One-Way-Mirror Society: What are the specific privacy issues posed by digital signage networks / what risks exist?

Report home | Read the report (PDF) | Previous section | Next section

Specific and substantive policy issues and privacy risks exist in modern digital signage networks. This section summarizes those issues and risks.

Security Camera Footage: Repurposing footage for marketing and profit

Perhaps the most egregious repurposing of data is the use of security camera footage for store marketing purposes. From the industry literature, this appears to be an established business practice at this point. It is one that needs to be examined closely.

For example, researchers who specialize in studying shopping patterns, in describing their process of gaining shopper insight, include the option of using existing security cameras to collect shopping research data on consumers:

“The research is usually implemented by setting up one or more video cameras, recording consumer shopping activity for several hours a day, and then coding behavior at a later time, either with human-research assistant or machine – vision tools. Existing security cameras may be used to collect the data if they provide adequate visual coverage and fidelity.” (emphasis added) [79]

The POPAI Recommended Code of Conduct for Tracking Consumers specifically mentions this issue:

Using video or image data from surveillance, security, or loss-prevention systems may violate Federal, State and/or local laws, and is generally not recommended. If this practice is allowed by law, marketers must use separate computer systems and storage devices from those used to store the security/surveillance data. These computer systems and storage devices must be password protected with different passwords used than for the security/surveillance systems. (See Appendix A of this report for document.)

There is a lack of transparency around the use of surveillance footage for marketing purposes.

Lack of Transparency or Notice to consumer

Transparency and Consumer notice in the digital signage ecosystem is woefully lacking.
First, the collection of consumer images can be extremely difficult to detect, if not nearly impossible. Digital signage does not usually come with a notice to the consumer that they are being recorded when they look at the screen. Digital signage does not usually come with any notice that facial recognition technology is being used to target ads to the consumer based on gender, age, and possibly ethnicity. And while some digital signage has obvious cameras affixed to it, other signage uses pinhole cameras that are extremely difficult to detect.

One manufacturer touted its pinhole cameras, one of which was shown tucked into an end-cap display in a way that would not be noticeable to most consumers:

At the heart of the platform will be a custom-designed DSP chip that will receive incoming visual data from an attached pinhole camera. The screen display unit will then be able to log viewer statistics based on their age, gender, and ethnicity and will be capable of reacting to these details based on the demands of the site display. [80]

Second, even when consumers are expressly asked to interact with digital signage and give information (such as calling a mobile number to play a game or to sign up for a coupon) the amount of meaningful information a consumer receives about the collection and use of the data is generally absent. As discussed earlier, privacy policies posted on web sites generally do not discuss digital signage installations or networks. Even if they do, it is unreasonable to provide notice to consumers of digital signage privacy issues on a web site instead of providing notice directly at the place the cameras or sensors are located.

Thirdly, when consumers are notified about recording, the notification can be euphemistic at best. A notification sign under a security TV at one Wal-Mart in Oceanside, California stated: “in order to bring you low prices, we use closed circuit televisions and electronic merchandise tagging systems.” That notice strongly suggests that the camera is for security and says nothing about collecting consumer information, and no other signs discussed the myriad other video and consumer tracking activity occurring at Wal-Mart.

A Walgreens in Encinitas, California, labeled each security camera with a large card that said “security camera.” One screen was not labeled this way, but instead said: “Providing safety and savings: video recording in process.” (Figure 6). What do these kinds of notices mean to consumers? Do the notices correspond to the reality of how the footage is actually being used? Do the notices cover all instances of consumer tracking in the retail space? Are the notices deliberately misleading?

Digital_Signage__The_One_Way_Mirror_Society_1

Figure 6
A video recording notice in a retail store. Is the video used only for security purposes?

