This ID Scanner Company is Collecting Sensitive Data on Millions of Bargoers
PatronScan says it sells security. Privacy advocates worry it’s selling mass surveillance.
We’ve all seen it, and some of us have lived it: A bar patron mouths off to a bouncer, tags a wall, gets in a fight, or is just too drunk and disorderly. They’re not just kicked out for the night, but “eighty-sixed” — permanently banned from the establishment.
Now imagine if a bar owner could flag that ejected patron digitally, documenting their transgression for other bar owners to see and placing them on a nightlife equivalent of a no fly list that stretches across city, state, and even international borders.
PatronScan allows bars to do just that. The PatronScan kiosk, placed at the entrance of a bar or nightlife establishment, can verify whether an ID is real or fake, and collect and track basic customer demographic data. For bars, accurate ID scanners are valuable tools that help weed out underage drinkers, protecting the establishments’ liquor licenses from fines and scrupulous state alcohol boards. But PatronScan’s main selling point is security.
The system allows a business to maintain a record of bad customer behavior and flag those individuals, alerting every other bar that uses PatronScan. What constitutes “bad behavior” is at a bar manager’s discretion, and ranges from “sexual assault” to “violence” to “public drunkenness” and “other.” When a bargoer visits another PatronScan bar and swipes their ID, their previously flagged transgressions will pop up on the kiosk screen. Unless patrons successfully appeal their status to PatronScan or the bar directly, their status can follow them for anywhere from a couple weeks to a few months, to much, much longer. According to a PatronScan “Public Safety Report” from May 2018, the average length of bans handed out to customers in Sacramento, California was 19 years. (The company’s “Public Safety Report” is embedded in full below.)
The same report indicates that PatronScan collected and retained information on over 10,000 patrons in Sacramento in a single day. Within a five month period, that added up to information on over 500,000 bargoers. PatronScan claims to have a networked list of more than 40,000 banned customers, many of whom may not even know about their eighty-sixed status until they try to gain entry into another bar covered by the system.
To some onlookers, PatronScan’s product raises a number of concerns about privacy, surveillance, and discrimination. PatronScan’s reports reveal the company logged where customers live, the household demographics for that area, how far each customer travelled to a bar, and how many different bars they had visited. According to the company’s own policies, the company readily shares the information it collects on patrons, both banned and not, at the request of police. In addition to selling its kiosks to individual bars and nightlife establishments, PatronScan also advertises directly to cities, suggesting that they mandate the adoption of their service.
PatronScan represents an extreme example of the growing adoption of data collection at bars and restaurants. Such establishments have long had informal systems for tracking problematic patrons. Today, many bars also have internal surveillance systems, which track customer trends and catalog granular data on purchasing habits. Those tools are growing increasingly sophisticated, with obvious benefits to venue owners and law enforcement.
For bargoers, however, these systems create an uncomfortable new paradigm for partying, one in which data-sharing is a norm and technological tools can multiply the consequences of a single bad night. And once a bar adopts an ID scanning system, even innocent patrons may never know where their ID data will end up, or how it will be used.
Built by Servall Biometrics, a Calgary-based software developer, PatronScan was initially marketed in Canada in the mid-2000s. Since then, the company has expanded to the United States, Australia, and the United Kingdom. The company calls its product “the most advanced ID scanning system available,” and claims that it has scanned the IDs of more than 60 million patrons across more than 200 cities, making it the largest ID scanning company in North America. In response to queries, PatronScan provided limited documents detailing its system procedures and policies, but did not respond to specific questions or requests for comment.
Like many similar systems, the PatronScan kiosk scans a government-issued ID’s barcode to make sure it’s legitimate and that it hasn’t already been used by another customer at the bar. The company claims that its system can recognize 5,000 different types of ID from around the world. It’s a useful service — selling drinks to underage customers can cost bars thousands of dollars in fines and, ultimately, result in the loss of a pricey liquor license. PatronScan offers a range of increasingly complex models, from a smallish handheld device all the way up to a standing desk of sorts, equipped with a tablet and a camera. The company’s marketing materials suggest a standard system costs venues $4,200 per year.
