Australian Privacy Commissioner Says 7-Eleven Broke Privacy Laws By Scanning Customers' Faces At Survey Kiosks

from the small-privacy-breach-with-larger-repercussions dept

Of all the places to come across illegal facial recognition tech deployment, a convenience store chain is certainly one of the strangest. The tech wasn’t deployed to stop shoplifting or keep unwanted people off the premises. Instead, somewhat ironically, it was deployed to help 7-Eleven convenience stores quantify how well it was doing in the customer service department.

Here’s Campbell Kawn for ZDNet (via Slashdot):

In Australia, the country’s information commissioner has found that 7-Eleven breached customers’ privacy by collecting their sensitive biometric information without adequate notice or consent.

From June 2020 to August 2021, 7-Eleven conducted surveys that required customers to fill out information on tablets with built-in cameras. These tablets, which were installed in 700 stores, captured customers’ facial images at two points during the survey-taking process — when the individual first engaged with the tablet, and after they completed the survey.

After becoming aware of this activity in July last year, the Office of the Australian Information Commissioner (OAIC) commenced an investigation into 7-Eleven’s survey.

The investigation [PDF] says 7-Eleven handled pretty much everything about this badly. It also shows the company tried to distance itself from its own tablet-based survey by blaming the third-party vendor handling the survey on its behalf.

The facial images were collected twice during the survey and stored locally on the tablets for about 20 seconds. After that, they went to the third party’s servers, where they were processed and converted into an algorithmic representation of the face. The original images were then deleted from the device used to perform the survey.

These “representations” were then used to check for matches on other surveys. This was done to detect any potential gaming of the system by individuals repeatedly performing surveys and to make guesses about the age and gender of survey takers. All of that data was deleted after seven days. In total, 1.6 million surveys were performed.

7-Eleven argued this was not a violation of Australian law because the images were not used to identify, track, or monitor respondents. It also said it had no access to facial images on the local device, nor any access to images once they had been moved to the third party servers.

Wrong, says the information commissioner. The problem isn’t how the collected information was handled. The problem is how it was collected. 7-Eleven needed consent from survey takers and didn’t get it. The commissioner found “no evidence” individuals “expressly” agreed to have their biometric information collected by 7-Eleven.

7-Eleven argued it did get at least implied consent. As evidence of this it offered the blanket notice displayed in front of all stores:

Site is under constant video surveillance.

By entering the store you consent to facial recognition cameras capturing and storing your image.

It also pointed to its privacy policy on its website — something survey takers weren’t presented with when taking surveys.

7-Eleven may also collect photographic or biometric information from users of our 7-Eleven App and visitors to our stores, again, where you have provided your consent. 7-Eleven collects and holds such information for the purposes of identity verification.

None of this is sufficient, says the commissioner.

Consent may not be implied if an individual’s consent is ambiguous or there is reasonable doubt about the individual’s intention. While I accept that use of the tablet was voluntary, I am not satisfied that the act of using the tablet unambiguously indicated an individual’s agreement to collect their facial image and faceprint, in circumstances where:

There was no information provided on or in the vicinity of the tablet, or during the process of completing the survey, about the respondent’s collection of facial images and faceprints.

The Store Notices were unclear, and, given the prevalence of these kind of notices in stores and public places, may have created an impression that the respondent captured customers’ images using a facial recognition CCTV camera as part of surveillance of the store.

The respondent’s Privacy Policy did not link the collection of photographic or biometric information to the use of in-store ‘feedback kiosks’.

Non-specific blanket statements about possible collections are not the same thing as informing survey takers prior to taking a survey that their biometric information will definitely be collected if they fill out a survey.

That’s some lawbreaking right there. The company that processed the facial images on behalf of 7-Eleven is ordered to destroy all faceprints collected by this survey. It’s also forbidden from engaging in this sort of thing again without securing explicit permission from clients’ customers. How much of a deterrent this is remains to be seen since the third party already declared all facial recognition data was deleted seven days after it was collected and processed.

The greater benefit of a ruling like this — especially one that deals with information gathered irresponsibly but apparently handled with more care once it was harvested — is the official reminder it sends to all Australian entities that may currently believe a link to a privacy policy buried on the bottom of a corporation’s website home page is all that’s needed to obtain “consent” for collection of personal info.

Filed Under: , , ,
Companies: 7-eleven

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Australian Privacy Commissioner Says 7-Eleven Broke Privacy Laws By Scanning Customers' Faces At Survey Kiosks”

Subscribe: RSS Leave a comment
8 Comments
PaulTsays:

"This was done to detect any potential gaming of the system by individuals repeatedly performing surveys and to make guesses about the age and gender of survey takers"

Truly bizarre. I can understand why they want to remove repeat users, but why were people using them in the first place? I’d imagine that they were directed to use them by staff, who would surely be able to recognise if people were coming back regularly enough to skew the survey. Then, I’m sure that there must be some standard statistical methods to account for this with paper surveys that would be applicable here.