In a blog discussion of notice to consumer and what consumers would accept regarding gaze tracking tools, one industry expert had this to say:

Mark Lilien of the Retail Technology Group had an interesting perspective, feeling that gaze tracking tools would be accepted as long as the retailer posts a sign telling folks that the store uses video surveillance. But rather than making it seem like an invasion of privacy, convey it in a positive light such as, “we’re using the finest technology in the world to help us stock what our customers want most. [81]

Lack of Consent, Opt-in, Opt-Out

In some instances, for example, in some loyalty card programs tied to digital signs, there are opt-in and opt-out structures available for consumers. For example, Hot Topic’s loyalty program offers such a structure for text messages and other marketing messages. But how does a consumer consent to being recorded and analyzed and targeted by digital signs that employ hidden or pinhole-sized cameras or sensors? How does a consumer opt out of being recorded in the first place? How does a consumer opt out of having her image captured by a camera and then analyzed by facial recognition software and then used for demographic marketing analysis or feedback on ad effectiveness? How does a consumer opt out of being offered targeted ads based on what her age is, or gender, or ethnicity? Does a consumer “passively consent” to this activity by simply walking into a store, or passing by a digital signage installation?

In many if not most instances, digital signage installations that capture images of customers or individuals have no consent structures in place. The only meaningful opt out available to people is to wear clothing that obscures their face, such as a hoodie and sunglasses. In the preponderance of situations, consumers images are being captured and analyzed without their consent, knowledge, or understanding.

Identifiable data capture – anonymity

As discussed throughout this report, digital signage networks can use advanced video analytics to capture, record, and analyze images of individuals. That this is occurring is unambiguous. What is ambiguous is the way industry defines privacy and anonymity. The digital signage industry has come up with non-standard and self-serving statements about anonymity and privacy. Somehow, there are widespread views in the industry that video images of identifiable individuals are neither considered to be private information nor identifiable information.

It is difficult to argue that a camera collecting and analyzing images with facial recognition technology to glean audience characteristics such as gender and age is not using personally identifiable information. An individual’s face is personally identifiable information. Period.82 As long as the digital signage industry uses its own convenient definitions of personally identifiable, stored, and recorded, then the industry will be out of step with consumers. .

Discrimination by Age, gender, and ethnicity

There is no question that age discrimination is a possibility with this technology. Targeting by age, gender and in some cases ethnicity is happening right now. One company selling technology capable of accomplishing this targeting wrote:

“The latest version of the company’s iCapture audience-measurement system can instantly identify older shoppers; earlier versions of the software could delineate between an adult and a child as well as determine gender and ethnicity. Coupled with the company’s PROM (proactive Merchandising) software, iCapture allows retailers and marketers to target senior shoppers by serving up ads that are interesting and relevant to them.

“We believe we have come up with a breakthrough in targeted marketing by allowing retailers and marketers to display age-appropriate content on a real-time basis, said George Murphy, CEO, TruMedia.” [83]

This “breakthrough” came in 2008, and the technology has matured even further since that time. The question becomes: how does a senior being targeted by his or her age consent to that activity? How do they opt in or opt out of the targeted ad? The ad is being targeted to them because of how they look in the camera. There is no hiding behind a computer or deleting a cookie or downloading an “opt-out cookie.” A sign telling a consumer they may see ads based on their race, gender and age might inform them of the program, but how can a person effectively give their permission for being targeted by their demographics?

It is not difficult to envision improper uses of this targeting capability. There are not appropriate or even any apparent controls in place to prevent this from happening.

Data retention issues

Some companies in the digital signage space state they do not store images collected from digital signage that captures images for video analytics, and they conclude therefore that privacy is protected. However, even in 2008 companies acknowledged in a New York Times article that image retention could be accomplished:

“The companies that make these systems, like Quividi and TruMedia Technologies, say that with a slight technological addition, they could easily store pictures of people who look at their cameras.” [84]

There is no enforceable standard that would force companies to erase data captured from digital signs and billboards, either facial recognition data, aggregate statistics, images, or other data. If a company wanted to put up digital signage that recorded every passerby or shopper, and stored that footage for later marketing or other use, it could. Who would know?

