![](\"https:\/\/media.wired.com\/photos\/65d91d8d6248d84bf2a999c2\/master\/pass\/vending%20machine%20facial%20recognition.png\"\/)
<\/p>\n<\/p>\n
Credit to Author: Ashley Belanger, Ars Technica| Date: Sat, 24 Feb 2024 22:02:00 +0000<\/strong><\/p>\n Ashley Belanger, Ars Technica<\/a><\/span><\/span><\/p>\n Canada-based University of Waterloo is racing to remove M&M-branded smart vending machines from campus after outraged students discovered the machines were covertly collecting face recognition data<\/a> without their consent.<\/p>\n The scandal started when a student using the alias SquidKid47 posted<\/a> an image on Reddit showing a campus vending machine error message, \u201cInvenda.Vending.FacialRecognitionApp.exe,\u201d displayed after the machine failed to launch a face recognition application that nobody expected to be part of the process of using a vending machine.<\/p>\n "Hey, so why do the stupid M&M machines have facial recognition?" SquidKid47 pondered.<\/p>\n The Reddit post sparked an investigation from a fourth-year student named River Stanley, who was writing for a university publication called MathNEWS<\/a>.<\/p>\n Stanley sounded the alarm after consulting Invenda sales brochures that promised \u201cthe machines are capable of sending estimated ages and genders\u201d of every person who used the machines\u2014without ever requesting consent.<\/p>\n This frustrated Stanley, who discovered that Canada's privacy commissioner had years ago investigated a shopping mall operator called Cadillac Fairview after discovering some of the malls' informational kiosks were secretly \u201cusing facial recognition software on unsuspecting patrons.\u201d<\/p>\n This story originally appeared on Ars Technica<\/a>, a trusted source for technology news, tech policy analysis, reviews, and more. Ars is owned by WIRED's parent company, Cond\u00e9 Nast.<\/p>\n Only because of that official investigation did Canadians learn that \u201cover 5 million nonconsenting Canadians\u201d were scanned into Cadillac Fairview's database, Stanley reported. Where Cadillac Fairview was ultimately forced to delete the entire database, Stanley wrote that consequences for collecting similarly sensitive face recognition data without consent for Invenda clients like Mars remain unclear.<\/p>\n Stanley's report ended with a call for students to demand that the university \u201cbar facial recognition vending machines from campus.\u201d<\/p>\n A University of Waterloo spokesperson, Rebecca Elming, eventually responded, confirming to CTV News<\/a> that the school had asked to disable the vending machine software until the machines could be removed.<\/p>\n Students told CTV News that their confidence in the university's administration was shaken by the controversy. Some students claimed on Reddit<\/a> that they attempted to cover the vending machine cameras while waiting for the school to respond, using gum or Post-it notes. One student pondered whether \u201cthere are other places this technology could be being used\u201d on campus.<\/p>\n Elming was not able to confirm the exact timeline for when the machines would be removed, other than telling Ars it would happen \u201cas soon as possible.\u201d Elming declined Ars' request to clarify if there are other areas of campus collecting face recognition data. She also wouldn't confirm, for any casual snackers on campus, when, if ever, students could expect the vending machines to be replaced with snack dispensers not equipped with surveillance cameras.<\/p>\n MathNEWS' investigation tracked down responses from companies responsible for smart vending machines on the University of Waterloo's campus.<\/p>\n Adaria Vending Services told MathNEWS that \u201cwhat\u2019s most important to understand is that the machines do not take or store any photos or images, and an individual person cannot be identified using the technology in the machines. The technology acts as a motion sensor that detects faces, so the machine knows when to activate the purchasing interface\u2014never taking or storing images of customers.\u201d<\/p>\n According to Adaria and Invenda, students shouldn't worry about data privacy because the vending machines are \u201cfully compliant\u201d with the world's toughest data privacy law, the European Union's General Data Protection Regulation (GDPR).<\/p>\n \u201cThese machines are fully GDPR compliant and are in use in many facilities across North America,\u201d Adaria's statement said. \u201cAt the University of Waterloo, Adaria manages last mile fulfillment services\u2014we handle restocking and logistics for the snack vending machines. Adaria does not collect any data about its users and does not have any access to identify users of these M&M vending machines.\u201d<\/p>\n Byron Tau<\/span><\/span><\/p>\n Julian Chokkattu<\/span><\/span><\/p>\n David Nield<\/span><\/span><\/p>\n Kate Knibbs<\/span><\/span><\/p>\n Under the GDPR, face image data is considered among the most sensitive data that can be collected, typically requiring<\/a> explicit consent to collect, so it's unclear how the machines may meet that high bar based on the Canadian students' experiences.<\/p>\n According to a press release<\/a> from Invenda, the maker of M&M candies, Mars, was a key part of Invenda's expansion into North America. It was only after closing a $7 million funding round, including deals with Mars and other major clients like Coca-Cola, that Invenda could push for expansive global growth that seemingly vastly expands its smart vending machines' data collection and surveillance opportunities.<\/p>\n \u201cThe funding round indicates confidence among Invenda\u2019s core investors in both Invenda\u2019s corporate culture, with its commitment to transparency, and the drive to expand global growth,\u201d Invenda's press release said.<\/p>\n But University of Waterloo students like Stanley now question Invenda's \u201ccommitment to transparency\u201d in North American markets, especially since the company is seemingly openly violating Canadian privacy law, Stanley told CTV News.<\/p>\n On Reddit, while some students joked that SquidKid47's face \u201ccrashed\u201d the machine, others asked if \u201cany pre-law students wanna start up a class-action lawsuit?\u201d One commenter summed up students' frustration by typing in all caps, \u201cI HATE THESE MACHINES!\u00a0I HATE THESE MACHINES!\u00a0I HATE THESE MACHINES!\u201d<\/p>\n This story originally appeared on<\/em> Ars Technica<\/a>.<\/em><\/p>\n