University vending machine error reveals use of secret facial recognition | A malfunctioning vending machine at a Canadian university has inadvertently revealed that a number of them have been usin... (www.theguardian.com)
from L4s@lemmy.world to technology@lemmy.world on 24 Feb 2024 14:00
https://lemmy.world/post/12346787

University vending machine error reveals use of secret facial recognition | A malfunctioning vending machine at a Canadian university has inadvertently revealed that a number of them have been usin…::Snack dispenser at University of Waterloo shows facial recognition message on screen despite no prior indication

#technology

threaded - newest

autotldr@lemmings.world on 24 Feb 2024 14:00 next collapse

This is the best summary I could come up with:


A malfunctioning vending machine at a Canadian university has inadvertently revealed that a number of them have been using facial recognition technology in secret.

Invenda, the company that produces the machines, advertises its use of “demographic detection software”, which it says can determine gender and age of customers.

It claims the technology is compliant with GDPR, the European Union’s privacy standards, but it is unclear whether it meets Canadian equivalents.

In April, the national retailer Canadian Tire ran afoul of privacy laws in British Columbia after it used facial recognition technology without notifying customers.

The government’s privacy commissioner said that even if the stores had obtained permission, the company failed to show a reasonable purpose for collecting facial information.

The University of Waterloo pledged in a statement to remove the Invenda machines “as soon as possible”, and that in the interim, it had “asked that the software be disabled”.


The original article contains 258 words, the summary contains 149 words. Saved 42%. I’m a bot and I’m open source!

Greg@lemmy.ca on 24 Feb 2024 14:36 next collapse

This seems like an over reaction by people who don’t understand the technology or associated risks. Focus on the implementation not the tech. There is no indication that the vending machine is inappropriatly storing or transmitting personally identifiable information or that its making decisions based on biased data.

Shiggles@sh.itjust.works on 24 Feb 2024 14:52 next collapse

Mind explaining to me why a vending machine needs to know the demographics of its users?

Greg@lemmy.ca on 24 Feb 2024 15:48 next collapse

Likely for general marketing feedback so not targeting individuals like Facebook, Google, etc. If the vending machine is GDPR compliant then it’s not storing individuals PII on the machine (it would be physically insecure) or transmitting PII without consent. And anyway, the marketing team wouldn’t care about individuals, they’re looking for aggregate trends. I think we should have stricter anti-marketing laws but this is not a dangerous anti-privacy vector. Online marketing is far far worse so if we’re concerned with privacy, let’s implement laws and policies that protect privacy instead of these BS distractions that don’t actually affect people’s privacy.

uis@lemm.ee on 24 Feb 2024 17:08 collapse

Bananada has no GDPR

can@sh.itjust.works on 24 Feb 2024 20:18 next collapse

A damn shame too.

uis@lemm.ee on 24 Feb 2024 22:23 collapse

List of countries for EU to invade:

  1. Russia
  2. USA
  3. Canada

Who next?

DeadlineX@lemm.ee on 26 Feb 2024 04:20 collapse

That doesn’t change the claim that the vending machine is GDPR compliant, though.

666dollarfootlong@lemmy.world on 24 Feb 2024 15:49 collapse

I guess to collect data for advertisements and product development

krashmo@lemmy.world on 24 Feb 2024 15:51 next collapse

It’s installed at a university. Seems like you could make a pretty fucking good guess on the demographics of customers just based on that fact.

uis@lemm.ee on 24 Feb 2024 17:06 collapse

Best answer

ChicoSuave@lemmy.world on 24 Feb 2024 16:23 collapse

Do you see a lot of advertising for vending machines?

666dollarfootlong@lemmy.world on 24 Feb 2024 18:04 collapse

No, but for the companies that make the drinks

the_tab_key@lemmy.world on 24 Feb 2024 14:55 next collapse

This is a pretty “generous” take. I ask you then: if the company isn’t doing communicating any of the scans/recordings, what is the purpose of the technology being installed in the first place?

conciselyverbose@sh.itjust.works on 24 Feb 2024 15:47 next collapse

Cameras are one thing.

But if you can actually process it, that’s a meaningful cost per unit. The only reason you do that is if you’re planning to use it.