Sensitive information

When digital signage is used in areas where sensitive information such as financial or medical data could be captured, privacy concerns become more pointed. An example is use of images of individuals purchasing health products or prescriptions. Some in industry have raised additional security concerns in this area.

When Cardinal Health launched its Pharmacy Health Network in August 2009, the launch included flat-panel LCD screens placed in independent and franchised pharmacies throughout the United States. The idea was that video advertisements would run on the screens while people waited for prescriptions to be filled. Cardinal Health stated it would make the Pharmacy Health Network (PHNTV) available to more than 5,000 independent retail and franchised pharmacies throughout the United States. [85] The screens do not appear to record images of consumers. Nevertheless, the launch of the network attracted the attention of a CEO of a digital signage company, who wrote an open letter to the Chairman and CEO of Cardinal Health warning the company of broader potential security issues with digital signage installations.

“Because the PHNTV media player device is likely to sit on the same network segment as confidential patient information, any mildly capable hacker who is able to penetrate the digital signage player (especially one running Windows and using unencrypted HTTP transfers) now has a rogue device within the trusted Pharmacy Network from which they may attempt to access confidential patient information.” [86]

The author suggested three ways to solve the problem, and also noted that he did not want the significant security risks raised by the deployment of a third party system in any trusted medical or health network to become a “Canary in the coalmine example we all look back on in 10 years and recall as the great big lawsuit that made security a real topic in Out Of Home Digital.”

One blog commenter on the letter voiced the opinion that the system as implemented was not likely to fall afoul of best practices because the implementation did not collect data from the signs. [87]

Another issue related to digital sign deployment is wireless security. Many digital sign networks send information using wireless connections at some point in the infrastructure. [88] There are no available statistics on wireless security practices in the digital signage industry, but it is an area of concern for spying and for data breach. An intriguing concept to consider is how – or even if — a company using a digital signage vendor that was compromised would give consumers notice of data breach.

Information Captured on Children and Teens

Digital signage that captures data from teens and especially from children under the age of 13 may run afoul of the policy that is the basis for Children’s Online Privacy Protection Act, or COPPA. [89] COPPA applies to information collected online and requires affirmative parental consent, but online is ambiguously defined in COPPA. Most companies with digital signage networks appear to be silent on COPPA compliance in regards to, for example, audience measurement techniques and ad targeting.

Some companies with digital signage installations have acknowledged that targeting teens and children is inappropriate in general terms, but not in terms specific to the digital signage program.

Generally, taking images of children for audience surveillance purposes raises multiple issues that have not been addressed yet.

Combination of offline and online data and data from digital signage

One of the goals of placing advanced video analytics into digital signage networks is to tie that data to other data sources. This is understood within the industry:

“More sophisticated shopper analytics will be combined with other data sources, including loyalty programs and inventory management systems…” [90]

Loyalty programs are fairly simple to link to digital signage, as are mobile telephone numbers. The Castrol case in the UK shows how marketers will, if they can, link digital signage governmental databases for marketing purposes. The linking of digital video signage data to additional data sources is particularly sensitive because of the issue of identifiability.

__________________________________

Endnotes

[79] Raymond R. Burke, Retail Shoppability: A Measure of the Worlds Best Stores, 2005. p. 13. Originally published in Future Retail Now: 40 of the World’s Best Stores, Retail Industry Leaders Association. <http://kelley.iu.edu/features/archive/fall_2007/shoppability2.html>. 80 1-2-1 View Developing Audience Measurement Chip, Dec. 16, 2008. <http;//www.digitalsigagetoday.com/article.php?id=21238>.

[81] Laura Davis-Taylor, The In-Store Profiling Debate, May 20, 2008. <http://www.popaidigitalblog.com/blog/articles/The_in_store_shopper_profiling_debate-439.html>.

