UK Grocer Facial Recognition With Hikvision Cameras, GDPR And Ethical Risks Examined

By Charles Rollet, Published Jan 17, 2022, 05:02am EST

A UK grocery chain known for touting its ethical practices is running a live facial recognition (LFR) system across dozens of locations with tiny/often obscured signs and Hikvision cameras, sparking GDPR and ethics concerns.

The Mail on Sunday ran an article based on IPVM's investigation: Co-op supermarkets are using facial recognition cameras made by Chinese state-owned company 'to track its shoppers'

Executive Summary

IPVM photographed nine Southern Co-op stores with LFR, finding one with no signage viewable by entrants at all, while seven had small and often obscured signage. In contrast, the UK's data regulator says LFR should include "prominent signage" that is "clearly visible" and viewed "before" people enter covered areas. This system is also powered by Hikvision cameras, raising ethics concerns over the firm's extensive Xinjiang involvement.

In response, Southern Co-op told IPVM it had "found one sign missing" at a store and replaced it, adding that overall "we provide clear signage", defending the system's "97% accuracy"; however Co-op did not respond to IPVM's questions about Hikvision or provide more specific data on the system's performance/accuracy.

UK facial recognition firm Facewatch, which runs the LFR system, did not respond to IPVM's comment requests. Reacting to IPVM's findings, privacy organization Big Brother Watch said the ICO, the UK's data regulator, "should urgently open a high priority investigation" into the system which it called "invasive, unethical and anti-human rights".

System Background

In November, Southern Co-op, a member of Co-op (the UK's seventh-largest grocer with 2020 revenues of ~$15.5 billion), disclosed that it is running LFR across 35 stores in England "with higher levels of crime". Co-op is known in the UK for touting ethics, what it calls "the Co-op difference", e.g. emphasizing human rights and fair trade while being communally-owned by its members unlike mainstream competitors (e.g. Tesco).

In a statement to Silkie Carlo, director of privacy watchdog Big Brother Watch, Southern Co-op identified the 35 specific stores with LFR, mostly in the Southampton-Portsmouth urban area. Big Brother Watch has been campaigning for Co-op to drop the system over the privacy risks.

Facewatch Background

The facial recognition system is powered by Facewatch, a UK live facial recognition company which touts helping retailers catch shoplifters. Facewatch says it keeps a face database of "Subjects Of Interest" and alerts every time a matching face enters a store. Shoppers whose faces don't match the database have their data "deleted instantly"; SOI faces are kept for 2 years. IPVM examined Facewatch's GDPR compliance in 2019.

Southern Co-Op Says "Distinctive Signage", "Helped Reduce Theft"

Southern Co-op loss prevention officer Gareth Lewis explained on Facewatch's website that the LFR has "distinctive signage" and "has helped reduce theft in the stores where it is deployed":

In my role as the loss prevention and security manager, I have found that facial recognition is one such technology that has helped reduce theft in the stores where it is deployed. We have completed a successful trial using Facewatch FR in a select number of stores where there is a higher level of crime. All of our customers have been made aware with distinctive signage and we have introduced a system which does not store images of our customers unless they have been identified in relation to a crime.

IPVM requested specific data about the effectiveness of Southern Co-op's system but Co-op didn't respond on this point.

IPVM Methodology Explained

IPVM hired professional photographer Stuart Martin to take photos of nine of the Southern Co-op supermarkets confirmed to have facial recognition in the Southampton-Portsmouth area. The stores examined by IPVM were randomly selected.

What The ICO Says About Signage

The UK's data/GDPR regulator, the ICO, stated in a 2021 report that public places (including shops) using LFR should have signs that are "prominent", "clearly visible", and "accessible" to the public:

IPVM Image

The ICO also emphasized that the signage should be viewed "before" members of the public "enter the area covered" by LFR. For more on GDPR compliance, read IPVM's GDPR For Video Surveillance Guide.

