Hardware barn denies that .004 seconds of facial recognition violated privacy

Australian hardware chain Bunnings Warehouse will challenge a ruling by local regulators who found it violated shoppers' privacy by checking their identities with facial recognition tech. Australia's privacy commissioner Carly Kind on Tuesday found "Bunnings collected individuals' sensitive information without consent, failed …

  1. Phil Kingston

    Anyone know the specs/systems they used? Because, as I understood it, a lot of the privacy concerns were that Shane and Kylie could be accessing the unsecured video feeds and storage while snaffling sangas and xxxx at lunchtime.

    Maybe now they could get back to looking at their website and "app". It's been so slow as to be unusable for several years now. Quicker to drive to Mitre10 and get something than search on the Bunnings site.

  2. Filippo Silver badge

    It will only hurt for a moment

    A great excuse! Think of all the crimes it could be applied to. Can I electrocute you, but just for a moment? Is it okay for someone to cop a feel, if he's real quick about it? How about detonating a large firecracker in front of your house without warning, surely it's not a problem?

  3. Anonymous Coward

    Dumb argument

    So it only becomes facial recognition when your computer is slower? How much slower?

    1. John Brown (no body) Silver badge

      Re: Dumb argument

      To be fair, it sounds like it's only an issue because it's not been properly documented and customers not properly informed. The actual process, if as described in the article, actually sounds like the right way to do this sort of thing. Images are gathered, checked and immediately discarded in a way that it sounds like the data never goes into any form of permanent storage, only RAM. "Personal Information" is just that one facial image, not linked to names, addresses or any other PII that might identify who the person is and is immediately discarded such that there is no danger of it being misused. Unlike here in the UK where it seems to be ok for ANPR and Police to gather and keep images for as long as they like just in case the data might be useful later.

      1. OldSod

        Re: Dumb argument

        I'm privacy-minded, but I have trouble labeling the behavior (as described) as collecting anything. If I'm at the beach, looking for a particular kind of rock, I'm going to pick up a lot of rocks, examine them, and toss them away unless the rock is the one that I want. Did I "collect" all of the rocks I discarded because I held them briefly? I don't think so. I only "collected" the ones that I decided to keep.

        The store has a valid use case - keeping persons banned from the store from entering the store, or at least detecting when they have entered so as to be able to intercept them and escort them back out. Is the argument that the banned people need to be warned before their information is "collected" for the purpose of enforcing the ban? Do the banned people's right not to have their data collected supersede the store's right to enforce the ban?

        The main risk to the general public here that I see is false positives - people who haven't been banned from the store being incorrectly identified as being banned. Their data will be "collected", and they will face either an immediate action from store personnel intercepting them and escorting them out, or a delayed action from a claim that they violated their ban in some legal proceeding. I would focus on how strong the protections are in the system for people who are incorrectly identified as having been banned. Is their "collected" information quickly and thoroughly deleted completely from the system once it is recognized that it was a false positive or (better yet) if it can not be proven within a short period of time that it was a correct identification?

        1. Anonymous Coward

          Re: Dumb argument

          I would hope that if someone was flagged, a security guard would check the image to confirm it looked like the banned person before asking them to leave, and if it isn't them the image is deleted.

          I have to admit to having some skin in this game though. My teenage daughter works at Bunnings and any system that can reduce the number of arseholes she has to deal with is worth considering.

  4. Mentat74
    Trollface

    "less than the blink of an eye"

    This bullet will enter and leave your body in less than the blink of an eye...

    Mind if I fire this gun at you ?

    It will only hurt for a small fraction of time...

    1. Wang Cores

      Re: "less than the blink of an eye"

      Maybe this is my American showing, but yeah, same effect. You've committed to a damaging course of action on me with minimal provocation and without my consent. Shooting me may actually be more honest!

      1. david 12 Silver badge

        Hey, are you looking at me?

