Title | Vending Machine Error Reveals Secret Face Image Database of College Students
Date | Wednesday February 28 2024, @01:02AM
Author | hubie
Facial-recognition data is typically used to prompt more vending machine sales:
Canada-based University of Waterloo is racing to remove M&M-branded smart vending machines from campus after outraged students discovered the machines were covertly collecting facial-recognition data without their consent.
The scandal started when a student using the alias SquidKid47 posted an image on Reddit showing a campus vending machine error message, "Invenda.Vending.FacialRecognitionApp.exe," displayed after the machine failed to launch a facial recognition application that nobody expected to be part of the process of using a vending machine.
"Hey, so why do the stupid M&M machines have facial recognition?" SquidKid47 pondered.
The Reddit post sparked an investigation from a fourth-year student named River Stanley, who was writing for a university publication called MathNEWS.
Stanley sounded the alarm after consulting Invenda sales brochures that promised "the machines are capable of sending estimated ages and genders" of every person who used the machines without ever requesting consent.
[...] A University of Waterloo spokesperson, Rebecca Elming, eventually responded, confirming to CTV News that the school had asked to disable the vending machine software until the machines could be removed.
[...] Adaria Vending Services told MathNEWS that "what's most important to understand is that the machines do not take or store any photos or images, and an individual person cannot be identified using the technology in the machines. The technology acts as a motion sensor that detects faces, so the machine knows when to activate the purchasing interface—never taking or storing images of customers."
According to Adaria and Invenda, students shouldn't worry about data privacy because the vending machines are "fully compliant" with the world's toughest data privacy law, the European Union's General Data Protection Regulation (GDPR).
"These machines are fully GDPR compliant and are in use in many facilities across North America," Adaria's statement said. "At the University of Waterloo, Adaria manages last mile fulfillment services—we handle restocking and logistics for the snack vending machines. Adaria does not collect any data about its users and does not have any access to identify users of these M&M vending machines."
Under the GDPR, face image data is considered among the most sensitive data that can be collected, typically requiring explicit consent to collect, so it's unclear how the machines may meet that high bar based on the Canadian students' experiences.
According to a press release from Invenda, the maker of M&M candies, Mars, was a key part of Invenda's expansion into North America. It was only after closing a $7 million funding round, including deals with Mars and other major clients like Coca-Cola, that Invenda could push for expansive global growth that seemingly vastly expands its smart vending machines' data collection and surveillance opportunities.
"The funding round indicates confidence among Invenda's core investors in both Invenda's corporate culture, with its commitment to transparency, and the drive to expand global growth," Invenda's press release said.
But University of Waterloo students like Stanley now question Invenda's "commitment to transparency" in North American markets, especially since the company is seemingly openly violating Canadian privacy law, Stanley told CTV News.
printed from SoylentNews, Vending Machine Error Reveals Secret Face Image Database of College Students on 2025-03-27 17:35:28