What is the price of paying with your palm?: Opinion

Scan your face to unlock your phone or clear immigration checks. Scan your finger to unlock the door. Now, palm reading is also coming to the fore as tech firms get creative with using biometrics.

At Alchemist cafe at 71 Robinson Road, a select group of Visa employees have been swiping their hands for several weeks now to pay for coffee, under a trial with Chinese tech giant Tencent to test its Palm Scan Payments system in Singapore. 

Plans are afoot to expand the trial to other DBS Bank, OCBC Bank and UOB Visa card holders in Singapore, Tencent’s first international stop outside China after having outfitted Beijing’s airport express train service and more than 1,500 7-Eleven convenience stores in Guangdong province with its palm-reading technology.

Imagine the convenience of leaving home with just you. No cards. No phones, which often run out of juice.

The argument for increasing use of people’s biometric data in everyday scenarios – in shops, at entertainment venues and on public transport – is convenience and security. However, it is one thing for governments to collect your face, finger and gait data for security, and another when firms with commercial interests get in the game.

What happens if your biometric data is stolen, or falls into the wrong hands? What is the price of paying with your palm?

What data is harvested?

Let’s unpack the technology to better understand what could be at stake.

On Nov 6, when The Straits Times visited the Tencent and Visa booths at the Singapore Fintech Festival, the companies demonstrated that a one-time enrolment to capture one’s palm data is required.

This is done in a few seconds using Tencent’s payment reader, which sports two cameras (one for reading the lines on the palm and another for detecting the veins under the skin).

Enrolment can be done at any participating merchant here when the scheme is rolled out. The local banks are still in discussion with Visa on the trial roll-out timeline.

Users also need to tap their Visa card on the Tencent reader to link it with the captured biometric data stored in the cloud by the Chinese firm. 

After this, users can ditch their wallets, payment cards and smartphones. Scanning one’s palm at payment readers here will initiate a charge to one’s linked Visa card. In China, payments are settled exclusively by users’ linked WeChat Pay accounts.

Tencent’s technology, developed at the company’s YouTu artificial intelligence (AI) lab, relies on the recognition of the palm’s unique characteristics including principal lines, wrinkles, epidermal ridges and veins under the skin.

Its technology can also detect if the palm is live or a replica.

Amazon has rolled out a similar technology, called Amazon One, across the US.

Amazon One scanners – once limited to Amazon bricks-and-mortar stores in 2020 – can also now be found in hundreds of Whole Foods locations and some Panera Bread stores to process payments. 

The tech giant demonstrated two other uses in the US: age verification and venue access control. 

At Coors Field, home of the Colorado Rockies Major League Baseball team, visitors have to hover their palm over an Amazon One device to verify that they are above 21 to buy alcoholic beverages. Age verification will require users to also upload onto Amazon One a selfie, as well as a photo of the front and back of their government-issued ID.

The selfie along with a “21+” message will be flashed on a screen for the bartender’s visual check at the point of sale.

At gym operator Crunch Fitness, members also no longer need their membership tags or mobile app to enter more than nine fitness facilities in San Francisco, New York City and Los Angeles. They can simply hover their palm over an Amazon One device installed at the facilities.

The technology has immense potential to also let people use their hand swipe as a replacement for their office key card, as well as for tickets to concerts and sporting events.

Questions swirling over privacy

What Tencent and Amazon have demonstrated is essentially an identity technology that could result in devastating outcomes if the data is abused. 

Just how secure is palm reading? Can someone impersonate me? 

Experts have said that palm scanning is one of the most secure methods of biometric authentication. Compared with the fingerprint or iris, palms are larger and have more details – including vein patterns under the skin detected only by infrared sensors – to tell one person from another to prevent misidentification. 

Palm prints are also harder to steal and impersonate, as a person’s palm is usually curled up.

This is unlike one’s face, which is instantly recognisable from a distance, or fingerprints, which can be left on touched surfaces. 

Because palm prints contain more identifiable data, it can also be argued that any data leak could make any impersonations more convincing in the age of AI and deepfakes.

