Over 100 supermarkets and convenience stores in the Tokyo metropolitan area have been recording images of shoppers’ faces as part of antishoplifting measures. Though the stores have posted signs stating cameras are in place, the stores have been sharing the biometric data of customers without their knowledge.
Such sharing should be considered an invasion of privacy and contrary to the intention of Japan’s Personal Information Protection Law.
After 115 stores of 50 separate companies installed a shoplifting prevention system, they obtained the power not only to record every customer’s face but also to share that record in a network.
If a person shoplifts or makes unreasonable complaints, camera footage of the person is turned into biometric data and classified into categories such as shoplifter or complainer. That data is then stored on the firm’s server and made available to other stores.
When the same face is recognized at another store, the staff is notified that the blacklisted person is in their store.
Because the accuracy rate of current recognition software has become extremely high — 99.9 percent accurate by some accounts — the data is more or less equivalent to the original image. That means that even when the original images of the faces are not made available, a nearly complete replication of that face, in data form, is being shared.
The problem is the lack of checks on the system. Seemingly, whoever has access to the network could classify customers according to an arbitrary criterion. But what constitutes an “unreasonable” complaint is open to question. And whether an act of shoplifting is reported to the police, and whether the suspect is convicted of the crime, are matters of the law. They should not be a matter of how an employee feels about it.
Unfortunately, with this technology, stores are now able to put people on a blacklist for any reason whatsoever.
Biometric recognition systems have become increasingly sophisticated. More than ever before, such systems can quickly and easily confirm the identity of a captured image and connect that information to other data.
These biometric systems were primarily developed to identify terrorists in airports and other high-risk situations. Those terrorists are a far cry from a high school kid who slips some candy into his pocket or an elderly person who complains too loudly about bad service.
The current Personal Information Protection Law states that facial images are considered personal information. They can be filmed for the purpose of crime prevention, but sharing data with a third party without the person’s consent is clearly not the intention of the law.
Stores must recognize that their customers’ legal right to privacy is just as important as their right to protect themselves against shoplifters. For its part, the government should update the Personal Information Protection Law as necessary to keep pace with rapidly evolving technology.