--- Begin Message ---
[ A valuable and well-referenced article! ]
Retailers still using facial recognition tech
Sparks workplace and consumer rights concerns.
Jeremy Nadel
Information Age
Dec 03 2025 05:04 PM
https://ia.acs.org.au/article/2025/retailers-still-using-facial-recognition-tech.html
Several Australian retailers have kept facial recognition technology
(FRT) on despite the Australian Privacy Commissioner ruling Kmart and
Bunnings’s use of the technology breached privacy laws, sparking
concerns from computer scientists, unions and privacy advocates.
Retailers still using real-time FRT range from bottle shops operating
under the national Metcash-owned Thirsty Camel brand to independent
groceries like Carlton Super Markets, whose owner, Moshen Nejad let
Information Age inspect its real-time Dahua Technology FRT system,
saying: "I promise it’s [FRT] only used to prevent crime”.
Seven days ago, a Dahua spokesperson told Information Age it would
“review the questions”, but, since then, has not replied to inquiries
about how many of its retail clients use FRT.
The manager of a Thirsty Camel store on Chapel Street in Melbourne
confirmed it currently uses Scantek’s FRT software, but Metcash did not
reply when asked about the scale of FRT’s use by the hundreds of IGAs
and Thirsty Camel businesses that include a mix of Metcash-owned stores
and independently owned stores.
Australian retailers with FRT disclosures in current privacy policies
include Drakes Supermarkets, which operates 75 groceries, liquor stores
and newsagents in South Australia and Queensland; Harris Farm Markets,
which operates 30 grocery stores in NSW, Queensland and Canberra; and
budget department store Kmart.
Drakes Supermarkets and Harris Farm Markets did not reply to requests
for comment, but a Kmart spokesperson told Information Age that the use
of real-time FRT had “ceased”.
“To tackle a growing problem of refund fraud in our stores, we conducted
a limited trial of FRT, commencing in one store, and extending to
another 27 stores with high levels of refund fraud between June 2020 to
July 2022.”
Although Kmart uses theft-prevention platform Auror, which allows its
retail clients to retain and share “anonymised” data, the Kmart
spokesperson said that “images were only retained if they matched an
image of a person of interest reasonably suspected or known to have
engaged in refund fraud.”
“All other images were deleted, and the data was never used for
marketing or any other purposes.”
Real-time and post-event FRT
In September 2025, retail theft prevention platform Auror made real-time
FRT, also called ‘live FRT’, available to Australian retailers by
“integrating” with systems like Axon and Reveal Media.
An Auror spokesperson told Information Age that live FRT products are
not "being used by [its] customers in Australia presently”, but did not
address whether its retail customers use post-event FRT, which as
Auror’s CEO Phil Thomson put it, in mid-2023, means "an image...uploaded
into the platform... can then be referenced...to see if it's the same
person" after an incident.
Auror’s customers including Drakes Supermarket, The Reject Shop and
Wesfarmers-owned Officeworks, Priceline, and Woolworths declined to comment.
Endeavour Group-owned BWS and Dan Murphy’s, which completed “Auror
system implementation to enable better sharing of data with peers”
mid-last year in 1,726 stores, according to its annual reports, did not
reply to requests for comment.
Wesfarmers-owned Auror user Bunnings told Information Age that “FRT is
currently not in use at all”.
AI blurs the meaning of ‘anonymised’
University of Sydney law lecturer Dr Zofia Bednarz told Information Age
that “the so-called ‘de-identification’ or ‘anonymisation’” of data “is
a prime example” of how “the current definition of personal information
under the Australian Privacy Act and the GDPR” have not kept up with
modern technology.
“How can you de-identify biometric data? I don’t think you can,” she said.
Peer-reviewed research published in Proceedings on Privacy Enhancing
Technologies and The Lancet last year demonstrated that de-identified
and anonymised facial data can be re-identified with both open-source
and commercially available FRT systems.
[ https://petsymposium.org/popets/2024/popets-2024-0105.pdf ]
[
https://www.thelancet.com/journals/eclinm/article/PIIS2589-5370%2824%2900509-1/fulltext
]
Platforms that use biometric data to help Australian retailers prevent
asset loss like Auror and Black.AI, which — like Scantek — did not
reply, do not define or detail how they anonymise or de-identify data,
even though they describe them as key privacy safeguards.
Macquarie University computer science lecturer Dr Hassan Asghar told
Information Age that “Data can be an asset and a liability if not
handled correctly.”
“History has taught us that data cannot be properly anonymised by simple
approaches. Blurring someone’s face for example, may impede their
identification, but does nothing to hide their clothes and body shape.
An issue with anonymising data is that it must still exist within the
system to be useful.
“For example, on Auror you can search for insights based on features
such as age and hair colour allowing for the identification of specific
individuals.”
Piotr Kulaga, who’s worked in user experience, interface design and
multiple facets of computing for over two decades told Information Age
that biometric data poses an especially "problematic" set of risks to
privacy: “like the obvious fact that we can't 'move on', the way one can
make another 'account'.”
Digital Rights Watch head of policy Tom Sulston told Information Age
that “the privacy commissioner’s recent rulings against Bunnings and
Kmart show that retail theft and fraud are not sufficiently important
problems to justify such a huge imposition on the privacy rights of the
Australian public to go about our lives without being surveilled.”
Employee performance management
The Commonwealth Bank of Australia’s recent use of its own customer
app’s FRT logs to collect data on one of its employees that it sacked
highlights how platforms’ biometric security features can be repurposed
to discipline staff.
[
https://www.austlii.edu.au/cgi-bin/viewdoc/au/cases/cth/FWC/2025/1828.html ]
In addition to FRT, Auror users can integrate the platform with human
resource systems to “access data from your organisation's staff
directory to autocomplete relevant details for internal events when the
person involved in an event is an employee.”
The Retail and Fast Food Workers Union (RAFFWU) told Information Age
that Auror is “also used for surveilling, performance managing and
disciplining employees.”
“It’s not just flagging shoplifters but workers detected for policy
breaches,” RAFFWU secretary Cullinan said.
"Management has used Auror to build cases against our members for
intervening with thieves or personal transaction discrepancies.
“We believe workers should not be responsible for theft prevention, but
the tool spies on employees and is operated in total secrecy, making it
harder to defend members when it’s weaponised to unfairly sack them.”
--
Roger Clarke mailto:[email protected]
T: +61 2 6288 6916 http://www.xamax.com.au http://www.rogerclarke.com
Xamax Consultancy Pty Ltd 78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Visiting Professorial Fellow UNSW Law & Justice
Visiting Professor in Computer Science Australian National University
--- End Message ---
_______________________________________________
apf-media-archive mailing list
[email protected]
https://lists.privacy.org.au/mailman/listinfo/apf-media-archive
