London supermarket secretly photographs alcohol/cigarette buyers, wants national database

Budgens, a London supermarket chain, secretly records biometric facial photos of people who buy cigarettes and alcohol and compares it to a database of known underage buyers, and they're hoping to link their database with other grocery chains around the country. This means that just bringing a bottle up to the till means that your likeness and details will be added to a nationwide database, recording your movements and purchasing habits.

They'll probably be forced to drop the "secrecy" bit in the end, but that will not bring an end to the practice. Instead, they'll just put a sign up next to the till saying, "By buying alcohol here, you agree that we can violate your privacy and share your information with anyone we feel like." After all, that's what they do with the CCTV signs in London already.

If successful, it could be rolled out across the country to create a database of youngsters who try to buy alcohol.

The system alerts a cashier if it 'recognises' someone who has previously been unable to prove they are 18.

It is believed to be the first time a British retailer has used the technology in this way.

The software takes measurements between key points on the face to make a template of a person's features that is stored as a "token".

Customers' images are monitored and relayed to a control centre to be compared with under-18s already on record.

Future options include other retailers linking the scheme to their shops to create a giant database.

Link (Thanks, Frank!)


  1. so how would someone who’d just turned 18 get off the database… (let alone the implication in the first place of there even being a database…)

  2. I suggest hooking some tazerbot or gunbot to the biotrics for easy automated disposal of the offending youff.

    cost you an eye and a kidney! Welcome to the light universe…

  3. *Sigh* America’s point of view on the UK CCTV debate is so dumb it’s almost not worth commenting on. But here we go…

    Firstly, this will never take off because secretly the other supermarkets will never take up the scheme because of a. the privacy issues and b. the fact that Budgens has in one fell swoop lost all of it’s underage customers plus many more who simply do not want their photograph taken.

    But on a wider note. The way America views the CCTV system in the UK is simplistic at the very least. It would serve you better to be more suspicious of your government than you are of the UK’s approach to CCTV.

    In short the thousands of CCTV cameras that photograph us everyday and follow us as we move around the cities are not networked together, are often terrible quality and are rarely monitored live. CCTV is only valuable to the Police after the fact and most of the footage that is recorded is simply overwritten within a few days.

    This suspicious attitude that we are monitored, watched and our movements recorded in some file is a very generous assumption but I can assure you we are no where nearly that organized.

    Instead you should look to your own government’s stealthy passing of bills that give them the right to tap your phone, and monitor you in far more underhand ways, all without your knowledge. As well as fly you out of the country to torture you, keep you locked up illegally and waste your hard earned money stealing other peoples countries, while your poor die without health care.

    So come on BoingBoing, try journalism instead of this nonsense.

  4. How can the software determine the age of the person shopping? I don’t really see how this system helps do what they say it does! It just registers everyone who buys alcohol and cigarettes. Or do under eighteens have a particular measurement between the eyebrows?

  5. @Spooke : I might be wrong, but I’m fairly sure that Cory is Canadian and lives in London, so whilst I think you make some fair points about CCTV in Britain, perhaps you should do a little research on the author before making your own assumptions.

  6. Apologies Cory but the tone was distinctly American and the sloppy nature of the piece only goes to promote these incorrect attitudes to CCTV.

  7. Hey, Spooke — get stuffed.

    I’m a Canadian.

    I live in Britain.

    This isn’t “American” perspective on anything.

  8. God, the British smugness about civil liberties is insufferable.

    The UK suspended habeas corpus first, and more enthusiastically.

    The UK is closer to a national ID infrastructure than the US.

    The UK allowed (and finally rescinded) a regulation that would fingerprint all passengers in T5 in London.

    The UK passed RIPA, then sat quietly back as the Met and local councils used the extraordinary, invasive anti-terrorism powers to spot people whose dogs muck the pavement.

