The Background
I was in Los Angeles a week ago to see some friends and surf. It’s my happy place. The ocean, I mean: not Los Angeles. Anyhoo, after a few hours of being in the waves, I wanted to grab some food with a pal. He suggested a nearby Whole Foods grocery store. Sounded good to me. I used to shop there frequently in the early 2000s and 2010s for good quality (and obscenely expensive) organic and healthy food.
But the stores have changed. Whole Foods was bought by Amazon in 2017 for just a few dollars. Since that time, the stores have been folded into Amazon’s corporate world and ecosystem. That means, for example, dehumanizing employees with the company’s famous and reLENTless focus on productivity.
Employees aren’t happy with these changes and I don’t blame them. Working in retail can be backbreaking and I wouldn’t want my employer to track my productivity to ensure I was always operating at maximum “productivity-ness”.
But Amazon doesn’t give a shit about that and their company track record makes that clear.
Their drivers piss in bottles to meet productivity goals. The company hid COVID infection rates from warehouse staff so they’d continue working during the pandemic, placing them at risk. The Federal Government found the company’s warehouses are twice as unsafe as other companies’ facilities, and, when workers began organizing unions to collectively bargain for better conditions, Amazon illegally tried to prevent unionization.
“It’s sort of hypocritical for Amazon to claim that safety’s their number one issue. It’s a fallacy that they like to put forth that they’re more concerned about safety when they clearly are not. They’re more concerned about profit.”
Michael Verrastro, former Amazon ALB1 warehouse employee
So, that’s Amazon.
Fines will come, of course. Amazon will pay them easily and then continue to abuse their employees. Why would they do otherwise? Government fines against corporations that abuse their workers are notoriously small and the company has enough money to pay whatever fine they’re levied.
They’re an ever-growing and highly-successful monopoly that makes their shareholders, leadership team, and Jeff Bezos insanely wealthy. One of the ways that they’ve been so successful is by making it as easy as possible to part consumers from their money.
Free 2-day shipping on anything you buy so you don’t need to go to the store? Sure! I’ll sign up for that!
Devices I can speak to that allow me to open door locks or turn on lights and other connected devices? Yes, please!
Paying for my groceries by letting Amazon scan and keep my handprint?
[Record scratch]
Exsqueeze me?!?
What. The. Fuck.
The next chapter of Amazon’s relentless goal of getting our money has begun. The company is now rolling out biometric handprint scanning to more and more of its Whole Foods locations. They began the process back in 2021 but limited it to a few stores. I’m guessing this was to measure how much more quickly and conveniently their new tech could help customers pay for their groceries.
Wave your hand: pay for your groceries. It’s simple, intuitive, and very, very FAST. Here’s what the equipment looked like at the Whole Foods where I met my friend.
How Does It Work
Amazon is calling this technology “Amazon One”. On the company’s slick announcement and explanation page here, they explain in simple terms how their systems use biometrics to verify that you are who you say you are.
Biometrics are unique parts of our bodies that can be used to identify us.
For example, humans all possess individual fingerprints, hand prints, iris/retinal prints, face prints, and more. Your bodily features are unique to you, even if you’re an identical twin! They can therefore be used to accurately identify you. Our biometrics sometimes come in handy in specific situations. For example, many of us use our fingerprints or face prints to unlock our phones.
Setting up an Amazon One account is possible wherever the new scanners are installed. To enroll, you'll need an Amazon account, a mobile number, and a credit or debit card. Then, you’ll be asked to provide one or both palm prints. These prints get linked to your other info.
Then, when it’s time to pay for your groceries, you can leave your wallet or phone in your pocket and your purse on your shoulder. Instead, just place a hand over a palm scanner, and presto! You’ve been biometrically identified as yourself and are charged $197.32 for one bag of Whole Foods groceries in seconds.
Neat, right?
Well… actually, no. Not really at all.
This episode of Tech Talk is sponsored by Smartr Daily - The Essential (and free!) Newsletter For Curious Minds. Sourcing the smartest articles on the Web, Smartr delivers thought-provoking ideas and insights straight to your inbox daily.
Fun fact: you REALLY can help Tech Talk earn money just by clicking the button below to learn more. No purchase is required, although Smartr is, actually, a pretty great newsletter.
The Problems
Every technology presents new solutions when first introduced. But they each also introduce new problems. Handprints and biometrics aren’t new, but Amazon’s implementation of them will possibly be one of the largest rollouts of this kind of technology in the United States.