Key Findings

In terms of GDPR compliance, IPVM found several risks:

  • One Southern Co-op using facial recognition had no disclosure to entrants that LFR was in use. This goes against clear ICO guidance that signage should be viewed "before" members of the public "enter the area covered" by LFR along with disclosure requirements in the GDPR's Article 13.
  • Seven stores using LFR had tiny, hard-to-notice stickers often obscured by sliding doors. This contravenes ICO guidance that LFR should include "prominent signage" that is "clearly visible" and "accessible".
  • All the stores had indoor signage disclosing LFR but these only included a link to Southern Co-op's main website. Southern Co-op's only LFR explainer omits many Article 13 disclosure requirements like storage periods and data requests.

The system's Hikvision usage also poses ethical and national security risks:

  • Hikvision has extensive and growing Xinjiang operations: it is currently financing and operating five large Xinjiang police projects worth ~$145 million and said it had ~500 staff there in November 2019. Hikvision's cameras were filmed surveilling four different Xinjiang concentration camps in 2020.
  • Although there are no legal restrictions on Hikvision in the UK, a UK parliament committee has (so far unsuccessfully) called for Hikvision to be banned in the UK over its Xinjiang involvement. Hikvision UK has refused to meet the UK's Surveillance Camera Commissioner about its Xinjiang operations unless in secret.
  • The UK Ministry of Defence's guidance "Is Not To Use / Install Hikvision" over unspecified national security concerns; Hikvision was created and is controlled by the PRC government.

Southern Co-Op Response

IPVM sent our findings to Southern Co-op, which responded below:

Our limited and targeted use of this technology is only where there is a high level of crime. It has enabled our colleagues to identify when a known repeat offender enters one of our stores and has given them the time to decide on any action needed, eg delivering customer service or 'aisle' presence, thereby preventing crime from taking place and removing a catalyst for violence. Where this is in use, we provide clear signage throughout the store.

  • We have 200+ stores and have this in 35 stores where there is a higher level of crime. We have no plans at present to further roll this out to more stores.
  • Signage is on display in the relevant stores including near the door, inside the door, behind our tills and on shelf edges and we periodically review to ensure this is displayed as per our requirements.
  • Only images of individuals evidenced to have committed an offence in the store, including those who have been banned/excluded, are used on our facial recognition platform.
  • The facial recognition technology that we use has a 97% accuracy rate - it has the most accurate facial recognition algorithms in the market as ranked independently by NIST (National Institute of Standards and Technology). There is also a human validation of the match.
  • The system is GDPR compliant and does not store images of an individual unless they have been identified and evidenced as a repeat offender.

Southern Co-op claimed the face recognition algorithm is "the most accurate" as "ranked independently by NIST", but this is nonsensical as NIST competitions rank numerous different algorithms across numerous different kinds of tests. Southern Co-op/Facewatch have not publicly disclosed their algorithm's name nor which rankings it competed on.

As IPVM has explained, no product or system is 'GDPR compliant' since there is no official GDPR certification body and complying with the GDPR is an ongoing process. Facewatch's GDPR compliance claim relies primarily upon a UK private sector lawyer the firm hired.

Southern Co-op Replaces Missing Signage

Southern Co-op said it had "replaced" a sign that went missing at a store in Portsmouth (IPVM identified one Portsmouth store, The Hard, with no LFR disclosure to entrants at all):

Having recently reviewed the signage at our sites, we found one sign missing at a store in Portsmouth. This has now been replaced. All other site signage was clear and correct including near the door, inside the door, behind our tills and on shelf edges.

After this response, IPVM re-visited The Hard's Southern Co-op in Portsmouth and confirmed that now prominent signage is on display:

IPVM Image

One Face Rec Camera Per Site

Southern Co-op also said its stores had one LFR camera per site:

We have one facial recognition camera per site and the technology that we use has a 97% accuracy rate. No facial images are shared with the police or with any other organisation.

However, at none of the stores IPVM visited was it immediately clear to shoppers which camera was doing the facial recognition.

No Response On Hikvision, System Performance Data

Southern Co-op did not respond to IPVM's questions about ethics concerns surrounding Hikvision. IPVM also asked for relevant data on how many arrests/interventions have been made thanks to the system; Southern Co-op did not respond directly to these requests, stating generally that their LFR system is "limited and targeted":

The purpose of our limited and targeted use of facial recognition is to identify when a known repeat offender enters one of our stores. We use a combination of facial recognition technology and human verification.

