A machine glitch revealed secret facial recognition technology

The Canada-based University of Waterloo is moving to remove M&M-branded smart vending machines from campus after outraged students discovered the machines were secretly collecting facial recognition data without their consent.

The scandal began when a student using the pseudonym SquidKid47 posted an image on Reddit showing a campus vending machine's “Invenda.Vending.FacialRecognitionApp.exe” error message, displayed after the machine failed to launch a facial recognition application that no one expected to be part of the process of using a vending machine.

“Hey, why do the stupid M&M machines have facial recognition?” SquidKid47 wondered.

The Reddit post sparked an investigation by a fourth-grader named River Stanley, who wrote for a university publication called MathNEWS.

Stanley raised the alarm after consulting Invenda sales brochures, which said: “The machines are capable of sending estimated age and gender details” of anyone using the machines – without ever seeking their consent.

This frustrated Stanley, who discovered that Canada's privacy commissioner had investigated the operator of a shopping center called Cadillac Fairview years ago after discovering that some of the mall's information kiosks were secretly “using facial recognition software on unsuspecting customers.”

It was only because of this official investigation that Canadians learned that “over 5 million non-consenting Canadians” had been scanned into Cadillac Fairview's database, Stanley reported. While Cadillac Fairview was ultimately forced to delete the entire database, Stanley wrote that the consequences for collecting similarly sensitive facial recognition data without consent were unclear for Invenda customers like Mars.

Stanley's report ended with a call for students to demand the university “ban facial recognition machines from campus.”

A spokeswoman for the University of Waterloo, Rebecca Elming, eventually responded, confirming to CTV News that the school had asked that the vending machine software be disabled until the vending machines could be removed.

Students told CTV News their trust in university administration has been shaken by the controversy. Some students claimed on Reddit that they tried to cover the machines' cameras while waiting for the school's response by using gum or sticky notes. One student wondered if there were “other places on campus where this technology could be used.”

Elming couldn't confirm the exact timeline for the machines' removal, other than telling Ars that it would happen “as soon as possible.” Elming declined Ars' request to clarify whether there are other areas of campus that collect facial recognition data. She also would not confirm when, if ever, students on campus can expect to see vending machines replaced with snack machines that are not equipped with surveillance cameras.

Invenda claims machines are GDPR compliant

MathNEWS' investigation tracked down responses from companies responsible for smart vending machines on the University of Waterloo campus.

Adaria Vending Services told MathNEWS: “The most important thing to understand is that the machines do not take or store photos or images, and an individual person cannot be identified using the technology in the machines. The technology acts as a motion sensor that detects faces, so the machine knows when to activate the shopping interface – without taking or storing images of customers.”

According to Adaria and Invenda, students should not worry about data protection as the vending machines are “fully compliant” with the world’s strictest data protection law, the European Union’s General Data Protection Regulation (GDPR).

“These machines are fully GDPR compliant and are used in many facilities across North America,” Adaria’s statement said. “At the University of Waterloo, Adaria manages last-mile fulfillment services – we handle the restocking and logistics of the snack machines. Adaria does not collect data about its users and has no access to identify users of these M&M vending machines.”