And I’d argue, we’re not even close to ready for it. Here’s why…
Amazon’s Track Record
If you weren’t already aware, Amazon collects a metric ton of our personal data. I encourage you to see just how much here. The data collected are vast and paint a very accurate view of who we are, what we like, where we live, how the insides of our homes are laid out, and how we communicate. And let’s not forget, when malicious hackers compromise Amazon’s devices, they’ve gained the ability to talk to our children. No, I’m not joking.
So that’s the world into which Amazon One will now join. Caveat Emptor.
Unsurprisingly, the reassurances on the Amazon One “help” page are extremely vague in my opinion. They fall far short of the transparency that I think should be required for a consumer biometric data service.
Below, I’ve highlighted a few key phrases from that “help” page because #problems.
What Data Does Amazon Collect?
In the first section, Amazon says (#1) that your biometrics will be “stored separately” from your other Amazon data. We also know our biometrics won’t be stored on the palm readers themselves. That’s great but WHERE will they be stored? Presumably in the cloud which is comprised of servers in a data center, but that’s not revealed. Also not detailed is this:
Where those data centers are located?
Who has physical access to those locations?
Are background checks required to be able to enter those facilities?
Who has access to our data?
What level of access will those people have?
Amazon also states (#2) that some of our anonymous data will be kept by the company to improve their product. Again, VAGUE. What’s not detailed is:
Which anonymous data?
What technologies are being used to anonymize it from the rest of our specific and non-anonymous data?
What are the “multiple layers of security controls” that they’re using?
My verdict: Amazon’s not being transparent enough here.
Where is Our Data Stored?
Amazon tells us (#3) that they have “high security standards” and that our palm data isn’t stored on the palm reader devices. OK, but that means, literally nothing. It’s tech jargon. Notably absent is what, exactly, their high standards are. And I don’t mean ethically, I mean what are the ACTUAL technology standards that Amazon employs to protect our data? For example, E2EE, TLS, NIST AES key wrapping, etc.
In place of specifics, the company mentions “encryption, data isolation, and dedicated secure zones with restricted access controls”. Gosh. Just look at all of those fancy words and terms! Clearly, Amazon has our best interests at heart, right?
No. Without defining what any of those terms mean, this is just empty bullshit. Remember: Amazon’s been notably hacked twice in recent years:
Their Ring camera systems were hacked allowing malicious hackers to spy on and talk to children in people’s homes. #ew
AWS or Amazon Web Services were hacked with the help of an Amazon employee leading to 100 million people’s personal data being exposed from Capitol One. These data include birth dates and social security numbers.
Therefore, you’d think Amazon would be MUCH more forthcoming with consumers about their most precious asset: parts of our bodies.
My verdict: Amazon’s withholding critical details here.
Can We Delete Our Data?
You’d think this would be the easiest matter of all. But, it’s not. While Amazon IS upfront about deleting our palm signatures from their systems, there’s no mention of ALSO deleting our phone numbers or credit cards from their systems. All three were required to enroll; I’d therefore expect that Amazon would delete all of those data.
They don’t mention that they do, so the assumption must be that they do NOT.
My verdict: Amazon’s retaining data they should not here.
Come On, Who Gives a Shit?
Some of you reading this might think I’m making a big deal out of nothing. After all, even if obtained and decrypted, our biometric data can’t be used to impersonate us, right?
Wrong.
Hackers can now make a fake hand with a real person’s prints that can defeat scanners.
Maybe I have your attention now. And, with your attention, let’s put everything that we now know all together:
Amazon’s been hacked before
Critical data has been stolen in those hacks
On at least one occasion, an Amazon employee with unique access rights helped a notable hack succeed
Amazon’s not providing specific details about this technology nor about how our data will be protected
The picture this paints should be an immediate warning to anyone who considers signing up for this technology.
Which is why… you should not. Especially given Amazon’s larger goals for this technology.
Amazon’s Vision: Surveillance
Amazon is not content to only keep these scanners in just their Whole Foods locations. See if you can catch their company’s larger vision that they make clear in this promotional video:
It’s so easy! It’ll save so much time! How awesome for everyone!
Um, but did you catch the part of the video where Amazon tells us that it wants to use the Amazon One scanners to ID us into our offices? Or to enter into music clubs? Or to visit local museums?
And there are “more experiences on the way,” says the voiceover.
Believe that. Believe it 100%. Because by knowing where you shop for groceries and how often you show up to your office and where you go to see live music and which museums you visit, and “more on the way”… your life’s habits, locations, and preferences will become known to the company even if you’re not buying goods on their platform.
I don’t call that convenience. I call it surveillance.
“This is Nothing New!”
