing.

And that's a problem, and not just a national security problem. But to me it looks like a violation of the terms of the app store, and that's why I wrote a letter to Google and Apple saying that they should remove TikTok and boot them out of the app store... I've left them until July 8th to give me a response, so we'll see what they say. I look forward to hearing from them. But there's precedence for this. Before when applications have taken data surreptitiously and put it in servers in China or otherwise been used for reasons other than servicing the application itself, they have booted them from the app store. And so I would hope that they would just apply the plain terms of their policy here.

When CNN points out the FCC doesn't have jurisdiction over social media, Carr notes "speaking for myself as one member" they've developed "expertise in terms of understanding how the CCP can effectively take data and infiltrate U.S. communications' networks." And he points out that the issue is also being raised by Congressional hearings and by Republican and Democrat Senators signing joint letters together, so "I'm just one piece of a broader federal effort that's looking at the very serious risks that come from TikTok." Carr: At the end of the day, it functions as sophisticated surveillance tool that is harvesting vast amounts of data on U.S. users. And I think TikTok should answer point-blank, has any CCP member obtained non-public user data or viewed it. Not to answer with a dodge, and say they've never been asked for it or never received a request. Can they say no, no CCP member has ever seen non-public U.S. user data.
Carr's appearance was followed by an appearance by TikTok's VP and head of public policy for the Americas. But this afternoon Carr said on Twitter that TikTok's response contradicted its own past statements: Today, a TikTok exec said it was "simply false" for me to say that they collect faceprints, browsing history, & keystroke patterns.

Except, I was quoting directly from TikTok's own disclosures.

TikTok's concerning pattern of misrepresentations about U.S. user data continues.

Security

LastPass No Longer Requires a Password To Access Your Vault (engadget.com) 29

LastPass says they're now the first password manager with a passwordless sign-in feature. Engadget reports: Grant permission through the LastPass Authenticator mobile app and you can update account info on the web without entering your master password. The approach relies on FIDO-compliant password-free technology. The feature is available to both personal and business users. LastPass is also promising options beyond the Authenticator app in the future, such as relying on biometric scans or hardware security keys.
