The war for the e-commerce shopper is fought on the battlefield of convenience. One-click ordering, same-day delivery, automatic toilet paper refills: There's no pain point so small someone won't pay to do away with it.

Although shopping online might be hassle-free, getting those orders delivered can be tricky. To solve that problem, Amazon.com Inc. and Walmart Inc., the two largest retailers in the U.S., are now offering to send delivery people inside your house to safely deposit your packages indoors and your groceries inside your fridge.

To calm fears that delivery people might get up to no good, both companies are promising to let you watch the deliveries happen live on video. There's one catch: Amazon and Walmart get to hang on to that video too.

Sound like a good deal?

With little formal accountability or transparency on how these companies store, process and monetize the video and audio recordings of your home, privacy experts are concerned that consumers could be signing up for more than they realize.

"The surveillance society we have tiptoed into is going to need a set of social norms that are today still awkward and unclear," said Jules Polonetsky, chief executive of the Future of Privacy Forum, a nonprofit that studies privacy issues around new technologies. "If we don't set some of those lines, it's likely to have negative repercussions."

Those risks include having sensitive home data — including voice and video recordings and codes for the front door's smart lock — hacked and released online, or having the same private data subject to search by law enforcement.

More prosaically, with the advent of computer-vision analytics, which offer the ability to extract consumer insights from millions of hours of video, the companies behind these smart-home services could use imagery from your living room to improve their ad targeting or as raw material to train their computer vision algorithms.

"It's certainly not the case that any of these companies are out to do something malicious," said Jeremy Gillula, tech-policy director at the Electronic Frontier Foundation. "But you don't have to be malicious to invade someone's privacy."

The business case for providing these services is clear. The two largest retailers in the country are offering in-home delivery programs — Key by Amazon and InHome by Walmart — to woo customers who don't want to have valuable purchases or perishable groceries left on their porches, prey to package thieves or raccoons.

The cameras involved are pitched as security measures. To receive in-home Amazon deliveries, customers need to buy a smart lock and an Amazon Cloud Cam to point at their door. When the delivery person drops something off, the customer receives a notification enabling them to watch the delivery in real time or after the fact from the Cloud Cam's point of view.

In Walmart's case, the delivery person wears a proprietary body camera, allowing the customer to livestream the delivery process from their point of view or review the footage later.

Basic security concerns have already arisen with the programs. Within weeks of Amazon's rollout of Key in 2017, security researchers found a way to hack the camera and freeze the image, allowing a delivery person to wander the house undetected after a drop-off. Amazon quickly patched the security hole, but it was an illustration of the fact that almost any networked hardware can be vulnerable to attack.

But even when the system is working properly, the question of what the companies do with all that video footage remains.

Amazon has a standing policy of responding to legal demands from law enforcement, which often come with gag orders preventing the company from informing its customers that their data are being turned over. According to its latest transparency report, the company gives at least some of the data requested to law enforcement in more than 75% of cases. Amazon has been subpoenaed for recordings made by its smart devices in the past. In late 2018, it was ordered by a judge in New Hampshire to turn over Echo recordings, but it's unclear whether the company complied.

According to an Amazon spokesperson, the company is not using customer video footage to improve product recommendations or ad targeting. (Amazon is the third-biggest player in digital advertising, after Google and Facebook, and has been rapidly growing its market share.) The spokesperson also noted customers can delete footage of their homes whenever they please.

Yet any footage that goes undeleted "may be used to help improve Amazon's services, for example, by improving our computer vision algorithms," the spokesperson said. In April, Amazon acknowledged it was sending clips of speech captured by its Echo devices to workers in four countries who transcribed the clips to help improve the devices' speech-recognition accuracy.

Walmart — which is rolling out its service in Pittsburgh, Kansas City, Mo., and Vero Beach, Fla., this fall — said it was too early to say how the footage would be stored and processed. But the fact that Walmart owns the in-home recording device, in contrast to the customer-owned Cloud Cam, could lead to even less accountability for how footage of customers' homes is used.

"For these companies, it would be very difficult to resist the temptation of 'Look, we have all this video inside people's houses,' " Gillula said. "Let's use it to train AI to recognize specific products we can recommend."

In fact, Google last year filed a patent application laying out a system that would do exactly that.