        If they take your image, they steal part of your soul. If you break the mirror, you get 7 years bad luck (until your soul heals again)

        And if there is an image analysis, it causes damage, in principle equivalent to being shot.

  5. This post has been deleted by its author

    1. Anonymous Coward Silver badge
      Unhappy

      Re: Alexa, please explain...

      IANAL but...

      > commissioner Kind found Bunnings could not "have reasonably believed that collecting, via the FRT system

      ... they were not "collecting" facial data. It was transient processing. Had they been storing everyone's likeness in a database, that would be collecting.

      And

      I don't know what the law is like in Oz, but here in the UK there's the "expectation of privacy" - if it's a busy public place, you have to expect to be seen and caught on camera.

      1. I ain't Spartacus Gold badge

        Re: Alexa, please explain...

        On reflection, I wonder if the collecting user data regards their actual rogues gallery? The article said that their CCTV was of good enough quality to give mugshots for future use - so possibly they'd built their list of barred customers from their own CCTV. Hence they might need permission - or at least to have signage granting them permission.

        It seems to me that the data commissioner has got it wrong here. The company seem to have behaved reasonably. They've built their list of barred users - which any company is allowed to use by just writing a list. They've automated it, but aren't keeping the photos of everyone else.

        You're not allowed to keep out-of-date or erroneous data on your systems, so I guess you could argue they should have some kind of regular review of their blacklist (rather than it being haphazard). But the law allows them to arbitrarily refuse custom to people, as long as that isn't done for the purposes of discrimination, so why can't they do it with face recognition?

        1. John Brown (no body) Silver badge

          Re: Alexa, please explain...

          "isn't done for the purposes of discrimination, so why can't they do it with face recognition?"

          I wonder if, somewhere in the background of this case, that discrimination is actually part of the problem here? It's well documented that many facial recognition systems have "issues" with non-white faces and AU has issues with local native inhabitants not being white and being more likely to be accused and convicted of crimes. Do we have any info on the "black list" (appropriate usage here? Dunno) composition and false positives/negatives behaviour of the system?

        2. JoeCool Silver badge

          Re: Alexa, please explain...

          "No Harm No Foul" is not an actual legal concept, at least where it comes to privacy and the breaking of those laws.

        3. Falmari Silver badge

          Re: Alexa, please explain...

          @I ain't Spartacus "It seems to me that the data commissioner has got it wrong here."

          It does, doesn't it. How is it any different from a human operator viewing the live CCTV feed for faces that match photos of barred individuals. Data capture is CCTV, the information being collected is the same, FR or human operator.

          What personal information is being captured and stored as an image for .004 seconds that is not being captured and stored on CCTV video for a lot longer?

          The FR processing is collecting no more personal information than CCTV has already collected

      2. The Indomitable Gall

        Re: Alexa, please explain...

        Which is all well and good, but it's not about whether capturing the personal data (your image) using a security camera is reasonable, but rather the processing of that data. In the UK, we have the GDPR that talks about processing of personal data, and I'm not personally sure where this sits in regards to that.

        If a security camera captures someone committing a crime, processing the images to identify the person is fair game, but is analysing everyone to verify they're not a known trouble-maker legitimate here...? This is stuff testing the borders of laws....

        1. John Brown (no body) Silver badge

          Re: Alexa, please explain...

          Under GDPR, collection of data has to be proportional and for specified purposes and then disposed of when no longer needed. I suspect GDPR would be fine with the system as described in the article if properly documented, the only bit that might lead to a judicial decision being whether processing images of all customers is proportional, which would probably be balanced by the fact they discard it immediately.

        2. The man with a spanner

          Re: Alexa, please explain...

          Ok, so it is fair game for a security camera to monitor for criminal activity. In doing so it must logically monitor the scene overall and identify NOT criminal activity. If monitoring to identify non-criminals and ne'er-do-wells is not permissible then the whole security monitoring business dies. This seems like an overreaction to me.

      3. Cynical Pie

        Re: Alexa, please explain...

