Smart Mirrors Handy, Fun — But Are a Data-Gathering Bonanza

By Rob Sabo

In 2017, luxury retailer Neiman Marcus introduced smart-mirror technology to its makeup counters and fitting rooms, following a path blazed by Ralph Lauren and Mango and later joined by Macy’s, J.C. Penney and other industry leaders.

Smart-mirror technology provides consumers with 360-degree views of outfits or cosmetics without trying them on.

They also are a data-gathering bonanza, experts told Digital Privacy News.

“The retail sector, especially luxury brands, are investing in smart mirrors because they get direct access to a user’s body,” said Veronica Miller, cybersecurity expert at VPN Overview in the Netherlands.

“This allows them to make recommendations to customers for beauty, treatments and more,” she added. “But this means customer data will be stored and shared with manufacturers to provide customized advice to users.”

Signing off on the collection of personal traits, habits and shopping experiences potentially exposes consumers to a range of cyberthreats, Miller said.

“Consumers should understand how these technologies are being used by retailers and how they plan to progress with them,” she told Digital Privacy News.

“In return for all the customization offered by smart products, we willingly give away a large part of our privacy.”

While several retailers did not return queries or declined to comment to Digital Privacy News, a representative of the National Retail Federation (NRF) said that smart mirrors provided greater shopper convenience and allowed for increased opportunities for retailers to cross-sell products, among other benefits.

What are Smart Mirrors?

Smart mirrors for retail and home settings include touch-screen displays behind the mirror with embedded video cameras and processors that capture a user’s likeness.

Using advanced image-recognition algorithms, smart mirrors can layer simulations of clothing, accessories or cosmetics over a user’s image so they can see how different products might look without trying them on.

Want to check out that cocktail dress in red rather than black? Simply touch the screen to change colors or view an entirely different outfit.

Brands such as Sephora, Luxottica, Dior and Giorgio Armani are among the retailers adopting smart-mirror augmented-reality technology manufactured by MemoMi Labs Inc. of Palo Alto, Calif.

MemoMi did not respond to an interview request from Digital Privacy News — and Neiman Marcus and Sephora declined to comment.

Mainstream Acceptance

Susan Reda, editor at STORES media, the publishing arm of the Washington-based NRF, said that augmented-reality technology like smart mirrors was quickly moving from the fringes of retailing to mainstream acceptance.

“A tremendous amount of innovation during the pandemic was born of the need to reduce the frequency of touch,” Reda said.

“Smart mirrors are a part of this — and AR tools like Warby Parker’s virtual try-on for glasses or Sephora’s in-app tools to try makeup allow customers to experiment with products from their own homes.

“These solutions offer greater convenience to shoppers.”

Further, these tools help reduce product-return rates, Reda added.

Retailers are bullish on smart mirrors, she said, because they provide opportunities for greater product engagement, increased cross-selling and supply-chain management efficiencies.

However, smart mirrors provide yet another opportunity for companies to gather and retain personal consumer data, said Nat Maple, general manager of ecommerce for the BullGuard cybersecurity firm in San Francisco.

“A smart mirror can track each item taken into the dressing room and track how shoppers interact with clothes,” Maple told Digital Privacy News.

“An item frequently taken into the dressing room but doesn’t sell could mean the look is popular but the fit or color is not working.

“In this sense, they can be a useful tool — but the question is, ‘Will anything be private anymore?’” he posed.

“Smart-mirror manufacturers are accessing a retail customer’s entire purchase history, lighting preferences, interactions with previous sales associates and hundreds of other data points.”

Smart Mirrors at Home

Data-collection and privacy concerns with smart mirrors are greatly amplified when the technology moves to personal residences.

For instance, Naked Labs Inc., of Redwood City, Calif., designed its smart mirror in part to replace bathroom scales.

It produces a full-body 3-D scan that measures body fat, muscle mass, waistline, weight and other personal metrics.

The idea is to help users further their fitness and weight goals by tracking the size of their shoulders, chest, arms, stomach and other body parts over time, the company says on its website.

Naked Labs, which did not respond to an interview request, provides users with an app with detailed graphics and charts that analyze historical body metric data.

The company, founded in 2015, boasts more than 4 million data-collection points in its 3-D body-scanning technology — which utilizes a built-in laptop-grade processor to convert scanned data into the images.

‘Limited Security’

Smart mirrors represent a growing segment of Internet of Things devices steadily creeping into homes — and consumers using them in bedrooms or bathrooms should fully understand what these devices are doing, Pieter VanIperen, managing partner of PWV Consultants in New York, told Digital Privacy News.

“Almost every IoT device does not have significant security or limited security, so it’s imperative people implement personal security for these devices,” he said.

“Depending on the mirror, it could be collecting age, weight, location, demographics, purchase trends — so that ads and performance can be tailored to needs and likes.

“Consumers should see if they can opt-out of sharing their information with third parties and if they can opt-out of any tracking or data-point collection that they deem unneeded,” VanIperen said.

But the main problem, experts said, is that IoT devices like smart mirrors typically were a “soft point” for hackers — along with the many potential privacy implications they pose because of the sensitive personal information collected and stored.

“Consumers,” VanIperen warned, “should be wary of what they share with these devices, what they have access to and how they function when not in use.”

Rob Sabo is a Nevada writer.

Potential Security Issues

Data-privacy experts cautioned consumers to be wary of smart mirrors and other newer technologies, as stringent — and costly — cybersecurity measures were rarely at the forefront of the developmental process.

Nir Kshetri, a professor at the Bryan School of Business and Economics at the University of North Carolina at Greensboro, called smart mirrors a “privacy nightmare.”

“Cybersecurity is a big concern with products such as smart mirrors,” he told Digital Privacy News.

“In general, the Internet of Things such as smart mirrors evolved from vertical industries in which vendors’ devices are specific to an industry — and there was no provision for security.

“Most IoT manufacturers use common open-source software, which leaves the devices vulnerable.

“They lack dedicated IT staff monitoring and managing of these devices,” Kshetri added.

“Suppliers of most IoT devices, such as smart mirrors, also do not provide a software bill of materials, which makes it difficult to determine if vulnerable software is used in a device.” 

Other experts concurred.

Pieter VanIperen of PWV Consultants in New York said the future of smart mirrors and other augmented-reality technology remained unknown.

“This type of technology can go a long way towards making our lives easier, but it must be secured before we can implement other uses,” he said.

“We cannot rely on vendors to secure and correctly configure devices to our comfort levels,” VanIperen said, noting that consumers must “develop a healthy paranoia around devices of convenience.”
