Mastercard’s roll-out of biometric-authenticated payments is merely the latest example of the accelerating encroachment of biometrics into everyday life. But a global push back is gathering.
Card payment giant Mastercard appears to be determined to wean consumers off not only cash, its eternal rival, but also credit and debit cards, its main line of business until now. To that end, it is about to launch a pilot “biometric checkout program” in the UK. The so-called “Smile to Pay” system will allow shoppers to purchase goods and services in store by smiling into a camera or waving their hand over a reader and is optional for the moment.
The UK is already the fourth most cashless economy in Europe, according to research by personal finance website money.co.uk. In 2017, debit card payments overtook cash for the first time. COVID-19 has turbocharged this trend. In the early months of the pandemic cash use was heavily demonized around the world for increasing the risk of Covid-19 infection. In early March 2020, a WHO spokesperson said: “We know that money changes hands frequently and can pick up all sorts of bacteria and viruses … when possible it’s a good idea to use contactless payments.”
Media outlets and long-standing enemies of cash such as credit card companies like Mastercard and fintech start-ups seized on the WHO’s comments and magnified them, sparking fears over the safety of cash. Businesses in the UK, both large and small, refused to accept cash. Many still do, even as COVID-19 restrictions have been lifted. At the same time, the UK government and regulators have steadily increased the contactless limit, first from £30 to £45, and then to £100 in March 2021.
This has all helped to increase the use of digital payment methods. But are consumers in the UK (and beyond) ready to ditch the contactless cards to which they have grown so accustomed and begin transacting with parts of their body?
It’s All About Convenience
Payments using gestures have struggled to gain widespread traction among consumers in the UK, the Financial Times reports. But that hasn’t stopped Mastercard from pushing them even harder.
Consumers have to first enrol in the program, by using their phone to scan their face, before being able to take advantage of its supposed benefits. According to Mastercard, they will include shorter queues, improved hygiene and greater protection from fraud. Convenience, as ever, is the watchword.
“The new technology ensures a fast and secure checkout experience, while also empowering consumers to choose how they want to pay,” the company said:
“No more fumbling for your phone or hunting for your wallet when you have your hands full – the next generation of in-person payments will only need a quick smile or wave of your hand. The trusted technology that uses your face or fingerprint to unlock your phone can now be used to help consumers speed through the checkout. With Mastercard’s new Biometric Checkout Programme, all you will need is yourself.”
In other words, consumers will not have to use safer two-factor authentication — biometrics plus a PIN or password — if they don’t want to. And they are essentially being encouraged by Mastercard not to. Another problem is what happens when the technology suddenly stops working, as tends to happen on an an almost monthly basis with the facial recognition automated verification technology being used at UK airports’ EU passport gates, often resulting in major disruption.
Biometric systems are also prone to biases. Facial recognition software have proven to be notoriously inaccurate on women and those with darker skin. Another issue is the security of the biometric data once it is in Mastercard’s hands. As I note in my book Scanned, if biometric data is hacked there is no way of undoing the damage:
You cannot change or cancel your iris or DNA, like you change your password or cancel your credit card.
“The idea of a data breach is not a question of if, it’s a question of when,” says Professor Sandra Wachter, a data ethics expert at the Oxford Internet Institute. “Welcome to the Internet: everything is hackable.”
Mastercard is also staking a claim to a wider role in the emerging biometrics payments ecosystem. Ajay Bhalla, Mastercard’s president of cyber and intelligence, told the FT that Mastercard could act as the “enabler of the ecosystem”, setting unified privacy and security standards for a technology that has raised serious concerns among privacy activists and data protection campaigners.
The idea of Mastercard setting standards in the emerging field of biometric payments is hardly comforting given Buzzfeed’s recent exposé that both it and Visa have been maintaining “a strikingly permissive relationship” with companies accused of credit card fraud:
A yearlong BuzzFeed News investigation reveals that both Mastercard and Visa, which together process three-quarters of all US credit card payments, move money for businesses with extensive records of fraud — making it possible for them to keep swindling customers, sometimes for years. The credit card giants collect a percentage of every sale, legitimate or not.
Mastercard also currently faces the biggest class action lawsuit in British history. The company is accused of charging excessive “interchange” fees — the fees retailers pay credit card companies when consumers use a card to purchase a product — between May 1992 and June 2008 and that consumers ended up bearing those costs as retailers raised prices. If found guilty Mastercard could end up paying out as much as £14 billion, which would be the equivalent of £300 each for all 46 million claimants.
Brazil, Middle East and Asia First, UK Next
Before testing its “smile to pay system” in the UK, Mastercard is trialing it in Brazil this week. Five St Marche supermarkets in Sao Paulo will allow customers to pay by smiling or waving. More pilots are being arranged in the Middle East and Asia.
It is common practice for Western companies, NGOs and supranational institutions to pilot biometric ID and payments schemes in the poorer, less developed parts of the world before unleashing them on more mature markets. Thanks to the surge of mobile communications as well as the huge numbers of unbanked citizens, Africa has become an ideal testing ground for cashless living and biometric identity programs.
