CALGARY (660 NEWS) – An investigation by provincial and federal privacy commissioners has found a major mall operator collected images from five million shoppers, without their knowledge or consent.
The report found that Cadillac Fairview embedded cameras inside its digital information kiosks at 12 shopping malls across Canada, using facial recognition technology without their customers’ knowledge or consent. This includes Chinook Centre and Market Mall in Calgary.
The company said it was to analyze the age and gender of shoppers and not identify anyone and that they were deleting the information.
However, the investigation found the data was also being stored by a third party.
Cadillac Fairview has since stopped using the technology but the commissioners are concerned that the company refused their request that it commit to ensuring consent is obtained from shoppers if it chooses to use the cameras again in the future.
The investigation also found the following: pic.twitter.com/7HcatGp6qp
— Jeff Slack (@Jeffslack660) October 29, 2020
“Shoppers had no reason to expect their image was being collected by an inconspicuous camera, or that it would be used, with facial recognition technology, for analysis,” said Privacy Commissioner of Canada Daniel Therrien. “The lack of meaningful consent was particularly concerning given the sensitivity of biometric data, which is a unique and permanent characteristic of our body and a key to our identity.”
This investigation exposes how opaque certain personal information business practices have become,” added Jill Clayton, Information and Privacy Commissioner of Alberta. “Not only must organizations be clear and upfront when customers’ personal information is being collected, but they must also have proper controls in place to know what their service providers are doing behind the scenes with that information.”
The regulators launched the investigation following media reports that raised questions about the Toronto-based company’s practices.
Also affected in the breach were five malls in Ontario, two in British Columbia, two in Quebec and one in Manitoba.
Cybersecurity expert David Shipley, CEO and co-founder of Beauceron Security in New Brunswick, said this breach posed many potential problems.
“Biometric data is probably the biggest risk,” he said. “They could unlock your phone, and if you tied your phone to your financial accounts or your social media accounts, that’s bad news bears. But also, the ability to impersonate you and steal your face, create social media accounts, commit other forms of fraud. Your face matters.”
The fact Cadillac Fairview was also not aware data was being stored by a third party is a big red flag, because the operator needed to have a close watch on all the data being collected.
“This one is huge,” Shipley said. “You can’t sort of pass off your obligations to that provider.”
Additionally, the unfortunate piece is that even though the privacy commissioners have spent a long time drafting the report and finding many problems with the data collection, there’s not much else that can be done.
“There is a vital, pressing, desperate and absolute need for our privacy legislation to catch up to where the business world is today,” he said. “The commission lacks any real accountability measures, there’s no fines. If this had gone down in Europe? There would have been potentially fines in the millions of dollars for this activity.”