Australian Privacy Commissioner Says 7-Eleven Broke Privacy Laws By Scanning Customers' Faces At Survey Kiosks
from the small-privacy-breach-with-larger-repercussions dept
Of all the places to come across illegal facial recognition tech deployment, a convenience store chain is certainly one of the strangest. The tech wasn't deployed to stop shoplifting or keep unwanted people off the premises. Instead, somewhat ironically, it was deployed to help 7-Eleven quantify how well its convenience stores were doing in the customer service department.
Here's Campbell Kwan for ZDNet (via Slashdot):
"In Australia, the country's information commissioner has found that 7-Eleven breached customers' privacy by collecting their sensitive biometric information without adequate notice or consent.
"From June 2020 to August 2021, 7-Eleven conducted surveys that required customers to fill out information on tablets with built-in cameras. These tablets, which were installed in 700 stores, captured customers' facial images at two points during the survey-taking process -- when the individual first engaged with the tablet, and after they completed the survey.
"After becoming aware of this activity in July last year, the Office of the Australian Information Commissioner (OAIC) commenced an investigation into 7-Eleven's survey."
The investigation [PDF] says 7-Eleven handled pretty much everything about this badly. It also shows the company tried to distance itself from its own tablet-based survey by blaming the third-party vendor handling the survey on its behalf.
The facial images were collected twice during the survey and stored locally on the tablets for about 20 seconds. After that, they went to the third party's servers, where they were processed and converted into an algorithmic representation of the face. The original images were then deleted from the device used to perform the survey.
These "representations" were then used to check for matches on other surveys. This was done to detect any potential gaming of the system by individuals repeatedly performing surveys and to make guesses about the age and gender of survey takers. All of that data was deleted after seven days. In total, 1.6 million surveys were performed.
7-Eleven argued this was not a violation of Australian law because the images were not used to identify, track, or monitor respondents. It also said it had no access to facial images on the local device, nor any access to images once they had been moved to the third party servers.
Wrong, says the information commissioner. The problem isn't how the collected information was handled. The problem is how it was collected. 7-Eleven needed consent from survey takers and didn't get it. The commissioner found "no evidence" individuals "expressly" agreed to have their biometric information collected by 7-Eleven.
7-Eleven argued it did get at least implied consent. As evidence of this it offered the blanket notice displayed in front of all stores:
"Site is under constant video surveillance.
"By entering the store you consent to facial recognition cameras capturing and storing your image."
It also pointed to its privacy policy on its website -- something survey takers weren't presented with when taking surveys.
"7-Eleven may also collect photographic or biometric information from users of our 7-Eleven App and visitors to our stores, again, where you have provided your consent. 7-Eleven collects and holds such information for the purposes of identity verification."
None of this is sufficient, says the commissioner.
"Consent may not be implied if an individual’s consent is ambiguous or there is reasonable doubt about the individual’s intention. While I accept that use of the tablet was voluntary, I am not satisfied that the act of using the tablet unambiguously indicated an individual’s agreement to collect their facial image and faceprint, in circumstances where:
"There was no information provided on or in the vicinity of the tablet, or during the process of completing the survey, about the respondent’s collection of facial images and faceprints.
"The Store Notices were unclear, and, given the prevalence of these kinds of notices in stores and public places, may have created an impression that the respondent captured customers’ images using a facial recognition CCTV camera as part of surveillance of the store.
"The respondent’s Privacy Policy did not link the collection of photographic or biometric information to the use of in-store ‘feedback kiosks’."
Non-specific blanket statements about possible collections are not the same thing as informing survey takers prior to taking a survey that their biometric information will definitely be collected if they fill out a survey.
That's some lawbreaking right there. The company that processed the facial images on behalf of 7-Eleven is ordered to destroy all faceprints collected by this survey. It's also forbidden from engaging in this sort of thing again without securing explicit permission from clients' customers. How much of a deterrent this is remains to be seen since the third party already declared all facial recognition data was deleted seven days after it was collected and processed.
The greater benefit of a ruling like this -- especially one that deals with information gathered irresponsibly but apparently handled with more care once it was harvested -- is the official reminder it sends to all Australian entities that may currently believe a link to a privacy policy buried on the bottom of a corporation's website home page is all that's needed to obtain "consent" for collection of personal info.