After finding an error message from a facial recognition app on one of the machines, the students began investigating whether their privacy had been breached.
In this digital world, escaping the eyes of technology is quite challenging. Whether it is paying a restaurant bill or using a self-checkout in a supermarket, almost every business runs with the aid of software. So people cannot help but wonder whether their data is being compromised without their consent. This February, the story of Canadian students from the University of Waterloo, Ontario, investigating the presence of facial recognition software in their campus vending machine made the rounds on the internet. It all started when a student, who goes by u/SquidKid47 on Reddit, shared a picture of an error message on the machine.
The error message, from an application on the machine, read, "Invenda.Vending.FacialRecognitionApp.exe Application Error." Asking the users of their university's subreddit, the student wrote, "Hey, so why do the stupid M&M machines have facial recognition?" After that, the students became wary and began examining the machine's potential to detect demographic data. They even published their findings in an article in their university's publication, mathNEWS. Fourth-year student River Stanley, who investigated the machines, told CTV News, "We wouldn't have known if it weren't for the application error. There's no warning here," and added, "People are finding these sales processes where you can see this particular model vending machine comes with demographic data sensing capabilities."
The university's article also referred to a similar instance in Canada six years ago. A company called Cadillac Fairview, which owned several shopping malls across Canada, drew controversy for using facial recognition software on its customers. Hidden within the informational kiosks of the malls, the software collected data on 5,061,324 patrons using secret cameras. An investigation found that the company's vendor had a database containing facial scan data of more than five million nonconsenting Canadians. Knowing this, the students weren't ready to let the software record their data. They began covering a small hole in the machine, which they believed might be where the camera was. They used chewing gum, sticky notes, sticky tack and other objects to block the hole.
When this news reached the university authorities, they assured the students that it would be dealt with. Rebecca Elming, University of Waterloo spokesperson, told the news channel, "The university has asked that these machines be removed from campus as soon as possible. In the meantime, we've asked that the software be disabled." The director of technology services at Adaria Vending Services, which operated the machines, responded, "What’s most important to understand is that the machines do not take or store any photos or images, and an individual person cannot be identified using the technology in the machines. The technology acts as a motion sensor that detects faces, so the machine knows when to activate the purchasing interface - never taking or storing images of customers."
The machine's original manufacturer, Invenda, also responded to the student investigators, "We formally warrant that the demographic detection software integrated into the smart vending machine operates entirely locally. It does not engage in the storage, communication, or transmission of any imagery or personally identifiable information." They added, "Invenda's smart vending machines and its software are compliant with the General Data Protection Regulation and equivalent data privacy policies." However, the students were concerned that their campus vending machine operators might still store data without consent, just as in the Cadillac Fairview case.