Kmart's Use of Facial Recognition to Tackle Refund Fraud Unlawful
Source: oaic.gov.au
Key topics: Facial Recognition, Privacy, Retail Security
Australia's privacy commissioner has ruled that Kmart's use of facial recognition to prevent refund fraud is unlawful, sparking a debate about the balance between security and privacy.
Story posted: Sep 22, 2025 at 6:20 AM EDT
ID: 45331370 | Type: story | Last synced: 11/20/2025, 8:28:07 PM
And sometimes it’s just a different store that licensed the name for 100 years.
https://awrestaurants.com/locations-list/
400+ according to their Wikipedia entry.
(Well, not quite inexplicably. Wikipedia cleared it up for me.)
And yes, they are all tapped and not even Orwell imagined what we’ve done to ourselves. But don’t worry, it will only get more apparent and worse once things are far beyond too late, when Minority Report will be noted for its cute and naive depiction.
It's very successful in Australia.
Which is also now owned by the same owners of Kmart (Coles Group, now owned by Wesfarmers).
And both Kmart and Target Australia operations have merged (though still operating 2 separate brands)
- you can record all manner of video in your store...
- but you can't process it in this particular way.
The root comment is precisely right. Deriving data from filmed content -- the illusory private biometric data that we are leaving everywhere, constantly -- is what the purported transgression was.
Me. Unless it's clearly stated outside. It's why I wear a covid mask when shopping.
At best it degrades overall recognition but doesn't fully prevent it
Why are they covid masks anyway? Medical personnel wear them during surgery, and there were those photos of ... some Asian people I think ... wearing them outdoors to protect themselves from air pollution in their city too.
Because the world is bigger than just the wishes of private businesses. I don't think there is anywhere on this planet where you as a private business can do literally whatever you want, there are always regulations about what you can and cannot do. The first thing is usually "zoning" as one example, so regardless if you own the land, if it isn't zoned for industrial/commercial usage, then you cannot use it for industrial/commercial usage.
What libertarian utopia do you live in that would allow land owners to do whatever they want?
The Australian Privacy Act falls well short of European standards, but it does encode some rights for people that businesses must abide by.
Unless you think a grocery store should be allowed to grab you and sell your organs then you agree that this private organisation should be subject to some limitations about what it can do on its own land. The question is then where the line should be between its interests and the interests of those who go on the land.
You can be absolutist about this, that’s certainly a position, but it’s extremely far from mainstream.
It generally owns more weapons than your average deluded shop owner.
The specific difference is "sensitive information". General filming with manual review isn't considered to be collecting privacy sensitive information. Automatic facial recognition is.
The blog post makes this point about how the law is applied:
> Is this a technology of convenience - is it being used only because it’s cheaper, or as an alternative to employing staff to do a particular role, and are there other less privacy-intrusive means that could be reasonably used?
https://www.oaic.gov.au/news/blog/is-there-a-place-for-facia...
Say I implement facial recognition anti-fraud via an army of super-recognizers sitting in an office, watching the camera feeds all day (collecting the sensitive information into their brains rather than into a computer system). It'd be more expensive and involve employing staff (both the "technology of convenience" criteria). From a consumer perspective the privacy impact is very similar, but somehow the privacy commissioner would interpret this differently?
Maybe that is the point the privacy commissioner is trying to make, that collecting this information through an automated computer system is fundamentally different than collecting this information through an analog/human system. But I'm not sure the line is really so clear...
At some point the numbers get big enough that you wouldn't be able to get the pictures of faces in front of the people who would recognize them fast enough.
But is a non-indiscriminate, privacy friendly solution possible? The problem is people walking in with a valid receipt for a purchased item, grabbing a matching item off the shelf, and wandering over to the returns counter and requesting their money back. The usual solution most shops use is locating the returns counter past the security controls (checkout counter). But more and more of these types of stores are putting their service counters in the middle of the store for some reason.
Similarly it seems reasonable that shops should be able to record for some purposes but not all.
I don't think it does, because it is completely unverifiable. It's like allowing people to buy drugs, but not to use them.
I'm not worried about people collecting IPs, I'm worried about people who collect IPs being able to send those IPs out and get them associated with names, and send those names out and be supplied with dossiers.
