If you want to purchase a new pair of glasses from an online retailer, there’s just one problem. How will you look with that particular set of frames?
It turns out that it’s not a problem. Many online retailers now use something called Virtual Try On (VTO) software to allow you to superimpose the frames onto an image of your face.
Walmart uses VTO software to allow online shoppers to “try on” clothing. Dubbed Be Your Own Model, the technology allows consumers to use pictures of themselves to see how clothing items will look on their exact bodies.
To virtually try on glasses you use your phone’s or PC’s camera to take a picture of your face, select some frames and the software does the rest. But what happens to that picture of your face, what is known as “biometric data?”
More than a dozen retailers, including Gunnar Optical, use a platform called Fittingbox to run the software. The Fittingbox privacy policy is unambiguous. The company says it does not capture consumers’ facial images.
“Your image is processed live, only for the duration of the virtual try-on experience,” the company said. “FITTINGBOX does not store, collect, disclose or process your image, or any biometric information in connection with your image. FITTINGBOX will not sell, distribute, lease or otherwise disclose or store your personal data or your image. If you ever save a screenshot of your try-on experience, this image will be stored on your device only; FITTINGBOX cannot access this image and you are solely responsible for the security and safekeeping of the photos, content, information, and data stored on your personal device.”
That’s not what we found
Yet when ConsumerAffairs researchers tried on a pair of glasses on the Gunnar site using Fittingbox’s VTO technology, they noticed that data was being sent to outside servers. They identified the data as a coded image that was sent to Fittingbox’s server. When they used an image decoder to see what the image was, they discovered that it was a picture of one of the researcher’s face.
ConsumerAffairs reached out to Fittingbox for an explanation but has not received a response. Even though the company’s actions appear to run counter to its stated privacy policy it does not appear to be in violation of state privacy laws, such as Illinois’ Biometric Information Privacy Act (BIPA), the toughest in the U.S.
In dismissing a suit claiming illegal collection of biometric data, Svoboda v. Frames for America, an Illinois judge recently ruled that the act of trying on glasses is part of a health care exam and therefore, companies providing the service fall under the health care exemption to Illinois’ BIPA.
There’s a good chance your image will be stored somewhere
That said, consumers using VTO when shopping for glasses frames should know that their facial image most likely will be collected and stored.
Rajesh Namase, co-founder of TechRT and a tech blogger, says the risk to consumers is if the database where their facial image is stored is hacked.
“Retailers must have cutting-edge cybersecurity measures and practices in place that should be up and running 24/7 while continuously being developed and tested for possible breaches,” Namase told us.
Aside from the “creepiness factor,” is there a real threat to consumers if the image of their face ends up in the hands of a hacker? Probably not yet, says James Lee, the chief operating officer at the Identity Theft Resource Center (ITRC). Lee says facial images are not very valuable on the dark web. He says social media accounts with lax privacy settings are a bigger source of images used in identity fraud.
“The various systems that are used today to verify identities using facial images – not facial recognition – are designed to recognize if a stored image is used instead of a live picture, further reducing the risk of identity fraud,” Lee told ConsumerAffairs. “Plus, the stolen image would have to match the biometric parameters of a control image, such as a passport or driver’s license photo on file.”
In this scenario, he says the risk of identity theft is likely to be low if a stored image is compromised. But consumers must decide whether they are comfortable with a picture of their face sitting in a database.
Mark McCreary is co-chair of the privacy and data security practice at Fox Rothschild, a nationwide law firm. McCreary says most state laws generally aren’t that strict about disclosing how biometric data is used. At the moment, the responsibility appears to be on the consumer.
“I believe any consumer should think long and hard about disclosing any biometric data to a government or private company,” McCreary told ConsumerAffairs.
He cites examples that include retina scans at airports and a palm scan at Whole Foods. If that data is retained somewhere, hackers may be able to access it.
“You should be very concerned about your data sitting in a database,” McCreary said.
Consumer awareness
Biometric data privacy is an issue that has only recently gained attention from legislators and regulators and it may not be anywhere top-of-mind with consumers, who for years have been posting images of themselves and other family members on social media.
Mark Kapczynski of OneRep, an online privacy firm, says online shoppers especially need to be more aware of how their biometric data is being used and stored.
“In addition, ask vendors whether they sell or give away any biometric data,” he told us. “It is your data and you have every right to scrutinize who is allowed to store, transmit, or access it.”