Rite Aid ‘left its customers facing humiliation,’ says FTC as it hits chain with five-year facial-recognition ban

Rite Aid agreed to the ban in a settlement with the Federal Trade Commission (FTC) yesterday, which also covered its violation of a 2010 order around data security. Obviously, that means the company neither confirms nor denies the charges, but the details of the FTC’s complaint are grim.

From October 2012 to July 2020—when a Reuters investigation triggered its abandonment—Rite Aid’s facial recognition system led store employees to follow people around the store, ban them from shopping at Rite Aid, accuse them of being known shoplifters “in front of friends, family, acquaintances, and strangers,” detain or search them, and call the cops on them. Unfortunately, the system was unreliable and generated thousands of false positives. Rite Aid allegedly didn’t even test its accuracy before rolling it out.

Rite Aid used low-quality imagery that naturally decreased the system’s accuracy, and it didn’t properly train employees in how to use it—though it did discourage them from telling customers that facial recognition was in use. The system automatically generated confidence scores to give some indication of how likely it was that the person being filmed was the same person on the database, but employees generally didn’t get to see those scores.

Here’s the bit of the complaint you should all have been waiting for by now: “As a result of Rite Aid’s failures, Black, Asian, Latino, and women consumers were especially likely to be harmed by Rite Aid’s use of facial recognition technology.” But of course.

“Rite Aid’s reckless use of facial surveillance systems left its customers facing humiliation and other harms, and its order violations put consumers’ sensitive information at risk,” said FTC consumer protection chief Samuel Levine in a statement. “Today’s groundbreaking order makes clear that the Commission will be vigilant in protecting the public from unfair biometric surveillance and unfair data security practices.”

Here’s hoping that other retailers—and shoppers—take note. According to the FTC’s complaint: “An internal presentation advocating expansion of Rite Aid’s facial recognition program following Rite Aid’s pilot deployment of facial recognition technology identified only a single risk associated with the program.” Was it the risk of false positives? The risk to customers?

Nope—“media attention and customer acceptance.” On that point, at least, the company got it rite. More news below, and do also check out my colleague Alexandra Sternlicht’s must-read piece on what it was like to be a Figma employee learning that the company’s $20 billion acquisition just fell through.

David Meyer

Want to send thoughts or suggestions to Data Sheet? Drop a line here.

NEWSWORTHY

Bird goes bankrupt. The scooter giant Bird has filed for Chapter 11 bankruptcy protection in South Florida, Bloomberg reports. The company, which went public in a 2021 SPAC, will sell some of its assets to its lenders, and Apollo Global Management and others are providing $25 million in financing to get Bird through this period. Bird’s European and Canadian operations are unaffected.

Google ad sales reorg. The Information reports that Google may cut jobs in its 30,000-strong ad-sales unit, as part of a looming reorganization. The publication notes context including Google’s increasing use of machine learning to create and place ads.

FBI vs. ransomware. The FBI has announced its infiltration of servers used by the notorious ALPHV or Blackcat ransomware gang and says the surreptitious operation allowed it to grab decryption keys that it then used to rescue victims. The FBI also seized ALPHV’s data leak site, but, as Bleeping Computer reports, the gang struck back: “As both the ALPHV operators and the FBI now control the private keys used to register the data leak site’s onion URL in Tor, they can go back and forth, seizing the URL from each other, which has been done throughout the day.”

ON OUR FEED

“[It’s] incredibly easy to avoid getting banned for being underage. Once a kid learns that this works, they will tell their friends.”

—An unnamed TikTok employee quoted in the latest Guardian article about the firm’s moderation practices. TikTok has an age limit of 13, but apparently, someone with their age listed as 12 got away with it because their bio said their parents were managing the account.

IN CASE YOU MISSED IT

Exclusive: Sam Altman quietly got $75M from the University of Michigan for a new venture capital fund earlier this year, by Jessica Mathews

Slack undergoes more leadership changes as 3 executives leave, including the COO, by Kylie Robison

Alibaba is replacing its e-commerce head after just nine months in the job as it tries to beat back Pinduoduo and Temu owner PDD, by Lionel Lim

AI’s top research conference morphed into a recruiting extravaganza, summing up a wild 2023, by Sage Lazzaro

Tesla’s recall of 2 million cars relies on a fix that may not even work, by the Associated Press

The Biden-Musk feud takes another twist as the White House backs Tesla charging stations as the standard for all American EVs, by the Associated Press

BEFORE YOU GO

Toshiba delisted. How the mighty have fallen. Reuters reports that Toshiba, one of Japan’s most venerable brands, has been taken private after 74 years as a listed company, by a group of investors led by private equity outfit Japan Industrial Partners.

Toshiba’s good name was sullied in recent years by a major accounting scandal and the collapse of energy subsidiary Westinghouse. Stockholders had thwarted its restructuring plans, but whatever form the conglomerate now takes, that won’t be a problem anymore.