Australian Privacy Commissioner Says 7-Eleven Broke Privacy Laws By Scanning Customers' Faces At Survey Kiosks

from the small-privacy-breach-with-larger-repercussions dept

Of all the places to come across illegal facial recognition tech deployment, a convenience store chain is certainly one of the strangest. The tech wasn't deployed to stop shoplifting or keep unwanted people off the premises. Instead, somewhat ironically, it was deployed to help 7-Eleven convenience stores quantify how well they were doing in the customer service department.

Here's Campbell Kwan for ZDNet (via Slashdot):

In Australia, the country's information commissioner has found that 7-Eleven breached customers' privacy by collecting their sensitive biometric information without adequate notice or consent.

From June 2020 to August 2021, 7-Eleven conducted surveys that required customers to fill out information on tablets with built-in cameras. These tablets, which were installed in 700 stores, captured customers' facial images at two points during the survey-taking process -- when the individual first engaged with the tablet, and after they completed the survey.

After becoming aware of this activity in July last year, the Office of the Australian Information Commissioner (OAIC) commenced an investigation into 7-Eleven's survey.

The investigation [PDF] says 7-Eleven handled pretty much everything about this badly. It also shows the company tried to distance itself from its own tablet-based survey by blaming the third-party vendor handling the survey on its behalf.

The facial images were collected twice during the survey and stored locally on the tablets for about 20 seconds. After that, they went to the third party's servers, where they were processed and converted into an algorithmic representation of the face. The original images were then deleted from the device used to perform the survey.

These "representations" were then used to check for matches on other surveys. This was done to detect any potential gaming of the system by individuals repeatedly performing surveys and to make guesses about the age and gender of survey takers. All of that data was deleted after seven days. In total, 1.6 million surveys were performed.

7-Eleven argued this was not a violation of Australian law because the images were not used to identify, track, or monitor respondents. It also said it had no access to facial images on the local device, nor any access to images once they had been moved to the third party's servers.

Wrong, says the information commissioner. The problem isn't how the collected information was handled. The problem is how it was collected. 7-Eleven needed consent from survey takers and didn't get it. The commissioner found "no evidence" individuals "expressly" agreed to have their biometric information collected by 7-Eleven.

7-Eleven argued it did get at least implied consent. As evidence of this it offered the blanket notice displayed in front of all stores:

Site is under constant video surveillance.

By entering the store you consent to facial recognition cameras capturing and storing your image.

It also pointed to its privacy policy on its website -- something survey takers weren't presented with when taking surveys.

7-Eleven may also collect photographic or biometric information from users of our 7-Eleven App and visitors to our stores, again, where you have provided your consent. 7-Eleven collects and holds such information for the purposes of identity verification.

None of this is sufficient, says the commissioner.

Consent may not be implied if an individual’s consent is ambiguous or there is reasonable doubt about the individual’s intention. While I accept that use of the tablet was voluntary, I am not satisfied that the act of using the tablet unambiguously indicated an individual’s agreement to collect their facial image and faceprint, in circumstances where:

There was no information provided on or in the vicinity of the tablet, or during the process of completing the survey, about the respondent’s collection of facial images and faceprints.

The Store Notices were unclear, and, given the prevalence of these kind of notices in stores and public places, may have created an impression that the respondent captured customers’ images using a facial recognition CCTV camera as part of surveillance of the store.

The respondent’s Privacy Policy did not link the collection of photographic or biometric information to the use of in-store ‘feedback kiosks’.

Non-specific blanket statements about possible collections are not the same thing as informing survey takers prior to taking a survey that their biometric information will definitely be collected if they fill out a survey.

That's some lawbreaking right there. The company that processed the facial images on behalf of 7-Eleven is ordered to destroy all faceprints collected by this survey. It's also forbidden from engaging in this sort of thing again without securing explicit permission from clients' customers. How much of a deterrent this is remains to be seen since the third party already declared all facial recognition data was deleted seven days after it was collected and processed.

The greater benefit of a ruling like this -- especially one that deals with information gathered irresponsibly but apparently handled with more care once it was harvested -- is the official reminder it sends to all Australian entities that may currently believe a link to a privacy policy buried on the bottom of a corporation's website home page is all that's needed to obtain "consent" for collection of personal info.


Filed Under: australia, convenience stores, facial recognition, privacy
Companies: 7-eleven


Reader Comments



  • PaulT, 22 Oct 2021 @ 1:04pm

    "This was done to detect any potential gaming of the system by individuals repeatedly performing surveys and to make guesses about the age and gender of survey takers"

    Truly bizarre. I can understand why they want to remove repeat users, but why were people using them in the first place? I'd imagine that they were directed to use them by staff, who would surely be able to recognise if people were coming back regularly enough to skew the survey. Then, I'm sure that there must be some standard statistical methods to account for this with paper surveys that would be applicable here.