If a facial image match takes place upon store entry, these are flagged as an alert to the store/duty manager and then validated by a colleague in store. 'No match' images are immediately deleted from the system. Once a match is verified in person, our colleagues are able to use customer service and 'aisle presence' to deter any incident from taking place, or to escalate the incident as appropriate, for example, if the offender's entry on to the premises is in breach of an injunction or Banning Order.

The violence and abuse faced by our colleagues is sickening and unacceptable. We take our customers' rights extremely seriously and have worked hard to balance these with the vital need to protect our store colleagues, and any customers present, from these appalling attacks.

97% Accuracy Figure Examined

IPVM also asked Southern Co-op how it arrived at the 97% accuracy figure (e.g. false positive and false negative rates) and whether this accuracy still applied for people wearing masks and glasses. Co-op did not provide specific data but stated that masks do reduce accuracy "slightly"; however, "all our matches are verified in person":

The technology accuracy is slightly reduced with face coverings but all our matches are verified in person with any 'no match' images immediately deleted from the system.

IPVM's research from February 2020 found Masks Cause Major Facial Recognition Problems (over 50% loss in confidence). It is possible that accuracy has improved since then, although it is unlikely to have done so dramatically.

Big Brother Watch: ICO Should Investigate

Silkie Carlo is the director of UK privacy rights organization Big Brother Watch, which has been campaigning for Southern Co-op to drop the LFR system since 2020. Reacting to this report, Carlo told IPVM that the ICO "should urgently open a high priority investigation":

We have long had concerns about the legality of the Southern Co-op's use of Orwellian facial recognition surveillance, and this investigation shows the company is giving even the most basic privacy laws little regard. In our view, the Southern Co-op's surveillance practices are wide open to legal challenge and given the scale of impact, the ICO should urgently open a high priority investigation.

The supermarket is adding customers to secret watchlists with no due process, meaning people can be blacklisted and denied the opportunity to do their food shopping despite being innocent. This is a deeply unethical and frankly chilling way for a business to behave.

The Southern Co-op should drop its facial recognition cameras immediately. [emphasis added]

Carlo added that using Hikvision cameras helps make Southern Co-op's system "the most invasive, unethical and anti-human rights supermarket in Britain":

It is highly unlikely that the Co-op's customers have any idea their local supermarket is spying on them, much less that Chinese state-owned technology is being used to do it, unless through our investigations and media reports.

The Southern Co-op’s use of intrusive facial recognition and Hikvision cameras to snoop on shoppers makes them the most invasive, unethical and anti-human rights supermarket in Britain. [emphasis added]

ICO Response

IPVM presented a summary of our findings to the ICO and asked whether it would investigate. ICO did not comment on Southern Co-op's system but stated generally that Facewatch is "amongst the organisations" it is "assessing the compliance of" over private use of LFR technology:

Data protection law sets a high bar for police forces, public authorities and businesses to justify the use of live facial recognition (LFR) technology and its algorithms in public places. We have explained in two separate Opinions the important data protection standards that organisations must follow before and during the use of LFR.

As with any new technology, it is crucial that people's privacy is at the heart of any decisions to deploy LFR so public trust and confidence are not lost.

We are assessing the compliance of a number of private companies who have used, or are currently using, live facial recognition technology. Facewatch is amongst the organisations under consideration.

Surveillance Camera Commissioner Reaction

Fraser Sampson, the UK government's Biometrics and Surveillance Camera Commissioner, told IPVM "surely signs should be written, designed and displayed" in a way that "leave[s] people in no doubt that their images will be recorded":

On the issue of signage, this is beyond my remit but if the purpose is to leave people in no doubt that their images will be recorded if they enter premises and to exercise choice about whether they wish to accept that condition of entry, surely signs should be written, designed and displayed in a way that achieves that aim?