[82] See, for example, the Privacy Act of 1974 that provides that a photograph is a record about an individual. 5 U.S.C. § 552a(a)(4) (definition of record).

[83] Digital signage today, TruMedia’s PROM software targets digital signage ads, August 19, 2008. <digitalsignagetoday.com/article.php?id=20430>.

[84] Stephanie Clifford, Billboards That Look Back, New York Times, May 31, 2008.

[85] Cardinal Health launches in-store retail pharmacy digital advertising program. August 11, 2009, Press Release. <http://www.cardinal.com/content/news/8112009_112654.asp>. See also a more detailed description of the network and a demo video loop at <http://www.phntv.com/>.

[86] An Open Letter from Chris Riegel, CEO STRATACACHE to Mr. Goeorge Barrett., Chairman and CEO, Cardinal Health, August 13, 2009. Available at <http://www.dailydooh.com/archives/14964/print/>.

[87] Id.

[88] Deena M. Amato-McCoy, Stepping it Up: Traffic-Counting Technology Improves Marketing, Sales, Chain Store Age, Vol. 84, No. 5, May 2008. “By eliminating the cabling expense required with wired solutions, wireless options can be used in new settings, including across store departments and fitting rooms.”

[89] Children’s Online Privacy Protection Act, < http://www.ftc.gov/ogc/coppa1.htm>.

[90] Deena M. Amato-McCoy, Stepping it Up: Traffic-Counting Technology Improves Marketing, Sales, Chain Store Age, Vol. 84, No. 5, May 2008. Quote from John Szczygiel, president, Mate Intelligent Video.

Roadmap: The One-Way-Mirror Society – Privacy Implications of the new Digital Signage Networks: VI. What are the specific privacy issues posed by digital signage networks / what risks exist?

Return to Index

Posted January 27, 2010 in Behavioral Advertising, Consumer Privacy, Digital Signage, Facial Recognition, Future of Privacy, Online/Offline, Report: One Way Mirror Society, Retail Privacy, Uncategorized

New Report: Risky Analysis: Assessing and Improving AI Governance Tools

We are pleased to announce the publication of a new WPF report, “Risky Analysis: Assessing and Improving AI Governance Tools.” This report sets out a definition of AI governance tools, documents why and how these tools are critically important for trustworthy AI, and where these tools are around the world. The report also documents problems in some AI governance tools themselves, and suggests pathways to improve AI governance tools and create an evaluative environment to measure their effectiveness. AI systems should not be deployed without simultaneously evaluating the potential adverse impacts of such systems and mitigating their risks, and most of the world agrees about the need to take precautions against the threats posed. The specific tools and techniques that exist to evaluate and measure AI systems for their inclusiveness, fairness, explainability, privacy, safety and other trustworthiness issues — called in the report collectively AI governance tools – can improve such issues. While some AI governance tools provide reassurance to the public and to regulators, the tools too often lack meaningful oversight and quality assessments. Incomplete or ineffective AI governance tools can create a false sense of confidence, cause unintended problems, and generally undermine the promise of AI systems. The report contains rich background details, use cases, potential solutions to the problems discussed in the report, and a global index of AI Governance Tools.
National IDs Around the World — Interactive map

About this Data Visualization: This interactive map displays the presence...
Report: From the Filing Cabinet to the Cloud: Updating the Privacy Act of 1974

This comprehensive report and proposed bill text is focused on the Privacy Act of 1974, an important and early Federal privacy law that applies to the government sector and some contractors. The Privacy Act was written for the 1970s information era -- an era that was characterized by the use of mainframe computers and filing cabinets. Today's digital information era looks much different than the '70s: smart phones are smarter than the old mainframes, and documents are now routinely digitized and stored and perhaps even analyzed in the cloud, among many other changes. The report focuses on why the Privacy Act needs an update that will bring it into this century, and how that could look and work. This work was written by Robert Gellman, and informed by a two-year multi-stakeholder process.