PatronScan’s services extend beyond just spotting fake IDs, however. In its promotional material, PatronScan claims — without citing a source — that “95% of incidents are caused by 1% of patrons.” When a patron allegedly misbehaves, a staffer can flag their scanned ID in the system, and tag their indiscretion from PatronScan’s list of banned acts: “Assault,” “disturbance,” “drug possession,” “drug trafficking,” “fake ID,” “fighting,” “gang violence,” “public intoxication,” “sexual assault,” “theft,” “private,” or “other.” The staffer has the option to include details about the incident, but they are not required to do so. Once a manager approves the ban, and sets an expiration date, it’s logged in the PatronScan network. Unless a patron successfully appeals their ban to PatronScan directly, or pleads for forgiveness from the bar where the alleged incident occurred, a ban across the company’s entire network of establishments can last for years.
PatronScan’s marketing materials say the system “gives police officers powerful tools to remove dangerous people from the nightlife[sic], such as gang members and drug dealers.” Aside from the ban list, PatronScan makes scanner data available to local law enforcement on a case-by-case basis, with no warrant necessary. According to the company, police in Sacramento, California — where PatronScan is used by more than two dozen bars and venues — have requested data, or “extractions,” from the system at least 53 times since 2016. “We use it along with traditional investigative methods,” says Sacramento Police Sergeant Kristi Morse, who supports the adoption of PatronScan in local bars. “Besides the obvious benefits of verifying ID cards and deterring underage drinking, the system provides a sense of personal accountability to the patron, which makes nightlife safer and more enjoyable for the entire community.”
Morse also said that police departments don’t have a backdoor into the PatronScan database, but instead rely on PatronScan and individual establishments for data. “[The police] don’t have access — they have to come to us and ask permission,” says Johnathan Cameron, manager of Badlands, a Sacramento LGBTQ bar and dance club that uses PatronScan. “Generally we don’t have a problem with it. It really does hold people liable for their actions.”
Civil liberties advocates are more skeptical about the PatronScan model. The system is inherently subjective: Banning criteria are nebulous and determined on an individual basis by thousands of different bar employees with a variety of standards and motivations. There’s essentially nothing to stop a bad-actor business from using PatronScan for discriminatory purposes under the guise of security.
“Contrary to popular belief, businesses don’t have an unfettered right to refuse service to anyone,” says Matt Cagle, a technology and civil liberties attorney with the ACLU of Northern California. “When you create a confidential ban list, that’s an invitation for businesses to pretextually exclude people because of who they are.” In fact, the May 2018 “Public Safety Report” indicates that of over 1,100 banned Sacramento patrons, more than 60 percent were banned for “private” reasons, with no explanation of what rule they had violated or how they had transgressed.
Bargoers likely have no idea that the PatronScan kiosks used to verify their IDs do anything other than check the age of the patron, and the validity of the ID. That’s because PatronScan makes no suggestion that establishments publicly disclose how the system works, or how the collected data will be used.
“What if sensitive locations [use PatronScan] without understanding that the people who attend are potentially going to be databased and networked?” asks Cagle. PatronScan’s data-sharing policy with law enforcement is ostensibly meant to help in criminal investigations, but it also runs the risk of exposing undocumented people, individuals with court orders to refrain from alcohol, people visiting gay bars or political events, or those more generally averse to the police knowing where and when they go out drinking. “It’s hard to see how that makes anyone more safe,” says Cagle.
Lindsey Barrett, an attorney at Georgetown Law’s Communications and Technology Law Clinic, calls that assertion “crazy.”
“What is the value of my birthday as just a single data point? Of course probably not very much,” says Barrett. “But that depends on who you’re giving it to and the other information you’re supplying.” A name paired with a picture, a location, and bar-going history — whether they were accused of bad behavior or not — could be immensely valuable to employers, insurers, lenders, advertisers, and data brokers. “There’s an enormous economy that’s grown up around trading exactly this kind of information.”
Though some stories about the implementation of PatronScan and other scanning services have appeared on local TV news in Sacramento, Pittsburgh, and Hoboken, New Jersey, much of the debate over PatronScan has played out on social networks and message boards, where concerned residents are noting the rise of ID scanning in their local bar scene.
Data collection doesn’t always go over well with the bar-going public. In a subreddit for Sacramento, bargoers crowdsourced a list of the venues using the scanners; in Raleigh, North Carolina, a few Reddit users suggested a boycott. Many patrons don’t seem to learn about how PatronScan works until they’ve been on the receiving end of a network ban — one bargoer reports being banned as “a nuisance who threw a temper tantrum” after a dispute with a bouncer. Another says they were flagged for a “high severity theft” after drunkenly conspiring with a friend to swipe a plush Furby off the back bar, though they were caught and returned the toy. Banned patrons did not respond to requests for comment, or declined to speak on the record.
