5
minute read
Waterloo University in Ontario, Canada wants 29 'smart' vending machines removed from campus after students raise privacy concerns.
Students at Canada’s Waterloo University were stunned to find their M&M-branded vending machine used what it called 'facial recognition' technology to gather user data without their consent.
A student, known on Reddit as SquidKid47, initially posted a photo displaying the machine’s error code and asked a question that has since been repeated worldwide: “hey so why do the stupid m&m machines have facial recognition?”
The vending machine error message triggered an investigation by student newspaper mathNEWS, which dubbed the revelation “the whole ‘Big Brother Massive M&M is Watching’ scandal.”
Student journalist River Stanley revealed that Adaria Vending Services provided machines manufactured by Invenda Group and collected 'facial recognition' data: “What students have been doing over the past two weeks is coming up with sticky tack, with chewing gum, with Post-it notes, doing anything to cover these sensors."
Some students joked on Reddit that SquidKid47's face ‘crashed’ the machine while others wondered if "any pre-law students wanna start up a class-action lawsuit?"
Waterloo University wants the software disabled and 29 vending machines removed, spokeswoman Rebecca Elming told SPYSCAPE in an emailed statement: "Waterloo did not know about the technology. We’ve asked the machine be removed as soon as possible. There are 29 in total."
Who runs M&M vending machines?
The vending machines are ultimately owned by Mars, the company behind M&M's, who responded to SPYSCAPE questions with a statement: "Mars takes the privacy of personal identifiable information extremely seriously and strictly complies to local, federal, and global privacy regulations and therefore, Mars only engages with partners who also meet this same standard. The vending machine technology, which uses motion sensors without collecting personal identifiable information, focuses solely on detecting presence, analyzing foot traffic patterns, and transactional conversion rates."
Adaria Vending Services and Invenda Group emphasized that the technology functions as a motion sensor to activate the purchasing interface without capturing or retaining customer photos. Although the vending machine error statement uses the exact words 'Facial Recognition', Invenda said their software relies on 'people detection' and 'facial analysis', not facial recognition.
"Invenda operates under strict policy and does not collect any user data or photos, ensuring individual identification via machine technology is unattainable. The software relies on people detection and facial analysis, not face recognition. This means, people detection solely identifies the presence of individuals whereas facial recognition goes further to discern and specify individual persons," Invenda said in an email.
"Additionally, the Invenda solution can only determine if an anonymous individual faces the device, for what duration, and approximates basic demographic attributes unidentifiably. The vending machine technology functions as a motion sensor, activating the purchasing interface upon detecting individuals, without the capability to capture, retain, or transmit imagery. Data acquisition is limited to assessing foot traffic at the vending machine and transactional conversion rates. These systems adhere rigorously to GDPR regulations and refrain expressly from managing, retaining, or processing any personally identifiable information."
While the machines may be GDPR compliant, adhering to the European Union's data protection regulations, some Canadians aren’t satisfied. As one Reddit user commented: "I HATE THESE MACHINES! I HATE THESE MACHINES! I HATE THESE MACHINES!"