I was refused entry in a local B&M store today

Ergates

Okell said:

Jenni_D said:

Ref. SAR ... as it stands the companies have no name for the OP, so how will they service a SAR? The OP attaches a photo to their SAR? (And the process of making a SAR will present further data to the company(ies) than they currently hold - something the OP has already said they're uncomfortable with).

user1977 said:

A_Geordie said:

nero33 said:

Not interested in legal action but would like to see their evidence and ideally be removed from their most wanted list

In that case you should write to Facewatch and exercise your data subject rights to make a subject access request together with a erasure request. 

Isn't the problem here that the OP can only demand erasure of their own data - not everybody else who looks like them?

booneruk said:

I was wondering, how would one execute a SAR by submitting a photograph. What about twins/doppelgangers? Also, if a name was provided how would that link to some random mugshot (or more likely a biometric fingerprint of a face) in the system.

These strike me as problems re submitting a SAR

B&M and Facewatch don't know who the OP is - just that they think he resembles someone banned from certain stores.  How do they know what is his data and what isn't?

It also highlights to me the unacceptable nature of this sort of vetting.

It will be nearly impossible to meet all their requirements under GDPR with such a system.

Either they can't meet their requirements to service a SAR, OR they risk failing to protect the data they hold.

booneruk

Is the storing of biometric face data any different to the storing of faces on CCTV systems?

nero33

MeteredOut said:

 How do people get registered onto FaceWatch? I assume individuals at each store can do that?

OP said they went into that B&M previously with a relative, but left without buying anything and went to another shop. Could someone at B&M have erroneously flagged them as suspicious, so the issue here is not a look-a-like but an erroneous flagging?

We went in, found what relative was looking for. Went to till. I didn't want to queue up so walked out of the store. Empty handed!  If that's suspicious behaviour....

subjecttocontract

Wear a disguise.....hat, glasses, beard,  moustache etc.  Facial recognition can be fooled if you work at it. But I can see how the situation is very annoying for you. Stores have to try something to combat shoplifting which has got out of hand.

nero33

Just an update.  My relative went in.  Spoke to store manager and same security guard.

Asked they could have some sort of explanation.  They both went away, presumably to view CCTV or the system and returned after about 20mins.

They returned and said there must've been an incident and someone has manually activated a ban in-store.  Couldn't say who did it or why and when asked if they knew what the incident was, they said they don't know.

I suspect they know something but won't say.  I feel there may be some discriminatory behaviour at play as my 10 min visit to B&M as innocuous as it gets.  Maybe they're protecting a colleague?

They asked us to contact Facewatch directly

A_Geordie

Jenni_D said:

Ref. SAR ... as it stands the companies have no name for the OP, so how will they service a SAR? The OP attaches a photo to their SAR? (And the process of making a SAR will present further data to the company(ies) than they currently hold - something the OP has already said they're uncomfortable with).

user1977 said:

Isn't the problem here that the OP can only demand erasure of their own data - not everybody else who looks like them?

Okell said:

These strike me as problems re submitting a SAR

B&M and Facewatch don't know who the OP is - just that they think he resembles someone banned from certain stores.  How do they know what is his data and what isn't?

It also highlights to me the unacceptable nature of this sort of vetting.

Unless there is an exemption in place under data protection laws that means they don't have to comply, companies who process data must have policies and procedures in place to comply and meet data subject rights. In the case of facial recognition technology (I'll refer this to as FRT), they need to have the ability to be able to extract any images that are stored along with other information relevant to the request. Compliance with the ICO Surveillance Code of Practice is required and if I remember, it talks briefly in there somewhere about being able to meet SAR requests.

The only obvious way I can see a company comply with a request relating to FRT is to submit a photograph of themselves in order for the company to be able to conduct a search and determine if they hold said data. that photograph can and should be destroyed following the request since it was provided for a specific purpose which was to comply with the SAR. I'm aware of certain local councils and some retailers who require passport/driving licence for SAR requests where sensitive information is concerned and agree to destroy the passport/driving licence data if that was something they did not originally hold about the specific individual.

Facewatch claim in their privacy notice that they store images for up to 12 months since the last incident. Presumably the data that can be erased will be the image taken from B&M's CCTV that was used to compare against the Facewatch database. Given their claim to accuracy, I would imagine it can't be that difficult to search and delete the offending image and associated descriptions, along with the model image included in a SAR.