In 2017, networked ID scanning was mandated in Queensland, Australia, and PatronScan and similar competing systems were installed across more than a dozen nightlife districts, supposedly to prevent alcohol-fueled crime. While local officials suggested crime trends remained unchanged in the area, some club managers said the scanners hurt business, scaring off customers entirely. One tavern owner reported a 30% drop in business over the first year of scanner use.
Meanwhile, bar managers in the U.S. say they haven’t heard much protest from their clientele.
“I’ve had a few people that were pretty upset about it,” says Eric Martinez, manager of Coin-Op, a bar and arcade in Sacramento that uses PatronScan. “For the most part we just let them know why we’re doing it: To keep us and our other patrons safe.”
While PatronScan advertises its services to bars and nightclubs, the company also appears to have its eyes on influencing public policy.
Sacramento seems like an unlikely testing ground for networked ID scanning — the California state capital of 500,000 people is not a wild nightlife destination, nor does it have unusual problems with underage drinking or crime. Nonetheless, in 2016 the city, at the suggestion of local law enforcement, began requiring some businesses that had both alcohol and entertainment permits to start using PatronScan.
Safety and security requirements “are really unique to each venue,” says Tina Lee-Vogt, Sacramento’s entertainment program administrator, noting the city requires about 30 of 80 venues in the city to use PatronScan. “We’re very cognizant of the costs. We’re not going to have a smaller business burdened by this system — that wouldn’t be appropriate.”
Lee-Vogt argues that the PatronScan dragnet actually prevents the discrimination that civil liberties watchdogs fear. “There’s a consistency,” Lee-Vogt says. “Every patron is scanned, so you can’t say, I’m only going to scan this group of African Americans.” According to statistics PatronScan shared with California legislators, the company collected and retained the information of 561,087 customers in the first five months of 2018 in Sacramento — a number greater than the entire population of the city.
PatronScan’s network is particularly valuable to businesses and law enforcement when used in multiple venues within the same community. The company markets directly to cities with a toolkit outlining how to institute municipal-wide ID scanner adoption. That includes a ready-made “request for information” template to start a contract bidding process that will presumably be PatronScan-friendly. The company’s founders have said that many municipalities have mandated the use of their scanners, though it’s unclear which ones. In its marketing materials, PatronScan includes price quotes for widescale ID scanning implementation in Austin, Seattle, and Charleston. Representatives for Austin and Seattle said those cities had no such contract or mandate. Officials from Charleston did not respond to requests for comment.
Among other municipalities, Sacramento and Pomona, California both require certain bars to use ID scanners. The entire state of Utah also requires an ID scan of any customer who appears to be under 35. But the majority of states do not have laws specifically regulating how and when IDs can be scanned, or how that data can be retained or used.
In 2014, Multnomah County, Oregon launched a program implementing ID scanners made by PatronScan’s parent company Servall Biometrics in downtown bars. The scanners were purchased by a nonprofit with a county contract, with the stated goal of reducing alcohol abuse. A few bars refused to implement the system, but many relented, stating to local media that they were pressured by police and local authorities. The program was suspended after just a few weeks, when local media questioned the scanners’ legality under a 2009 Oregon state law, which states that scanner technology is not to be used to compile individuals’ personal data into “private databases of transactional information.”
In 2018, California passed a law that updated existing rules limiting the data collection powers of ID scanner services and the businesses that use them. The legislation was written and championed by Assemblymember Jim Cooper, who was alarmed by PatronScan’s roll-out in Sacramento. In effect, the bill added “scan” to a law already on the books that regulated each ID “swipe.”
The Coalition for Humane Immigrant Rights supported the bill, stating that “placing individuals on a database that labels them a ‘threat to public safety’ has significant immigration consequences that could lead to deportation, revoking of current status, or denial of future immigration relief.” The city of Sacramento and PatronScan formally opposed the bill, and hired lobbyists to work against it.
In a statement released when the legislation was passed, Assemblymember Cooper said the Personal Information Protection Act “will help protect your personal information from your driver’s license or identification card from being collected, stored, or shared when your driver’s license or ID is scanned or swiped for age verification purposes.”