When they start putting collecting IPs in the same bag as the rest of this, it's because they're just trying to legitimize this entire process. Collecting dossiers becomes traffic shaping, and of course people should be allowed to traffic shape - you could be getting DDOSed by terrorists!
edit: I'm not sure this comment was quite clear - it's 1) the selling of private, incidentally collected information by service providers, and 2) the accumulation, buying, and selling of dossiers on normal people with whom one has no business relationship that is the problem. IPs are just temporary identifiers, unless you can resolve them through what are essentially civilian intelligence organizations.
Like, I thought a big part of why some stores do loyalty cards is because they enable tracking things that they'd get their credit card privileges revoked if they tracked that way.
Thus I’m regularly allowed to buy drugs I’m not legally allowed to use. “Using a prescription medication that was not prescribed to you is illegal under both federal and state laws.” https://legalclarity.org/is-it-illegal-to-use-someone-elses-...
Well, since you mention it: I have prescription drugs that I am allowed to buy, but I am NOT allowed to abuse them. I must take exactly 1 each day.
But this is exactly what is covered - incidentally collected information cannot be used for other purposes. That's rather the point - you must collect things for a specific use case and you can't use it without permission for other cases.
> I don't think it does, because it is completely unverifiable.
It's no less verifiable than "don't collect the data", and hiding it requires increasingly larger conspiracies the larger organisation you are looking at. People are capable of committing crimes though, sure.
And less restricted does not mean no restriction.
It seems silly to me that you can have a human being eyeball someone and claim it's so and so, but you can't use incredibly accurate technology to streamline that process.
I personally don't like the decay of polite society. I don't like asking a worker for a key to buy some deodorant. Rather than treat everyone like a criminal, why don't we just treat criminals like criminals. It's a tiny percentage of people that abuse polite society and we pretend like it's a huge problem that can only be attacked by erecting huge inconveniences for everyone. No, just punish criminals and build systems to target criminals rather than everyone. If you look at arrests, you'll see that among persons admitted to state prison 77% had five or more prior arrests. When do you say enough is enough and we can back off this surveillance state because we're too afraid to just lock up people that don't want to live in society.
https://mleverything.substack.com/p/acceptance-of-crime-is-a...
For instance, Costco has a much lower theft rate (0.11–0.2% of sales) compared to other supermarkets (1-4%) simply because they manage to keep criminals out through membership fees. Control the entrance, target the known criminals and we can go back to a high trust society.
We are all potential criminals under tomorrow's government. Remember that!
I have data on Google. Google has a TOS that says they can use my data. This could cover even future use cases, even though those future use cases I did not anticipate. So does Google have the right to use my data in this particular way?
Many of us live in places where everyone, in the very same breath, insists everything should be welcoming to everyone (and usually free) while also insisting that enforcement of norms is unjust. You can’t have it both ways.
I'd be very surprised if refund fraud was the only POC that this facial recognition data was used for.
I get insane advertisements, even from places like YouTube that know me well. I get advertisements for Bumble featuring what looks like a teenage boy telling me you'll never know what you'll find on Bumble, which is weird considering I'm a married straight dude. Sometimes I even get ads in different languages.
If the most advanced ad network can't figure out the language that I speak, I'm less worried about Kmart doing some nefarious profiling based on my stride.
I like technology that targets fraud, because I like living in a high trust society. I'm annoyed that people abuse the system and that's why we can't have nice things. You could probably just target the worst 1% and basically go back to deodorants not being locked away behind glass.
https://www.forbes.com/sites/kashmirhill/2012/02/16/how-targ...
I'd be worried that they will either collaborate or get infiltrated by hackers, cops, and agencies. Then, one day I like a post on social media promoting wrongthink, and I'll be picked up.
The ad network absolutely knows you down to minute detail, but the only thing that matters is who bid the highest. Maybe the winner is the one with the most VC cash to burn?
I believe it. But it wasn't super-advanced surveillance. It was, as I recall, 2010's "machine learning" basically drawing inferences about purchase history to determine what sorts of personalized advertisements to mail to you or print on your receipts, or whatever.
I believe it because I worked at another large American retailer similar to Target at the time and though I was not directly involved, I was aware that other departments in our company were working on similar things. It wasn't that advanced or outlandish, it was just finding trends in the huge amount of historical purchase data we had. I can absolutely believe that it was similar at Target. People who bought these things typically bought baby-related stuff 3-6 months later, so let's send them some coupons for that baby-related stuff in 2 months. It's unlikely the fact it was baby-related was actually relevant, it probably just sent coupons for whatever the predicted purchases were.