The Better Than Cash Alliance, (BTCA), a UN-hosted partnership of governments (all of them in the so-called “Global South”), companies and international organizations funded by the Bill & Melinda Gates Foundation, Citi, Ford Foundation, MasterCard, Omidyar Network, the U.S. Agency for International Development and Visa Inc, has been promoting cashless initiatives in Africa since its foundation in 2012. Its mission, in its own words, is “to accelerate the transition from cash to digital payments globally.”
Technologies “Trickling Up”
While BTCA has poured funds into promoting cashless initiatives in Africa, Asia and Latin America, the Identification for Development (ID4D) initiative, founded with seed money from the World Bank, the Bill and Melinda Gates Foundation (again!), the French, British and Norweigan governments and Omidyar Network (again!), has lent billions to governments in Africa and beyond to help them set up biometric digital identity programs.
Once the system is well established, some of it will “trickle up” to developed countries, wrote Bill Gates in 2015. Gates’ eponymous foundation is a founding member of both BTCA and ID4D while Microsoft, the company he founded and led for decades, provided seed money for ID2020 Alliance, an obscure New York-based non profit whose founding mission is to provide digital identity to all people, including the world’s most vulnerable populations, by 2030.
Mastercard is also heavily involved in national ID programs on the continent. It is also a driving force behind smart city initiatives. In Africa’s most populous nation, Nigeria, the company partnered with the government to launch a Mastercard-branded biometric national ID card, which also doubles up as a payment card. The “service” would provide Mastercard with direct access to over 170 million potential customers – and all their personal and biometric data.
In 2021, Mastercard Community Pass launched a joint venture with South Africa-based fintech Paycode Inc with the aim of capturing the biometric data of 30 million individuals in remote parts of Africa by 2024, as Biometric Update reported:
Users’ face and palm biometrics are stored in a chip on Mastercard’s Community Pass smart cards. Paycode, which has been part of Mastercard’s business accelerator schemes runs a platform which offers the card holder a biometric identity (not a national identity) and financial services such as a digital bank account. Services can be accessed offline in real-time. Users do not need an existing identity document.
“Together, Paycode and Mastercard deliver a path to prosperity, enabling users to manage day-to-day needs including paying school fees for children, getting vaccinations for their families, selling goods, and growing their businesses,” states the release.
The partnership intends to help card holders “seamlessly access financial, health, agricultural, or aid services across providers, including government disbursements.”
Global Push Back Begins
The roll-out of biometric-authenticated payments is merely the latest example of the accelerating encroachment of biometrics into everyday life. Most national passports these days include biometric identifiers. Meanwhile, millions — perhaps even billions — of people have volunteered their digital fingerprints to log into their smartphones and other digital devices. In other words, people are already giving away their most private data to communicate, work, cross borders, or board planes.
But a push back is gathering globally. Aid organizations are beginning to question the wisdom of adding biometrics to so-called “smart cards” used in humanitarian settings. This came after the ICRC earlier this year suffered a “highly sophisticated” hack using tools employed mainly by states or state-backed groups. Personal information belonging to more than 515,000 people was exposed.
The United Nations High Commissioner (UNHCR) for Refugees has also come under heavy fire after Human Rights Watch revealed the UN agency had shared the biometric data it had collected from Rohingya refugees in Bangladesh with Myanmar’s government — the same they were fleeing from.
Last week, a global coalition of 53 civil society organisations, including Access Now, Algorithm Watch, Big Brother Watch, Fair Trials, Privacy International and State Watch, signed a joint letter calling on Members of the European Parliament to use their democratically-elected powers to ban biometric mass surveillance practices:
The AI Act is the obvious way for this important European Parliament resolution to be translated into binding, impactful law.
The urgent need for further action has also been recognised at EU Member State level. Italy has introduced Europe’s first moratorium on public facial recognition. The German coalition government has called for an EU-wide ban on biometric mass surveillance practices. Portugal dropped a law which would have legalised some biometric mass surveillance practices. And the Belgian Parliament is considering a moratorium on biometric surveillance.
Will you make (the right kind of) history?
There is already significant evidence that European residents have been systematically subjected to biometric mass surveillance practices. From football fans, to school children, to commuters, to shoppers, to people visiting LGBTQ+ bars and places of worship, the harms are real and prevalent. Via the Reclaim Your Face campaign, over 70,000 EU citizens urge you and your fellow lawmakers to better protect us from these undemocratic and harmful biometric systems.
Around the world, over 200 civil society organisations, from Burundi to Taiwan, have signed a letter calling for a global ban on biometric surveillance. As the first region to comprehensively regulate artificial intelligence, the EU’s actions – or inaction – will have major ramifications on biometric mass surveillance practices in every corner of the globe.
Meanwhile, back in the UK concerns are rising that the country’s headlong rush toward becoming a cashless economy risks leaving millions of people who still depend on cash in the lurch while exposing consumers to greater financial risks. According to a report commissioned by ATM network Link, more than 10 million Brits would struggle to live in a cashless society while forcing people to use digital money could lead to a loss of control over finances and spiralling debts.