The bill was signed into law in September 2018, and took effect January 1, 2019. Though it represents a step toward regulation, its impact is unclear. The law states that scanners can be used to verify a customer’s age, and “to collect or disclose personal information that is required for reporting, investigating, or preventing fraud, abuse, or material misrepresentation.” The law also stipulates that the data should not be retained or used for any other purpose.
PatronScan claims that it is compliant with the new law, and that patron privacy is of “utmost importance.”
In California, PatronScan now only retains individual data for 30 days instead of the default 90 days. Patrons in California can no longer receive “private” or “other” bans, and there’s a new online process for filing and resolving disputes more quickly than in other jurisdictions.
But those changes weren’t required by law, and they don’t satisfy privacy advocates. “The rule is don’t retain and don’t share,” says Joe Mullin, policy analyst for the Electronic Frontier Foundation, which supported the California law. Mullin says that despite its new policies, PatronScan may be violating the legislation, and not being regulated accordingly. “There is sometimes a real enforcement problem with privacy laws. [If the system is] ok with the bars, it’s certainly ok with the service provider that’s making a lot of money, and if it’s ok with the police, who’s there to stop it?”
According to PatronScan’s own marketing material and bars that use the system, the company continues to maintain a centralized database and banned patron list in California. Establishments in Sacramento that use PatronScan said the reforms hadn’t noticeably changed their use of the devices. “Basically it’s just a robot checking an ID to make sure you’re cool — and then something that we can keep track of for future reference,” says Martinez of Coin-Op. “It helps wean out the kinds of patrons we don’t want in our bar.”
PatronScan is far from the only company hawking restaurant and nightlife surveillance services, but other firms in the sector mostly focus on business services rather than law enforcement aid. Several competing ID scanner services and point of sale system add-ons, such as TokenWorks and Vemos, also allow a venue to create and maintain internal digitized ban lists.
“It’s just another level of security that hopefully makes people feel more safe and not like their privacy is being infringed upon,” says Benjamin Cukierman, an owner of bars Mad Oak and Room 389 in Oakland, California, who uses TokenWorks and says he does not share ID scanner data with law enforcement. That internal ban list just makes his life easier, he says, but he wouldn’t necessarily trust another venue’s judgment. “If you’re tied into a network of people getting eighty-sixed, it might just be a bartender having a bad day, and that’s not very fair. We know what we’re catching — it’s not a ‘he said she said’ situation.”
One of PatronScan’s competitors, IDScan.net, also allows bars to set and maintain internal ban lists, though that data is not normally networked between IDScan.net customers.
“We can configure the software how people want, but it would be totally up to owners if they feel comfortable sharing the information they’re collecting,” says Nicholas Peddle, marketing manager for IDScan.net.
PatronScan and IDScan.net represent the frontier of ID-scanning: Helping police and helping business. In both scenarios, consumer privacy comes in a distant third.
Where IDScan.net differentiates itself is in its creative and extensive use of customer data — its tagline is “Scan, Verify, Collect, Analyze.” The company’s Bar Bundle product captures demographic information such as age, gender, and zip code, and allows staff to also track customer behaviors, such as what they like to drink and where they like to sit in a bar, in order to improve marketing and service. An ID can be tied to a form of payment, so that the next time a patron visits a bar, the owner has data on their habits and preferences before they even step inside.
“We are in the business of empowering our customers to be able to create a safer and smarter environment,” says Peddle.
“When it first started, I was not all for it, but now I see the positives outweigh the negatives,” says Johnathan Cameron, the Badlands bar manager. “Like everybody else, I thought, ‘Well they’re gonna have my information.’ But they’re not tracking you.”
Except, of course, they are.
Handing over an ID for inspection and scanning is data collection laid far more bare than usual. But in the context of bar-hopping, it’s become almost wholly normalized. After all, people already give up their information in exchange for access and convenience several times every day, readily and witlessly, obviously and obliviously.
As data collection systems continue to proliferate throughout everyday life, it’s likely that networked bar ID surveillance systems like PatronScan will roll out in even more cities. And with the addition of more biometric tools, demographic data gathering, and machine learning, your favorite bar could soon wave you in to your favorite seat and hand you your favorite cocktail, all without glancing at your ID.
They might, one day, just as easily let your health insurer, your boss, and the police know that you’re there — and whether you were suddenly, and unfortunately, eighty-sixed.
Disclosure: The author’s partner owns and operates a California bar that does not use an ID scanning system.