University vending machine error reveals use of secret facial recognition | A malfunctioning vending machine at a Canadian university has inadvertently revealed that a number of them have been usin...
University vending machine error reveals use of secret facial recognition | A malfunctioning vending machine at a Canadian university has inadvertently revealed that a number of them have been usin...
Snack dispenser at University of Waterloo shows facial recognition message on screen despite no prior indication
University vending machine error reveals use of secret facial recognition | A malfunctioning vending machine at a Canadian university has inadvertently revealed that a number of them have been usin...::Snack dispenser at University of Waterloo shows facial recognition message on screen despite no prior indication
The worst part of all is that no one would think of the fact that a vending machine is performing facial recognition techniques, because in general it is assumed that a vending machine is a mechanical device, as it has been in the past. There is not any user benefit in that.
I researched the manufacuter and in their brochure (see page 6) of a similar vending machine it is revealed what data can be processed:
Among the worst data sets are:
- product demographics
- measuring of foot traffic
- gender/ age/ etc.
Bonus: on page 7 of the product brochure they introduce an app which allows the customer to make purchases directly from their smatphone, with features like
- consumer engagement through gamification, interactive marketing, gifting, scratch-and-win receipts, product sampling and cross selling
"What do customers get?"
- a fun and engaging payment process
Finally! I always thought that payment is not fun enough. What a time to be alive.
gender/age/etc.
The etc. is doing a lot of work there
Well this absolutely wouldn't fly in the EU with GDPR
Can you lot in the states do something about your weird corpocracy, it's looking a bit dystopian
Bad news, the manufacturer is located in Switzerland and, as stated in the brochure, they advertise their product as "Made in EU". Probably to implicate that any data which will be collected and processed will be under the terms of GDPR.
I haven't looked up the terms regarding GDPR, but I assume that their data collection is somewhat "compliant" with GDPR, which does not necessaryly mean anything. It can just mean that data is not stored locally, albeit it will be send to the manufacturer (but probably entcrypted). However, under GDPR you can enforce your right of deletion of the collected data - that is, if you know that data about you has been collected.
What makes this issue so severe is that it would have never been detected that data has been collected and processed, if it weren't for a malfunction.
Edit: grammar, spelling
No. But also, this is Ontario, well-known for being outside US jurisdiction.
Scariest part is we'd never have known if the facial recognition software hadn't encountered an error. At least until someone curious enough looked up the machine.
This reminds me of the bit in Minority Report where Tom Cruise has to get his eyes surgically replaced so the shopping centre kiosks can't track him
AND they might have had miniature cameras in them for the past 20 years.
(The laws against this stuff are almost non-existing. Option left for those of us creeped out by constant surveillance: don't leave home, unplug that webcam. Demand privacy or lose it.)
Hey hey - y'all quit hanging around the vending machines! You're going to be late for the two minutes of hate!
This is the best summary I could come up with:
A malfunctioning vending machine at a Canadian university has inadvertently revealed that a number of them have been using facial recognition technology in secret.
Invenda, the company that produces the machines, advertises its use of “demographic detection software”, which it says can determine gender and age of customers.
It claims the technology is compliant with GDPR, the European Union’s privacy standards, but it is unclear whether it meets Canadian equivalents.
In April, the national retailer Canadian Tire ran afoul of privacy laws in British Columbia after it used facial recognition technology without notifying customers.
The government’s privacy commissioner said that even if the stores had obtained permission, the company failed to show a reasonable purpose for collecting facial information.
The University of Waterloo pledged in a statement to remove the Invenda machines “as soon as possible”, and that in the interim, it had “asked that the software be disabled”.
The original article contains 258 words, the summary contains 149 words. Saved 42%. I'm a bot and I'm open source!
Everyone seems concerned about what it could be doing, not what it is doing.
I could sit next to a vending machine and make notes on the gender and sex of each patron for demographic purposes, nothing would be illegal.
Why? Well, that's easy, I want to stock my vending machine in order to make money. Instead of testing different layouts which would take a lot of time, I could predict how well certain stock would do based on preexisting market research.
This appears to be just that, but with a camera.
Now, you can argue "but it could be worse"! That's not a valid argument. It could always be worse for things you don't know about. If it holds up to be true, as stated, it's just what it is.
If you're sitting there taking notes it is obvious what you're doing and the users of the machine can opt out of using it. With hidden cameras, not so much.
Bad analogy. If you were doing what you said, but instead of taking notes, you were using a camera, you'd quickly get a visit from the UW Special Constable Service who'd probably transfer you to WRPS.
EDIT: Even if you were just taking notes on people, it's possible you'd experience the same process.
I'm not familiar with Canadian law, but in the States, I can film someone without their permission in public. I can't do certain things with that recording, but I can record them. In this case, I see it as just that. Recording, doing some instant analysis, recording non identifying metadata, and forgetting the recording.
That would make it gdpr compliant, at least.
Fed
Lol people get so worked up and don't know shit. We're all just apes with a god complex.
This seems like an over reaction by people who don't understand the technology or associated risks. Focus on the implementation not the tech. There is no indication that the vending machine is inappropriatly storing or transmitting personally identifiable information or that its making decisions based on biased data.
Mind explaining to me why a vending machine needs to know the demographics of its users?
Likely for general marketing feedback so not targeting individuals like Facebook, Google, etc. If the vending machine is GDPR compliant then it's not storing individuals PII on the machine (it would be physically insecure) or transmitting PII without consent. And anyway, the marketing team wouldn't care about individuals, they're looking for aggregate trends. I think we should have stricter anti-marketing laws but this is not a dangerous anti-privacy vector. Online marketing is far far worse so if we're concerned with privacy, let's implement laws and policies that protect privacy instead of these BS distractions that don't actually affect people's privacy.
Hahahahahahahahahahahahajaja
Total "trust me bro" take.
I have the keys to your house, but there's no evidence I'm using them inappropriately.
I never say this, but go lick some more boot.
You obviously don't work in tech in Canada. Do a tiny bit of some research before generating strong opinions
This is a pretty "generous" take. I ask you then: if the company isn't doing communicating any of the scans/recordings, what is the purpose of the technology being installed in the first place?
There is no indication that the vending machine is inappropriatly storing or transmitting personally identifiable information or that its making decisions based on biased data.
And until the machine malfunctioned, there was no indication that the vending machine was collecting any data at all. Businesses can say whatever they want in the court of public opinion, but until these same claims are made in a court of law they should be considered lies to placate the public.
Furthermore, why even collect such data if it's not meant to be utilized? They already know what the most popular products are (since they know what they restock the most) so for what reason do they need to collect demographics?
Says a guy who doesn't hide his real name, face, and location for his online persona. You have no concept of digital privacy.
Arguing that I have no concept of digital privacy because I choose to share my name and face is an ignorant statement and demonstrates how little you understand the concept of online privacy. For context, I work in tech in Canada, I deal with GDPR and other compliances. I understand the technology, the risks, and the attack vectors. These vending machines are not a serious threat to individuals privacy. Facebook, Google, Amazon, are serious threats. Focus your energy on the actual risks instead of making uninformed comments.
This is the first step to charging a different price based on demographic.
Go back to reddit Greg.
Yikes, people here are brutal to people with differing viewpoints, heh.
Doesn't seem to matter how knowledgeable in the subject matter the person may be either.
¯\_(ツ)_/¯