Note: February 1, 2025

Auror got in touch wanting to clear up some things in this piece — which I very much appreciate.

I think these are very important points — including the fact that Auror doesn’t do live facial recognition. With that mind, I’ve removed my line about being “biometrical scanned”, which sounded cool, but wasn’t.

As noted below, Auror was not involved in the Bunnings case, and I have removed that paragraph from the article. Auror didn’t ask me to do this, but in particular I felt this point needed to be amended.

Also, Auror’s CEO has made it clear he’s open to questions and clarity from Webworm in the future — which I will take them up on.

David.

Points from Auror:

-Auror isn’t a camera system, camera analytic, nor live facial recognition software.

-Retailers do not capture and enter into Auror information of everyone or even a majority of people who enter their sites. Retailers manually input crime events that they witness in their store after they occur, such as theft, fraud, abuse, and violence.

-To say Auror is always watching is inaccurate. As above, we are not a camera system - we have no way of watching. A retailer enters only information on a case by case basis of suspected crime on their premises.

-The Bunnings Australia use of FRT and subsequent OAIC inquiry had nothing to do with Auror.

-Retailers enter information that relates to a crime event in their store (of which farting is not one). Retailers can generally only access information entered across their own store network but cannot access information entered by all other retailers.

-The reason an individual would be entered into the software by the retailer would be for retail crime. If you are an everyday shopper living a normal life, there is no reason you would ever come into contact with Auror.

-Auror does not 'hold' or own the data. Data remains under the control of the retailer. The retailer collects the information when an event occurs in their store and then they hold the data (we are their software provider). This is why Auror cannot legally provide information to individuals. The only entity that can is the retailer who has collected the information.

Hi,

Just quickly, I wanted to say thanks for all the discussion going on under the Elon Musk piece. Your commentary has helped me feel more sane. The AMA was also super fun — I’ll be emailing the 10 Flightless Bird t-shirt winners later this week.

Now, onto something else entirely.

Have you visited a supermarket, been in a shopping mall, pumped gas, or been into a shop at all recently? Parked in the car park of a big box retailer, been slightly rude to a shop clerk, or acted in a weird way while buying things?

Congratulations.

Chances are you were photographed and added to a global surveillance database (which may hold other personal information about you) without your consent.

That surveillance database can be looked up by law enforcement — and retail workers with little to no privacy training — with very few checks and balances, and hardly any oversight.

Today, Australian Webworm contributor Jackson James Wood on the plucky New Zealand company that is always watching, and always snitching.

David.

Shopping, Surveillance & Snitching: How Auror Is Watching You Shop.

by Jackson James Wood

Auror first came to my attention buried in a New Zealand Herald story about former New Zealand Member of Parliament Golriz Ghahraman being harassed while doing her groceries. A subsequent story revealed the supermarket didn’t tell the cops, but they did put it into “Auror”, a retail crime database.

Until this week, New Zealand Police refused to say how they learned about the incident or why they were even investigating it, given it wasn’t reported and would be — as a lawyer points out — exceedingly hard to prove anything since Golriz didn’t actually leave the store without paying for the goods.

This whole situation raises some pretty big questions about how Auror is being used, the implications for your privacy, and basic civil liberties in an age where the deeply authoritarian nature of Big Tech has made itself apparent.

Auror is not just being used in New Zealand. It’s in hardware stores in Australia, supermarkets in Canada, big box retailers in the UK, and gas stations across the United States.

Auror has partnered with all 28 state-level Organized Retail Crime Associations in the US. They’re in Walmart. They’ve partnered with hundreds of international brands and more than 3000 law enforcement agencies around the world.

The New Zealand police certainly use it, although their thoughts are hard to come by. In a recent Official Information Act request about their use of Auror, police redacted their own comment about how great Auror actually is.

Maybe they’re not all that confident in the product. At its core, Auror relies on staff on shop floors and security personnel to photograph, or take images from CCTV, of people who come into their stores who they think are being dodgy.

It’s so easy to report someone acting “suspicious”, Auror says it can take as little as three minutes. Staffers can upload images and video, they can describe people, and they can add your name if they know it.

All these reports, photos, videos, descriptions, car license plates, and whatever else goes into a huge shared database to become a great stalking tool.

Here is a quote which describes what happens once you’re in the database:

“My favourite feature in Auror would be the newsfeed. It gives you all the information about the offenders and the various vehicles they use. It’s all there for you. If you’re looking for the name of a person, you can put that in. If you’re looking for a particular vehicle, just put the registration in. If you’re looking for recent thefts, you can put those search criteria in and the information will just come up."

