Estructuras y vehículos de fondos

When Retail Surveillance Meets National Security

A customer entering a supermarket may expect cameras above the aisles, loyalty data at the checkout and perhaps an app recording what was purchased. What is less visible is how quickly those separate systems can become part of a much larger surveillance market.

Facial-recognition tools developed for police and border agencies are now being tested or deployed by retailers seeking to identify suspected shoplifters. Location and behavioural data gathered through commercial apps can be bought by intermediaries and used to map individual movements. Cloud, artificial-intelligence and data-analysis companies increasingly serve both private businesses and government security organisations, allowing technologies to move between consumer and national-security settings with little change to their underlying architecture.

This convergence has been described as the “military-retail industrial complex”. The phrase is deliberately provocative and should not be mistaken for a recognised economic sector. It captures a real governance problem, however: commercial surveillance systems are being built in environments where customers have limited ability to understand what is collected, who supplies the technology or how the information might eventually be used.

The issue is not that every retailer operating a security camera is secretly participating in military intelligence. It is that the boundaries among retail security, advertising technology, policing and national security have become increasingly porous. The same biometric techniques, identity databases and pattern-recognition systems can be sold across several markets, while data originally collected for ordinary commercial purposes can acquire a very different value once combined with other datasets.

For retailers, the immediate attraction is understandable. Theft, violence and abuse towards staff create genuine costs and safety concerns. For investors and boards, the harder question is whether a short-term security benefit justifies the legal, reputational and operational exposure created by biometric identification and persistent customer tracking.

The convergence begins with ordinary commercial data

Modern retail businesses collect information through multiple channels. Payment systems record transactions, loyalty programmes connect purchases to individual accounts, mobile applications gather device and location data, websites monitor browsing behaviour and in-store systems can analyse movement through physical space.

Each dataset may appear limited when considered alone. Its value changes when records are linked.

A loyalty programme can show what a person buys and how frequently. Mobile location data can indicate where that person travels before and after visiting a store. Facial recognition can attempt to identify the same individual across different premises, while public records and data brokers can add addresses, employment indicators, demographic information and inferred interests.

The commercial incentive is to improve fraud prevention, marketing, pricing and store operations. The national-security concern is that the same data can support profiling, relationship mapping and “pattern-of-life” analysis.

Research into the commercial data market has shown how easily sensitive information about military personnel can be obtained. A Duke University study was able to purchase data relating to serving members and veterans from commercial brokers, including information that could create national-security and personal-safety risks. Separate work by the US Army Cyber Institute has warned that low-cost commercial datasets can expose personnel, families, routines and sensitive locations.

The risk is not limited to government access. Foreign intelligence services, criminal organisations and other hostile actors may be able to buy or acquire comparable information through intermediaries. Commercial surveillance can therefore become a national-security vulnerability even when the original company has no relationship with the military.

Facial recognition is moving into the shop

Retailers have increasingly considered facial recognition as a way to identify people previously associated with theft, aggression or other misconduct. A camera captures a face, converts it into a biometric representation and compares it with a watchlist maintained by the retailer or its technology provider.

The operational case is easy to understand. Retailers face pressure to protect staff, reduce losses and intervene before a known offender causes another incident. Facial recognition promises faster identification than asking employees to rely on memory or circulate still photographs among stores.

Its use also creates a category of risk that conventional video surveillance does not.

A normal security camera records an event. Facial recognition attempts to establish identity. It can therefore follow a person across visits, connect behaviour to a name and trigger action before any new offence has taken place.

Wegmans confirmed in early 2026 that it used facial recognition in a small number of New York City stores considered to face elevated risks. The company said the system was intended to identify people previously flagged for misconduct and that facial data were not shared with third parties. The disclosure nevertheless prompted wider questions about retention periods, watchlist standards, accuracy and what recourse customers would have after an incorrect identification.

Those questions are not theoretical. In 2023, the US Federal Trade Commission prohibited Rite Aid from using facial recognition for surveillance for five years after alleging that the pharmacy chain had deployed the technology without adequate safeguards. According to the regulator, the system generated false-positive matches, with women and people of colour disproportionately affected, and employees sometimes acted on inaccurate alerts by searching, confronting or removing customers.

The case established an important commercial principle. A retailer cannot outsource the consequences of a biometric decision to the technology provider. It remains responsible for testing, governance, staff procedures and the harm caused when the system is wrong.

The vendor may operate in several worlds

One reason the military-retail label has gained attention is that facial-recognition and analytics companies frequently sell into several government and commercial markets.

