
Well, to start with they could lock the API down correctly so you had to supply a number plate to get 2-3 likely matches. And fuzz the photos they send a bit more so it is legible enough to identify your car, but not to read the license plate itself. And remove superfluous data from the IP results, like time of entry.

As compared to the current system where you can immediately get a list of every car in the carpark, with its location, entry time, and photos where the license plates are discernable.

And they could institute per-IP throttling of requests (no more than 5 an hour or something) to stop someone brute-forcing number plate combinations to get a "map" of the centre.

Finally they could have locked out the admin interface so that random members of the public couldn't do other things as well. ;)

But you're right in general - even implemented correctly, this feature has an interesting privacy implication - at any given time, anyone with a license plate number and a vague description of the vehicle can check if that car is parked at a Westfield, and where it is parked.
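The lock-downs suggested in the comment above, sketched as an added example that is not part of the original thread or the app's own code: a lookup that requires a plate, returns at most three likely matches without plate or entry time, and throttles each IP to 5 requests an hour. The record fields, the similarity cut-off and the plate-length check are assumptions, and the sample data is constructed.

```python
import time
from collections import defaultdict, deque
from difflib import SequenceMatcher

MAX_REQUESTS, WINDOW_SECONDS = 5, 3600   # "no more than 5 an hour"
MAX_MATCHES, MIN_SCORE = 3, 0.8          # MIN_SCORE is an assumed cut-off

# Constructed sample records; field names are assumptions.
CARPARK = [
    {"plate": "ABC123", "bay": "L2-041", "entry_time": "09:14", "photo_blurred": "b/1.jpg"},
    {"plate": "ABC128", "bay": "L1-007", "entry_time": "10:02", "photo_blurred": "b/2.jpg"},
    {"plate": "XYZ789", "bay": "L3-112", "entry_time": "11:30", "photo_blurred": "b/3.jpg"},
    {"plate": "QRS456", "bay": "L2-090", "entry_time": "08:45", "photo_blurred": "b/4.jpg"},
]

class PlateLookup:
    def __init__(self, records, clock=time.monotonic):
        self.records, self.clock = records, clock
        self.hits = defaultdict(deque)   # client IP -> timestamps of recent requests

    def _throttled(self, ip):
        now, recent = self.clock(), self.hits[ip]
        while recent and now - recent[0] >= WINDOW_SECONDS:
            recent.popleft()             # drop requests older than the window
        if len(recent) >= MAX_REQUESTS:
            return True
        recent.append(now)
        return False

    def lookup(self, ip, plate):
        """Return (status, matches); every request counts against the IP's quota."""
        if self._throttled(ip):
            return 429, []
        plate = "".join(str(plate).split()).upper()
        if not (plate.isalnum() and 5 <= len(plate) <= 8):
            return 400, []               # no plate, no results: never list the car park
        scored = [(SequenceMatcher(None, plate, r["plate"]).ratio(), r)
                  for r in self.records]
        best = sorted((s for s in scored if s[0] >= MIN_SCORE),
                      key=lambda s: -s[0])[:MAX_MATCHES]
        # Respond with location and blurred photo only: no plate, no entry time.
        return 200, [{"bay": r["bay"], "photo": r["photo_blurred"]} for _, r in best]
```

Malformed requests are counted against the quota too, so probing with invalid input still exhausts the five requests.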



Some people have talked about "crypto" and I can see a lot of ways you could add some level of encryption or auth to make things slightly more obfuscated (perhaps require pre-registration of your car), but I can't see any way that would change the fundamentals.

The app is essentially designed to let people look up car locations by license plate numbers, and as long as it does that it seems to me there will be some level of privacy issue.



