Facial recognition surveillance coming to Accor and CommBank stadiums
Oasis and Metallica concert ticketholders could be among the first to experience major surveillance upgrades at two Sydney stadiums.
NSW
Don't miss out on the headlines from NSW. Followed categories will be added to My News.
Oasis and Metallica fans could be among hundreds of thousands of Sydneysiders scanned for their faceprints without explicit consent, as the NSW Government plans surveillance upgrades at Accor and CommBank Stadiums.
The Daily Telegraph can reveal that facial recognition technology is coming soon, with a project tender expected to open by the end of the year.
The stadiums will join a growing list of venues that already use the technology and typically only notify patrons with a small note in their conditions of entry - including Sydney Cricket Ground, Allianz Stadium, Qudos Bank Arena, and The Star.
It comes as US cities are increasingly moving in the other direction and outlawing facial recognition capabilities.
Although Venues NSW stressed that only banned individuals would be targeted by the software at Accor and CommBank Stadiums, cyber experts have raised privacy and hacking concerns for the wider community.
“Facial recognition software is used for one purpose only – to intervene and stop an attempt by a person to enter our venues where that person has been banned from doing so. Only banned persons are enrolled in our facial recognition system,” a Venues NSW spokesman said.
“These cameras serve as a crucial tool in maintaining a safe environment at sporting and entertainment events.
“No personal data, such as names or biometric identifying information, is captured or stored unless an individual has committed an offence and subsequently been banned from our venue.”
However, this was challenged by Macquarie University director of information security and privacy research Dali Kaafar.
Prof Kaafar said facial recognition systems had to capture identifying information from all faces scanned in order to match them to the database of banned individuals.
“Technically speaking, there is a short period of time where the individual’s data is collected by the system,” he said.
“The vendors could have promised that no personal data is being stored, but (the accuracy of that claim) really depends on their definition of ‘how long’ … In terms of computer processing, it could be less than a second, or it could be hours and days.”
Similarly, Australian Privacy Foundation chair and UNSW cyber law expert David Vaile said biometric data belonging to “every person” that enters the stadium was “definitely” being captured and stored for some period of time.
And this meant the data could be hacked.
“No-one anymore can credibly promise to keep out a motivated intruder on any digital data system,” he said.
Mr Vaile called on Venues NSW to be more transparent about its facial recognition technology and the external companies involved.
“There will be a tiny notice on the door that says ‘if you come by here you agree to our privacy policy’,” he said.
“Stadiums are projecting risk onto their customers – the data subjects – and assuming the cost of that risk is nothing because Australia has really weak privacy laws and the current reviews don’t really fix it so they can do it with impunity.”
He said collecting biometric data, such as faceprints, had potential lifelong ramifications.
“If it gets hacked and they feed it into an artificial intelligence system or there is identity theft or it’s used as the last chink in the puzzle to identify you in another system, you may never know or it may be years in advance,” he said.
“They are relying on that ambiguity and uncertainty and complexity of the problem to make you think ‘it’s too much trouble, I’ll just put up with it’.”
The Australian National University’s Dr Vanessa Teague said it was “very common for corporations to pretend that they’re not collecting personal information when they actually are”.
NSW acting privacy commissioner Sonia Minutillo said “any data collected for the purposes of FRT (facial recognition technology) should be appropriate and lawful and secure, and while no mandated period for data destruction, consistent with the privacy principles any data collected for the purposes of FRT should not be held for longer than is necessary.”
Do you have a story for The Daily Telegraph? Message 0481 056 618 or email tips@dailytelegraph.com.au