Chaayos, a popular tea store chain in India, has installed facial recognition systems at its outlets to replace mobile number OTP. MediaNama encountered one such system installed at one of Chaayos’ Delhi outlets. The interface did not display any terms and conditions regarding the use of the facial data that the terminals would collect. There was only an option to “start” the feature, and no opt-out option could be seen on the screen. There is no mention of facial recognition technology on Chaayos’ Terms and Conditions page. Also, this is happening while we still await a privacy law in India and there are no clearly established rules around facial recognition.
We don’t know where Chaayos stores all the facial data that it collects and how long it stores it for. We also don’t know if the outlet is looking to use this data for commercial purposes. In case the police approaches a Chaayos outlet to investigate a case, will the company share this facial data with them? We also don’t know the safeguards put in place to ensure that all this biometric data remains safe and secure.
“I was buying tea and didn’t even notice what was on the screen, and suddenly, the screen showed me. Remember, all this is happening without facial recognition norms, or a privacy law in India,” said Nikhil Pahwa, founder and editor of MediaNama, who shot this video.
In a series of tweets, Pahwa said that “biometric information is a permanent username + password. Should not be used”. He added that with no information being given to users about how their data is going to be used, this is not informed consent. Most people do not understand the risks of facial recognition data being collected and thus merely portraying this as a convenience is disingenuous of Chaayos.
We have reached out to Chaayos with the following questions:
- The Camera on the tablet on which the tech is enabled seems to be showing users’ face on the screen even before they choose any option. We want to know if it starts recording/recognising the user even before the user gives consent.
- Where does Chaayos store facial data of its customers?
- How long is this data stored for?
- What are the safeguards in place that will ensure that this facial data remains safe and secure from breaches?
- Does a user have the option to delete his/her facial data from your system if he/she wishes to do so?
- What personally identifiable data does Chaayos collect?
- Is a user’s facial data linked to that personally identifiable dataset?
Inc42 had previously reported of facial recognition systems at Chaayos’ outlets in Bengaluru and said that the systems recognise a “customer’s face with 99.9% effectiveness”. It said that by virtue of facial recognition systems, “regular customers can repeat orders and make payments without hassles of OTP”. However, a twitter user with the handle @ankitmalik, said that a cashier at Chaayos’ SDA outlet refused to let him use his existing Chaayos wallet balance until he registered his face in the system. “Facial recognition is eerie & disturbing & should be opt-in,” he added.
Love your chai @Chaayos, but bring back the phone number authentication.
Facial recognition is eerie & disturbing & should be opt-in.
— Ankit (@ankitmalik) November 16, 2019
Chai Point has had similar systems since 2018: Another popular tea store chain, and a rival of Chaayos’, Chai Point launched similar facial recognition systems in December last year, according to The Week. The systems at Chai Point outlets also do the same task — replace mobile number OTPs with a customer’s face scan. Customers have to first register themselves in the system by getting their picture clicked, and the machine will remember them during subsequent visits.