The Privacy Commissioner is investigating after a bar owner accused a former MP of shoplifting after he accessed an unregulated retail incident database.
When New Zealand bar owner and restauranteur Leo Molloy accused former Green MP Golriz Ghahraman of shoplifting, he inadvertently revealed the lack of security around a massive privately-owned retail surveillance network that holds data on millions of Australians and New Zealanders. The Privacy Commissioner is now investigating.
Last year, Gharaman was convicted of taking around $9,000 (US$5,100) worth of clothing from high-end boutiques in Auckland and Wellington and was fined $1,600. The former lawyer requested a discharge without conviction so she could return to her profession, but the judge denied the application.
A few days ago, she appealed that decision to the High Court, but Justice Geoffrey Venning also ruled against her, noting that the offending, which took place on four separate occasions, was “rightly regarded as an example of serious theft.”
And there it may have ended. Except Molloy, known for his outspoken views on various issues, made a social media video claiming Ghahraman had shoplifted again in late 2024.
Police later confirmed that, in opposing Ghahraman’s application, they had attempted to introduce evidence of another incident at a Pak’n Save supermarket in Auckland, where she is alleged to have taken goods worth less than $150.
She was observed on CCTV placing items in a tote bag that was in a shopping trolley. When security stopped her and asked her to empty her bags before she reached the checkout, she told them she intended to pay for the items but then left the store without them.
The supermarket’s owner, Foodstuffs, confirmed they had not complained to the police.
This raised two questions: How did the police know about the incident? And how did Molloy?
It turns out someone from the supermarket had logged the incident in a system known as Auror, which logs and data-matches alleged retail crime.
The Surveillance Database
Foodstuffs, other supermarkets, service stations, shopping malls, and major retailers all subscribe to the system, which includes facial and licence plate recognition and provides access to the police.
Foodstuffs says it adds the details of about 20,000 incidents to the database every year.
The police will not say how they learned of the incident involving Ghahraman. They also say they don’t know how the information came to be shared on social media, but Auror has confirmed that the police can freely access the database.
“Retailers choose to make this information available to law enforcement and also have the option to directly report to them via the software. Retailers determine what information they enter,” a spokesperson said.
Molloy’s release of details about the incident and the police’s access to it could have breached New Zealand’s Privacy Principles, so the Privacy Commissioner, Michael Webster, has now stepped in to seek more information from Auror, Foodstuffs, and the police.
In a statement, Webster’s office said it “keeps a watching brief on data aggregation platforms like Auror that provide automated number plate recognition and CCTV surveillance services due to the high potential privacy risk.”
Auror’s Expansion
Platforms such as Auror carried risks around the accuracy of information entered into them, as well as inappropriate access to and disclosure of that information, which carried “the potential for significant adverse impacts to individuals.”
Auror is used in thousands of stores across Australia, including Coles and Woolworths, and claims to cover 50 percent of retailers. That rises to 90 percent in New Zealand.
The company of the same name was started in 2013 by four New Zealanders who claimed it would help prevent the $100 billion lost to retail theft each year.
It’s now estimated to be worth $500 million and has begun a push into the United States, where it has signed up retail giant Walmart as a customer.
The system allows users to upload information about any incident in their store, from a minor accident in their carpark to a hate crime.
This includes descriptions of the suspect, images, CCTV footage, licence plate information, and even social media content. Users can also input details of a person’s appearance, such as hair colour, age, and build (but not, apparently, race).
When investigating an incident, they can search through reports by people’s names and by products stolen, location, time, and other parameters.
While the company says it isn’t using real-time facial recognition, it says “machine learning” helps identify individuals across different reports.
Used by AFP
In Australia, Auror has also faced questions after it emerged it was being used by the Australian Federal Police (AFP) without any privacy assessments.
Greens Senator David Shoebridge has expressed concerns about the system.
“One of the real dangers in this space about online data and facial recognition is this push by those who are trying to profit from it that it is inevitable, that we have to give up on any kind of privacy,” he said. “That’s patently false. This is not inevitable.”
Shoebridge said Australians and New Zealanders “should be able to go about their daily lives without being secretly surveilled by private entities and the state.”
The Office of the Australian Information Commissioner opened an investigation into Auror in February last year. That has ended, and the OAIC had “provided guidance to Auror to assist it in meeting its privacy obligations,” a spokesperson said.
Media inquiries in the past have revealed that neither police nor privacy officials know how many CCTV cameras are linked to the Auror network.