Column by Jason Thomas, managing director and founder of AusComply
With NSW imminently poised to introduce the use of facial recognition in gaming venues to enhance the gambling harm minimisation qualities of self-exclusion (MVSE – Multi Venue Self Exclusion), the potential for a repeat of the pink batt and solar scandals of the past is high. Already some technology providers are peddling to unwitting venues inferior, problematic and deficient facial recognition systems that may or may not be approved for use.
How we got here
In late 2019 Victor Dominello introduced a Bill to parliament that, if not defeated at the time, would have imposed massive fines on venues who were unable to demonstrate how they were effectively identifying and stopping self-excluded patrons from using poker machines. Although ultimately defeated, with the Bill suggesting the use of facial recognition to help identify self-excluded patrons and proposing fines up to $20,000 for those who couldn’t demonstrate due diligence, it certainly got the industry’s attention.
Key stakeholders put the current system under the microscope and sought a better, more robust, system. Despite, or more likely because of, industry best efforts, the MVSE program has become a victim of its own success. With awareness of gambling harm within the community and support programs available at an all-time high, the program now caters for more self-excluded patrons than many venues can reasonably identify.
Since 2020 AusComply has worked with key industry stakeholders to demonstrate the capabilities of modern facial recognition technology and prove its effectiveness as a robust method of identifying self-excluded patrons. In 2021/2022 AusComply and others continued to work with stakeholders, conducting extensive in-venue trials. Work is currently underway on the privacy, security and operative conditional requirements facial recognition systems will need to meet in order to be used in venues for the MVSE program.
Worrying trends emerging in venues
Travelling the country talking to customers, especially recently across NSW, there are some glaring and very worrying trends emerging. Some venues (both clubs and pubs), having sought improved solutions to identify self-excluded patrons, have unwittingly installed facial recognition technology without fully researching their options.
Not all facial recognition is the same and many solutions may not comply with the strict MVSE requirements (that are yet to be published). Some facial recognition suppliers have talked, and sometimes scared, vulnerable or desperate venues into spending tens of thousands of dollars on new cameras and other alleged facial recognition technology. With no guarantees of program compliance, these systems may ultimately need to be thrown in the bin if they can’t meet the stringent privacy and efficacy requirements the new state-wide NSW MVSE program will likely require.
Not all facial recognition integrators are the same. The MVSE program and use of facial recognition will rightly be under the microscope with the rollout, execution and introduction closely scrutinised. With both venues and concerned family members also soon able to request self-exclusion, MVSE enrollee privacy must be of paramount importance. In addition, those patrons not on a self-exclusion list should be afforded the right to privacy and anonymity.
A recent Choice magazine investigation into the use of facial recognition by Kmart, Bunnings and The Good Guys served to highlight the very real risks associated with the use of inferior facial recognition technology.
What features should an ethical and compliant facial recognition system include?
- Number one should be the adoption of a ‘Privacy By Design’ approach
The use of facial recognition should be conducted ethically and in the public interest at all times. If venue, patron safety and harm minimisation are the key goals, these need to be achieved with minimal impact on the privacy and anonymity of patrons and staff wherever possible. Facial recognition companies who adopt a ‘Privacy by Design’ approach to their programming and features should be the first stop on your facial recognition journey.
Key questions to ask:
- Does the facial recognition technology and provider have a comprehensive privacy policy?
- Does the system have a privacy mode or settings to protect patrons NOT on a watchlist?
  - If so, how long is the data stored for and how soon is it deleted if not needed?
  - Can this be adjusted or set to meet differing locations or situations?
- Can privacy settings differ camera to camera and location to location based on situational needs?
- Can the facial recognition system assign different watchlists to different cameras and locations? For example, a self-excluded patron should be able to attend your venue for a meal or drinks with family and friends without tripping your facial recognition system – unless of course they enter the gaming room.
- Is system access restricted to authorised users only?
- What information is captured and/or sent upon identification of a self-excluded patron?
- What controls are there to ensure only authorised users receive notifications?
- Do notifications leave an audit trail with the ability to record actions taken and the ability to automate third party notifications such as those required by the MVSE program?