    The UK collects enormous amounts of financial data on its citizens, then lets the bloody HMRC repeatedly lose 25,000,000 households’ worth of that information. Repeatedly. Over a period of years.

    The US is not a model nation by any means, but whatever privacy-discarding madness it is gripped by, the UK is likewise in the grasp of.

  9. Other lovely facts about the British approach to privacy:

    If you’re arrested (or even brought in for interrogation but not charged), your DNA is sampled and held on file, indefinitely, whether or not you are convicted of any crime.

    Immigrants — even those who’ve lived in the country for years, as I have, and are only renewing their visas — are now required to give a full suite of biometrics to the Home Office.

    HMRC maintains a semi-secret taxation records-keeping system for the wealthy and titled, because they don’t believe that the existing system used by “normal” people is secure.

    British passports have biometric identifiers and RFID chips.

    Scotland Yard has announced its intention to begin to mine Oyster Card data to automatically identify “criminals.”

    The head of Scotland Yard advocated DNA sampling for children as young as 5 who exhibit “antisocial” tendencies, so as to make it easier to arrest them later in life.

  10. OK,

    I hate Big Brother, the Nanny State and the incessant bloody need for people to know every little thing I do but I don’t see why this is so terrible.

    According to the article the system stores key points as a token (or hash). It does *not* take a photograph of the person doing the purchasing.

    What the supermarket is doing is only a privacy issue if:

    – multiple databases use the same information and its possible to cross-reference people using their facial hash.
    – It is possible to convert the points back into a photograph

    I’m not saying that these aren’t the case but scare-mongering like this only makes those of us who are trying to argue reasonably about privacy seem like crazies.

  11. No, it’s not necessary for the hash to be reversible in order for it to violate privacy — for example, the hash may be stored with other identifiers (e.g. names gleaned from debit cards) or may be mined after the fact — e.g., someone wants to figure out if you were in a certain place at a certain time, so they take the hash of your face and run it against the database.

    Indeed, the storing of hashes without other identifiers creates new privacy risks, inasmuch as such hashes will necessarily contain many collisions, so that false circumstantial evidence of your presence at a given till could be generated, without any way for you to refute it.

  12. This is a perfect example of how in the UK (and I do live there, at least until they try to rename me with a serial number) the response to even the smallest of problems always seems to be some kind of invasion of privacy.

    If Budgens staff are checking IDs properly, i.e. when someone doesn’t appear to be old enough, this system won’t make any difference to underage drinking. You could still get someone else to buy it for you, or use a fake ID.

    Given the current climate of nannyism and surveillance in the UK, I can imagine somebody proposing to use a system like this to monitor who is smoking and drinking, and how much, or even who is eating unhealthily.

  13. Sad news, Cory… Halas, France and others eurocountrys are catching up with Civil Rights bashing and liberticideness! No good.

    Perhaps, there will be light in the dark universe.

  14. Well, side-stepping all the UK/US-bashing, whether or not it works as advertised is a valid point. I guess that if they don’t try to link the facial data with actual identities then the argument could be made that the database isn’t covered by the Data Protection Act. However, unless they link the data with identity they won’t be able to tell when a person passes their 18th birthday and so, presumably, would be allowed to shop for alcohol and tobacco again. And if they don’t do that, then there’ll be a significant pool of customers that they’ll lose to someone who isn’t so fussy.

    I’m wondering if the software works at all well — there don’t seem to be a lot of points in the example picture, less than in a good fingerprint match and faces vary less than fingerprints do — and Budgens isn’t just trying to recoup the development loss by marketing it to other chains.

  15. Actually, if you’re going to bash any group for this farce of an idea, it should be the programmers and marketroids who come up with expensive and technologically baroque solutions to simple problems. As Gareth says, all the stores have to do to be compliant with the law is train their staff to examine IDs properly. What’s the compelling sell on this toy that they should pay out for it and the support staff it will require?

