Kmart's use of facial recognition to tackle refund fraud unlawful
60 comments
·September 22, 20254ndr3vv
contravariant
Of course, but fraud/theft prevention is easier to defend legally. There are exceptions for exactly those use cases.
darylteo
Either their CISO was shut out of the decision making, the SLT decided it was a risk worth taking, or their CISO was absolutely asleep at the wheel.
darylteo
The main judgement here seems to be: not everyone was there to get a refund, therefore, just entering the store is not an opt-in consent to biometric scans.
As a counter-example: Australian clubbing venues use facial recognition and id verification to identify banned individuals and detect fake documentation. This is required on condition of entry (therefore, opt-in), and this information is shared across all partner venues.
https://scantek.com/facial-biometric-matching-technology-sca...
coreyzzp
Do you believe it? I once had to use facial recognition at a train station to get free toilet paper, which was labeled for "environmental protection," avoiding waste of paper. At that time, I was in pain and urgently had to sell my face just for a piece of toilet paper
siva7
Just take toilet paper all the time with you. Saves me the stress from having to think about if a public toilet has some.
stronglikedan
[delayed]
bonoboTP
Somewhere in China, you have to watch ads to get the toilet paper. It made the rounds a few days ago (https://www.ndtv.com/offbeat/chinas-public-toilets-require-w...)
avsteele
Interesting line to draw:
- you can record all manner of video in your store...
- but you can't process it in this particular way.
IanCal
This should be very familiar to people working with data in a lot of jurisdictions. I can speak to Europe but I think similar things exist elsewhere - data is less restricted in how and what you collect than it is how you use it. This makes a lot of sense, you should be able to have a basic record of ip addresses and access times for rate limiting, but that shouldn’t mean you can use it for advertising.
Similarly it seems reasonable that shops should be able to record for some purposes but not all.
detaro
I don't think "less restricted" is a good framing. How you are using it is the core, and you get to collect and store what's necessary for your legal uses, and use it for those uses.
pessimizer
> This makes a lot of sense
I don't think it does, because it is completely unverifiable. It's like allowing people to buy drugs, but not to use them.
I'm not worried about people collecting IPs, I'm worried about people who collect IPs being able to send those IPs out and get them associated with names, and send those names out and be supplied with dossiers.
When they start putting collecting IPs in the same bag as the rest of this, it's because they're just trying to legitimize this entire process. Collecting dossiers becomes traffic shaping, and of course people should be allowed to traffic shape - you could be getting DDOSed by terrorists!
consp
You forget store. This depends a lot on the type of data. Duration, specific laws related to it and protection are very different for randomised numbers vs medical as an example.
nenenejej
This is good. It means we have laws and rulings that understand the technology. That balance the need for business to protect their stores with people's privacy.
bko
I noticed that as well, it's a bit frustrating. I personally think if you're allowed to do something legally, you should be allowed to do it using technology.
It's seems silly to me that you can have a human being eyeball someone and claim it's so and so, but you can't use incredibly accurate technology to streamline that process.
I personally don't like the decay of polite society. I don't like asking a worker for a key to buy some deodorant. Rather than treat everyone like a criminal, why don't we just treat criminals like criminals. It's a tiny percentage of people that abuse polite society and we pretend like it's a huge problem that can only be attacked by erecting huge inconveniences for everyone. No, just punish criminals and build systems to target criminals rather than everyone. If you look at arrests, you'll see that among persons admitted to state prison 77% had five or more prior arrests. When do you say enough is enough and we can back off this surveillance state because we're too afraid to just lock up people that don't want to live in society.
https://mleverything.substack.com/p/acceptance-of-crime-is-a...
BolexNOLA
First paragraphs pretty clearly read to me like the issue isn’t “processing it,” it’s the indiscriminate filming of everybody who enters the store without consent that’s the problem.
nl
Security filming is common in Australia and not outlawed by this ruling. It is specifically the non-discriminate use of facial recognition technology this ruling applies to.
The specific difference is "sensitive information". General filming with manual review isn't considered to be collecting privacy sensitive information. Automatic facial recognition is.
The blog post makes this point about how the law is applied:
> Is this a technology of convenience - is it being used only because it’s cheaper, or as an alternative to employing staff to do a particular role, and are there other less privacy-intrusive means that could be reasonably used?
https://www.oaic.gov.au/news/blog/is-there-a-place-for-facia...
llm_nerd
Everyone who enters almost any store is "filmed" with their implicit consent. Cameras are everywhere, and certainly are everywhere in every Australian court as well.
The root comment is precisely right. Deriving data from filmed content -- the illusory private biometric data that we are leaving everywhere, constantly -- is what the purported transgression was.
BolexNOLA
I’m just stating what the opening paragraphs seem to say. Could be I am misreading them
mrits
Is this from the 90s? Who doesn't expect to be recorded when entering a retail chain? How the hell does the government have the right to decide what this private company can do on their private land? If you enter onto someone else's property you should play by their rules.
nl
In Australia we expect companies to follow the rule of law, which encodes the expectations of society.
The Australian Privacy Act falls well short of European standards, but it does encode some rights for people that businesses must abide by.
IanCal
> How the hell does the government have the right to decide what this private company can do on their private land?
Unless you think a grocery store should be allowed to grab you and sell your organs then you agree that this private organisation should be subject to some limitations about what it can do on its own land. The question is then where the line should be between its interests and the interests of those who go on the land.