Regarding Hikvision usage, Sampson noted that Hikvision - which has refused to publicly meet him about its Xinjiang operations - "has said very little but their response tells people a lot":

This is a very timely question. While my statutory remit covers only the use of surveillance camera systems by the police and local authorities, I was asked to do an interview with Facewatch yesterday in which I addressed the importance of ethical practice – individual and corporate – if we are to retain public trust and confidence in the legitimate use of facial recognition generally. I also spoke about the importance of ethical leadership in this area which I believe involves not only responding to challenge but actively inviting it. As you know I have publicly raised a number of pertinent questions with Hikvision several months ago. So far their answer has said very little but their response tells people a lot.

One Store With No Outdoor Signs To The Public

One store, The Hard Co-op in Portsmouth, had no outside disclosure whatsoever:

IPVM Image

This presents the most clear GDPR violation risk since the ICO says signage should be viewed "before" members of the public "enter the area covered" by LFR. The GDPR's Article 13 says data subjects are to be notified "at the time when personal data are obtained" i.e. as soon as they are filmed.

As mentioned, Southern Co-op said the sign here was "missing" and it has now been "replaced", which IPVM confirmed:

IPVM Image

Tiny Signage That's Hard To Notice

Other stores IPVM examined did have outdoor signage, but it was tiny and hard to notice. At the Southern Co-op Elm Grove in Portsmouth, the sign was a hardly-noticeable corner of an A4-sized paper:

IPVM Image

Most stores had tiny square stickers rather than paper signs, e.g. the Southern Co-op on Archers Road in Southampton:

IPVM Image

The Southern Co-op Fawcett Road in Portsmouth:

IPVM Image

The Southern Co-op Winter Road in Portsmouth shows how many other stickers are present, with no effort for the Facewatch one to be made distinct:

IPVM Image

The Southern Co-op City Gateway in Southampton:

IPVM Image

And at the Southern Co-op Devonshire Square in Portsmouth:

IPVM Image

Signage Often Obscured By Sliding Doors

The problem with putting tiny stickers on sliding glass doors is that they are often obscured when the doors are opening/closing, e.g. the Archers Road Southern Co-op:

IPVM Image

Another example is the Southern Co-op on Eastney Road in Portsmouth:

IPVM Image

And the Devonshire Square Southern Co-op in Portsmouth, where the LFR disclosure is obscured by Christmas decorations when the door opens:

IPVM Image

Only One Store With Prominent Signage

Only one of the nine stores IPVM examined, the Southern Co-op at Commercial Road in Southampton, had a large sign that may be considered "prominent", "clearly visible", and "accessible" and was not on a sliding glass door:

IPVM Image

Signs Inside Stores

All nine Southern Co-op stores had larger internal signs disclosing facial recognition. However, these signs do not significantly improve the system's GDPR compliance:

  • The signs only included a link to the main page of Southern Co-op's website which has no information on facial recognition.
  • The only such information on Co-op's website, which is findable via Google rather than the link on the signs, is this notice which omits key information recommended by the ICO and the GDPR's Article 13, notably storage periods, how subjects can access their data, and the right to lodge a complaint.
  • The internal signs can typically only be seen after shoppers enter and have been captured by the LFR. However, the ICO has emphasized that signage should be viewed "before" members of the public "enter the area covered" by LFR.

Hikvision Camera Use Examined

Eight of the nine stores examined by IPVM used Hikvision cameras indoors and outdoors. One store (Elm Grove in Portsmouth) had Hikvision indoors but not outdoors, using a wide variety of camera brands throughout, unlike the others. The three Southampton stores had large indoor dome Hikvision cameras similar to this one that Facewatch tweeted in July:

IPVM Image

Southern Co-op told IPVM there is "one facial recognition camera per site", however it wasn't directly clear in any of the stores which specific camera was being used for LFR. The stores' exteriors featured a variety of Hikvision turret and dome cameras, for example, at Co-op Commercial Road:

IPVM Image

At Co-op City Gateway:

IPVM Image

At Co-op Archers Road:

IPVM Image

At Co-op Devonshire Square:

IPVM Image

At Co-op Eastney Road:

IPVM Image

At Co-op Fawcett Road:

IPVM Image

At Co-op The Hard:

IPVM Image

At Co-op Winter Road:

IPVM Image

Facewatch And Hikvision Background

In November 2019, Facewatch and DVS - a major UK Hikvision distributor - announced they had "joined forces" to distribute "a game changing, GDPR compliant facial recognition solution":

IPVM Image

As IPVM has explained, no products (or systems) are GDPR compliant.

