Mastercard’s roll-out of biometric-authenticated payments is merely the latest example of the accelerating encroachment of biometrics into everyday life. But a global push back is gathering.
Card payment giant Mastercard appears to be determined to wean consumers off not only cash, its eternal rival, but also credit and debit cards, its main line of business until now. To that end, it is about to launch a pilot “biometric checkout program” in the UK. The so-called “Smile to Pay” system will allow shoppers to purchase goods and services in store by smiling into a camera or waving their hand over a reader and is optional for the moment.
The UK is already the fourth most cashless economy in Europe, according to research by personal finance website money.co.uk. In 2017, debit card payments overtook cash for the first time. COVID-19 has turbocharged this trend. In the early months of the pandemic cash use was heavily demonized around the world for increasing the risk of Covid-19 infection. In early March 2020, a WHO spokesperson said: “We know that money changes hands frequently and can pick up all sorts of bacteria and viruses … when possible it’s a good idea to use contactless payments.”
Media outlets and long-standing enemies of cash such as credit card companies like Mastercard and fintech start-ups seized on the WHO’s comments and magnified them, sparking fears over the safety of cash. Businesses in the UK, both large and small, refused to accept cash. Many still do, even as COVID-19 restrictions have been lifted. At the same time, the UK government and regulators have steadily increased the contactless limit, first from £30 to £45, and then to £100 in March 2021.
This has all helped to increase the use of digital payment methods. But are consumers in the UK (and beyond) ready to ditch the contactless cards to which they have grown so accustomed and begin transacting with parts of their body?
It’s All About Convenience
Payments using gestures have struggled to gain widespread traction among consumers in the UK, the Financial Times reports. But that hasn’t stopped Mastercard from pushing them even harder.
Consumers have to first enrol in the program, by using their phone to scan their face, before being able to take advantage of its supposed benefits. According to Mastercard, they will include shorter queues, improved hygiene and greater protection from fraud. Convenience, as ever, is the watchword.
“The new technology ensures a fast and secure checkout experience, while also empowering consumers to choose how they want to pay,” the company said:
“No more fumbling for your phone or hunting for your wallet when you have your hands full – the next generation of in-person payments will only need a quick smile or wave of your hand. The trusted technology that uses your face or fingerprint to unlock your phone can now be used to help consumers speed through the checkout. With Mastercard’s new Biometric Checkout Programme, all you will need is yourself.”
In other words, consumers will not have to use safer two-factor authentication — biometrics plus a PIN or password — if they don’t want to. And they are essentially being encouraged by Mastercard not to. Another problem is what happens when the technology suddenly stops working, as tends to happen on an an almost monthly basis with the facial recognition automated verification technology being used at UK airports’ EU passport gates, often resulting in major disruption.
Biometric systems are also prone to biases. Facial recognition software have proven to be notoriously inaccurate on women and those with darker skin. Another issue is the security of the biometric data once it is in Mastercard’s hands. As I note in my book Scanned, if biometric data is hacked there is no way of undoing the damage:
You cannot change or cancel your iris or DNA, like you change your password or cancel your credit card.
“The idea of a data breach is not a question of if, it’s a question of when,” says Professor Sandra Wachter, a data ethics expert at the Oxford Internet Institute. “Welcome to the Internet: everything is hackable.”
Mastercard is also staking a claim to a wider role in the emerging biometrics payments ecosystem. Ajay Bhalla, Mastercard’s president of cyber and intelligence, told the FT that Mastercard could act as the “enabler of the ecosystem”, setting unified privacy and security standards for a technology that has raised serious concerns among privacy activists and data protection campaigners.
The idea of Mastercard setting standards in the emerging field of biometric payments is hardly comforting given Buzzfeed’s recent exposé that both it and Visa have been maintaining “a strikingly permissive relationship” with companies accused of credit card fraud:
A yearlong BuzzFeed News investigation reveals that both Mastercard and Visa, which together process three-quarters of all US credit card payments, move money for businesses with extensive records of fraud — making it possible for them to keep swindling customers, sometimes for years. The credit card giants collect a percentage of every sale, legitimate or not.
Mastercard also currently faces the biggest class action lawsuit in British history. The company is accused of charging excessive “interchange” fees — the fees retailers pay credit card companies when consumers use a card to purchase a product — between May 1992 and June 2008 and that consumers ended up bearing those costs as retailers raised prices. If found guilty Mastercard could end up paying out as much as £14 billion, which would be the equivalent of £300 each for all 46 million claimants.