An individual's purchase history was probably correlated either by rewards program membership (preferred) or credit cards used. If you just paid cash and didn't swipe your membership card, it was unlikely the purchase would be associated to you.
Person of Color?
Point of Contact?
The only conceivably legal POC.
As a counter-example: Australian clubbing venues use facial recognition and ID verification to identify banned individuals and detect fake documentation. This is required on condition of entry (therefore, opt-in), and this information is shared across all partner venues.
https://scantek.com/facial-biometric-matching-technology-sca...
Big Brother is not watching you. Instead, thousands of Little Brothers are patiently watching their little corner of the world, recording license plates, logging phone locations, tracking credit card usage. Big Brother doesn’t need to see you, he just asks them to tell him what he wants to know.
You can’t really call something opt-in if opting out means that you are barred from participating in an entire class of activity unrelated to what you opted out of.
As a counter example, the TSA in the US is now starting to use facial scans for ID, but you can opt out by telling the agent. It does not mean that you cannot go flying, it means that they use a human to identify you without the use of computerized facial scans.
Where is the difference?
Going to see a movie is obviously not unrelated to buying a movie ticket.
For one, I don’t have to buy a ticket. Many theaters participate in programs where you can get a ticket as a reward for other activities (credit card points, eg). The ticket sale is determined by the theater, and is not part of a government supported scheme to prevent some people from ever seeing a movie in any theater, ever.
Finally, the sale of a ticket is necessary for the operation of many movie theaters. It is intrinsic to the business model. The nightclub could operate the service, and even work with ban lists without the centralized biometric database.
Networked, centralised facial recognition is the ultimate "papers, please."
Everyone trying to enter K-mart is trying to enter K-mart just like the night club. Everyone going into the night club is not there to drink/meet someone/dance/use the restroom/make a drug deal, just like not everyone going into K-Mart is there to shop/browse/buy a snack/get a refund/steal something.
The result is we're going to all get punished for it. Increasingly we're going to see a return policy that is less and less flexible until one day it is eliminated altogether.
You can't really do anything about shoplifting until after it happens. It's not a crime until it's been committed, then you can prosecute. The issue is there is a base level cost to do so, and it's going to take a very large amount of shoplifting to balance that. We as a society have basically accepted that certain crimes don't go punished, and it seems like low value shoplifting largely fits that category.
In turn, large companies have decided that they will instead collect data on their own until they have enough to make it a high value issue, with proof. Then the state will prosecute. The issue here is that companies do not get to illegally collect data, they still would have to do so within the bounds of the law. So what are those bounds? We say the Government can surveil us with impunity, but only for terrorism or whatever else gets brought under that umbrella. For "petty" crimes the government would need permission to collect the amount of data that these companies are and then build their case with that.
This isn't to say that shoplifting is okay, just that society doesn't seem to care all that much. Our reaction to companies taking actions like these will also show how much we seem to care about them as well. Spoiler on that last one: we don't seem to care (in the US).
That's what Trump/MAGA America wants. They want to see some dude who steals stuff get shot for their crime. They will gleefully cheer it on.
The way to solve this problem is to make the cost significantly higher than the benefit. Suggested reading: Lee Kuan Yew’s memoirs. Of any person who has ever run any country, he solved this problem in the most effective way.
1) Execution for drug trafficking without violence
2) A slight majority of the populace eligible for public housing gets it via essentially a regressive tax system where a gigantic slice of the populace (immigrants) fund the housing they can't use, creating a very bizarre government-imposed scenario where housing actually becomes radically cheaper the better positioned you are to be wealthy.
Of course there are arguments for both.
2. Same as in USA. I fund a lot of housing I cannot use via my taxes.
Singapore's is regressive; they tax their massive % of population of ineligible immigrants so the citizens can have it essentially without means testing. It functions largely as a transfer of wealth from less rich to more rich.
That's already the law in a huge part of the country.
> They want to see some dude who steals stuff get shot for their crime.
Places like Qt (gas station chain) in AZ have armed guys that are trained to shoot if lawful (armed robbery, etc).