  16. And furthermore, Spooke, the fact that all these cameras “are not networked together, are often terrible quality and are rarely monitored live” does not make anything OK. It simply tells us that for the limited uses in limited locations we might find them acceptable they, or their masters, do a rotten job. Everywhere else they do something unacceptable rather badly. That is nothing about which to be relaxed.

    “CCTV is only valuable to the Police after the fact” – it also becomes valuable to anyone else who secretly acquires it and uses it for private gain or purposes which the subject of the film hasn’t had a reasonable opportunity to prevent and may consider unreasonable at exactly the same moment.

    And by the way, in Central London they are currently as networked together as is possible and you can bet that will be case at any point in time from now on – i.e. more and more.

  17. @ #12 Bluesheep,

    The supermarket clerk who looks at you may also remember your face. But the reason we don’t worry about this as an invasion of privacy and do worry about the recording of computerized image data, however crude, is that it is possible to combine such data into huge computer databases–even if this is not done initially it can be done later.

    And what is the problem with computerized databases? Myself not being so well-informed as Cory, I know of at least two such problems.

    One is the ease with which such data can be superficially searched looking for abstract criteria that supposedly predispose a person to “bad behavior”. This can easily lead to lots of innocents being harassed (remember innocents being kicked off airplanes or searched every last time because their name is similar to the name of a terrorist), or people guilty of something minor (e.g. dog pooping) being persecuted by overzealous authorities just because it computers make it easier to do this than to pursue greater crimes.

    The other is much, much worse: such data is easily *manipulated*. Take the American presidential election in 2000 in Florida. According to research of Greg Palast, tens of thousands of citizens, many of them black and probably democratic, were systematically prevented from voting in the following way: 1) convicted felons are prohibited from voting by law; 2) the voter rolls were computer-searched and people whose names remotely resembled those of convicted felons were identified; 3) these names were automatically purged from the rolls. Fact 1 is unethical in itself, but 2 and 3 would not be possible without the digitization and dehumanization of the entire process of dealing with large lists of personal information.

    I think it is good to bring out this particular aspect of the subject more clearly: computerization makes certain types of abuse, previously unthinkable in the days of paper and typewriters due to sheer impracticality, as easy as the touch of a button. And since things are changing so fast, it is going to be harder and harder to predict new kinds of abuse that have become possible just due to computerization of personal data.

  18. From a paranoid American view, we do notice all the horseshit our government is trying to throw at us and we don’t want end up like the UK.
    While any of these technologies may be harmless in and of themselves at first, how can anyone, with any sense of history, not feel that they could all lead to future serious abuses of power. We get used to seeing CCTVs everywhere..what’s the harm in that? Oh, our picture gets taken at the grocery, I can get used to that, I’m not a criminal. Then my phone is tapped, my e-mails are scanned for any words that raise red flags. In time the word “Terrorist” is used to defame anyone who disagrees with the powers that be much like “Communist” used to and a whole string of data can be formulated to prove whatever the fuck a savvy editor who gets a hold of all your recorded information and data trail wants.

    Back to the topic of Budgens…I imagine this technology is going to work just as well as the American No-Fly list.

  19. This reminds me of the time I tried to get into an R-rated movie a month shy of my 18th birthday.

    I still haven’t seen that damn movie, but I did hear it was kind of crap.

  20. I just have an offtopic question. It’s about the national ID issue.

    Why is it so bad? Here in Spain we’ve to got a NID as long as we’re older than 16. And it’s been that way for a long time. As far as I know, my parents have been using them since they were young!

  21. Underrat @22:

    Then my phone is tapped, my e-mails are scanned for any words that raise red flags.

    My emphasis.

    You seem to be labouring under the illusion that this isn’t already happening in the US.

    See, I can’t really object to Cory’s observations about the panopticon society that we’re evolving, in part because he’s never tempted to do the UK/US comparison thing about it. I do take exception to hyperbolic comments about these blog entries that paint the UK as if Orwell’s 1984 was already extant, and that Oceania, sorry, the US is a haven of freedom. Whereas such comments reveal exactly the same kind of complacency the commenter accuses we Brits of.

