São Paulo subway facial recognition system slammed over user data security and privacy

A new surveillance system is deemed "inefficient and dangerous" as it fails to protect the personal information of 4 million daily users, associations say.

The company responsible for the operation of São Paulo's subway system has failed to demonstrate sufficient evidence that it is ensuring the protection of user privacy in the implementation of a new platform that will use facial recognition technology.

This is the conclusion of a group of consumer rights bodies following the conclusion of legal action initiated against Companhia do Metropolitano de São Paulo (METRO) about a project aimed at modernizing the subway's surveillance set-up.

The current legacy system includes an estate of non-integrated 2200 cameras that will be replaced by 5200 digital high-definition cameras controlled centrally. The platform, which will scan the faces of 4 million daily passengers, is expected to enhance operations and help authorities find wanted criminals through an integration with the police database.

The consumer rights bodies that have initiated the civil lawsuit noted in a statement by the Brazilian Institute of Consumer Protection (IDEC) that METRO failed to produce a report on the impact associated with the use of facial recognition technology, or studies that demonstrate the security of the databases to be used for the implementation of the new surveillance system.

In addition, METRO has not developed any data protection policies specifically aimed at children and teenagers, who have special constitutional protection, the organizations said, adding the company has also failed to produce a financial impact study in the event of data leaks.

Privacy-keen Germans push back against plans to 'duplicate the US data chaos'

Proposals that German firms could start scooping up more than just essential personal data have been met with anger by privacy advocates.

Read More

According to the consumer rights bodies, a technology project with impact at such scale "should be preceded by the wide and transparent disclosure of information of interest to users of the system". The organizations noted this is especially important when it comes to adherence to the principles established by the upcoming data protection regulations.

The absence of guarantees to users verified in the documents presented by the company in the class action is worrying given that use of facial recognition technology is being contested globally, according to the organizations, citing the recent interruption of that like of business by companies like IBM. The statement also noted the issue of false positives in the use of facial recognition technology in countries such as the UK.

"The ineffectiveness of technology, which is aggressive and invasive in nature, producing discriminatory actions against passengers, can worsen the already precarious experience of the public transport user, who may have their long and tiring daily journeys interrupted due to false positives", the IDEC statement said.

"METRO seeks to implement an inefficient and dangerous system, without even taking all the necessary precautions to avoid massive violations of privacy rights and, therefore, will seek to legally defend the interests of all users of the system", it added.

Responding to ZDNet's request for comment on the outcome of the class action, METRO said it clarified all the points raised and obeyed the legal requirements for the implementation of the surveillance system.

The company said, in a statement, that the system was contracted for the purpose of monitoring with cameras that have "smart" resources to support operational activities rather than the collection of personal user data.

"The [framework of the upcoming] general data protection regulations was the model used for this project, which will not employ a database with personal information nor record personal information, the priority being the increased security of METRO's passengers", the company noted.