Facial recognition at Welcome Back Concert raises concern

This year, USC’s annual Welcome Back Concert featured one name that was not on the setlist: PopPay. The consumer payment system was advertised to students before and during the event — and signing up was the only way to purchase food inside the venue.

PopPay is an e-wallet product created by PopID that links a user’s facial features with their payment information, allowing transactions to take place seamlessly through facial recognition. The system boasts its low processing fees, contactless payment format and reduced transaction time.

In a statement to the Daily Trojan, PopPay wrote that it is “a paid sponsor of promotional events to market our products … So far our service has been received very well by students at USC and local merchants.”

For students at the event — without another option if they are hungry — signing up for a quick and easy new payment system that comes with the promotional “up to $10 off” slogan can seem like a no-brainer.

But for some, signing up for a facial recognition payment system was an unnerving request — I overheard one student say in passing, “I don’t like the idea of this whole PopPay thing.” And these concerns are not without reason.

While the company’s founder John Miller asserts that PopPay complies with even the strictest law in the United States regarding facial recognition data — the Illinois Biometric Privacy Act that allows individuals to sue companies over alleged violations and requires consent for data collection — there is always the possibility of a data breach.

PopID’s privacy policy states, “Although we will do our best to protect your Personal Data, we cannot guarantee the security of your data transmitted to our site; any transmission is at your own risk.”

PopPay does not receive direct access to user’s data; rather, it goes directly into a secure data vault and the company is provided with a unique identifying token that matches a user’s account. This system, which PopPay compared to Venmo and Robinhood in its statement, is similar to the process of paying directly with one’s bank information.

Yet Robinhood, a share-trading app, faced a data breach that included more than seven million customers’ personal data in 2021. And while Venmo has yet to suffer a breach itself, individual user accounts are regularly hacked, something that could pose a huge issue if it applied to PopPay — where facial images are at risk.

Leaked facial recognition data could pose an enormous risk to students, especially with the recent advancements in artificial intelligence technology. Recently, there has been a rise in widespread concern over deep fake pornography, which uses individuals’ faces to make digitally edited explicit videos, often without the individual’s consent.

The Hollywood strikes have also brought image use and AI to the forefront of minds as SAG-AFTRA members revealed that studios wanted to scan background actor’s faces for use as AI replicas in future work — while only being paid for the day’s work when their faces were scanned, leaving them uncompensated for any future use of their likeness.

Unless users take it upon themselves to request deletion or nondisclosure of their biometric data, PopID stores that data for three years after a person last uses their system. A breach of that data could be catastrophic, with real potential consequences of nonconsensual image use by AI.

“Our service must always be initiated by a user by either pressing an onscreen button or asking the cashier to use PopPay … Only then do we activate a camera or palm scanner to check your biometrics … We never perform any kind of passive recognition,” the statement read.

However, PopPay cannot necessarily regulate how businesses use their service: Lynzee Louden, a senior majoring in political science, said her face was scanned at a local donut shop that uses PopPay without her opting into the service or asking the cashier to use the payment method.

“I was just standing there, I actually wasn’t buying anything, but the iPads in there scanned my face … I didn’t click any buttons or anything,” Louden said.

While she said that to order something and complete the payment she would have had to press a button to opt in, the system recognized her face and displayed her previous purchase history without any explicit consent.

The choice to enroll in a private company’s system, especially one operating something as sensitive as facial recognition, should be one made freely — not one made out of necessity because alternative options are not being offered.

Vera Wang, a freshman majoring in economics, said she found the presence of PopPay at the Welcome Back Cconcert to be forceful.

“[It’s] slightly coercive, because you’re not really being given a choice between normal payment methods and using your face, which is a pretty intimate subject matter,” Wang said.

Louden said she signed up for the service in her first year on campus at a USC event where there was no other way to pay for food, but didn’t understand how the system worked.

“When freshmen are signing up for these things, they should know what they’re getting themselves into,” Louden said. “It’s definitely a little scary to think about.”

Students attending the Welcome Back Concert, including freshmen who have only been on campus for a few days at that point, are particularly susceptible to peer pressure, leading them to potentially sign up for something without considering the consequences — or reading the privacy policy — especially when it means discounted or free food.

The USC Concerts Committee did not respond to the Daily Trojan’s request for comment.

The Concerts Committee owes students a reasonable alternative to participating in a private company’s payment system — it shouldn’t sacrifice students’ freedom of choice for a paid sponsorship.

CJ Haddad contributed to this report.