You can be absolutist about this, that’s certainly a position, but it’s extremely far from mainstream.
josefx
> How the hell does the government have the right to decide
It generally owns more weapons than your average deluded shop owner.
CaptainOfCoit
> How the hell does the government have the right to decide what this private company can do on their private land?
Because the world is bigger than just the wishes of private businesses. I don't think there is anywhere on this planet where you as a private business can do literally whatever you want, there are always regulations about what you can and cannot do. The first thing is usually "zoning" as one example, so regardless if you own the land, if it isn't zoned for industrial/commercial usage, then you cannot use it for industrial/commercial usage.
What libertarian utopia do you live in that would allow land owners to do whatever they want?
Ylpertnodi
>Who doesn't expect to be recorded when entering a retail chain?
Me. Unless it's clearly stated outside. It's why I wear a covid mask when shopping.
SirFatty
What's more surprising is that Kmart still exists...
nl
Kmart in Australia has been owned by Coles Australia since 1978, and since 1994 has had no association with the US Kmart.
It's very successful in Australia.
darylteo
Additional, Australia has a Target that isn't at all related to Target US.
Which also now owned by the same owners of Kmart (Coles Group, now owned by Wesfarmers).
And both Kmart and Target Australia operations have merged (though still operating 2 separate brands)
eej71
Kmart in Australia is best thought of as a fork from the original. The original in the United States is effectively defunct now.
bombcar
This is more common than you’d think - often subsidiaries are distinct enough that the Canadian or Australian version survives the US parent’s bankruptcy.
And sometimes it’s just a different store that licensed the name for 100 years.
Klonoar
Australia also still has E.B Games.
eej71
My other favorite example of this is the A&W Restaurants which in the states was a bit more of a fast food establishment. It was never that successful, but you'd see them every so often. Gone now in the states, but I believe its Canadian successor is still going strong.
ha-shine
Kmart in Australia is pretty good to be fair. Cheap goods with good enough quality. I put them above Temu or Shein. For toys or pet accessories, they are unmatched in price anywhere else.
nenenejej
My house is full of kmart dog toys. I keep forgetting we got them there as they are good quality. It's a place you get everything, fairly cheap but good quality for the price. Notwithstanding TFA.
Gigachad
For stuff like cups, power boards, tooth brush holders, etc they are basically the best. The furniture is pretty garbage though and not really that cheap compared to something much better at ikea.
hodgehog11
As an Australian, I can say that Kmart here is an absolute powerhouse. They sell highly curated goods made in China for very cheap, it's a dream for young people on a budget. Poor delivery services here pushes people toward brick and mortar stores too.
nenenejej
Amazon is not too strong in Australia in terms of variety or price. So kmart is great and free delivery over a small amount makes it convenient.
onetokeoverthe
[dead]
hopelite
Even more astonishing to me is that we’ve not just simply allowed something like ubiquitous camera surveillance and facial recognition, increasingly with effectively 100% coverage, but most people have actively participated in it with all their various cameras they even installed inside their home, let alone set up neighborhood surveillance systems.
And yes, they are all tapped and not even Orwell imagined what we’ve done to ourselves. But don’t worry, it will only get more apparent and worse once things are far beyond too late, when Minority Report will be noted for its cute and naive depiction.
spicyusername
Orwell never imagined that the surveillance data would be worth so much money or that every single technological advancement could only be accessed once one agreed to surrender all of their privacy.
tech234a
This is Australia
SirFatty
Yes, I saw that in the article. What's your point, that if in Australia it's not real?
carefulfungi
I was curious so read the Kmart wikipedia article over morning coffee. Seems like these (no longer) share any ownership with the original. Which I guess raises a philosophical question about names and existence that will require at least a second cup of coffee :-)
null
bombcar
to be fair, Australia does kind of seem like a made up place with made up animals
lemonteaau
too cheap to die
zenmac
Yeah remember a decade or two ago they filed bankruptcy. Guess that is the wonders of Chapter 13 bankruptcy law in USA. And thanks to obfuscation of owner ship for corporations, god knows who owns them now.
nla
Good to see Kmart back in action.
_qua
I get the desire to limit data collection, but banning tech that deters and punishes crime is bad policy.
kijjure
Sorry but anti-racism trumps fraud deterrence. If your tech might identify racial trends in criminality then you have a moral obligation to avoid it.
bpt3
Burying your head in the sand is an excellent policy, because the root cause always just vanishes at some point.
delfinom
I can't tell if this brain rot statement is sarcasm or not.
If technology is identifying a real trend, that isn't due to some training bias in the machine learning, then it is a real trend.
And in this case, Kmart is not targeting individuals based on race as a result, simply refusing refunds on individuals identified.
billy99k
I'm fine with not allowing it, as long as the government pays for:
1. Kmart security 2. Any money lost from retail fraud.
Update: LOL. I always have to chuckle at people that want want corporations to have no real way to defend against retail fraud, no real security, and then complain when they can't afford anything.
whstl
> no real way
The commissioner found this to not be the case. From the article: "There were other less privacy intrusive methods available to Kmart to address refund fraud."
jbellis
this sounds like wishful thinking to me
oldjim798
I don't want large corporations to have security or protection from retail fraud. Stealing from big box stores is a victimless crime.
Sounds like the tech wasn't deployed for "Refund Fraud" (it would be easier to just use facial recognition when a refund was made) but instead deployed across all stores to see what they could do with the data.
I'd be very surprised if refund fraud was the only POC that this facial recognition data was used for.