Hardware barn denies that .004 seconds of facial recognition violated privacy
- Reference: 1731994335
- News link: https://www.theregister.co.uk/2024/11/19/facial_recognition_privacy_appeal_bunnings_australia/
- Source link:
Australia's privacy commissioner Carly Kind on Tuesday [1]found "Bunnings collected individuals' sensitive information without consent, failed to take reasonable steps to notify individuals that their personal information was being collected, and did not include required information in its privacy policy."
The chain's sin was in using CCTV to capture the face of everyone who entered 63 of its stores between November 2018 and November 2021.
[2]
"Individuals who entered the relevant Bunnings stores at the time would not have been aware that facial recognition technology (FRT) was in use and especially that their sensitive information was being collected, even if briefly," stated commissioner Kind.
[3]
[4]
Note the "briefly" in that canned quote – it's a big part of why Bunnings has decided to seek a review of the decision.
"The electronic data of the vast majority of people was processed and deleted in 0.00417 seconds – less than the blink of an eye," stated Bunnings managing director Mike Schneider in a [5]company statement .
[6]
Schneider wrote that Bunnings only used FRT "to protect our team, customers, and suppliers against the ongoing and increasing exposure to violent and organized crime, perpetrated by a small number of known and repeat offenders."
"While we can physically ban them from our stores, with thousands of daily visitors, it is virtually impossible to enforce these bans," Schneider added. FRT gave Bunnings "the fastest and most accurate way of identifying these individuals and quickly removing them from our stores."
Shoppers who weren't suspected of being among those individuals were scanned by CCTV, had their mugshots compared to a database of suspected perpetrators of violence, before images were swiftly deleted if a match was not made.
[7]
'We believe that customer privacy was not at risk," Schneider therefore argued, adding that "electronic data was never used for marketing purposes or to track customer behavior." And only six Bunnings staff could see the database of suspected violent shoppers - but reviews of the list were sporadic and not documented. Further, images captured using CCTV were of sufficient quality to be used in the database.
The GM expressed his disappointment that examples of violence against Bunnings staff didn't sway the commissioner's view.
But in her [8]decision , commissioner Kind found Bunnings could not "have reasonably believed that collecting, via the FRT system, the personal information of all individuals who entered a relevant store was necessary to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety."
She also felt that the hardware megastore's big mistake was not informing customers about the FRT tests – even with a sign at the front of stores.
Such signs are often packed with dense text. When your correspondent briefly studied law, lecturers advised us to stop and read them – even if doing so could cause delays at the entrance to facilities like carparks – to make a point about taking terms and conditions seriously.
[9]Australia tells tots: No TikTok till you're 16... or X, Instagram and Facebook
[10]Elon Musk's X mashed by Australian court for evading child protection reporting
[11]Australian Police conducted supply chain attack on criminal collaborationware
[12]Australia’s government spent the week boxing Big Tech
Privacy is a hot topic in Australia, thanks to recent [13]high-profile data breaches and debate about [14]shielding children from the worst of social media.
Bunnings, however, has achieved strangely iconic status in Australian life. Despite being owned by a ruthlessly profit-seeking megacorp and utterly dominating its industry, the chain is celebrated for hosting community group barbecues on weekends – a fundraising gimme that sporting clubs and charities covet. So pervasive is the chain that it was parodied in TV show Bluey – the [15]most viewed program in the US last year – which re-named it "Hammerbarn."
Bluey is so popular that Bunnings temporarily re-named some of its stores "Hammerbarn" as part of a cross-promotion that won it reams of good press.
But we digress: the regulator has told Bunnings not to do this again, and the chain is happy to comply. But that's not going to stop it appealing the decision it breached its privacy obligations. When it's all over, hopefully we'll have a better idea of whether .004 seconds of data retention really does amount to a breach of privacy. ®
Get our [16]Tech Resources
[1] https://www.oaic.gov.au/news/media-centre/bunnings-breached-australians-privacy-with-facial-recognition-tool
[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_software/aiml&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2Zzxv2YV9VxBt4bCF0GpEmAAAAJc&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_software/aiml&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Zzxv2YV9VxBt4bCF0GpEmAAAAJc&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_software/aiml&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Zzxv2YV9VxBt4bCF0GpEmAAAAJc&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[5] https://media.bunnings.com.au/api/public/content/897d1a4f8ef0458ca3d3ba18d6a4255f?v=055a00e0
[6] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_software/aiml&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Zzxv2YV9VxBt4bCF0GpEmAAAAJc&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[7] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_software/aiml&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Zzxv2YV9VxBt4bCF0GpEmAAAAJc&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[8] https://www.austlii.edu.au/cgi-bin/viewdoc/au/cases/cth/AICmr/2024/230.html
[9] https://www.theregister.com/2024/11/11/australia_social_media_ban/
[10] https://www.theregister.com/2024/10/04/x_loses_australian_child_safety_case/
[11] https://www.theregister.com/2024/09/18/afp_operation_kraken_ghost_crimeware_app/
[12] https://www.theregister.com/2024/09/13/australia_vs_big_tech/
[13] https://www.theregister.com/2024/01/23/australia_medibank_private_attacker_named/
[14] https://www.theregister.com/2024/11/11/australia_social_media_ban/
[15] https://au.variety.com/2024/tv/news/bluey-most-watched-show-united-states-2024-17465/
[16] https://whitepapers.theregister.com/
It will only hurt for a moment
A great excuse! Think of all the crimes it could be applied to. Can I electrocute you, but just for a moment? Is it okay for someone to cop a feel, if he's real quick about it? How about detonating a large firecracker in front of your house without warning, surely it's not a problem?