    The three-letter agencies in the US already have the power to tap your phone and read your email without any oversight. They even have the power to throw you in the clink without due process, provided they can smear you with the “terrorist” label first.

  22. The thing about CCTV is that it tends to be a privately owned camera monitoring either public property, or the camera owner’s property.

    As a photographer I spend a lot of time defending my right to take pictures in public, so I’m not really sure that I can then turn around and argue the opposite with regard to private CCTV.

    Government monitoring and tracking systems are a completely separate matter of course.

  23. Dear Stygyan:

    How often do you have to show your NID card? Driving? I suspect driver’s licence there. Walking down the street? In your home? At work or school? How many times a day do you have to PROVE to your own government who you are? A NID makes it easy for them to make it mandatory fifty times a day if they wish – for any activity or place.

    As for any business that photographs me; expect me to be willing to pay more at your competitor to have my rights respected. I am slapped in the face daily by lying government, I’m not taking it from insolent merchants.

  24. @Cory: “The US is not a model nation by any means, but whatever privacy-discarding madness it is gripped by, the UK is likewise in the grasp of.”

    ====Disclaimer====: I’m involved with my employer’s CCTV and aware of the legal position of such systems. I’m also a member of ORG, Liberty, Amnesty and various other orgs active in this area.

    Cory’s statement is true, I think, but it is not inconsistent to point out that many of the civil libertarians who hold up the UK’s CCTV setup as a national surveillance state (a) don’t know anything about how it actually functions, and/or (b) are using it as an admittedly very efficient posterchild for the wider case about a surveillance society. Spooke was correct in all his factual statements, although getting into a “your country is more big-brothery than mine” is nonsensical and counter-productive.

    That’s not to say that there aren’t /genuinely/ dangerous attempts to deploy a CCTV panopticon with ANPR and/or facial recognition – such systems are vastly more dangerous than individual systems operated by local businesses and the like.

    Whether the UK or US is at greater risk of descending into V-for-Vendetta land is largely irrelevant, really; so far as I can tell, Cory’s right that we’re both enthusiastically abandoning our traditional rights to privacy. It’s rather like the people who holler about global warming causing a 100 metre sea-level rise in the next few decades — it’s sufficiently wrong that it gives ammunition to the cynics and nay-sayers.

    If in doubt, go to primary sources. There’s a lot of stuff about the operation of the DPA and CCTV on the net. (Hint: google Mark Thomas’ situationist comedy fun & games with CCTV systems.)

    “Brother, brothers, surely we should be struggling together against the common enemy!” (“The People’s Front of Judea??”)

  25. In Germany, you have to show your ID card if you look too young and want to buy alcohol or cigs.

    Warning! This low-level solution will not spill money into the security industries accounts! This solution will not make the lobbyists happy. This solution will not lead to a database of smokers and drinkers. Therefore, this solution is of no use to health insurance companies.

    This solution is only meant to protect minors from drugs. How stupid, huh?!

  26. @ #2 – that was my thought too. What happens when the kid turns 30 and still can’t buy booze?

  27. ‘protect minors from drugs!’

    heh, just one more incentive for yon teenagers to smoke a spliff instead of going through all the hassle of getting some semi-‘legal’ intoxicants!

  28. the answer is: moonshine! nuthin like a little home brew, and tendin the still keeps the kids off the street

  29. #27 You are absolutely right. If anyone here in the US thinks we do have true freedom and privacy, they’re living in a delusion. This is why many of us support the EFF and ACLU and support grassroots Libertarian campaigns. I really don’t want to get into a UK vs US pissing match about who has lost more freedoms. Looking at my post, the wording of ‘not ending up like the UK’ was poorly stated, I just don’t want to attain the comfort level of just accepting all these things as o.k. They aren’t.

