Wednesday, January 22, 2025



How is this legal?

Leo Molloy's recent "shoplifting" smear against former MP Golriz Ghahraman has finally drawn public attention to Auror and its database. And from what's been disclosed so far, it does not look good:

The massive privately-owned retail surveillance network which recorded the shopping incident involving former MP Golriz Ghahraman is able to be searched by police even when no complaint has been made, the company co-ordinating it has confirmed.

[...]

But Auror, which hosts the surveillance network covering 90% of New Zealand retailers, has confirmed information recorded by its retail clients is available to police.

“By using Auror, retailers choose to make this information available to law enforcement and also have the option to directly report to them via the software. Retailers determine what information they enter,” a spokesman said.

This has led people to ask the obvious question: how the fuck is this legal? And its a good one. Because while the purpose of collection and general idea of tracking information on shoplifters and disclosing it to police for the purpose of prosecution seems to comply with the information privacy principles, there are clear questions around the fairness and intrusiveness of the method of collection, not to mention disclosure. Because cameras which spy on you every time you go shopping, linked to facial recognition and ANPR to ID you, all of which spy on everyone regardless of guilt or innocence seems a bit over-the-top. And while disclosure for the purposes of investigation or prosecution is legal, disclosure for any other purpose is not. And where a retailer has decided not to prosecute, then that decision undermines the entire purpose of collection and retention, and renders any subsequent storage and disclosure illegal.

The Privacy Commissioner urgently needs to investigate Auror, to ensure that they are complying with the law. And if they are not, they need to be brought into compliance or shut down.

But its not just a problem for Auror - its also a problem for police. Because using Auror's database is very clearly a "search" in terms of the BORA: people have a reasonable expectation that they won't be spied on and databased when going about their daily business, even in public places. The fact that this spying is done by a third party is irrelevant - the moment the police access it, the BORA is engaged, and they need to meet a test of reasonableness. And permitting casual searches, without any reasonable causes, clearly violates the right to be free from unreasonable search and seizure. As the article points out, the police have already had this problem with Auror's ANPR database, and been forced to impose reasonable cause requirements on searching it as a result. They will need to do the same for the retail database. The problem is how to incentivise that. There's obvious scope for a BORA class action by everyone they've unreasonably searched, but the problem is getting them to admit doing so in the first place...