Then, having a system try to guess demographics rather than relying on self-reporting? Maybe some people would lie, but surely the vast majority of people will just volunteer that information if they’re already willing to fill in a random survey. There’s no value to them personally by lying, and I’m not sure if the percentage of users who might deliberately lie would be offset by the error rate inherent in guesswork based on facial recognition in its current state, especially among minority populations among whom facial recognition is already highly suspect.

Other than "ooh new toys", I don’t see the value in implementing this, although I can certainly understand why people accepting such tech for security purposes would object to its use for something as trivial as a survey.

"
The greater benefit of a ruling like this — especially one that deals with information gathered irresponsibly but apparently handled with more care once it was harvested — is the official reminder it sends to all Australian entities that may currently believe a link to a privacy policy buried on the bottom of a corporation’s website home page is all that’s needed to obtain "consent" for collection of personal info."

Yeah… if a physical store is doing something that requires you to go online and read a legal document for you to understand what they’re doing while you’re there, that’s incredibly suspect. EULAs are bad enough when you’re accessing a specific website, let alone if you’re expected to understand them in order to pop in and grab a can of Coke on your way somewhere.

Anonymoussays:

I’d imagine that they were directed to use them by staff, who would surely be able to recognize if people were coming back regularly enough to skew the survey.

And I, in turn, imagine that 7-11 staff are neither part of a hive mind nor permanently on duty. (Though the thought of an Emergency Holographic Cashier ("What is the nature of your purchasing emergency?") amusing.) I’ve no idea how many visits might be required to skew stats, but coming in three times during a week, to each of 10 different 7-11s might be a start.

More, I can’t see why anyone would care enough to skew the survey results. Unless they were a disgruntled former employee.

PaulTsays:

Re:

"I’ve no idea how many visits might be required to skew stats, but coming in three times during a week, to each of 10 different 7-11s might be a start."

Given that 1.6 million surveys were performed, I’d imagine that if someone was determined to try and skew the results they would be noticed.

"More, I can’t see why anyone would care enough to skew the survey results. Unless they were a disgruntled former employee."

I’d imagine competitor more than that, but I certainly don’t see anything that wouldn’t have been accounted for by pre-facial recognition surveys.

Anonymoussays:

The company that processed the facial images on behalf of 7-Eleven is ordered to destroy all faceprints collected by this survey.

It is useful to report WHERE these faceprints are, given that "they were destroyed after 7 days"…

  1. I have taken account of the respondent’s submissions that facial images are stored
    for 20 seconds on tablets before being transferred to the Server and that facial images are
    stored on the Server for only 7 days. As more than 7 days have passed since the
    respondent ceased collecting these images, I am satisfied that the respondent no longer
    holds any facial images collected by the Facial Recognition Tool. Accordingly, I do not
    need to make a declaration that those images are deleted.

  2. While acknowledging these proactive steps, I remain concerned that faceprints
    collected by the Facial Recognition Tool in breach of APPs 3.3 and 5, have not been
    deleted. I am not satisfied that de-identification is a viable step in the circumstances,
    noting that the purpose of the Facial Recognition Tool is to enable automated biometric
    identification of individuals.

And the WHY:

… However, given the respondent did not make any submissions in
relation to the draft declaration requiring it to destroy faceprints, there is insufficient
evidence before me to be satisfied that the faceprints have been irretrievably destroyed,
or if this is not possible, put beyond use.

In other words, 7-Eleven didn’t fill in a particular box.

Anonymoussays:

The company that processed the facial images on behalf of 7-Eleven is ordered to destroy all faceprints collected by this survey.

It is useful to report WHERE these faceprints are, given that "they were destroyed after 7 days"…

  1. I have taken account of the respondent’s submissions that facial images are stored
    for 20 seconds on tablets before being transferred to the Server and that facial images are
    stored on the Server for only 7 days. As more than 7 days have passed since the
    respondent ceased collecting these images, I am satisfied that the respondent no longer
    holds any facial images collected by the Facial Recognition Tool. Accordingly, I do not
    need to make a declaration that those images are deleted.

  2. While acknowledging these proactive steps, I remain concerned that faceprints
    collected by the Facial Recognition Tool in breach of APPs 3.3 and 5, have not been
    deleted. I am not satisfied that de-identification is a viable step in the circumstances,
    noting that the purpose of the Facial Recognition Tool is to enable automated biometric
    identification of individuals.

And the WHY:

… However, given the respondent did not make any submissions in
relation to the draft declaration requiring it to destroy faceprints, there is insufficient
evidence before me to be satisfied that the faceprints have been irretrievably destroyed,
or if this is not possible, put beyond use.