  30. “So… can we expect an Instructables for spoofing this system?”

    Clear tape. Use it just before purchasing to pull your ears or eyebrows into a slightly different position. With a little work you might also change the shape of your nose.

  31. Why would anyone spend money on this system? They already need to be checking IDs to put someone into the system as “unable to produce ID”, and to allow people who later are able to produce ID, or are old enough that they are now legal.

    Once you’re checking IDs, what’s the point of the camera system?

  32. Noen- As used in the league of Gentlemen! This is a local shop! Nothing for you here!

  33. #32 babasikander

    This solution is only meant to protect minors from drugs. How stupid, huh?!

    Hmm… Do they really give a damn if minors buy booze? I doubt it. I think this solution is probably designed to protect Budgens from prosecution. Just guessing here, but Budgens’ lawyers and accountants probably cooked up this idea as a way of mitigating liability.

    Still guessing: Britain has some pretty draconian penalties for selling alcohol to minors. Budgens cost-benefit analysis concludes that it’s potentially cheaper to treat all customers like criminals. This is the logical conclusion of a stupid public policy.

    Set me straight, Brits.

    Off Topic:
    #30 Takuan: I’m back in Flagstaff, and am determined to find a photo of that bicycle with beer kegs for wheels!

  34. Apologies Cory but the tone was distinctly American and the sloppy nature of the piece only goes to promote these incorrect attitudes to CCTV.

    Incorrect attitudes? You sound like the Chinese Communist Party or the Saudi Morality Police.

    On a lighter note, the immediate solution to this problem can be found by carefully studying The Dukes of Hazzard.

  35. Uhhh. . . civil liberties aside, underage buyers aren’t underage FOREVER. Can you imagine legally buying smokes or booze on your 21st b-day (or whatever constitutes “adult” in the UK), only to have the computer say “no”, and the cashier confiscate your legal ID as “an obvious fake ID” because you’re “underage.”

    I imagine they’d have the foresight to figure in aging, but then I never underestimate the propensity for these things to get screwed up.

  36. I’m not much of a conspiracy theorist, but this system sounds like it’s meant for something other than what they say it’s for. What economic incentive does a supermarket chain have to spend huge sums of money on this system to solve a problem (underage purchase) that actually increases sales. I suppose the chain would save fines from the government for underage sales when caught, but unless they are doing extremely poor verification now, that can’t be that much. And in that case the problem is cashiers not doing their job of checking ids correctly. Why should their customers have to submit to this degradation of privacy to solve a problem with the cashiers.

    No, it’s pretty clear to me that this system would be primarily used for other things. Tracking known shoplifters or bad check writers might be one thing. Perhaps the police would get a feed allowing them to track known lawbreakers.

    Most disturbingly, I see it being used for marketing purposes. In the USA all the supermarket chains give out “member cards” with unique ids, so that they can track what a particular person buys over time. This data is so valuable to marketers that I usually save 10-20% off my grocery bill using a “member card”. But it’s also currently fairly easy to fool the system by registering for multiple cards with bogus information.

    A biometric recognition system would be the ultimate tool for letting marketers identify which purchases were made by which person. They wouldn’t even have to offer discounts for that privacy invasion, which could save big bucks for the chains, at our expense.

  37. It’s 18 to drink in the UK, and 16 to smoke. Driving is 17 and sex is 16 (was 18 if you were gay, changed to 16 in 2000).

    And AFAIK they couldn’t ‘confiscate’ your ID, it’s your property and they are not a member of the constabulary.

  38. I think there’s a point to be made about ID in the US. I’ve smoked for close to ten years now, and I’ve /never/ been asked for ID before living in the US when buying tobacco. With alcohol, I’ve been asked maybe once or twice in the UK when I was about eighteen and going to a bar in Leicester Square–which is touristy enough that it probably gets checked up on by the police–before seeing a film. In the US I can’t buy booze without ID–or if I do, because I always try just to see what happens, the guy behind the counter gives me a wink, like he’s doing me a favour. In western Massachusetts, I couldn’t get booze even /with/ ID, because the ID had to be checked by a machine that only reads US driving licenses. I was twenty-two and had to get my mates to buy me beer. Talk about demeaning.