Brazil, Middle East and Asia First, UK Next
Before testing its “smile to pay system” in the UK, Mastercard is trialing it in Brazil this week. Five St Marche supermarkets in Sao Paulo will allow customers to pay by smiling or waving. More pilots are being arranged in the Middle East and Asia.
It is common practice for Western companies, NGOs and supranational institutions to pilot biometric ID and payments schemes in the poorer, less developed parts of the world before unleashing them on more mature markets. Thanks to the surge of mobile communications as well as the huge numbers of unbanked citizens, Africa has become an ideal testing ground for cashless living and biometric identity programs.
The Better Than Cash Alliance, (BTCA), a UN-hosted partnership of governments (all of them in the so-called “Global South”), companies and international organizations funded by the Bill & Melinda Gates Foundation, Citi, Ford Foundation, MasterCard, Omidyar Network, the U.S. Agency for International Development and Visa Inc, has been promoting cashless initiatives in Africa since its foundation in 2012. Its mission, in its own words, is “to accelerate the transition from cash to digital payments globally.”
Technologies “Trickling Up”
While BTCA has poured funds into promoting cashless initiatives in Africa, Asia and Latin America, the Identification for Development (ID4D) initiative, founded with seed money from the World Bank, the Bill and Melinda Gates Foundation (again!), the French, British and Norweigan governments and Omidyar Network (again!), has lent billions to governments in Africa and beyond to help them set up biometric digital identity programs.
Once the system is well established, some of it will “trickle up” to developed countries, wrote Bill Gates in 2015. Gates’ eponymous foundation is a founding member of both BTCA and ID4D while Microsoft, the company he founded and led for decades, provided seed money for ID2020 Alliance, an obscure New York-based non profit whose founding mission is to provide digital identity to all people, including the world’s most vulnerable populations, by 2030.
Mastercard is also heavily involved in national ID programs on the continent. It is also a driving force behind smart city initiatives. In Africa’s most populous nation, Nigeria, the company partnered with the government to launch a Mastercard-branded biometric national ID card, which also doubles up as a payment card. The “service” would provide Mastercard with direct access to over 170 million potential customers – and all their personal and biometric data.
In 2021, Mastercard Community Pass launched a joint venture with South Africa-based fintech Paycode Inc with the aim of capturing the biometric data of 30 million individuals in remote parts of Africa by 2024, as Biometric Update reported:
Users’ face and palm biometrics are stored in a chip on Mastercard’s Community Pass smart cards. Paycode, which has been part of Mastercard’s business accelerator schemes runs a platform which offers the card holder a biometric identity (not a national identity) and financial services such as a digital bank account. Services can be accessed offline in real-time. Users do not need an existing identity document.
“Together, Paycode and Mastercard deliver a path to prosperity, enabling users to manage day-to-day needs including paying school fees for children, getting vaccinations for their families, selling goods, and growing their businesses,” states the release.
The partnership intends to help card holders “seamlessly access financial, health, agricultural, or aid services across providers, including government disbursements.”
Global Push Back Begins
The roll-out of biometric-authenticated payments is merely the latest example of the accelerating encroachment of biometrics into everyday life. Most national passports these days include biometric identifiers. Meanwhile, millions — perhaps even billions — of people have volunteered their digital fingerprints to log into their smartphones and other digital devices. In other words, people are already giving away their most private data to communicate, work, cross borders, or board planes.
But a push back is gathering globally. Aid organizations are beginning to question the wisdom of adding biometrics to so-called “smart cards” used in humanitarian settings. This came after the ICRC earlier this year suffered a “highly sophisticated” hack using tools employed mainly by states or state-backed groups. Personal information belonging to more than 515,000 people was exposed.
The United Nations High Commissioner (UNHCR) for Refugees has also come under heavy fire after Human Rights Watch revealed the UN agency had shared the biometric data it had collected from Rohingya refugees in Bangladesh with Myanmar’s government — the same they were fleeing from.
Last week, a global coalition of 53 civil society organisations, including Access Now, Algorithm Watch, Big Brother Watch, Fair Trials, Privacy International and State Watch, signed a joint letter calling on Members of the European Parliament to use their democratically-elected powers to ban biometric mass surveillance practices:
The AI Act is the obvious way for this important European Parliament resolution to be translated into binding, impactful law.
