Facial recognition tech hidden in Calgary malls exposes weakness in privacy laws

Jul 31, 2018 | Biz/Tech

Chinook Mall, one of Calgary’s most popular shopping centres, was revealed to be tracking shoppers’ personal information through facial analysis software. (Calgary Reviews, Flickr)

Andrew Jeffrey

Calgary shoppers got a rude surprise last week when they discovered two local malls used facial analysis technology hidden in mall directories this summer to track shoppers’ age and gender.

The Chinook Centre and Market Mall, two of Calgary’s major shopping centres, were found to be using facial recognition technology to track customers’ personal information without seeking consent or providing notification. This story is part of a growing trend of facial recognition software being tested in more areas across Canada.

Cadillac Fairview, the corporation that owns both centres, stated it started using the software in June to aggregate usage patterns of their mall directories. The story went public after a Chinook Centre visitor noticed a browser window left open on a mall directory that exposed facial recognition software running in the background.

The corporation’s response to privacy concerns was that because no photos or video were being stored, there was no need to ask for consent.

“That’s nonsense,” said Ann Cavoukian, Ryerson University’s Distinguished Expert-in-Residence on Privacy and Data Analytics.

“The fact that the camera captures a facial image that is detailed enough to perform the analysis to determine age and gender means that it is collecting personal information. Whether it retains it, saves it, discloses it or not doesn’t matter,” she said. “Collection obviously is happening.”

The federal Office of the Privacy Commissioner of Canada is following up with Cadillac Fairview to ensure the privacy rights of Canadians are being protected and that the company is compliant with the Personal Information Protection and Electronic Documents Act. This act regulates how private sector organizations collect, use and disclose personal information for commercial activities. It requires organizations to obtain consent for the collection, use and disclosure of personal information.

“Our office has identified facial recognition as having the potential to be the most highly invasive of the current popular biometric identifying technologies,” said Tobi Cohen, spokesperson for the Office of the Privacy Commissioner of Canada, in an email statement.

“Faces have been transformed into electronic information that can be aggregated, analyzed and categorized in unprecedented ways. What makes biometric data in general so valuable, and so sensitive, is that it is a uniquely measurable characteristic of our body and a key to our identity,” Cohen said.

Cadillac Fairview was unable to respond to a request for interview before this story’s publication deadline. The Canadian company notably owns shopping centres in the Greater Toronto Area like the Eaton Centre, Fairview Mall and Sherway Gardens.

Critics such as Brenda McPhail, director of the Privacy, Technology and Surveillance Project at the Canadian Civil Liberties Association, point out that even if Cadillac Fairview’s actions follow the letter of the law technically, they’re not in keeping with the spirit of Canadian privacy legislation.

“Technology is always going to outpace our ability to regulate it. And there should be a social responsibility, particularly from corporations who are profiting from the use of our information, to being open and transparent about the ways that they’re using it,” McPhail said.

More and more reports about new uses of facial recognition technology have flooded Canadian tech news in the last few years. For instance, the Winnipeg-based Mexia One corporation partnered with a trade show in Spain earlier this year to allow event-goers to opt into facial recognition in place of physical tickets, and the federal government is currently studying the use of facial recognition as part of a mobile passport system at airports.

Meanwhile, Calgary police have been using facial recognition software for years to compare mugshots with crime scene photos and video.

With the rapid development of this tech sector, it can be difficult for regulators to keep up with legislation to protect Canadians. But McPhail says that shouldn’t excuse the organizations or states using personal information gathered through facial recognition.

“They should be compliant with the social values that we all hold,” McPhail said. “The reasons why we have privacy laws in the first place is because we believe individuals deserve protection. If a new technology isn’t properly covered by the law, that doesn’t obviate any organization’s ethical obligation to think carefully about how they’re using it and what they need to tell people.”

To Cavoukian, the Calgary discovery shows the need for stronger privacy legislation in Canada. In 2016, the European Union introduced the General Data Protection Regulation, which uses Cavoukian’s work to restrict private companies from using people’s information without their consent.

Her concept of privacy by design argues that privacy assurance must become an organization’s ideal mode of operation. This design is included in EU law, but not in Canadian law, despite being a Canadian creation.

“There’s no privacy, there’s no controls on the uses of the data made by these individuals,” Cavoukian said. “It’s like the wild west, they’re doing whatever they want with your information. And that’s the exact opposite direction of what people want.”

She said what’s worrisome for Canadians is the potential for unauthorized uses of their facial images should they fall into the wrong hands, whether for crimes such as identity theft or for seemingly legitimate purposes that breach Canadians’ privacy, such as law enforcement demanding to use these images.

“It’s all about the unintended consequences, and that’s what these companies never think of,” Cavoukian said.

“When you use facial images, the door is wide open, and that’s one of the major problems with this,” she said. “It’s an extremely sensitive biometric.”