A recent report by the Australian consumer organisation Choice has identified that a number of retail companies have begun using facial recognition software in their stores, with both minimal consent notices and an unclear purpose. A link to the article is here:
This article has generated a lot of discussion, but two broad themes of responses have dominated over the last few days:
- Heightened alarm that facial recognition is being used by commercial organisations, and that so little is known about their short- and long-term planned use and, as importantly, the storage of the data harvested.
- On the other hand, some have responded in a relatively “benign” way, with comments such as, “Well, if I haven’t been shop-lifting, what have I got to worry about?”.
I consider myself very firmly in the first camp!
As someone who works in information technology with a strong concern for security, I think the biggest issue with the increasing use of this technology is the management of the data. Consider a closely related realm, privacy legislation and regulation: it was only when this was introduced over recent years that organisations were forced to consider how they should handle, and more importantly could handle, people’s private information. Depending on the jurisdiction, they were often required to institute processes and procedures to allow people to, for example:
- Obtain a complete view of all data held about them by that organisation, or
- If appropriate, request the complete deletion of all data held about them by that organisation.
When we talk about facial recognition, we might initially think in images, but the data associated with facial recognition is simply bits and bytes, and the trail of events and times retained by organisations using it is as invasive and sensitive as any data about you. When it is collected simply as a result of you entering a retail premises, with no more than an inconspicuous and far from clear sign at the front of the store saying it might happen, I certainly don’t consider that explicit consent.
I am also critically aware of how careless some organisations can be with data. Most will protest that their data is stored in Provider X’s exceptionally secure cloud storage. It’s a shame the developer building the software that maintains that data forgot Step 49 of 51 in his development plan, and didn’t change the anonymous access to the dev database (initially set up to make development easier) to the secured access required in production when the application went live, isn’t it?
It only means that the database in which the facial recognition images, data and events are stored can be accessed by … anyone, or at least anyone with a modicum of patience.
Now that is a fictitious example, but loosely based on mistakes I’ve seen in my many years in the industry, so I’m certainly not accusing any of the retail organisations who have been identified as using facial recognition of being lax with their data security – simply highlighting how exceptionally important it is.
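As an added illustration (not from the original post), here is the kind of small pre-release check that would have caught the forgotten step above: it refuses a production deployment whose storage configuration still carries development-time conveniences such as anonymous access. The configuration keys, the two sample configurations and the retention limit are constructed for this example, not taken from any real product.

```python
# Hypothetical release gate for a store that holds facial recognition data.
# Development-time settings (anonymous access, no TLS, public reachability,
# unbounded retention) are tolerated in non-production environments but
# must all have been replaced before the configuration is allowed to ship.

MAX_RETENTION_DAYS = 30  # constructed limit; a real policy sets its own

ACCEPTED_AUTH_MODES = ("password", "certificate", "managed_identity")


def audit_storage_config(config: dict, environment: str) -> list[str]:
    """Return a list of findings; an empty list means the config is acceptable."""
    findings: list[str] = []
    if environment != "production":
        return findings  # conveniences are acceptable in dev/test

    auth_mode = config.get("auth_mode", "anonymous")  # missing key == anonymous
    if auth_mode not in ACCEPTED_AUTH_MODES:
        findings.append(f"auth_mode '{auth_mode}' permits anonymous access")
    if not config.get("tls_required", False):
        findings.append("tls_required is not set; data travels unencrypted")
    if config.get("network_access", "public") == "public":
        findings.append("database is reachable from public networks")
    retention = config.get("retention_days")
    if retention is None or retention > MAX_RETENTION_DAYS:
        findings.append(f"retention_days must be set and at most {MAX_RETENTION_DAYS}")
    return findings


def release_gate(config: dict, environment: str) -> tuple[bool, list[str]]:
    """True when the deployment may proceed, plus the findings that blocked it."""
    findings = audit_storage_config(config, environment)
    return (len(findings) == 0, findings)


# Constructed sample configurations: the dev database as left at step 48,
# and what step 49 should have turned it into.
DEV_CONFIG = {"auth_mode": "anonymous", "tls_required": False,
              "network_access": "public", "retention_days": None}
PROD_CONFIG = {"auth_mode": "managed_identity", "tls_required": True,
               "network_access": "private", "retention_days": 30}

if __name__ == "__main__":
    for name, cfg in (("dev-as-shipped", DEV_CONFIG), ("hardened", PROD_CONFIG)):
        allowed, findings = release_gate(cfg, "production")
        print(name, "ALLOWED" if allowed else "BLOCKED", findings)
```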
And unless there is either legislation or regulation compelling organisations to meet standards for
- Data security,
- Constraints on the specific and acceptable (single) purpose for which the facial recognition data can be used,
- Aggressive limits on data retention,
- Provisions for access by the individuals who are the subjects of the recognition – in line with other data privacy regulation,
… then the proliferation of this technology is a significant step backwards for our privacy.