Why would you need facial recognition software to make better chai?

This is the question being posed to Chaayos, a chain of outlets that offers tea and snacks in several cities. Medianama’s Nikhil Pahwa found that the company was offering regular customers at an outlet in Delhi the opportunity to have their faces scanned instead of submitting One Time Password to log into accounts that would keep track of their favourite items on the menu and occasionally offer them discounts. The use of facial recognition technology came without any terms and conditions displayed, no explanation for what will be done with the data and no way to opt out later.

The feature, of course, was marketed as a convenient choice, one that does away with the task of keying in an OTP. The screens had vaguely ominous text that declared, “Why put numbers through when we can identify you?”

When Pahwa dug a little further, he found more ominous sentences in the terms and conditions, including a line saying that the “customer should not expect that Customer’s personal information should always remain private”. The company later updated some of its terms, and took to Twitter to insist that it was conscious of privacy concerns around facial recognition.

But this did little to assuage the concerns of many customers, who naturally came back to the question at the very start of this piece: Why does the company need a picture of your face to make better chai?

Inconvenient truth

Of course, there is an explanation and one that many might find reasonable too. Here the company is saying, giving us your facial data and we will smoothen your customer experience. As far as private companies go, convenience has always been touted as the excuse for getting customers to give up personal data, with rarely any sense of what is being done with it afterwards.

In this case, after a public outcry, the company has come out to say that it will not hand the data over to third parties. But we don’t know if it would have acted differently if there hadn’t been sharp questions put to it. Besides, the experience of the last decade has been that even companies that claim that they keep data private are often repackaging and using it elsewhere in some manner.

It is important to remember that this is also being done in a country where digital and data literacy is low. Think of how often shops and restaurants now ask patrons for their phone numbers at the cashier – and how readily most people divulge that information, without realising that it will be sold to data hoovering operations that build profiles.

People often ask why is it such a problem to give your phone number to a cashier or a company. It’s worth recalling news stories like this one about how the Uttar Pradesh Police found that recharge outlets were selling the phone numbers of unsuspecting women based on their appearances to men who would then harass them. Suddenly the dangers of giving up something like a phone number become much more real.

Waiting for law

Now extend that to facial recognition and all the potential that come with building a profile of behaviour that includes images – which may not be securely stored even if it isn’t actually being misused. The risks that come with such databases either being repackaged or leaking are tremendous, not least because they include data that you cannot alter, i.e. your face.

Of course, the first task at hand is to push for the government to pass both surveillance reform guidelines – which will govern state use of such tools – and a data privacy law that will clearly identify what sort of information can be collected, in a manner that hands control over that data to the individual. The latter is expected in this session of Parliament, though there is no draft text available yet.

But just as important is a public conversation, particularly led by companies, about data collection. It shouldn’t have taken a series of questions on Twitter for Chaayos to be more transparent about its operations. Companies should recognise that data privacy is a concern.

Indeed, it is in their interest to start a conversation about data practices and ensure that their policies are customer-friendly and enable privacy. While a privacy law is crucial, we shouldn’t have to wait for the state to crack the whip. Instead, we should push the companies that we engage with to make the right decisions.