MattMattMattUK

A_Geordie said:

Facewatch claim in their privacy notice that they store images for up to 12 months since the last incident. Presumably the data that can be erased will be the image taken from B&M's CCTV that was used to compare against the Facewatch database. Given their claim to accuracy, I would imagine it can't be that difficult to search and delete the offending image and associated descriptions, along with the model image included in a SAR.

From what I can see online that is not how the system operates. Facewatch relies entirely on it's own cameras, which are much higher resolution than CCTV and also build a 3D model of the face to use for comparison. It seems to scan everyone as they enter and/or leave the store and then store workers have the ability to flag a particular face based on an image it stores as well as the model data. Store employees could use their own CCTV to try and figure out who to flag in the system, but the Facewatch system is entirely separate from store CCTV. 

pinkshoes

MeteredOut said:

 How do people get registered onto FaceWatch? I assume individuals at each store can do that?

OP said they went into that B&M previously with a relative, but left without buying anything and went to another shop. Could someone at B&M have erroneously flagged them as suspicious, so the issue here is not a look-a-like but an erroneous flagging?

^This.

A camera will not be able to pick out someone doing something "naughty".

There would need to be an incident in store (theft, violence, aggressiveness etc...) that was unacceptable, then a HUMAN (member of staff) would have to look at their camera recordings and select the person that needs to be added to FaceWatch.

It looks like the OP has been incorrectly selected by the member of staff.

@nero33 - do you know anyone that works there and dislikes you?? It might be worth writing to the store to suggest they re-train their staff to use the system, as they've clearly added a valued paying customer to their facewatch list and no doubt the thief is still permitted to shop there!

MeteredOut

nero33 said:

MeteredOut said:

 How do people get registered onto FaceWatch? I assume individuals at each store can do that?

OP said they went into that B&M previously with a relative, but left without buying anything and went to another shop. Could someone at B&M have erroneously flagged them as suspicious, so the issue here is not a look-a-like but an erroneous flagging?

We went in, found what relative was looking for. Went to till. I didn't want to queue up so walked out of the store. Empty handed!  If that's suspicious behaviour....

Based on your later response that they said "there was an incident", I wonder if they "mis-saw" something, eg, the two of you standing together and them thinking your friend put something in your pocket before you left the shop. eg, if something had gone missing that day and they reviewed footage and found someone to pin it on.

But its obviously B&M are not going to show you the footage, so it looks like FaceWatch is your only choice.

EDIT: Another thought, have you contacted B&M Head Office, or just the local store?

outtatune

MattMattMattUK said:

Aylesbury_Duck said:

Presumably you simply look very like someone who has caused a problem.  I doubt there's anything you can do about it, and nor do I expect them to be inclined to do anything, either.

Looking like someone should not really be a factor, but it depends on the quality of the facial recognition technology.

Aylesbury_Duck said:

How good is the technology?  I'd have some fun and go back to B&M in glasses or a fake beard to see what happens.

Facial recognition tech can be as simple as being defeated by someone frowning whilst walking past the camera, to being able to differentiate identical (monozygotic) twins. It depends on what and how many reference points it uses, whether it is just visible light or also uses IR and UV etc. Their website is big on buzzwords and almost entirely lacking detail so hard to tell, but I imagine it sacrifices accuracy for speed of processing and to reduce both the processing power required as well as the bandwidth requirements. 

The only accuracy example I can find for FaceWatch is that the Met Police facial recognition has a false positive rate of 0.012% under operational conditions sampling 200 faces per second in a crowd. The FW system quotes an "accuracy rate" which is different as it can include false negatives as well, "up to 99.87%" but gives no data on the sampling rate. So the Met system has a false positive rate of about 1-in-8,000, the FaceWatch system give an inaccurate result at a rate of about 1-in-750 (false positive and false negative combined). 

For context.

'Up to 99.87%' of course means 'less than 99.87'; presumably that accuracy is only achieved when matching identical poses against an identical plain background, using a data set whose demographics perfectly match the demographics of the test sample. (If your data set has only one person of visibly Chinese ethnicity, for example, then it's likely to match every single Chinese, Japanese, Korean, Mongolian, etc person against them)

But if we imagine the 1 in 750 is about right, then lets imagine that every day 750 scallies whose images are in the system try to enter one of the stores, and every day 75000 innocent members of the public try to enter the stores. (No clue if these are realistic numbers). The system will flag 749 of the scallies and miss one. It will flag 100 innocent people and miss 74900. So the chances of any one person flagged being innocent are not 1/750 but 100/849 or about 12%.

So their system if going to false positive a shedload of innocent people. It seems like they have no clue how to deal with that.