On Thursday, Amazon unveiled a new app designed to facilitate user registration for Amazon One, its palm recognition technology that has increasingly been adopted in various retail locations over the past few years. This development has sparked discussions among digital privacy experts.
Originally launched in September 2020, Amazon One allows users to register via their smartphones by submitting palm photos, eliminating the need to enroll at a physical site. The technology uses an individual’s palm and vein patterns to generate a unique palm signature, leveraging generative AI. This signature is then used by Amazon One scanners for a range of applications, including retail payments, age verification, and access control.
Amazon One scanners, previously exclusive to Amazon’s own stores, are now available in numerous Whole Foods outlets, select Panera Bread locations, and various third-party sites such as stadiums, airports, and fitness centers. The images of palms and veins captured during enrollment are encrypted and stored in the Amazon Web Service cloud, accessible only to a limited group of AWS employees with specific expertise.
Critics, such as Albert Cahn from the Surveillance Technology Oversight Project and Evan Greer from Fight for the Future, have expressed concerns about the privacy implications of biometric services like Amazon One. They question the necessity of handing over sensitive biometric data to private entities for convenience, highlighting the potential risks associated with tech companies’ management of personal information.
In response to these concerns, Amazon emphasizes the security of Amazon One’s palm signature technology, including its inability to be replicated and its liveness detection capabilities, which have successfully differentiated between real palms and artificial replicas in tests.
Amazon has also highlighted the precision of palm recognition technology, stating it is 100 times more accurate than iris scanning, with no false positives reported after millions of uses.
Users in California have the option to withdraw from the service and request the deletion of their personal information under the California Consumer Privacy Act. They can also remove their Amazon One IDs and inquire about any retained data.
This announcement comes amidst scrutiny of Amazon’s handling of user data, including a recent settlement with the Federal Trade Commission involving privacy concerns related to Amazon-owned Ring and allegations of improper collection and retention of children’s data through Alexa. Amazon has denied any wrongdoing in these cases.