The urgent need for further action has also been recognised at EU Member State level. Italy has introduced Europe’s first moratorium on public facial recognition. The German coalition government has called for an EU-wide ban on biometric mass surveillance practices. Portugal dropped a law which would have legalised some biometric mass surveillance practices. And the Belgian Parliament is considering a moratorium on biometric surveillance.
Will you make (the right kind of) history?
There is already significant evidence that European residents have been systematically subjected to biometric mass surveillance practices. From football fans, to school children, to commuters, to shoppers, to people visiting LGBTQ+ bars and places of worship, the harms are real and prevalent. Via the Reclaim Your Face campaign, over 70,000 EU citizens urge you and your fellow lawmakers to better protect us from these undemocratic and harmful biometric systems.
Around the world, over 200 civil society organisations, from Burundi to Taiwan, have signed a letter calling for a global ban on biometric surveillance. As the first region to comprehensively regulate artificial intelligence, the EU’s actions – or inaction – will have major ramifications on biometric mass surveillance practices in every corner of the globe.
Meanwhile, back in the UK concerns are rising that the country’s headlong rush toward becoming a cashless economy risks leaving millions of people who still depend on cash in the lurch while exposing consumers to greater financial risks. According to a report commissioned by ATM network Link, more than 10 million Brits would struggle to live in a cashless society while forcing people to use digital money could lead to a loss of control over finances and spiralling debts.
Arch entertainment suggestion: Go to your local DMV, sit at the end of the room where people are renewing their license photos, and watch the interaction between the employee taking the picture and the victim in front of the camera. ‘NO, no smiling!’, barks the Camera Nazi, ‘NO, lets do it again!’ Hilarious! We were sideways in our chairs with mirth, giggling like children in church.
Oh yeah, I can see ‘smile to pay’ going over big, big, big in the U.S.. The credit card companies will still get their way eventually, but the journey there…
Something that happened to me not long ago made me realise how much I hate paperless currency (and this is without it leaning into biometrics).
I lost my bank card on a friday afternoon and didnt realise until later in the evening. I did the usual cancelling of card but only after i did that i realised “shoot, i dont have any money on me”.
No worries i thought, I have my account linked to my phone. Well that won’t work as its not my bank account it’s my debit card linked which is cancelled.
I then tried to link my paypal account to my phone so i can make contactless payments using my phone that will bill my paypal account which is linked to my bank account. Nope, can’t do that.
They have closed the local bank to me so even after the weekend had passed I was still without any money for a few days into the next week.
Some bank accounts in the UK allow you to request emergency funds via a cashpoint if you have lost your card but this is subject to their being a bank owned cashpoint within your reach (and if the bank actually offers that service!)
This was highly stressful so i can absolutely concur with the “more than 10 million Brits would struggle to live in a cashless society” point.
If you have the normal middle-class resources and don’t keep $500.00 in cash ($20.00 bills are best) around the house you have no imagination about what can go wrong. Don’t expect to get change either; I routinely use the “returns” register at Home Depot and pay there to avoid the long lines- they don’t have a change drawer at those registers.
I also keep two $50s in my wallet. The last time I needed to use one was four years ago. My car battery failed in a parking lot. I needed to get to the airport. I locked the car with a note on the dashboard, took my bag, walked out into the main street with the 50s in my hand and waved them at the passing cars. The third one stopped. One fifty got me to the airports 6 miles away.
Don’t keep them visible in your wallet; a cop might take that as a bribe offer and get offended. I used to keep them under my drivers licence, which you hand to the police officer during a stop. The first time I was stopped after keeping the bills there I spotted the problem. I didn’t do it again.
It’s come to my attention that there are different words for those two $50’s, depending on where you grew up and in what tribe. In our house it’s referred to as ‘The Stash’. It’s hidden in our wallets and in a single larger amount in the house. Do you have a name for it and do you know of other names?
So if my wave or smile isn’t convincing enough, will they sell my data to a pharmaceutical company so they can send anti-depressant ads to me?
If I’m not mistaken, Norway is now 95% cashless. On the 16th of May, the day before Norway’s biggest holiday, Independence Day, card terminals went down country wide. They were only down for a couple of hours but it was a huge inconvenience, people shopping before the big day. After they came back on, it was explained as a software glitch.
The day after, on Independence Day, NRK, the national broadcaster, ran an article “Experts Recommend Carrying Cash.” No shit Sherlock!! My wife and I always have cash on hand. And actually, we don’t need experts to tell us this but the journalist did, as she was on a short deadline to get the story out.