    So it’s changing, obviously, but I never carried ID in the UK, but I can’t go anywhere without it here. So there’s that.

  39. I imagine most BB readers, as people with an interest in the intersection technology, society and culture, broadly speaking subscribe to the view that attempting to suppress (say) hacking tools because they can be used for $evil is foolish. The fallacy is that “hacking tools” (or knowledge of nuclear physics, or possession of “piracy software”, using p2p, whatever) should be banned because they can be used for evil. Well, so can a garden fork; should we ban those? Of course not; the positive effects outweigh the negative. We are all familiar with this argument in many different forms.

    So what are the possible positive uses of mass CCTV of public places, controlled by tens or hundreds of thousands of different individuals and organisations?

    Is there no way that pervasive video can be used for good? If I didn’t think the answer was “yes”, I’d hand in my Nerd Pride card on the spot and vow never to use PGP again…

  40. @#45 – My experience is similar. I grew up in England, and emigrated in ’92 when I was 22. I was carded exactly once there while buying alcohol, at Heathrow Duty-Free of all places. I don’t recall any of my friends ever being asked for ID either, for that matter.

    Is the U.K. getting more America-like about checking ID these days? Are they descending likewise into MADD-induced insanity?

  41. @44 Arkizzle

    It’s actually 18 to buy smokes now too, got raised last October.

    Though this is a massive invasion of privacy, I don’t feel it was that unexpected that a supermarket would propose such a system eventually.

    This is because of the ridiculous, hugely over-the-top fines slapped on anyone involved in a transaction selling alcohol to under eighteens. Both the store and the purchaser can be fined, as will the store clerk in question, who can also be JAILED, for up to 3 months. For selling fucking alcohol to some kids.

    This is an overreaction from a relatively small supermarket chain to an extremely poor set of legislation. Stores are terrified of losing their alcohol licenses, as you are only allowed three mis-sales per year and the police regularly pay underage kids to attempt to buy alcohol. In that kind of situation, just reminding your staff to double-check id’s isn’t enough.

    That said, I still think this is a huge invasion of privacy, and wouldn’t shop in these stores even if I could (I’ve never seen any in my area), but I can understand how they would come around to this point of view.

  42. The shopkeeper looked at his screen and gave Tommy a very funny look, but he did let Tommy buy the pack. Outside, as Tommy shook a cheap, dirty-tasting fag out of the box, he looked over his shoulder. The merchant was making a phone call. Tommy lit the cigarette and headed out to enjoy the day.

    Later, he went to buy a pint. The bartender shook as she handed over the sloshing glass. Her eyes darted back and forth. Then she went to clean glasses at the far end of the bar, keeping an obvious eye turned on Tommy. Tommy tried to enjoy his beer.

    A hand rested on his shoulder. “You should come with us,” said a friendly voice. It was a police officer. “You’re wanted for armed robbery.”

    At the station, Tommy tried to explain himself. He was sixteen and still went to school. He was not a violent criminal.

    “If you’re underage,” the sloppy officer said, sloshing milky tea into his saucer, “What are you doing out of school, smoking?”

    He had him there.

    The officer snapped his fingers. “I get it. It’s the face software. You just look like this robber, that’s all. Don’t go smoking and drinking, though. And stay in school, now.” The officer seemed slightly flustered as he shooed the boy out.

    Then Tommy stood blinking int he sunlight, wondering what this resemblance would mean for the rest of his life, and whether the two of them would keep looking the same as they aged. What if the other man committed murder? What if Tommy didn’t have an alibi?

    He also wondered if this other man would be able to buy a beer, the next time he tried.

Comments are closed.