In other words, 7-Eleven didn’t fill in a particular box.

Anonymoussays:

This reeks of the government thinking they are entitled to a monopoly on the sketchy collection of this type of data. Will Australian police and intelligence be alerting people and asking their consent to obtain biometric data too?

I looked it up. You will not be surprised by the answer:

SYDNEY, Sept 16 (Reuters) – Australia’s two most populous states are trialling facial recognition software that lets police check people are home during COVID-19 quarantine

My main concern with 7-11 or any other private business utilizing facial recognition technology is that their database will fall into the government’s hands where the real violations of your privacy/rights will occur.

PaulTsays:

Re:

"I’ve no idea how many visits might be required to skew stats, but coming in three times during a week, to each of 10 different 7-11s might be a start."

Given that 1.6 million surveys were performed, I’d imagine that if someone was determined to try and skew the results they would be noticed.

"More, I can’t see why anyone would care enough to skew the survey results. Unless they were a disgruntled former employee."

I’d imagine competitor more than that, but I certainly don’t see anything that wouldn’t have been accounted for by pre-facial recognition surveys.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...
Loading...
Older Stuff
13:40 It's Great That Winnie The Pooh Is In The Public Domain; But He Should Have Been Free In 1982 (Or Earlier) (35)
12:06 Norton 360 Now Comes With Crypto Mining Capabilities And Sketchy Removal Process (28)
10:45 Chinese Government Dragnet Now Folding In American Social Media Platforms To Silence Dissent (14)
10:40 Daily Deal: The 2022 Ultimate Cybersecurity Analyst Preparation Bundle (0)
09:29 A Fight Between Facebook And The British Medical Journal Highlights The Difficulty Of Moderating 'Medical Misinformation' (9)
06:29 Court Ruling Paves The Way For Better, More Reliable Wi-Fi (4)
20:12 Eighth Circuit (Again) Says There's Nothing Wrong With Detaining Innocent Minors At Gunpoint (15)
15:48 China's Regulatory War On Its Gaming Industry Racks Up 14k Casualties (10)
13:31 Chinese Government Fines Local Car Dealerships For Surveilling While Not Being The Government (5)
12:08 Eric Clapton Pretends To Regret The Decision To Sue Random German Woman Who Listed A Bootleg Of One Of His CDs On Ebay (29)
10:44 ICE Is So Toxic That The DHS's Investigative Wing Is Asking To Be Completely Separated From It (29)
10:39 Daily Deal: The 2022 Complete Raspberry Pi And Arduino Developer Bundle (0)
09:31 Google Blocked An Article About Police From The Intercept... Because The Title Included A Phrase That Was Also A Movie Title (24)
06:22 Wireless Carriers Balk At FAA Demand For 5G Deployment Delays Amid Shaky Safety Concerns (16)
19:53 Tenth Circuit Denies Qualified Immunity To Social Worker Who Fabricated A Mother's Confession Of Child Abuse (35)
15:39 Sci-Hub's Creator Thinks Academic Publishers, Not Her Site, Are The Real Threat To Science, And Says: 'Any Law Against Knowledge Is Fundamentally Unjust' (34)
13:32 Federal Court Tells Proud Boys Defendants That Raiding The Capitol Building Isn't Covered By The First Amendment (25)
12:14 US Courts Realizing They Have A Judge Alan Albright Sized Problem In Waco (17)
10:44 Boston Police Department Used Forfeiture Funds To Hide Purchase Of Surveillance Tech From City Reps (16)
10:39 Daily Deal: The Ultimate Microsoft Excel Training Bundle (0)
09:20 NY Senator Proposes Ridiculously Unconstitutional Social Media Law That Is The Mirror Opposite Of Equally Unconstitutional Laws In Florida & Texas (25)
06:12 Telecom Monopolies Are Exploiting Crappy U.S. Broadband Maps To Block Community Broadband Grant Requests (7)
12:00 Funniest/Most Insightful Comments Of 2021 At Techdirt (17)
10:00 Gaming Like It's 1926: Join The Fourth Annual Public Domain Game Jam (6)
09:00 New Year's Message: The Arc Of The Moral Universe Is A Twisty Path (33)
19:39 DHS, ICE Begin Body Camera Pilot Program With Surprisingly Good Policies In Place (7)
15:29 Remembering Techdirt Contributors Sherwin And Elliot (1)
13:32 DC Metro PD's Powerful Review Panel Keeps Giving Bad Cops Their Jobs Back (6)
12:11 Missouri Governor Still Expects Journalists To Be Prosecuted For Showing How His Admin Leaked Teacher Social Security Numbers (39)
10:48 Oversight Board Overturning Instagram Takedown Of Ayahuasca Post Demonstrates The Impossibility Of Content Moderation (10)
More arrow
This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it