So if for example Norway declares war on Russia, then Russian hackers only have to target the internet in Norway and the economy is toast. Or maybe free lance hackers shut down the internet in Oslo and demand a ransom or else it stays off. This is a fiasco just waiting to happen as there are so many points of vulnerability.
You’re right, Rev. And it’s not like this is news to policy makers. We already saw what happened in Puerto Rico in 2017 following Hurricane Maria, which brought down the electricity supply and with it electronic payment systems for weeks on end. A Politico article from 2018 cited warnings from some quarters that “a gradual phase-out of cash in many countries poses a serious threat to the financial system, as relying too heavily on digital payment systems exposes them to catastrophic failures in the event of cyber attacks.”
https://www.politico.eu/article/central-bankers-fear-cybersecurity-chaos-in-a-cashless-society/
The crazy thing is that your post makes plain the extreme hazards of going this way but so many banks and governments are saying ‘Nah, it’ll be fine.’
The government is not a singular voice in this.
You have some departments rising a stink over privacy and disaster recovery, yet others, in particular the taxation authority, are pushing hard because they see it as a way to curtail black markets and like.
And it also means less physical mail to be sent and processed, so they save money while still collecting fees.
I get why someone with tunnel vision would think that electronic everything would be just absolutely fabulous, but as with hurricanes, earthquakes can also knock out everything.
With the Loma Prieta Earthquake, IIRC, power including electronic communications was toast. IIRC, several hundred miles north in all directions affecting six million people. Hurricanes can devastate entire states and earthquakes have the possibility of destroying ⅔ of California and isolating thirty million people. We know that the Big One is going to hit and hurricanes will hammer the coast. But when it happens is just guessing, which means that reducing the redundancy for profit will continue.
On the biometric identification, there has been an increasing profit of DNA appearing in crime scenes, then labs, and finally trials of people who weren’t ever at the crime scene. DNA travels. We are looking at wastewater for COVID genetic stuff. People’s DNA can travel across cities floating from surface to surface. The police and the courts are not very diligent and the technology for finding DNA is increasingly effective. But it’s only looking at what is there, not how it got there. Or like with the faulty use of finger prints. It is very hard to match the often distorted fingerprints found at a scene so they use points of congruence. It works well enough if they use many points, but the police and the FBI often reduce the number of matching points because they want to get someone, often anyone. Matching points are already used to identify people with already distorted and incomplete prints. Innocent people have been convicted on faulty DNA and fingerprints. And fingerprints were used because the previous methods of body and face measurements were not accurate enough.
Forget about having the data hacked. Just how diligent will the banks be in using their chosen metrics? I can tell you that the American legal system is not. I think that the potential sloppiness in biometrics is a feature and not a bug. It would allow “the system” to hammer anyone that want with the goal not of being to punish or help, but of terror and extortion. Of getting the case off the books. Much like how civil asset forfeiture is an alternate means of taxation and not of punishment. The chosen metrics or methods (fingerprints, police intuition, whatever) cannot be wrong; the chosen guilty one must be guilty. I dread trying to keep my money or my freedom in such a system.
Norway recently experienced an hour long nation wide failure of its card payment terminals. Lead to some “hilarity”. And yet the central bank is pondering the phasing out of physical currency.
Never mind that more and more is done using a digital “ID”, and banks are pushing a money transfer scheme using phone numbers and smartphone apps.
I used to be gung ho about the net and computers, but these days i feel more and more like a luddite.
I remember my grandmother saying something about eggs and a basket. However, she was old and not tech savvy like modern people /s
A then old saying memorialized in a ceramics tile of “good sayings” for kitchens’ walls display mountings, or like a needlepointed truism framed for display: “We are too soon old and too late smart.”
‘Biometrics’ is the latest ‘data collection for profits’ thing. See Apple’s latest iPod stuff. (How can an owner of the latest and greatest stuff sell at second hand something tied to biometric data and expect it to work for a new owner?)
https://www.biometricupdate.com/202108/apple-studies-integrating-biometric-health-sensors-in-airpods
and
https://www.imore.com/apple-patent-reveals-earbuds-biometric-sensors
Analog is looking better all the time. / ;)
Was the whole push to use contactless payments during COVID just bs opportunism by FIRE?
> “Smile to Pay”
As readers know, I find the “Let me see you smile” demand made by anti-maskers extremely creepy, and often part of a dominance game played by higher-ups against subalterns. In fact, I’m starting to find the role of smiling in public life extremely problematic.
And boy howdy, does this post reinforce that feeling.
Smile, though your heart is breaking…