Should You Let Whole Foods and Other Merchants Use Your Handprint?

Amazon mogul Jeff Bezos wants your handprint. Specifically, he wants you to use your handprint to pay for your food at Amazon-owned Whole Foods. But why? What privacy and security risks are involved?

At a Glance

In August 2022, Amazon began rolling out palm-scanning technology at its Whole Foods grocery stores. The biometric tech, dubbed Amazon One, allows customers to scan their palms to pay for their purchases.

While this all sounds convenient (once you get it set up, anyway), do we really need another contactless payment system? Is it safe? What type of privacy and security concerns are there when using your handprint to pay?

In this article, I’ll tell you how the system works, what Amazon does with your handprint, where it’s stored, and what else the handprint may eventually be used for.

How Does the Whole Foods Payment System Work?

Customers register their handprint at an Amazon One kiosk or during checkout in participating stores. In addition to having your palm scanned, you’ll also need to register a credit or debit card, provide your phone number, and agree to pages and pages of Amazon’s terms and conditions. Once set up, you can simply hover your palm over the scanning device to pay.

Once you’ve signed up and scanned your hand, Amazon then stores the images of your hand in the cloud. So nothing to worry about, right? The security used to protect cloud-based storage of images has never been breached, right? Right? (Where is the <SARCASM> tag on this thing?)

What Can Amazon/Whole Foods Do With Your Palm Print?

If you haven’t already signed up for Amazon One when you check out at Whole Foods, you’ll be asked to do so during the process. This is presented as a convenience, although it also lets Whole Foods push the system on you at a time when you’re likely rushed, as is everyone in line behind you. That nearly ensures you won’t have enough time to read all of the terms and conditions you are agreeing to while signing up.

While I’m not saying that Amazon and Whole Foods are trying to slip one by their customers, there have been times when users have agreed to terms and conditions they did not fully read.

In one case, users were required to give up their firstborn child to use a WiFi hotspot. We’ve also seen Disney try to get a Disney World-related lawsuit thrown out because the plaintiffs had once subscribed to Disney+, thereby agreeing to arbitration instead of suing the Disney Corporation. So, companies do rely on users blindly signing terms and conditions without fully reading them.

So, how does your palm print fit into Amazon’s way of doing things and how can they use your data? In the company’s FAQs, it says:

“Amazon One palm data is also not used by Amazon for marketing purposes, and will not be bought by or sold to other companies for advertising, marketing, or any other reason.”

Okay, that’s a good start, but what can they do with the images and associated data? Slate magazine investigated.

When pressed, an Amazon spokesperson told the publication:

“When you use Amazon One, Amazon One doesn’t track what you do or buy after entering any location. That data is not associated with your biometric identity, and we built Amazon One that way intentionally.”

Sure, that should make any Whole Foods shopper feel all warm and fuzzy. But, if you read through Amazon’s Privacy Notice, you may not feel quite so comfortable.

In the notice, Amazon says it reserves the right to use “cameras, computer vision, sensors, and other technology to gather information about your activity in the store, such as the products and services you interact with.”

Elsewhere, the company says it “may disclose personal information in connection with business transfers (for example, as part of a merger) or for the protection of Amazon or others.” So, if Amazon is purchased by another company, or more likely, buys another company, they may share your info with that company.

Plus, Amazon “employ[s] other companies and individuals to perform functions on our behalf,” so third-party contractors may also have access to your data.

Let’s face it, Amazon wants you to agree to its Amazon One terms and conditions without examining them too deeply. If you’re in a checkout line on a busy Saturday afternoon with a big guy behind you who’s in a hurry to get home and watch the UCLA game, you’re likely to go ahead and push “I agree” just to get the hell out of the store.

Amazon will also benefit from handprint scanning in the future when it sells the handprint scanning technology to other companies (or the government). I can see a future where you scan your palm to ride the subway or bus, scan your hand when you grab a cup of coffee on the way to work, scan your hand to enter the building when you get to work, scan your hand to… You get the idea.

Face it, handprint scanning technology will make it MUCH easier to track you. Privacy advocates have been concerned about having a tracking chip inserted in your hand. Turns out, your palm print will basically do the same thing.

Can My Handprint Be Stolen?

If you have a password that is stolen in a data breach, you can create another password. If your handprint is stolen, what are you going to do, get a new palm? If your handprint is an image stored in the cloud, it can be stolen.

As you might expect, Amazon’s terms of use do not identify any compensation or recourse if your handprint were to be stolen or exposed in a data breach. There haven’t been too many legal precedents set for this situation, meaning you’d likely be facing a long, drawn-out, and expensive legal battle to seek any compensation.

The only sure way to have your handprint deleted from Amazon’s servers is to delete your Amazon One ID or to not interact with an Amazon One-connected device for two straight years, after which the handprint will be automatically deleted. However, one transaction during that time and the two-year timer resets.

I Already Use Face ID and Touch ID on My Devices, So What’s the Big Deal?

With Face ID and Touch ID, your biometric data (your facial image and your fingerprints) is encrypted and stored solely on your Apple device. It is not stored in the cloud; it is only on your device. This cuts way down on the possibility of anyone stealing your biometric data. Also, even if someone could steal this data (which is nearly impossible because the data is stored in your iPhone or Mac’s Secure Enclave), it is encrypted and even Apple can’t decrypt it.

Unfortunately, Amazon One stores your handprint in the cloud, meaning bad actors could possibly access it. Plus, even though Amazon says your handprint will only be used for payment, things could change down the line. Once you’ve “handed” over your palm print, you no longer have complete control over your biometric identity.

Biometric data can be exposed in data breaches. It is estimated that nearly half of the American population has had their data exposed in a data breach at least once in their lives.

Amazon has had several data breaches over the last 10 years or so, and has also paid fines to the European Union for violations of its General Data Protection Regulation (GDPR). As I was writing this article, I received a notification that Amazon has suffered yet another data breach, this time exposing the information of nearly three million employees. So, can we really trust Amazon and its subsidiaries to protect our data and our privacy? I think not.

As I previously mentioned, if your debit or credit card information is exposed you can always request a new card or account. If your palm print is stolen, you cannot (yet) request a new palm.

What about the issues scanning systems have with scanning the darker skin of non-Caucasian customers? What about how your palm print can change over the years? These types of systems rely on your palm print remaining the same. What if you suffer a deep wound or another type of injury to your palm? Wouldn’t that pose issues down the line? At the very least, you won’t be able to pay using your palm while a bandage covers the wound.

In Closing

While Amazon pushes its Whole Foods handprint scanning system as a way to save time and to make it more convenient when paying for merchandise, customers need to carefully consider the downsides of such a system.

Can we trust Amazon to keep our biometric information safe from bad actors? How else will Amazon use the technology? Will Amazon sell or otherwise share your handprint with other companies? Sure, they say they won’t, but their terms and conditions statements seem to indicate otherwise.

In my humble opinion, the world has enough contactless payment options. We already have Apple Pay and G-Pay, and tap-to-pay is available on most credit and debit cards. We don’t need to hand over more biometric information to a company that may very well misuse and profit from the information.