- How timely are the notifications?
  - Notifications should be received within 30 seconds of a match. 20 minutes to two hours, as some venues have reported, is inadequate and does nothing to protect the self-excluded patron seeking help.
  - Notifications should be available in a variety of ways including SMS, email, push and of course within the system itself.
- Private, secure and Australian cloud-based (off-site) storage of watchlists and data is critical
In recent times there have been a few very high-profile data breaches and, with around 3,200 venues in NSW currently operating gaming machines and likely to soon require facial recognition, only facial recognition providers who apply a sufficiently secure cloud watchlist should be considered.
Put simply, it’s easier to ensure the security of four or five providers’ watchlists in the cloud than potentially duplicating the MVSE watchlist 3,200 times on servers across venues. Let’s face it, venues already have an unmanageably vast array of differing network structures and security profiles, making it logistically impossible to ensure watchlist data safety if stored locally.
Key questions to ask:
- Are your watchlists in the cloud or on a local server, device or camera?
  - If the response is “stored locally on your server, device or camera”, my advice would be to politely thank the provider for their time, decline their services and move on.
- If stored in the cloud, where are they stored?
  - Commercial data centre?
  - Central server (at the provider’s office)?
  - Is it stored in Australia or overseas?
- What security is applied to the watchlist and your interactions with it?
  - A good facial recognition provider should be able to confirm the following:
    - No on-site storage of watchlists or data.
    - Cloud storage in an Australian Commercial Data Centre.
    - All data should be encrypted at rest and in transit to at least 256-bit.
    - Patron data captured (biometric algorithms) not matched to a watchlist should be deleted within a configurable timeframe and not retained on-site or in the cloud.
  - A good facial recognition provider should also have the ability to talk you through any other layers of security used to protect your patrons and staff, including relevant firewalls, secure APIs, system access and, importantly, support.
- Comprehensive access, data, features and suitability
While facial recognition technology has come a long way in recent years, so have online systems and the subsequent integrations of that technology. You should expect more than a one-trick pony from your facial recognition provider. Identification against a watchlist is just one attribute. Modern integrations should provide you with more than just an identification (match) and notification.
The key questions to ask:
- What else is it doing for you?
- What features does it have? To complete the harm minimisation cycle any facial recognition product should:
  - the MVSE program
  - identifying banned or barred patrons
  - the ability to replace your ID scanners at the front door if you use them
  - allowing shared watchlists between venues to cater for your liquor accord’s BFOBFA (Barred From One, Barred From All) program
- How does it fit in with your general operations?
- What is its error rate, i.e. how many false positives are you likely to receive? Anything greater than a 0.05% rate is too high. Ideally it should at least be less than one in a thousand to ensure you’re not unnecessarily disrupting patrons.
- And a very big question: Can I use my existing CCTV cameras?
  - This is probably one of the biggest questions we receive and the largest problem we’re finding. A good facial recognition system should be able to minimise your costs by using your existing CCTV cameras wherever possible.
What’s the next step for venues?
Like most technologies these days there are several options available to customers, some good and some not so good. Price is not always the best indicator of quality; there are some quite dated systems around with limited functionality but big implementation costs.
The best advice is to do your homework, ask the hard questions (listed above) and make sure you get the answers you’re after BEFORE proceeding. Remember these three basic requirements:
- Does or will this system meet required MVSE privacy, access and security standards?
- Are watchlists stored in the cloud (Australian data centre) and not onsite?
- What additional features do I get and can I use my existing CCTV where possible?
If in doubt, continued due diligence is the answer.
Jason Thomas is the Founder and Managing Director of AusComply, Australia’s first truly digital incident register for the liquor and security industry. Jason is a retired Inspector of Police (NSW), including five years in corporate audit where he designed and programmed the NSW Police Audit Tool, with a subsequent post-policing role as NSW BDM, Training and Compliance Manager for The Drug Detection Agency. Jason founded AusComply in 2013, applying his extensive compliance background to the design and programming of AusComply’s comprehensive and growing digital offering. Jason holds numerous relevant qualifications in training, compliance, business and government.