Face-recognition tech is coming to a store near you, if it's not there already, and that's sparking a new wave of opposition, Axios' Kim Hart reports.

Why it matters: The systems can scan or store facial images of both shoppers and workers. Their use accelerated during the pandemic as retailers looked for ways to prevent fraud, track foot traffic with fewer employees, and offer contactless payments at a time when consumers were wary of interacting with others.

Driving the news: More than three dozen advocacy groups launched a campaign late last week to pressure retailers to stop using facial recognition technologies, or to pledge not to use them.

• "Facial recognition vendors are taking advantage of the pandemic to promote the technology to offer hands-free payments or monitor the distance between people, and stores are promoting them as features for safety and convenience," said Caitlin Seeley George, campaign director for Fight for the Future, which spearheaded the campaign.
• "But the truth is, you're giving up so much more than that," she said.

Where it stands: Stores including Walmart, Kroger, Home Depot and Target have said they won't use facial recognition technologies, per the advocacy groups' running list of retailers.

• But Albertsons, Macy's and Apple Stores are among major retailers that do use the technologies, per the groups' list. Their privacy policies say they use it for security and to prevent fraud.

How it works: Facial recognition tools are primarily used by retailers for security reasons — chiefly, to prevent shoplifting — and they usually don't link images to personally identifiable information, says Brenda Leong, senior counsel for the Future of Privacy Foundation.

There are plenty of other ways stores would like to use the technology, she said, such as:

• Identifying loyalty club members the minute they enter a store to send them push alerts and text messages.
• Knowing exactly how long a customer is in the store to help tailor their experience in future visits.
• Using biometric systems for employees to clock in and out and monitor productivity. Advocates find this use particularly concerning because employees do not have the choice to opt out.

What's happening: In China, Alibaba and JD have opened futuristic grocery stores where automated carts follow you around, wrist trackers scan your selections and payments are made by facial recognition systems, per Wired.

Amazon Fresh stores offer cashier-less "Just Walk Out" technology, but the company says its system doesn't use facial recognition.

The other side: Just because a camera is used in a store doesn't mean it's identifying or storing specific faces. And companies argue the systems can improve shoppers' in-store experiences in other ways.

The intrigue: Biometric information, like finger prints and facial images, is protected as personal data in states with strong privacy laws, like California.

• The city of Portland, Oregon, became the first U.S. city to ban the use of facial recognition by the government, police and commercial enterprises like retail stores, hotels and restaurants.
• Last month, Democratic Sens. Ed Markey and Jeff Merkley reintroduced a bill that would ban federal agencies from using biometric technology.

What to watch: Some industries, including retail, are experimenting with biometric technologies that can interpret facial expressions, detect sweat on a person's skin or identify an elevated heart rate.

The U.S., NATO and other allies are collectively calling out China for malicious cyber attacks, including a March attack that exploited a flaw in Microsoft's Exchange Server.

Why it matters: Along with the formal condemnation from the U.S. and allies — a first for NATO — authorities are detailing more than 50 different techniques that China has used and offering up recommended mitigations that businesses and organizations can take.

The U.S. says that China's Ministry of State Security is using contract hackers to conduct the attacks, many of which are being done for profit, including via ransomware.

• The U.S. and allies say they can now, "with high confidence," attribute the March attack using the Exchange flaw to cyberattackers affiliated with China's state security ministry. That attack crippled thousands of computers around the world.

Between the lines: There are a number of countries that have been blamed for past cyberattacks, including China, Iran, Russia and North Korea.

• The U.S. says Russian government hackers have been known to sometimes also "moonlight" in for-profit attacks, but in this case it was the Chinese military working directly with the attackers.

What's next: The U.S. says it has raised the concerns with Chinese authorities and said it hasn't ruled out a further response, but also cautioned that no one action is likely to deter China.

• Rather, the administration is pointing to a number of recent steps taken on cybersecurity including executive orders, work with the EU and G7 and new rules for pipeline and other critical infrastructure providers.

President Biden's Friday comment that Facebook is "killing people" by allowing vaccine misinformation to spread online kicked off a weekend back-and-forth between politicians and experts on one side and Facebook on the other.

Facebook's argument: "The fact is that vaccine acceptance among Facebook users in the U.S. has increased," Facebook VP of integrity Guy Rosen wrote in a Saturday blog post that echoed company statements Friday.

• "The data shows that 85% of Facebook users in the US have been or want to be vaccinated against COVID-19. President Biden's goal was for 70% of Americans to be vaccinated by July 4. Facebook is not the reason this goal was missed."

The other side: Vaccine acceptance among the entire U.S. population has also increased, so it's hardly surprising that would be reflected among Facebook users.

The big picture: For a long time, Facebook's content moderation efforts tolerated broad debate and considerable misinformation about vaccines, and critics argue that the social network could act more forcefully and effectively to limit it as the pandemic continues to grow in areas where large numbers of Americans remain unvaccinated.

• A March Washington Post story reported that an internal Facebook study of "vaccine hesitancy" found that a small number of users was responsible for the bulk of such content.

Surgeon General Vivek Murthy, whose Thursday statement on limiting the spread of vaccine-related misinformation kicked off this debate, said Sunday on CNN that what social media platforms are doing is "not enough."

Israeli cyber intelligence firm NSO Group's hacking software has been used to spy on heads of state, journalists, activists and lawyers across the world, per an investigation by 17 news organizations and nonprofits published Sunday, Axios' Rebecca Falconer reports.

Why it matters: Authoritarian governments and others have used this spyware "to facilitate human rights violations around the world on a massive scale," with 50,000 phone numbers of targets leaked — including the family of slain Washington Post journalist Jamal Khashoggi, alleges rights group Amnesty International, which helped conduct the research. NSO called the report "false."

Driving the news: The investigation into NSO's Pegasus software spyware, known as the Pegasus Project, was conducted by a consortium including WashPost, the Guardian and 15 other news outlets, alongside Amnesty and the Paris-based journalism nonprofit Forbidden Stories.

• The list of phone numbers doesn't necessarily mean the phones were hacked, but the consortium determined they were potential surveillance targets. Reporters identified "more than 1,000 people spanning more than 50 countries through research and interviews on four continents," the Washington Post reports.
• The reports did not disclose the source of the leak nor how journalists verified the material.

Of note: NSO argues that Pegasus helps solve crimes, combats terrorism and brings criminals to justice.

On Tap

• GDC 35, the game developers conference, takes place online this week.
• IBM reports earnings after the markets close.

Trading Places

• Felix & Paul Studios, the Montreal-based immersive film company, named Stéphane Ruel as head of space technologies and Oliver Trudeau as VP of distribution and partnerships.

ICYMI

• The California legislature Friday unanimously approved a $2 billion plan to build out a statewide open-access fiber network. (Ars Technica)
• Zoom is buying Five9, which makes a cloud-based system for running contact centers. (CNBC)

To get in the Olympic spirit, check out this race between a real-life tortoise and hare.