Millions of People’s Personal Information Compromised in Surveillance Database with Images and Details
The Privacy Commissioner is currently conducting an investigation following allegations made by a bar owner against a former MP for shoplifting, which arose from accessing an unregulated retail incident database.
New Zealand bar owner and restauranteur Leo Molloy accused former Green MP Golriz Ghahraman of shoplifting, shedding light on the lack of security around a vast privately-owned retail surveillance network that houses data on millions of Australians and New Zealanders. Consequently, the Privacy Commissioner has launched an investigation.
In a recent development, Ghahraman appealed this accusation to the High Court, but Justice Geoffrey Venning upheld the original ruling, considering the theft incidents as serious offenses.
Following these events, Molloy, known for his outspoken opinions, made a social media video alleging that Ghahraman had committed another instance of shoplifting in late 2024.
Police later confirmed attempting to introduce additional evidence of a separate incident at a Pak’n Save supermarket in Auckland involving Ghahraman allegedly taking goods worth under $150.
Foodstuffs, the supermarket owner, clarified that they did not file a complaint with the police, raising questions about how both the police and Molloy had access to this incident information.
It was later discovered that someone from the supermarket had logged the incident in a system called Auror, an unregulated platform that records and matches data related to alleged retail crimes.
The Surveillance Database
Various entities such as Foodstuffs, supermarkets, service stations, shopping malls, and major retailers subscribe to the Auror system, which includes advanced features like facial and license plate recognition, offering direct access to the police.
Foodstuffs mentioned that they input details of approximately 20,000 incidents into the database each year.
The police have not disclosed how they became aware of the Ghahraman incident and distanced themselves from sharing information on social media. However, Auror confirmed that the police have unrestricted access to their database.
A spokesperson from Auror stated, “Retailers opt to make this information accessible to law enforcement and may also directly report incidents to authorities through the software. Retailers determine the data they enter.”
Related Stories
As Molloy disclosed details of the incident and the police’s access to it, concerns arose regarding potential breaches of New Zealand’s Privacy Principles. Consequently, Privacy Commissioner Michael Webster has initiated inquiries with Auror, Foodstuffs, and the police to gather more information.
Webster’s office mentioned, “It monitors platforms like Auror closely, as they present high privacy risks due to their automated surveillance and data aggregation services.”
Auror’s Expansion
Platforms like Auror pose risks concerning the accuracy of data entered and unauthorized access to and sharing of this information, potentially resulting in adverse impacts on individuals.
Auror is operational in numerous Australian stores, including major retailers like Coles and Woolworths, covering around 50% of all retailers. In New Zealand, this coverage extends to approximately 90%.
Established in 2013 by four New Zealanders, Auror aimed to combat the estimated $100 billion annual loss due to retail theft.
The system allows users to report incidents ranging from minor occurrences in store premises to serious crimes, providing details such as suspect descriptions, images, CCTV footage, license plate information, and social media content. Users can input information on a person’s appearance but are restricted from specifying race.
During investigations, users can search incident reports based on various parameters, facilitating matching of individuals across different reports using machine learning techniques.
Reports emerged suggesting that the Australian Federal Police (AFP) also utilizes Auror without any associated privacy assessments, sparking concerns from Greens Senator David Shoebridge regarding the extent and implications of the system.
Shoebridge emphasized the importance of privacy in the context of online data and facial recognition, advocating for individuals’ rights to privacy and freedom from widespread surveillance.
The Australian Information Commissioner previously conducted an investigation into Auror, providing guidance to the company to ensure compliance with privacy regulations.
Notably, previous media inquiries have uncovered uncertainties surrounding the number of CCTV cameras linked to the Auror network.
