Westfield operator Scentre Group has removed the SMS notification feature of its ticketless parking service after being alerted to a potential privacy breach that could have allowed anyone to track someone else's vehicle.
Over the past few years Westfield has progressively rolled out ticketless parking to four of its 35 shopping centres around the country.
The service means vehicle license plates are scanned upon entry and exit by Park Assist technology, eschewing the need for a physical ticket.
The shopping centre operator also recently began offering a feature for users to receive free SMS notifications outlining the time they entered the car park and an alert when they approach their free parking limit.
The SMS service is currently available at the Miranda, Hurstville and Bondi Junction Westfield centres in NSW, and Doncaster in Victoria. Around 10 percent of carpark users at the centres have registered for the service.
To sign up, users need only enter a name, license plate number and mobile phone number.
But concerns were raised by privacy experts who noted there was no requirement for a user to prove the license plate number they enter is their own.
It meant an individual could enter any license plate number and receive notifications on when the vehicle enters a specific Westfield centre, providing its physical location.
Privacy experts said the feature was particularly concerning when considering the implications for domestic violence victims or those with an apprehended violence order.
Scentre Group has now decided to "temporarily suspend" the SMS reminder service after being notified of the privacy concerns by iTnews as part of responsible disclosure.
"While the rest of the [ticketless parking] system will continue to operate we made a decision that a risk, no matter how small, was more than we were comfortable with when it came to the privacy of our shoppers," a company spokesperson said.
"Privacy is a priority for us - as is the confidence of our shoppers - and if we don’t believe one of our systems measures up, we’ll continue to make adjustments until it does."
The company confirmed it had not undertaken a privacy impact assessment prior to releasing the service.
It said it was currently working through a number of options for the future of the SMS feature.
"Some of them are short to medium-term and some are more long-term, depending on the level of complexity – technical or otherwise," the spokesperson said.
"While we look forward to reinstating the service we’d like to be as sure as possible that the risk of any privacy breach is mitigated."
Principal analyst at Constellation Research Steve Wilson said the service had potentially breached the Australian Privacy Act.
"I should think that [using the service to get alerts] about the movement of a car from a car park's CCTV, without the driver agreeing or even knowing, would breach the Privacy Act," he said.
Whether the license plate was already in the public domain is "irrelevant" in the eyes of the Act, he said.
"One of the counter inuitive aspects of our Privacy Act is it doesn't contain the words "public" and "private". It is a data protection statute, which concerns itself with restraining the collection and use of any personal information, regardless of where it comes from."
Westfield's ticketless parking service made headlines in 2011 after similar privacy implications were raised with Bondi Westfield's "find my car" feature.
The company's mobile application was found to be leaking customers' license plate numbers on the public internet, allowing anyone with "rudimentary programming knowledge" to monitor when cars entered and exited the car park.
Scentre Group was using an unprotected API to power the search function of the app, meaning the information contained with in the app was accessible on the public internet.
Independent security expert Troy Hunt identified the issue in 2011, and today said he was surprised Scentre Group had not fully thought through the implications of the SMS alert feature given the company's experience five years ago.
"... but often organisations rush into rolling out systems as they focus on the potential upside without giving due consideration to the potential risks," he told iTnews.