Some of you, rightly, will point out that Google already has a massive and very accurate dossier on you. I detailed that myself back in Episode #15. But Google allows us to better control which information we give them permission to collect. Amazon, notably, does not.
Therefore, you can either use Amazon and know that your very personal data - including your biometrics - are being harvested or you can leave the platform entirely and request that all of your data be deleted. There’s no middle ground. Those are the options.
Is the Competition Any Better?
By comparison, if you have an Apple product, your biometric data (fingerprints or face prints), are encrypted and stored on your Apple device. It’s stored in what Apple calls a “Secure Enclave”, a part of Apple’s physical chips on the logic boards of their devices. So your most sensitive data is secured inside the brain of your own device, so to speak. These enclaves, Apple states, are a “hardware feature of most versions of iPhone, iPad, Mac, Apple TV, Apple Watch, and HomePod”. Ditto for newer Macbook Pros with TouchID.
The reason that I know this is the same reason that you can know this as well: because Apple devotes different web pages to explaining how its biometric systems work. These pages get deep into the weeds, including the kinds of encryption used to secure our most sensitive data.
Samsung has a similar approach. Their technology runs a “Trusted Execution Environment” or TEE. Notably, this TEE runs on its own chip and own operating system. That is very important because - even if a Samsung smartphone were to be compromised or hacked - the TEE mechanism would remain, as it always is, separate from the rest of the device. Biometric data, along with other sensitive data is stored in a part of the TEE that Samsung calls the “Knox Vault”.
Nice touch. And, although hackers have demonstrated that it’s possible to hack that system, at least Samsung is fucking trying to help its customers. At least they’re willing to be transparent about HOW it’s trying to help consumers.
Amazon? Not so much.
My Final Advice
If it’s not clear already, I’d recommend avoiding this technology entirely. Not until Amazon comes clean about its tech, standards, employee vetting, and more.
Until then, here’s an assignment for all of us…
Press For Change
States like California, Illinois, and Washington and cities like New York all have laws that govern the collection and use of citizens’ biometric data.
However, there are no Federal Laws that do the same. There needs to be. Fortunately, momentum is building.
In 2021, Senator Ed Markey from the State of Massachusetts introduced S.2052, the Facial Recognition and Biometric Technology Moratorium Act of 2021. That bill, if passed, “imposes limits on the use of biometric surveillance systems, such as facial recognition systems, by federal and state government entities.”
The bill was reintroduced earlier this year in March 2023 by members of both houses of Congress. Although the bill mentions nothing about the use of biometrics by US corporations and businesses - focusing only on State and Federal government - it’s a start. It ain’t enough, but it’s a start.
I’m more a fan of S.4400 proposed by Senator Jeff Merkley from the State of Oregon: the National Biometric Information Privacy Act of 2020. THAT bill goes much further than Senator Markey’s 2021 bill because it requires that:
People must be informed in writing that their biometrics were collected and why
Any private entity possessing people’s biometrics may not sell, lease, or otherwise profit from the data
Citizens have the right to bring court action against the companies that have their biometrics if there are any violations of the bill's provisions
Good. That’s an even better start. Until then, if you’re someone who values privacy and security, contact your representatives in Congress here. Tell them to support S.2052 and S.4400. If they cannot, tell them to introduce bills of their own that treat as sacred our biometric data.
How our data is treated in the next few years has the potential to impact our lives for generations… for either the good and privacy of all or the profits of a few.
And that’s a wrap for today’s episode, everyone. Thanks for being a part of our community and, as always… surf safe! 👍🏼 👌🏾
Popular Past Issues:
Which secure routers to purchase and WHY.
My recommendations on the best VPN providers.
My favorite, free tool to keep email addresses private.
A crash course on keeping your devices updated.
Our Current Recommendations
My e-book on home tech: “Screw The Cable Company!”
The online backup software I use: iDrive (affiliate link)
Who I use to delete my private data from the web: DeleteMe (affiliate link)
The VPN software that I use: Nord VPN (affiliate link)
The email anonymizer that I use: 33Mail (affiliate link)
The secure router I use at my office: Gryphon (affiliate link)
The secure router I use at my home: Synology RT6600ax (affiliate link)
Please visit the TechTalk Product Recommendation page for more up-to-date picks for best-in-class software, hardware, and services. These are the very same products and services that we own and use ourselves.
Transparency Statement
Please read the TechTalk Transparency Statement to learn about our newsletter’s strict policies on linking to products and services that we recommend to our readers.
Episode #88: Amazon Wants Your WHAT...?!