        Au contraire. In the UK there may be the expectation that you will be caught on CCTV but the use of FRT without notification is a clear case of unauthorised processing, particularly by a private entity, and so whether it takes 0.004 of a second or 4000 seconds to process the image it's still unlawful.

        Also for the purposes of DP law the data is still 'collected' even if the whole lifecycle of the process from collection to disposal is a fraction of a second.

        Of course the easiest solution is proper signage but why would a multi million/billion AUS$ business bother with that as it will cost them to put the signs up and eat into their profit.

  6. elsergiovolador Silver badge

    Skulls

    Here in the UK supermarkets are measuring skulls ("recognising faces") without a challenge.

    Some shops even proudly display live feed of AI looking for nappers and if you have a green square around yours, then you are good.

  7. Bebu sa Ware
    Windows

    While agreeing with the decision...

    it is ironic whenever a serious offence is reported in a suburban street the police quickly appeal to the surrounding householders for any footage from their security cameras which by implication must be capturing faces etc, vehicle number plates etc etc 24x7 almost always without any warning signage.

    Ditto for vehicle dash cameras.

    If Bunnings had a large graphic at their stores' entrances depicting a camera directed at face icon with:

    "WARNING: Facial Recognition in Use!"

    in large bold lettering I am fairly sure the commissioner and I would have been satisfied.

    It would help if the camera and facial recognition system were a sealed unit into which only the banned individuals' facial parameters were loaded and when operating the only output was the banned individual's identity when recognised (in real time) so that it is immediately clear nothing apart from the uploaded parameters are ever stored in the recognition system.

    The Hammerbarn enjoys an ambivalent relationship with Australian consumers. The hardware merchant's near 400 stores means they are convenient but their near monopoly has meant that a fair proportion of their products are overpriced and of inferior quality - mostly sourced (but rebranded) from the PRC as one might have expected.

    Generally, if you can be arsed, it is worthwhile seeking out one of the smaller retailers to source a branded alternative which while more expensive but of a better quality than the corresponding Hammerbarn branded offering but generally a little cheaper than the same branded item if Hammerbarn offers it.

    Unfortunately most hardware including power tools is now considered by consumers to be disposable - used for the project in hand then binned. I would be surprised if anyone cleans paint brushes nowadays or sharpens or resets handsaws.

    Cory Doctorow again I suppose.

  8. Doctor Syntax Silver badge

    Data is being collected for long enough to be processed. As a general member of the public entering the place I'd have wanted to know what was being done during that time and in particular, could it put me in the way of some sort of harm or disadvantage? What if it made a false identification of me? What would then happen?

    If they tried to answer "nothing" I, and, presumably the court, wouldn't believe them because in that case there'd be no point in having the kit installed.

    1. This post has been deleted by its author

      1. Anonymous Coward Silver badge
        Big Brother

        Most likely the security would just pay more attention to that individual, so when they put something in a pocket rather than a trolley it is noticed and THAT can be acted upon. They do that with known shoplifters anyway, so having a system to highlight potential offenders is likely to save some effort and reduce wasted time.

        1. This post has been deleted by its author

        2. The Indomitable Gall

          Most likely you have never heard the phrase "computer says no".

          Here, the Hammerbarn are trying to identify people who have been banned from their shops. Even if it's not an issue now, there will absolutely come a time when the security are confident enough in it that they'll assume it correct by default.

          Now, note that I said "Even if it's not an issue now", because... well why did the authorities start investigating? There is nothing in the story to tell us why, but presumably someone complained, but simply hadn't tweeted about it or spoken to local papers.

          We can only speculate about what happened, but I personally think it's a reasonable assumption that a customer was stopped by a security guard and would have been expected to provide proof that he wasn't the person the computer thought he was. i.e. he would have had to provide sensitive personal information to even just go in and buy a roll of masking tape, which doesn't really seem particularly fair, because no-one else does. If I have to prove I'm not someone who bears a passing resemblance to me, that's basically presumed guilty until proven innocent.