    Then, having a system try to guess demographics rather than relying on self-reporting? Maybe some people would lie, but surely the vast majority of people will just volunteer that information if they're already willing to fill in a random survey. There's no value to them personally by lying, and I'm not sure if the percentage of users who might deliberately lie would be offset by the error rate inherent in guesswork based on facial recognition in its current state, especially among minority populations among whom facial recognition is already highly suspect.

    Other than "ooh new toys", I don't see the value in implementing this, although I can certainly understand why people accepting such tech for security purposes would object to its use for something as trivial as a survey.

    "The greater benefit of a ruling like this -- especially one that deals with information gathered irresponsibly but apparently handled with more care once it was harvested -- is the official reminder it sends to all Australian entities that may currently believe a link to a privacy policy buried on the bottom of a corporation's website home page is all that's needed to obtain "consent" for collection of personal info."

    Yeah... if a physical store is doing something that requires you to go online and read a legal document for you to understand what they're doing while you're there, that's incredibly suspect. EULAs are bad enough when you're accessing a specific website, let alone if you're expected to understand them in order to pop in and grab a can of Coke on your way somewhere.


  • Anonymous Coward, 22 Oct 2021 @ 1:16pm

    I'd imagine that they were directed to use them by staff, who would surely be able to recognize if people were coming back regularly enough to skew the survey.

    And I, in turn, imagine that 7-11 staff are neither part of a hive mind nor permanently on duty. (Though the thought of an Emergency Holographic Cashier ("What is the nature of your purchasing emergency?") is amusing.) I've no idea how many visits might be required to skew stats, but coming in three times during a week, to each of 10 different 7-11s might be a start.

    More, I can't see why anyone would care enough to skew the survey results. Unless they were a disgruntled former employee.


    • PaulT, 22 Oct 2021 @ 2:32pm

      Re:

      "I've no idea how many visits might be required to skew stats, but coming in three times during a week, to each of 10 different 7-11s might be a start."

      Given that 1.6 million surveys were performed, I'd imagine that if someone was determined to try and skew the results they would be noticed.

      "More, I can't see why anyone would care enough to skew the survey results. Unless they were a disgruntled former employee."

      I'd imagine a competitor more than that, but I certainly don't see anything that wouldn't have been accounted for by pre-facial recognition surveys.


  • Anonymous Coward, 22 Oct 2021 @ 1:26pm

    Hey, only the government is allowed to do that!


  • Anonymous Coward, 22 Oct 2021 @ 1:30pm

    The company that processed the facial images on behalf of 7-Eleven is ordered to destroy all faceprints collected by this survey.

    It is useful to report WHERE these faceprints are, given that "they were destroyed after 7 days"...

    1. I have taken account of the respondent’s submissions that facial images are stored
      for 20 seconds on tablets before being transferred to the Server and that facial images are
      stored on the Server for only 7 days. As more than 7 days have passed since the
      respondent ceased collecting these images, I am satisfied that the respondent no longer
      holds any facial images collected by the Facial Recognition Tool. Accordingly, I do not
      need to make a declaration that those images are deleted.

    2. While acknowledging these proactive steps, I remain concerned that faceprints
      collected by the Facial Recognition Tool in breach of APPs 3.3 and 5, have not been
      deleted. I am not satisfied that de-identification is a viable step in the circumstances,
      noting that the purpose of the Facial Recognition Tool is to enable automated biometric
      identification of individuals.

    And the WHY:

    ... However, given the respondent did not make any submissions in
    relation to the draft declaration requiring it to destroy faceprints, there is insufficient
    evidence before me to be satisfied that the faceprints have been irretrievably destroyed,
    or if this is not possible, put beyond use.

    In other words, 7-Eleven didn't fill in a particular box.


  • Anonymous Coward, 23 Oct 2021 @ 1:32am

    This reeks of the government thinking they are entitled to a monopoly on the sketchy collection of this type of data. Will Australian police and intelligence be alerting people and asking their consent to obtain biometric data too?

    I looked it up. You will not be surprised by the answer:

    SYDNEY, Sept 16 (Reuters) - Australia's two most populous states are trialling facial recognition software that lets police check people are home during COVID-19 quarantine

    My main concern with 7-11 or any other private business utilizing facial recognition technology is that their database will fall into the government's hands where the real violations of your privacy/rights will occur.


