Amazon One is about identity, not payments.
Earlier this week, Amazon unveiled Amazon One: new technology for its Amazon Go stores that lets shoppers pay for their groceries by scanning the palm of their hand. By analyzing the shape of your hand and the unique configuration of veins under your skin, Amazon says its technology can verify your identity the same way facial recognition does.
Although Amazon One will initially be used for payments only, it’s clear the tech giant has much bigger ambitions for this hardware. In the future, it says, Amazon One could not only be used for shopping but as a replacement for tickets at music and sporting events, and as an alternative to your office keycard, letting you scan in with a swipe of your hand. In other words, Amazon One isn’t a payment technology. It’s an identity technology, and one that could give Amazon more reach into your life than ever before.
Understandably, some experts are skeptical about Amazon’s claims of convenience, and worry about a company with a spotty track record on privacy becoming the controller of a new identity standard. Whether it’s Amazon’s use of biased facial recognition algorithms or its ambitions to grow a network of home surveillance cameras, this is an organization that has proved many times that individual privacy is not always its biggest concern. Is it a good idea if Amazon knows exactly who you are from the palm of your hand?
How the technology works
Let’s start by looking at the technology itself, which is blessedly straightforward. Palm scanning has been around for years, and although Amazon isn’t offering many details on its own implementation, it looks to be similar to examples of the tech we’ve seen before.
As the company explains on its FAQ page, the Amazon One hardware verifies a user’s identity by looking at “the minute characteristics of your palm — both surface-area details like lines and ridges as well as subcutaneous features such as vein patterns.” Usually, vein scanning is done using infrared light that penetrates the surface layers of skin, though Amazon doesn’t mention this technology specifically. It says anyone can sign up to Amazon One by inserting a credit card into one of its scanners and registering one or both of their palms. The scanners can then identify someone “in seconds” without skin contact. (A bonus during a pandemic, but no cleaner or quicker than using many contactless credit cards.)
From a security point of view, palm scanning has some key advantages over other biometrics. First, the information being used to identify you is not easily observable, unlike your face or ear print. Even fingerprints can be picked up from touched objects or photographed from a distance. It’s much harder, by comparison, to snap a picture of someone’s hand and use that to spoof their vein patterns.
“All the other biometrics that are becoming commonplace — face, fingerprints, iris — are all quite observable and visible from the outside,” Elizabeth Renieris, a law and policy researcher who focuses on data governance and human rights issues, told The Verge. “There’s definitely something to say for the advanced security [of palm scanning].”
Similarly, the information collected during a palm scan makes it easier to incorporate a liveness test: to check that you have a real, living person in front of you. For these reasons, it’s sometimes claimed that palm or vein recognition is the most accurate and secure of all common biometrics, though the stats depend on how the tech is implemented. It’s also worth noting that palm scanning is certainly not foolproof, and hackers have shown in the past they can create fake hands that can trick some scanners.
Do you want your palm stored in the cloud?
There’s one other big difference between Amazon One and other biometric systems you might be used to, and that’s that Amazon will be keeping its palm data in the cloud. People have long worried about this sort of personal data collection, but it’s striking that it’s Amazon that is now trying to make it happen.
As Reuben Binns, an associate professor focusing on data protection at the University of Oxford, explained to The Verge, cloud storage is inherent in the system Amazon is building. “For this kind of use case it’s difficult to do anything other than have [that data] in the cloud,” he says. “Whether that’s a good idea or not is another question.”
From Amazon’s point of view, it will mean it has to be particularly careful about how it stores and collects the data. Biometric information is protected in a way other data is not, by the EU’s GDPR regulations and by some state-level laws in the US. It’s unclear, for example, how Amazon One will work with regulation like Illinois’ Biometric Information Privacy Act (BIPA), which requires that companies get informed consent before collecting biometric data. (Amazon seems to recognize this in its copy for its palm scanning tech and says that presenting your palm to a scanner “requires an intentional action” by the customer.)
Binns contrasts Amazon One with technology like Apple’s Face ID, which uses facial recognition data to unlock your phone and verify payments but keeps the biometric data on your device. By keeping data in the cloud, you’re exposing it to hackers as well as potentially making it more accessible to interested third parties, like governments.
But Binns stresses that Amazon One also makes the same basic trade-off as any biometric system of authentication: do you want to create a password that’s part of your body?
“The advantage is that it’s on you all the time, this isn’t something you can lose, but that’s also a disadvantage because you can never change it,” says Binns. “You can never change your palm like you change your password or other identification tokens.” And while this might be acceptable for high-stakes scenarios — like using facial recognition to verify who you are with a country’s government at the border — Binns says it seems inappropriate for something like shopping, especially when equally convenient alternatives already exist.
“It seems to me like the wrong trade off between persistence [of data] and the level of assurance you actually need for some of these use cases,” he says.
If Amazon One is overkill for shopping, then what’s the company’s real end game?
It’s difficult to guess, simply because Amazon One could be put to so many different uses. But why wouldn’t a company like Amazon want to be in charge of an ID and payments infrastructure used across stores, stadiums, and offices? Amazon One is only launching in a pair of the company’s Amazon Go stores in Seattle, but the company is pitching the tech to anyone who’s interested, promising that if they adopt Amazon One, they can offer their customers “a seamless service, faster payments, and a personalized experience.” If the service takes off, you could imagine palm verification being incorporated not only into shops and offices, but smart homes, theme parks, airports, and anywhere else where you have to verify you are who you say you are.
Frederike Kaltheuner, a tech policy analyst and fellow at the Mozilla Foundation, tells The Verge that this is one possible motivation for Amazon: to fill in gaps in its data empire, particularly in the physical retail space. If it can better track what people are buying and spending money on, it can better target them with new products on Amazon.com.
“There is a missing link in the kind of data they have if I go to a shop,” says Kaltheuner. She notes that many data brokers exist that already collect information on shopping habits from things like loyalty cards, but if Amazon were able to collect that data itself, it could cut out the middle man. “When a company that already has so much data and knows so much about so many people enters a new industry, the question is, can the data be linked?” says Kaltheuner. (On the FAQ page for Amazon One, the company does not say what it plans to do with payments data it might collect from third-party stores.)
For some, though, worries about a service like Amazon One go far beyond data collection. Renieris says that what concerns her about the technology is the way in which it ties who you are as a person, physically, to a history of your purchases and similar transactions.
“The closest thing we have now is things like Apple Wallet and Apple Pay and other device-based payments infrastructure,” says Renieris. “But I just think, philosophically and ethically, there’s extreme value in having a physical separation between your transaction infrastructure and your physical self — your personhood and your body. As we merge the two … a lot of the rights that are based on the boundedness of a person are further threatened.”
Renieris says that from a historical standpoint, privacy has been based on physical spaces like your home, or your papers, or your possessions. But once those physical spaces bleed into the digital world, as with an identity system that is tied irrevocably to your actual hands, “it becomes harder to establish and preserve those rights.”
“Your physical self is literally becoming a transactional tool,” she says.