It is unthinkable what scammers could do if they got hold of the raw biometric data, which definitively establishes your unique identity.

Even if the tech giants have formidable fortresses to safeguard the information, one can never rule out rogue employees. And while it may be hard to create a replica of one’s palm, it is also technically possible with the power of 3D printing.

Given all these concerns, users need to know how their biometric data is stored, and who has access to the information.

On its website, Tencent said that the captured biometric data is encrypted for storage in the cloud in a manner that does not allow the unique palm signatures to be reconstructed. In other words, Tencent and Visa do not store raw biometric print and vein data.

Nevertheless, Tencent, Visa and local banks must be prepared to field questions about which employee has access to the biometric data.

Bank employees here are sworn to secrecy under the Banking Act, and face criminal liabilities if they flout it. Consumers would expect the same of Tencent employees.

Also relevant is how users’ consent will be sought if their data is used. Tencent said that biometric data would not be used without consumers’ consent. Do these uses include AI training and sharing with third parties? Will the information be buried in the small print in user agreements or communicated upfront?

Similarly, can consumers be unenrolled from the service and have their personal data deleted from the cloud servers? 

Under Singapore’s Personal Data Protection Act, consumers may tell businesses to stop collecting, using or disclosing their personal data. But businesses are not required to delete or destroy the personal data and may retain it for as long as there are business or legal needs.

The right to be “forgotten”, however, is enshrined in stricter regimes such as the California Consumer Privacy Act and the European Union’s General Data Protection Regulation. Consumers may also request data access to check if any of their data has been retained.

The age of deepfakes

While it may be risky to let commercial entities store one’s biometric data, Tencent and Amazon’s identity technologies could solve some of the biggest problems that have arisen from the creation of deepfakes.

Today, internet safety is not even a question of verifying if someone is who they say they are, but whether there is even a real person behind the online identity.

The ease of accessing AI tools has helped identity thieves create scarily convincing impersonation scams. A scammer can grab as little as 30 seconds of someone talking on YouTube, TikTok or Instagram to create an AI version of that person’s voice.

In February, CNN reported that a finance worker at a multinational firm in Hong Kong was duped into paying US$25 million (S$33 million) to fraudsters after attending a multi-party video conference call with deepfake re-creations of the company’s UK-based chief financial officer and other staff.

Singapore’s Senior Minister Lee Hsien Loong and Prime Minister Lawrence Wong have also had their likeness used in deepfake scams, while an advertisement that uses the name and image of Leader of the Opposition and Workers’ Party chief Pritam Singh has been seen online.

So far, only one company has taken on the ambitious task of distinguishing humans from bots. Even so, the way it carried out the project has attracted a lot of negative attention and sanctions in several countries including India, Kenya, Spain and Portugal.

World Network, a cryptocurrency project founded by OpenAI chief executive Sam Altman, has been scanning human irises using its “orb” devices around the world, including in Singapore.

Every verified human gets cryptocurrencies and a World ID, which the company describes as a “digital passport” to prove that its holder is a real human. World IDs can, in turn, be used to verify accounts on other platforms such as Discord and Shopify.

Tencent and Amazon have stopped short of issuing a digital passport, choosing instead to focus on in-person verifications.

But the privacy concerns that surround World Network also apply to Tencent and Amazon.

Their technologies are unlike Apple’s Face ID, which uses facial scans to unlock your phone and verify payments but keeps the biometric data on your device.

Keeping data in the cloud, anonymised or not, could expose it to hackers.

And if other players with less robust security regimes also get in on the act, hackers would have a field day.

A lot of education is needed. A lot of communication must be done by tech companies too, so users sign on the dotted line with their eyes open.

The effects of a biometric data leak or breach may be much worse than losing passwords; the effects may be irreversible and lifelong.

After all, unlike passwords, one can never change one’s palm prints.

Source: Straits Times © SPH Media Limited. Permission required for reproduction.

ADV: ECC-SAL International Mooting Competition 2025 MAS to focus on collaboration in regulating digital assets and GenAI