— Gillian Harrop, Security Manager, Mitre10 MEGA Westgate

It will all just “come up”.

By “come up” Gillian means all the times you’ve been into any store, your license plate number, your full name, maybe your address where you were previously… all go to someone who is the security manager at a hardware store.

So if Gillian’s added you to the database because you farted in the aisle while you were checking out power tools, what happens next? Nothing as far as you’re concerned. But maybe when you go into an electronics store a bit later in the day, you might notice a security guard trailing you around.

And it’s not just the electronics store, because in New Zealand almost all shops — and I’m not exaggerating here — literally 90% of retailers, use Auror. You cannot, if you want to live a vaguely normal life, avoid it.

A big part of this is because many retailers do not even tell you they are using this technology.

Auror has robbed you of your agency to consent to handing over very private information. You can’t change your face, and they’ve made it available to people who seem to froth over the power it gives them. You don’t even get the chance to scroll through an End User Licence Agreement and hit accept. You just have to want to buy something and suddenly that random store you walked into knows you like Snickers bars and went into a book store earlier and maybe where you live.

As far as I can tell, there is no real way to see if you are in their database. They say on their site you can ask them to remove you, if you’ve had no luck asking a retailer. Their very optimistically named “Trust Center” makes it clear “Auror cannot make a decision on your request”.

Which is wild because they’re the ones holding all the data.

Because many retailers are using it… what, you’ve got to go to every single store you’ve been into for the past 12 years (that’s how long Auror has been operating) and ask them to delete you, only for them to re-add you next time you go in?

There is seemingly no way to opt out other than to not go into physical shops.

They’ve gamified it, too.

Doug Rawson, the unsettlingly titled “Profit Protection Manager” for Woolworths New Zealand, is an illustrative case. Rawson recently was nominated for The Retail Risk Manager of The Year Award. Here’s what his nomination has to say:

“One of Doug’s standout achievements is his recognition as New Zealand’s top “dot connector,” having connected almost 3,000 profiles on the Auror platform this year.“

3000 people… just branded as quasi-criminals by a man tasked with protecting the profits of a company which made almost $100 million dollars in profit in New Zealand.

But were all these people actually doing anything wrong, or were many of them, like Gharaman, labelled as potential robbing ne’er-do-wells for something as normal as placing their shopping in a tote bag?

And even if a few of them were running portobello mushrooms through the self checkout as brown onions, do the marginal benefits of intrusive mass data driven surveillance somehow outweigh the very real costs in privacy to you and me?

When you get the law enforcement side of things, it gets even murkier.

In New Zealand, police are already looking up the database more than 600 times a day.

I am not alleging anything here, but here are some interesting facts about the Gharaman case:

1. The supermarket didn’t report the incident.

2. The police can search the Auror database.

3. They just happened to come across the report amongst the 200,000 reports logged every year in New Zealand

You can draw your own conclusions.

It’s not just the actions of the New Zealand police that raise questions about the use of Auror. In Australia the Federal Police were found to be misusing Auror in 2023. It doesn’t seem like Auror or the AFP cared until someone started writing about it, and it’s not clear whether Auror has put in better protections to stop misuse.

By crowdsourcing all this “intelligence” the police have basically sub-contracted part of their jobs to store clerks, and Auror is there to profit off of this devolution of a quite serious amount of state power to people like Gillian and Doug.

Just this week, the CEO of Auror went on a New Zealand radio station saying “we’re not a surveillance company.”

And I agree.

They’re way creepier.

A more accurate description would be that Auror is a privately held crowdsourced tracking and information database that allows police to farm out large chunks of their responsibilities to private security and potentially criminalise or at least breach the privacy of people who’ve simply had the temerity to walk into a shop.

But I bet that description wouldn't attract $76 million investment.

-Jackson James Wood
with additional reporting from Ira Bailey

David here again. If you have any information about Auror, we’d love to hear from you. You can contact Webworm in confidence at: davidfarrier@protonmail.com.

Perhaps you’ve used it, or seen a colleague embracing it. Maybe your boss has encouraged you to snitch on a customer. Maybe the police have used Auror’s information against you. Maybe you’ve been harassed because of it. Let me know.

Before I go, I enjoyed a Wikipedia entry someone sent me over the weekend. It’s found under a piece about computer worms (usually bad) — but it briefly touches on “worms with good intent.”

I thought this was quite applicable here.

David.