A million Australian pubgoers wake up to find personal info listed on leak site Over a million records describing Australians who visited local pubs and clubs have apparently been posted online. An anonymously published leak site claims the records came from a tech services company called Outabox. The leak site, which The Register has visited but will not name or link to for legal reasons, offers a …
So, one step further down the road to biometrics being used for the most mundane things.
Why does a club require you to give up your face to some datacenter that gives no guarantee that it knows how to manage that data securely and is not under legal obligation to do so ?
The sooner we treat biometrics with the same level of care and security that we treat financial data, the better.
Banks are under serious obligations to have the right to handle our money. Firms using biometrics should be as well, because I can't change my face if you foul up.
Because that information is valuable. It isn't as though a system that NFC built into all smartphones would be expensive to implement. Just pull up the wallet app on your and hold it to a scanner when you walk in and it could identify you as a member, without having to provide any personal information other than what they might collect at signup like your name and age (to prove you're old enough to drink) and maybe a credit card number if there is billing involved for membership.
The reason they implement it with facial recognition that is undoubtedly much more expensive is because then it can gather a lot more information. Not just when you enter, but when you leave, how much you spend etc. That's really valuable if either the place you frequent wants to send you offers or other places want to advertise your way. Ideally from the pub owner's perspective the service would be "free" to them, with the profit made by the sale of all the personal info on your customers you allow them to collect!
If you read the article, you might also have spotted the point that some of these clubs are set up to cater to military vets, and offer discounts to the same. So before offering you half off on your drinks, the business should verify that you actually served.
Still doesn't explain why they would keep the license or such on hand afterwards, but I do understand why they would need this information (providing it should be voluntary, obviously - you might well think that your privacy isn't worth the discount even if you *are* a vet).
"Because that information is valuable."
Those who thought it was are now discovering that the correct word is "toxic".
This is why Europe has customer protection protection regulations some commentard recently described as "Stalinist". This is what happens when you don't have them or don't follow them.
Because one can't claim copyright on facts, like that they have two kids, own their own home, have a below average credit rating, set chocolate chip cookies and four two liter bottles of Pepsi as a weekly subscription on Amazon, and went on a Disney cruise in January.
Copyright requires creation of an original work, and that original work be fixed in a particular medium. You'd have better luck copyrighting some weird name you give your kid so you can make him the only one who has it than you would copyrighting the type of information that companies collect and sell about you.
Hang on, let me try again on this angle.
What about selling the "data" without a license ?
Surely selling personal data without asking, is selling data without a license.?
The binary for MS SQL server is a fact, its just numbers, just like personal data like a birthday...
Where's the law that says you need a "license" to sell my birthday or yearly income to another company? Who issues that license, and how do you apply?
You're just making stuff up now.
I'm not defending sale of personal data, I wish there was a law against it. But in the US at least, there is not.
What private information "belongs" to a person? Do I own the number that represents my taxable income for 2023? Do I own the number of children I have, or my birthdate?
You can't own facts. That's why laws are needed if you want to control what facts that a company has learned about you (or you have provided to them, willingly or not) is allowed to sell or give to others.
As shown by this Australian Information Commissioner Privacy Case in 2011....
https://www.austlii.edu.au/cgi-bin/viewdoc/au/cases/cth/AICmrCN/2011/2.html?context=1;query=registered%20club;mask_path=au/cases/cth/AICmrCN
The complainant alleged that a registered club interfered with their privacy by scanning their driver licence and, in doing so, recording unnecessary information. The complainant conceded that the club was required to collect their name, address and signature. However, the complainant considered the collection of the other information on the licence, including their date of birth, driver’s licence number, driver’s licence type and photograph to be unnecessary.
The complainant also raised concerns that the registered club ’s notice and security procedures were insufficient.
"The leak site further alleges that Outabox didn't pay its outsourced contractors.
1 : Is there any evidence to suggest that Outabox were ever anything but a bunch of cowboys.
2 : What advantage does facial recognition actually offer, other than being more expensive and far more intrusive.
3 : That sounds like an awful lot of data required just to enter a club.
About 30 years ago I used to go out underage drinking with friends (in the UK, not Australia). There was a club where they had an unwritten rule that they'd allow slightly underage people in, on the proviso that they signed up for "membership". Membership in this case was free, and they *posted* you physical vouchers every few months with drinks offers. These were valuable because as a teenager you didn't typically earn much money - if any at all.
Of course the reason they did that was because that way they had your address. Where you lived with your parents. So the chances of people causing fights or doing anything too stupid was reduced. It did actually work.
At the time some people questioned how legit this was and even whether it was legal. Well of course it wasn't because they were serving underage drinkers but nobody back then really cared. The greater good was that it reduced problems in the town.
I think this is more sinister though. It's blatantly holding way more data than is really necessary for any reasonable purpose. The question shouldn't just be about how or why the data was leaked, but WTF it was really being stored and used for in the first place.
Pint icon, for obvious reasons.
In UK, decades ago, when I was underage drinking, and no ID needed, seemed to be a pub per town where "blind eye" was turned (so long as you were not obviously taking the mickey age wise with your appearance ).
So long as there was no trouble, everyone was happy, local police were aware (back in the days when local police stations still existed in many places, in this case was about 200 m away from the "underage pub")
Sensible behaviour was essentially self policed, underage drinkers knew to behave to keep the privilege going & other pubs did not have to worry about age of punters.
.. Nowadays, it is fake IDs instead - benefits the pubs / clubs as so long as they ID check (seemingly no matter how poor the fake ID!) they can tick their no U18s box, but means "underage" drinkers spread around more venues & that "self policing" ethos is gone..
Demanding that everyone collect data on everyone, all the time, everywhere so glorious leaders can monitor them at the click of a mouse is just a trainwreck in practice.
All you should need to enter these places is a membership card, shown to someone on the door. No need to record it. Strewth, lose the fascist overreach, mate.
As to what Australians do in drinking establishments, I think we can all hazard a guess without visiting sites that we cannot be told about, being mere children, protected by our political elite from knowledge harms.
The Stasi would die from wet dream pleasure overload at the amount of people who willingly sign up to be tracked.
Every government in the world that has not put strict consumer data protection in place is laughing their ass off all the way to the bank.
Over New Year, 2024, was in Canberra visiting family. The hotel breakfast room was hosted in the restaurant of the attached club. Did not need to register for that brekky, but walked past where one does register for public entrance.
Registration program had crashed on registration terminal. Showing Windows 7 desktop. Was able to use touchscreen to bring up Command prompt and verified that I was indeed local Administrator and there were networked drives. Could even start PINGging to my hearts content. Also, the desktop was like that for the better part of two hours.
I declined to go there at the end of the day for a cleansing or two, because I saw that security of my PII was going to be lax to non existent. No photocopy of my passport was going to them.
Also, security codes, phone numbers, security safe words and delivery times were clearly pinned up on reception desk of the club. (Patron reception desk, where one enters the club, not even administrative reception).
Always disliked the whole sign in process for clubs in Australia, typically I'd just give them rubbish info if it was a written entry form, don't like them scanning my drivers license. Had no idea it was to do with some sort of legislation and discounts. Surely the requirement needs to be re-investigated to see if it is adding any value.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
