A Vending Machine in A Canada-based University Was Secretly Stealing Student’s Facial Recognition Data

Students of the Canada-based University of Waterloo were outraged after they found that the vending machines in their university were secretly stealing their facial recognition data.

The incident came to light when a student from the university, nicknamed SquidKid47 posted a picture on Reddit showing the vending machine displaying this message Invenda.Vending.FacialRecognitionApp.exe,".

Taking a quirky take on the incident, the student captioned the image Hey, so why do the stupid M&M machines have facial recognition?"

It basically meant that a facial recognition app within the system failed to start up for that transaction.However, that's what raised that student's concerns, a facial recognition app shouldn't be a part of a vending machine, at least not naturally.

Soon after the news spread, another 4th year student from the university named River Stanley, who writes for a university publication called MathNEWS, started investigating the matter.

What's worse is that there was no obvious sign of data mining, There was no camera, notification, or formal consent request for the users. Stanley said that without the error in the machine, they would never find out what the vending machine was up to.

The first solid evidence came with the Invenda sales brochures that said that the machines are capable of recording and transmitting the approximate age and gender of each user without needing consent from them.

Upon learning about the incident, the university promised to take swift action and replace all the vending machines on the campus as soon as possible. And in the meantime, it has asked the company to disable the software.

Students of the University also took the initiative to cover the hole which they believe to be the camera with gum and paper.

What Does Invenda Have To Say About This?

Invenda (the manufacturer of the machine) and Adaria Vending Services (responsible for smart vending machines on the University of Waterloo's campus) both said the students have nothing to worry about.

The machine neither takes pictures of the user nor has the capacity to retain any information that can be used to recognize them. The motion sensor is only in place to detect an incoming user and activate the demographic detector tool.

According to them Invenda's vending machines are GDPR compliant and the data they collected are protected by some of the strongest data privacy laws.

But the question is, GDPR labels any type of face image data as very sensitive" which often requires direct consent from the user. So it's unclear how these machines can meet such guidelines without obtaining user consent.

In a separate statement, Adaria confirmed that their only job is to restock and carry out the logistics of the vending machines. Any user data that is collected by Invenda is not available to them.

However, these justifications were not enough to sway the students. Both Stanley and the university are now questioning the company's commitment to maintaining transparency with its customers.

Also, Stanley said that no matter what standards they claim to meet, they are certainly violating Canadian privacy laws.

The post A Vending Machine in A Canada-based University Was Secretly Stealing Student's Facial Recognition Data appeared first on The Tech Report.