Retailers Are Rapidly Scaling Surveillance of Australian Consumers — Why This Is a Red Flag – Source: www.techrepublic.com

IT professionals across sectors that interact with consumers, and retail in particular, need to make themselves aware of the implications of surveillance capitalism because, while there are many legitimate uses that surveillance is being used for, there’s also the concern that poor data shepherding processes could lead to inadvertent misuse by third parties.

At a time when Australians are more sensitive to the use of their data than ever, this carries with it a real reputational and potential regulatory risk to businesses. Essentially, consumers expect to be able to trust what businesses are doing to safeguard the data they’re collecting from Australian consumers.

Businesses will naturally want to do what they can to prevent shoplifting. However, this enthusiasm for monitoring consumers is going to face a backlash, which more businesses across the country should consider when rolling out these solutions.

Jump to:

• Is surveillance necessary? Australian supermarkets battling shoplifting despite growing profits
• Where this surveillance technology comes from
• The potential for surveillance tech to go off-scope
• The need to improve governance strategies while Australian data regulation catches up

Is surveillance necessary? Australian supermarkets battling shoplifting despite growing profits

One recent example of these surveillance trends in action is a recent report highlighting that one of the two major Australian supermarket chains, Woolworths, has 62 CCTV cameras throughout the store.

SEE: Data privacy concerns from consumers aren’t new.

Meanwhile, Coles — despite posting increased profits of 4.8%, or AU $1.09 billion (US $700 million) — saw an increase in shoplifting so significant that the company feels the need to greatly accelerate its own surveillance strategy. Just days ago, the company announced it was “aggressively” rolling out new technology that tracks a shopper’s every movement in-store.

This is a growing concern in Australia among those sensitive to their privacy, given that people do need food to live, and the two supermarket chains enjoy an effective monopoly, meaning that few have any choice but to submit to the surveillance.

“Once you start using CCTV or any sort of imaging, they’ve got the raw data from which various biometric mechanisms might be applied,” said Chair of the Australian Privacy Foundation David Vaile. “It’s not just facial recognition or iris recognition; it could be gait recognition or voice, depending on what the sensor is picking up.

“You don’t get to know what a company is doing, so you can’t even decide if you don’t want to be paranoid.”

IT’s role in surveillance

The lack of transparency on consumer data use brings up questions about whether the IT professionals setting up these solutions at Coles, Woolworths and any other retailer are doing their due diligence in ensuring the solutions are installed ethically.

SEE: Learn how to protect and secure your data.

There are broad risks that surveillance solutions can cause trouble for users above and beyond the question of privacy, including:

• Risk of discrimination: The pervasive monitoring could enable exploitative and potentially discriminatory practices, resulting in the business gaining a negative reputation among customers (and potentially exposing itself to legal risk should the discriminatory behaviour result in a negative outcome to a customer).
• Negative impact on behaviour: Monitoring customers could possibly make them more likely to break rules. For instance, a study about employee monitoring found that “monitored employees were found to be substantially more likely to take unapproved actions, disregard instructions, damage workplace property, steal equipment and purposefully work at a slow pace.”

These are all situations that any team tasked with rolling out surveillance solutions needs to be prepared for.

Where this surveillance technology comes from

The single largest concern with surveillance that needs to be built into any system is the way the data will be used. Supermarkets and other retail outlets, including petrol stations, pharmacies and more, use a blend of technologies in their surveillance.

One of the core underpinning solutions — and a significant reason why people have concerns with the kinds of companies involved in surveillance — is a New Zealand-based firm called Auror that works with 40% of Australia’s retail market.

Its core capabilities include the ability to use machine learning to identify shoplifters and other thieves before sending alerts to shop managers. It doesn’t matter if the individual has shoplifted at this specific store, because Auror’s tracking capabilities come from a deep, centralised database of images and profile information.

If this sounds rather militant, it’s because it is. Auror works closely with police forces, and its website content includes articles that highlight how the military’s approach to data supports the approach that Auror takes. It is just one example of why privacy rights advocates are increasingly concerned with what the customer’s data is being used for.

Taking steps to prevent shoplifting by capturing on-camera attempts to do so is one thing. Feeding that data into giant algorithms that are operated by third parties — with no ability for the consumer to opt out or even be aware of where their data is ending up — is quite another. It’s something that may start to expose a company to risk as regulation in Australia starts to catch up.

The potential for surveillance tech to go off-scope

Another concern for those setting up surveillance strategies for their businesses is the potential for the data use for surveillance purposes to go off-scope. While consumers may be fine with retailers using surveillance as a countermeasure for shoplifting, they may not be so keen on the idea of it being used for marketing or to derive behavioural analytics, as some propose.

This then enters a grey area in Australia’s laws for data use. Under current laws, data must be deleted after it has been used for its original purpose. If the purpose is surveillance, then it is reasonable to assume a company should delete the data once the need for that video footage for law enforcement purposes is no longer likely to be needed.

However, if the retailer is partnered with third parties that also handle the data, the scope of the “original purpose” can be expanded in a significant way, and consumers might not know just what their data is being used for or have any recourse to take action against it.

Australians don’t have a right to data erasure as consumers do in many other jurisdictions. They do have a right to ensure that company data about them is correct, which offers some protection if, for example, the Auror platform has falsely identified someone as a shoplifter. But that’s the extent of it, and it assumes the customer is aware of why they have been falsely identified when retailers aren’t broadcasting their third-party data sharing partnerships.

The need to improve governance strategies while Australian data regulation catches up

As the number of Australians advocating for the right to have their data erased as a first priority rises, retailers that use surveillance equipment should be obligated to be transparent in how that data is used, stored and who it is shared with. Consumers should know where their data is being held, even if the law needs to catch up in this area.

SEE: Explore our GDPR cheat sheet.

IT security teams should also take it upon themselves to ensure the responsible use of data. As noted in the AFR, the recent high-profile cyber attacks on organisations such as Optus highlight how frequently organisations are too casual with data retention.

“I would suggest the majority of companies do not have established practices for deleting personal information that is no longer required,” said Cameron Abbott, a PK&L Gates partner. “Indeed, the desire to retain such information to seek to reacquire customers is compelling for many companies.”

With the rollouts of mass surveillance in-store still relatively new, IT security teams should take this as an opportunity to champion better data shepherding practices and ensure people’s data is only being used for a narrow, intended purpose and responsibly disposed of thereafter.