A Walmart in AZ has sent gigantic bouncers after me to detain me on suspicion of shoplifting a $5 bag of cat litter. In my state they are allowed to kidnap/imprison you until police arrive if they have 'reasonable suspicion' you're in the act of shoplifting, so yeah have fun guessing whether the guy with the walmart badge is actually security or just a rapist.
Also many stores have shot themselves in the foot by placing items for sale outside the front doors... thus a shoplifter could claim they just stuck something in their pocket because they forgot they needed a pumpkin and thus needed a cart, or something to that effect.
If you stop someone and can't document these four points, they can challenge the stop, and you're up for a LOT more losses from the unlawful detainment suit.
So basically, they value upselling people at entrances more than limiting liability, and a savvy shoplifter can sue for a lot of money if the store allows reusable bags, since that removes the ability to charge for "concealment" given that by selling Safeway or whatever branded opaque bags, you have implicitly consented to "concealment" of merchandise.
AZ:
> C. A merchant, or a merchant's agent or employee, with reasonable cause, may detain on the premises in a reasonable manner and for a reasonable time any person who is suspected of shoplifting as prescribed in subsection A of this section for questioning or summoning a law enforcement officer.
https://www.azleg.gov/ars/13/01805.htm
i.e. all they need is reasonable cause to suspect you are shoplifting. When I was detained no one ever saw me steal anything, I openly grabbed the cat litter, scanned it at the machine, paid for it, grabbed the receipt, then refused to show it to the receipt-checker (not about to slow down for that bullshit since it is now my property) so they just sent some dudes out to grab the cart out of my hands.
The store here almost certainly overstepped the law, and you allowed it to happen.
Unless by "let it happen" you mean I didn't let it happen then sue walmart, which would have zero deterrence effect on them as any lawsuit for a few minutes unlawful detention would be a rounding error on their balance sheet, and likely at my own expense since it's basically my word against another's and his army of corporate lawyers.
Makes me wonder if maybe you're being accurate, since you're telling an unusual story and inventing reasons not to seek redress.
Also it'd be a criminal matter, not just a civil one -- having their LP have to get bailed out of the county jail sends a message.
First of all; in times long past, retailers had zero shoplifting incidents, because every order was fulfilled by their employees, who would pick from the stock room and present the customer with a ready-to-take bag of their goods, and a purchase receipt. Shoplifting in this context was basically impossible.
The advent of customers picking out their own goods led to the introduction of customers attempting to leave the store without paying, but it also saved retailers incredible amounts of money, not having to pay to have employees both stock and pull orders.
However, because nothing is ever profitable enough, much further down the line (and, worth noting, when crimes are at historic lows) we get self checkouts, which are basically honor boxes with speakers. And that's fine, I love self checkout and my only complaint with it is now retailers are over-reliant on it, and, again in the name of cost-cutting, have 6 to 10 registers overseen by one worker, who has to sprint between them to sort out when the stupid things can't detect a light item, or have a conniption fit when you don't place a 75" television on them, and of course they have to also make sure all of those registers are ringing up the correct items, which has itself then given rise to bag checkers at the door.
And to be clear, I'm not like, endorsing any particular system here. I don't care how stores want to convey products to me terribly, just make it clear what the fuck I'm supposed to do, and I'll do it. What I am saying is retail theft is largely enabled by retailers who do nothing but chase the bottom line and constantly try and make their stores work with fewer and fewer people who are less and less skilled over time and are then SHOCKED when someone just takes something, because their ludicrously under-staffed stores are incredibly easy to steal from, if you want to.
And I would ALSO point out that throughout this long history, the cost of slippage has been built into the business, because theft is far, far from the only reason a product that is purchased wholesale may not make it all the way to a paying customer. Retail supply chains and especially grocery ones are simply AWASH in waste, and somehow, all the time, these stores make money.
So no, as a customer and taxpayer, I don't particularly give much of a shit about shoplifting.
This is a wrongheaded way of looking at it, since in a competitive market, those cost savings will eventually be passed onto the consumer.
If you think they just kept those new profits forever -- where did they go? Because grocery is an infamously low-margin business to be in, even now.
Depends how you count. If suddenly any theft below $900 is now a misdemeanor (as opposed to, say, 100 previously), then sure, the crime stats will show the crime is low because many retailers simply won’t bother to report it.
I think once this whole idea of crime became a political issue recently, all these stats should be taken with a huge grain of salt.