A supplier may provide identity tools to police departments, immigration authorities, military units and private security teams. The underlying technology may be similar even when the customer and legal authority differ substantially.

Clearview AI is the most visible example of a company whose facial-search system has been used by law-enforcement and federal agencies, including immigration and military organisations. Its product is based on a very large database of images gathered from publicly accessible internet sources. The company has faced regulatory action and litigation in several jurisdictions over privacy, consent and the collection of biometric information.

That does not mean that a retailer using facial recognition necessarily uses Clearview, nor that retail data automatically enter a government database. It does show why vendor transparency matters. A company purchasing biometric technology should know who trained the system, where reference images originate, which other sectors the supplier serves and whether data collected for one customer can improve products sold to another.

Contracts should prohibit secondary use clearly rather than rely on broad assurances. The retailer should also understand whether the provider retains biometric templates, uses subcontractors, transfers data across borders or responds to law-enforcement requests without informing the client.

The most important due-diligence question is often not whether the software works. It is what the vendor’s business model allows it to do with the information passing through the system.

Commercial intelligence is becoming an asset class

Governments have long purchased information from private suppliers. What has changed is the scale and granularity of commercially available data.

Satellite imagery, advertising identifiers, mobile-location records, social-media activity and consumer databases can all support what is increasingly described as commercially sourced intelligence. Governments can obtain insight that previously required specialised surveillance infrastructure, sometimes by buying access to services already developed for advertising, logistics or risk analysis.

The same market benefits allies and adversaries.

Commercial satellite imagery can document military movements, humanitarian emergencies and environmental damage. Location data can help analyse evacuation patterns or disaster response. Yet the same information can reveal troop concentrations, sensitive installations and the routines of individual personnel.

In May 2026, US lawmakers disclosed correspondence indicating that adversaries had reportedly used commercially available location data to monitor or target American military personnel in operational areas. The episode demonstrated that consumer-data practices are no longer merely a domestic privacy concern. They can affect force protection directly.

Retail and advertising businesses should therefore stop treating every legally obtainable dataset as strategically harmless. Information does not remain confined to its original use simply because a privacy notice describes it as marketing or analytics data.

Once sold, shared or exposed, it may be combined with records from hundreds of other sources. The organisation that collected it first may have little control over the final inference.

Loss prevention does not remove proportionality

Retail crime is real, and any serious discussion of surveillance must acknowledge the pressure facing employees and operators.

The relevant decision is not whether retailers may protect their premises. It is whether the selected technology is proportionate to the risk and supported by evidence that less intrusive measures are inadequate.

A flagship city store experiencing repeated violence may present a different case from a low-risk branch using facial recognition because the software has already been purchased centrally. A narrowly managed watchlist of people linked to documented serious incidents is different from scanning every visitor against a broad external database.

The system should therefore begin with a defined problem. What harm is it expected to prevent? How frequently does that harm occur? Which stores are affected? What conventional measures have been attempted, and what evidence shows that biometric identification will improve the result?

Without that analysis, deployment can expand through convenience rather than necessity.

Retailers should also examine whether the technology displaces risk onto frontline employees. A facial alert still requires someone to decide what happens next. If staff are encouraged to confront a customer on the basis of an uncertain match, the system may increase rather than reduce safety exposure.

Human review is essential, but invoking it does not resolve every problem. A poorly trained employee may defer automatically to an algorithm, particularly when the software is presented as highly accurate. Review procedures must specify what evidence is required before intervention and which actions are prohibited on the basis of a biometric alert alone.

Accuracy figures rarely tell the full story

Facial-recognition providers often advertise very high laboratory accuracy. Those numbers can be technically correct and operationally misleading.

Performance changes with camera angle, image quality, lighting, age, demographic characteristics and the size and composition of the watchlist. A system tested on clear images may perform differently when faces are partially obscured, moving or captured by ceiling-mounted cameras.

The base rate also matters. In a store visited by thousands of people, only a very small proportion may appear on a legitimate watchlist. Even a system with a low false-match rate can produce more incorrect alerts than correct ones when the target population is rare.

Retailers should request testing under their actual conditions, not only the provider’s benchmark. They should know the false-positive and false-negative rates, broken down where legally appropriate, and monitor how often alerts lead to confirmed identification.

Every incorrect alert should be treated as an operational incident. Patterns can reveal poor camera placement, flawed source images, demographic disparities or watchlist entries that should have expired.

The organisation also needs a process through which a customer can challenge an identification. A biometric system with no meaningful correction mechanism can turn one error into repeated exclusion.

The regulatory environment is fragmenting

There is no single global rule governing retail facial recognition or commercial surveillance.