          People may talk harsh about public bodies sticking their noses in where it's not necessary, but public bodies generally don't do anything until and unless asked to. We don't know what the complaint was, and I think my speculation probably describes a likely scenario that is definitely far from the worst case scenario. The fact that the authorities didn't give out details shows that they consider the complainant's data protection rights to be important -- more so than the retailer does!

          But on a tangent... we are, as a culture, too quick to judge people who make decisions we do not immediately agree with. As a result, we're developing a situation where people are more and more having to justify their stance, and while that sounds good in theory, when we start having to publish the public complaints that started it off, we're only going to start discouraging the complaints in the first place.

        3. John Brown (no body) Silver badge

          "having a system to highlight potential offenders "

          FTFY. "potential" offenders are not offenders and must be presumed innocent and therefore NOT in the database.

  9. heyrick Silver badge

    Irrelevant

    "processed and deleted in 0.00417 seconds – less than the blink of an eye"

    How long it took is completely irrelevant.

    However, for the sake of argument: My phone can happily construct a FullHD full colour scene for a game fast enough to animate it all in real-time. Imagine doing that on a BBC Micro (or for our leftpondian friends, an Apple II).

    Technology moves on, things get faster. Stuff that was thought impossible (like 1GBit direct to your home) is now the possible. So how fast that machine processed the images is not relevant. That it did, is.

  10. Winkypop Silver badge
    Devil

    Cathedral of hardware

    Most Aussies visit Bunnings more often than they go to church (citation needed, but I’m pretty confident that it’s true)

    The smell of snags and onions, the rows and rows of hardware goodness………., anyway I digress.

    They can shove their Facial Recognition up their plumbing section.

  11. Nerf Herder

    Where are all the downvotes coming from? Who is actually in favour of ubiquitous facial recognition technology (being used on them, of course, as well as everyone else)?

    1. heyrick Silver badge

      This is a world where facts are optional and a lot of unpleasant crazies are crawling out of the woodwork and running countries.

      A few incomprehensible downvotes are the least of our worries...

  12. Snowy Silver badge
    Coat

    Punishment

    From what I can see their punishment was little more than do not do it again. I am somewhat puzzled why they are appealing against it given they said they would not do it again anyway.

  13. Randesigner

    Many US retailers do this

    It's legal here to monitor communications of law enforcement. I've heard of reports of Home Depot recognizing known shoplifters entering their stores and calling the cops. I can only imagine that they are using facial recognition to sort through the thousands of people entering their stores daily. I haven't read their un-privacy policy, but I suspect it's allowed.

    1. Anonymous Coward

      Re: Many US retailers do this

      Yeah, but US is like the Wild West. Particularly now that the Wild West is in charge of the whole US. Of course, it's impossible to come to any logical decisions when the Wild West is actually geographically in the middle of the country and simultaneously pretty far right, but west is on the left of a map...

  14. Hazmoid

    Hammerbarn is go

    I'm a bit biased here having had a son working in retail who was abused and told to F off when he asked the customer to pay for the stuff loaded in their trolley.

    Based on the video shown on the news last night in relation to this story (various scum attacking staff and customers), I feel that Bunnings' duty of care to their customers and staff overrides any qualms I have about my face being recognised. I think the area they fell down on was not having signs up saying that you agree to be filmed on entering the premises. Having set up surveillance systems for a number of clients, I'm sure that having FR would be a boon as in most security systems, the video is stored and re-visited after the event.

    If this prevents someone with a known proclivity for theft and violence from entering a store, myself as a customer welcome it. It saves me money (not having to pay more to allow for "leakage") and prevents me being placed in a situation where I may be injured.

    https://7news.com.au/news/bunnings-shares-cctv-of-attacks-on-staff-after-facial-recognition-cameras-breached-privacy-c-16802827

    1. This post has been deleted by its author
