The Federal Trade Commission (FTC) recently filed a complaint against Rite Aid, accusing the pharmacy chain of using untested and inaccurate facial recognition technology to secretly surveil shoppers between 2012 and 2020. According to the FTC, the technology misidentification led to thousands of innocent people, particularly women and individuals from minority groups, being wrongly accused of shoplifting. The agency alleges that some were harassed and publicly humiliated, forced to leave stores even when attempting to fill necessary prescriptions.
Rite Aid, currently in the process of closing hundreds of its over 2,000 stores after declaring Chapter 11 bankruptcy, disputed the allegations. The company stated that it fundamentally disagreed with the FTC's claims about its use of facial recognition technology.
In response, the FTC proposed a stipulated order, seeking to ban Rite Aid from utilizing facial recognition technology or other analysis systems for surveillance or security on the public for five years. If the technology is reintroduced, stringent measures must be implemented to ensure the public is not harmed, with the order set to remain in place for 20 years.
The FTC emphasized the need for companies deploying facial recognition and biometric technology to interact with the public to adhere to specific guidelines outlined in the proposed order. Commissioner Alvaro Bedoya noted that the settlement provides a robust baseline for what an algorithmic fairness program should entail.
"The settlement offers a strong baseline for what an algorithmic fairness program should look like," said FTC Commissioner Alvaro Bedoya in a statement.
The agency highlighted the widely acknowledged inaccuracy of facial recognition technology, particularly in correctly identifying individuals from minority groups. "Before deploying any automatic biometric security or surveillance system, Rite Aid will need solid proof that it’s accurate," said Lesley Fair, a senior attorney in FTC’s Bureau of Consumer Protection, in a blog.
Companies must test the accuracy of such systems, maintain records of the results, and address any issues to improve accuracy. Rite Aid allegedly failed to track false positives and monitor results for accuracy.
Additionally, the FTC stressed the importance of transparency in collecting biometric information on the public. "Does your company use [artificial intelligence] or other automated biometric surveillance technologies? The FTC’s action against Rite Aid demonstrates the need to test, assess, and monitor the operation of those systems and to ensure that their performance in real-world settings complies with consumer protection standards," said Lesley Fair.
Companies must provide notice at the collection locations and online, allowing individuals to avoid such areas if desired. "Before deploying any automatic biometric security or surveillance system, Rite Aid will need solid proof that it’s accurate," emphasized Lesley Fair.
Any addition of people's information to a database or watchlist requires individualized notice. Retailers are responsible for ensuring the quality of photos used in facial recognition systems, considering real-world conditions such as low light that can impact accuracy. The FTC also emphasized the need for companies to anticipate and mitigate the impact of false positives on customers, ensuring staff is fully trained and protocols are in place.
Moreover, the FTC expects companies to assess and mitigate the risks associated with third parties that have access to collected personal information. "The FTC’s action against Rite Aid demonstrates the need to test, assess, and monitor the operation of those systems and to ensure that their performance in real-world settings complies with consumer protection standards," said Lesley Fair.
Contracts with vendors should include clear, comprehensive, and enforceable requirements regarding information security standards. Rite Aid allegedly fell short in this aspect, with the FTC claiming their third-party contracts lacked adequate information security standards.
The FTC's order directs Rite Aid to undergo biennial assessments of its information security program by a third party. The action against Rite Aid underscores the importance of testing, assessing, and monitoring the operation of facial recognition and biometric surveillance technologies, ensuring compliance with consumer protection standards.
By fLEXI tEAM