In the United States, requirements vary by state and city. Some jurisdictions impose consent, notice, retention or deletion obligations for biometric information, while others rely more heavily on general consumer-protection law. The Federal Trade Commission has demonstrated that it can act when companies make misleading claims or deploy automated systems without reasonable safeguards.

Europe applies a more restrictive data-protection framework, with biometric identification generally treated as sensitive personal data. The EU Artificial Intelligence Act adds further restrictions and governance obligations, particularly for certain forms of biometric categorisation and remote identification, although the exact treatment depends on the use case and actor.

Retailers operating internationally cannot therefore deploy one global surveillance policy without local analysis. A system lawful in one market may be prohibited, require explicit consent or create significant litigation risk in another.

The absence of a specific biometric law should not be treated as permission to proceed without controls. General privacy, discrimination, employment and consumer-protection rules may still apply, while public reaction can move faster than legislation.

Boards should expect the regulatory direction to favour stronger notice, defined purpose, shorter retention and greater individual control.

What boards and investors should ask

A biometric or behavioural-surveillance programme should receive more scrutiny than an ordinary security-software purchase.

The board should begin with necessity. Management should explain the harm being addressed, the evidence supporting deployment and why the scope is proportionate.

The second question concerns the data. What is collected, where is it stored, how long is it retained and who can access it? Does the system create a biometric template for every visitor, or only when a possible match occurs? Can information be used for marketing, employee monitoring or product development?

Vendor exposure comes next. The company should identify every subcontractor, hosting provider and external database involved, as well as the provider’s government and law-enforcement business. Contractual restrictions on secondary use, model training and disclosure should be explicit and auditable.

Accuracy and intervention rules must also be understood. How was the system tested in actual stores? What happens after an alert? Is a second source of evidence required? Are employees trained not to treat the software as proof?

Finally, the company should model failure. What would happen after a data breach, discriminatory error or disclosure that information had been shared beyond its stated purpose? The reputational cost may be far greater than the value of the losses the technology was intended to prevent.

Investors should be equally sceptical of vendors describing access to both retail and defence markets as an uncomplicated advantage. Government contracting can provide revenue and credibility, but it also creates export controls, procurement scrutiny, human-rights questions and dependence on politically sensitive customers.

Retailers need a surveillance inventory

Many large organisations cannot state confidently how many tracking technologies operate across their stores, applications, websites and security contractors.

A surveillance inventory should document cameras, facial-recognition systems, licence-plate readers, Wi-Fi tracking, mobile-app permissions, advertising identifiers, loyalty analytics and third-party loss-prevention tools. For each system, the retailer should record the purpose, data collected, vendor, retention period, access rights and legal basis.

This is not simply a compliance exercise. It allows management to identify duplicated systems, inconsistent policies and data collected without a continuing commercial need.

The organisation should then classify tools by risk. Basic video recording may require conventional security controls. Biometric identification, persistent location tracking and automated risk scoring deserve enhanced approval, testing and board oversight.

Customer communication should be understandable before collection occurs. A small sign referring generally to “security technology” does not allow a person to appreciate that a biometric template may be created. Notice should explain what the technology does, why it is used and where further information or a complaints process can be found.

Some retailers may conclude that the technology is justified in a limited number of locations. Others may find that staffing, store design, conventional cameras and better incident coordination provide a more defensible response.

The correct outcome is not universal adoption or prohibition. It is a decision that can survive scrutiny from customers, regulators and employees.

The real complex is built from incentives

The convergence of retail and national-security technology is not the result of one coordinated industry plan. It is the product of aligned incentives.

Retailers want to reduce losses and labour-intensive monitoring. Technology vendors want to sell one platform across several large markets. Government agencies want access to commercial innovation and data without developing every capability internally. Investors favour products that can serve both civilian and defence customers.

Each decision can appear rational in isolation. Together, they create an infrastructure capable of identifying, profiling and following people across commercial and public settings.

That infrastructure may prevent genuine harm. It may also normalise forms of surveillance that would have faced greater resistance had they first appeared under a government programme rather than above a grocery aisle.

The phrase “military-retail industrial complex” is useful only when it directs attention towards that convergence rather than becoming another dramatic market label. There is no credible $50 billion sector to forecast under that name. There is, however, a growing commercial-surveillance economy whose data, suppliers and methods increasingly intersect with national security.

For businesses, the central question is no longer whether the technology can identify a person. It is whether the organisation can justify doing so, govern the resulting power and contain the information once it has been created.

 
The Rise of the Military Retail Industrial Complex