Facewatch, Hikvision, DVS No Response

IPVM did not receive a response to our questions from Facewatch, Hikvision, or DVS. If we do, we will update.

Comments (9)

What makes LFR "illegal" compared to a human-based search of a suspicious visitor across printed photos of shoplifters?

Thanks for your comment, it's a good point.

To be clear, neither LFR nor human-based search is 'illegal'. But processing personal data is regulated by the GDPR, so both LFR and printed photos of shoplifters are covered by the GDPR and national data protection regulations. For example in Ireland, the data regulator has warned against sharing CCTV footage of shoplifting suspects.

What Southern Co-op/Facewatch are doing does pose a heavier GDPR compliance burden. For example, processing that is on a "large scale" and uses "new technologies" must do a Data Protection Impact Assessment (Article 35). Also, Article 9 specifies that "biometric data for the purpose of uniquely identifying a natural person" is a 'special category'. Facewatch's LFR system has numerous such biometric data profiles, creating a unique compliance burden.

Putting up a poster of a shoplifting suspect in a store can pose potential GDPR challenges. But this doesn't require processing the personal biometric data of every single shopper entering the store like Facewatch's LFR system does. This is why such systems are under much heavier regulatory scrutiny. As the UK's data regulator states, "where LFR is used for the automatic, indiscriminate collection of biometric data in public places, there is a high bar for its use to be lawful".

processing that is on a "large scale" and uses "new technologies" must do a Data Protection Impact Assessment

Has this Co-op done that? Is such an assessment public?

Good question, I've just asked them that and will update. Worth noting that despite clear GDPR language, Facewatch says DPIAs are "not strictly necessary in most cases" such as if the processing is "for the purposes of crime prevention and detection":

As a Data Controller you must perform a DPIA for processing that is likely to result in a high risk to individuals. There is unlikely to be a high risk if your business conducts this processing for the purposes of crime prevention and detection in line with your business’ procedures, the 6 Data Protection Principles and the Facewatch Subscriber Agreement

However, it is good practice to prepare a DPIA for any processing of personal data where there is a risk to individuals from such things as human error, misuse, unauthorised access or a disproportionate response.

A DPIA, whilst not strictly necessary in most cases, will help you identify the measures your business takes in order to reduce the likelihood or impact of those risks, and thereby fulfil both the Accountability Principle and the requirement for Data Protection by Design and Default contained within the UK Data Protection Act 2018 and GDPR. [emphasis added]

To be sure, there is no language in the GDPR that "crime prevention and detection" does not constitute a "high risk". That is Facewatch's (quite convenient) view.

Also, no, there is no mandate for DPIAs to be public. Some companies may publish theirs to reassure the public but that is voluntary.

Update - Southern Co-op said they did a DPIA, but they refused to release it:

Southern Co-op carried out a data protection impact assessment which we consider to be confidential business information. We were satisfied with the results and believe that our use of the system meets the tests of being necessary and proportionate.

Are there any tangible examples of harm, injury or damage caused by Co-op’s use of these LFR cameras? If yes, has it been litigated?

We all clearly understand the big brother argument, however private businesses should not be held to the same standards.

Just read an article stating the UK government is going on an anti-encryption marketing blitz to educate the public that end to end encryption is harming our children. Not a joke.

Governments are hypocrites with no credibility. Leave the private businesses alone and focus on your own deficiencies.

Update: although Facewatch did not respond to IPVM's requests for comment for this article, its CEO Nick Fisher accused us on LinkedIn of being "a mouthpiece for Big Brother Watch":

IPVM Image

Of course, IPVM is not a Big Brother Watch "mouthpiece". We quoted them due to their activism on this issue - it is widely cited in the UK press on privacy issues as shown on their Media page.