Dumb argument
So it only becomes facial recognition when your computer is slower? How much slower?
"less than the blink of an eye"
This bullet will enter and leave your body in less than the blink of an eye...
Mind if I fire this gun at you ?
It will only hurt for a small fraction of time...
Alexa, please explain...
It seems to me that the issue would've been avoided by appropriate signage.
While the legality regarding transient data processing is still in debate, no IP was stolen and no systems were evolved ("educated") - the subject hasn't contributed to anything long term or suffered. Nothing has been processed beyond a comparison to known faces. No different to a CCTV operator doing the same - other than not employing an operator in the first place (a different issue entirely). Absolutely no impact on the (innocent) individual, and they didn't improve or profit the Bunny Barn beyond that.
Time of retention seems academic here. To compare to "instantaneous" physical and consequential events (being shot or electrocuted) is formal fallacy.
Many are happy to have devices in their own homes that are far more invasive, the difference being that they're informed, so say.
I'm happy to be convinced otherwise, but I can't see it from here. It's just replacing wettware with automation, and the fault is with disclosure and implied consent.
Edit: I can't say I like it so much though, because FRT throws more wobblers than the out of work operator probably would've.
Re: Alexa, please explain...
IANAL but...
> commissioner Kind found Bunnings could not "have reasonably believed that collecting, via the FRT system
... they were not "collecting" facial data. It was transient processing. Had they been storing everyone's likeness in a database, that would be collecting.
And
I don't know what the law is like in Oz, but here in the UK there's the "expectation of privacy" - if it's a busy public place, you have to expect to be seen and caught on camera.
Skulls
Here in the UK supermarkets are measuring skulls ("recognising faces") without a challenge.
Some shops even proudly display live feed of AI looking for nappers and if you have a green square around yours, then you are good.
While agreeing with the decision...
it is ironic whenever a serious offence is reported in a suburban street the police quickly appear to the surrounding householders for any footage from their security cameras which by implication must be capturing faces etc, vehicle number plates etc etc 24x7 almost always without any warning signage.
Ditto for vehicle dash cameras.
If Bunnings had a large graphic at their stores' entrances depicting a camera directed at face icon with:
" WARNING : Facial Recognition in Use! "
in large bold lettering I am fairly sure the commissioner and I would have been satisfied.
It would help if the camera and facial recognition system were a sealed unit into which only the banned individuals' facial parameters were loaded and when operating the only output was the banned individual's identity when recognised (in real time) so that it is immediately clear nothing apart from the uploaded parameters are ever stored in the recognition system.
The Hammerbarn enjoys ambivalent relationship with Australian consumers. The hardware merchant's near 400 stores means they are convenient but their near monopoly has meant that a fair proportion of their products are overpriced and of inferior quality - mostly sourced (but rebranded) from the PRC as one might have expected.
Generally, if you can be arsed, it is worthwhile seeking out one of the smaller retailers to source a branded alternative which while more expensive but of a better quality than the corresponding Hammerbarn branded offering but generally a little cheaper than the same branded item if Hammerbarn offers it.
Unfortunately most hardware including power tools is now considered by consumers to be disposable - used for the project in hand then binned. I would be surprised if anyone cleans paint brushes nowadays or sharpens or resets handsaws.
Cory Doctorow again I suppose.
Data is being collected for long enough to be processed. As a general member of the public entering the place I'd have wanted to know what was being done during that time and in particular, could it put be in the way of some sort of harm or disadvantage? What if it made a false identification of me? What would then happen?
If they tried to answer "nothing" I, and, presumably the court, wouldn't believe them because in that case there'd be not point in having the kit installed.
Yeah, the reaction to the automated system's output is significant. A sanity check would be necessary to avoid false positives having a negative impact on the innocent (in context!). An automated "call the po-po" would be bonkers. A security guard going in heavy handed would be nuts. If security were alerted to a potential positive ID, then they firstly went to passively ID the subject (ie. from a distance: "is that the ne'er-do-well?") or then escalated to direct interaction to confirm the subject's ID that shouldn't be a problem - given the correct handling.
Humans can make a misidentification to, for numerous reasons.
Cue anecdote!
I have a friend called (Regomized) Billy Arthur Warwick. A lovely hard-working and law abiding chap. Unfortunately for him, he has a half brother called Billy Warwick (yeah, the dad wasn't very creative when it came to names). This half brother was pretty much scum, a gangster wannabe undertaking lots and lots of petty crimes. I've lost count the number of times my friend got visits from the police for the other's doings. Once they were both picked up and in the back of the same police car on the way to the nick, regarding a stolen item. On the way to the cop shop, the item was spotted in the window of a pawn shop - everyone goes in to the shop and the proprietor IDs then naughty brother as the person selling the item. That saved my friend some cell time!
Irrelevant
" processed and deleted in 0.00417 seconds – less than the blink of an eye "
How long it took is completely irrelevant.
However, for the sake of argument: My phone can happily construct a FullHD full colour scene for a game fast enough to animate it all in real-time. Imagine doing that on a BBC Micro (or four our leftpondian friends, an Apple II).
Technology moves on, things get faster. Stuff that was thought impossible (like 1GBit direct to your home) is now the possible. So how fast that machine processed the images is not relevant. That it did, is.
Anyone know the specs/systems they used? Because, as I understood it, a lot of the privacy concerns were that Shane and Kylie could be accessing the unsecured video feeds and storage while snaffling sangas and xxxx at lunchtime.
Maybe now they could get back to looking at their website and "app". It's been so slow as to be unusable for several years now. Quicker to drive to Mitre10 and get something than search on the Bunnings site.