Greg@lemmy.ca on 24 Feb 2024 17:23 collapse

This type of analysis is cheap nowadays. You could easily fit a model to extract demographics from an image on a Jetson Nano (basically a Raspberry Pi with a GPU). Models have gotten more efficient while hardware has also gotten cheaper.

conciselyverbose@sh.itjust.works on 24 Feb 2024 17:47 collapse

MSRP is $100. Even assuming you can cut that to $50 in bulk, $50 per unit is something that manufacturers are going to take seriously as an added cost. They’re not going to pay it without an intent to use it.

And that’s before software costs. Even leveraging open source it’s still going to take investment to tailor it to your deployment.

Greg@lemmy.ca on 24 Feb 2024 19:08 collapse

I doubt they would implement thing on every vending machine. They can still derive some useful analytic data from a smaller sample size

conciselyverbose@sh.itjust.works on 24 Feb 2024 19:09 collapse

That’s using it.

The only possible reason to have the hardware is because you intend to use it.

Greg@lemmy.ca on 24 Feb 2024 17:18 collapse

Marketing is often targeted, especially online (which is a huge privacy issue). I would guess they are using the data from these vending machines to measure the success of their marketing campaigns.

the_tab_key@lemmy.world on 25 Feb 2024 15:46 collapse

Like I said: generous. You are "guess"ing that what they are doing with it is above board. I’m not that trusting of corporations.

People trusted Boeing would put planes together with the utmost concern for safety… Then a fucking for feel off mid-flight.

Greg@lemmy.ca on 25 Feb 2024 17:00 collapse

The FAA failed to regulate Boeing. I’m pro regulation and laws that protect people’s privacy. And if this company and the individuals within it break the law they should receive appropriate punishments with fines tied to international revenue.

My point is that the laws should relate to privacy independent of the technology. The “ban face recognition” narrative misses the point and doesn’t address the threats. Facial recognition technology can be used in ways that don’t threaten individuals privacy and non facial recognition technologies can be a threat to individual privacy.

It’s cynical to assume this company is breaking privacy with no evidence. But it’s fair to say there needs to be greater punishments and regulations

BearOfaTime@lemm.ee on 24 Feb 2024 14:58 next collapse

Hahahahahahahahahahahahajaja

Total “trust me bro” take.

I have the keys to your house, but there’s no evidence I’m using them inappropriately.

I never say this, but go lick some more boot.

Greg@lemmy.ca on 24 Feb 2024 15:49 collapse

You obviously don’t work in tech in Canada. Do a tiny bit of some research before generating strong opinions

can@sh.itjust.works on 24 Feb 2024 15:05 next collapse

I’m baffled how a genuine human being could feel this way

Greg@lemmy.ca on 24 Feb 2024 15:51 next collapse

It’s because I understand the technology and the actual threats to our privacy.

can@sh.itjust.works on 24 Feb 2024 17:48 collapse

Could you expand on that?

Greg@lemmy.ca on 24 Feb 2024 19:04 collapse

I have in other sections of this thread. I don’t want to copy and paste but I’m happy to answer any specific questions.

skillissuer@discuss.tchncs.de on 24 Feb 2024 18:39 collapse

on the internet nobody knows you’re a bot (or damage control PR shill)

[deleted] on 24 Feb 2024 15:07 next collapse

.

Greg@lemmy.ca on 24 Feb 2024 15:57 collapse

There is no indication that the vending machine was collecting customer biometrics. In fact that would prevent it from being GDPR compliant.

[deleted] on 24 Feb 2024 16:02 collapse

.

Greg@lemmy.ca on 24 Feb 2024 16:16 collapse

That’s not true. They’re likely using a model that identifies some demographic attribute and associating that with a purchase. It’s 2024, this can all be done on the machine. The machine doesn’t need to store the individuals data etc. If the vending is storing enough data to identify individuals then it wouldn’t be GDPR compliant.

[deleted] on 24 Feb 2024 16:37 next collapse

.

Greg@lemmy.ca on 24 Feb 2024 17:01 collapse

Consent is a requirement for GDPR compliance. They are likely taking an image from the camera, extracting semantic attributes from the image, and then discarding the image. The length of time the individual is standing there making the purchase is likely longer than the image is stored in memory while extracting the attributes.

uis@lemm.ee on 24 Feb 2024 17:10 collapse

I bet there is no button “consent to biometrics collection”

CucumberFetish@lemm.ee on 24 Feb 2024 18:22 collapse

And it most definitely isn’t. GDPR requires explicit consent for collecting OR processing personal information. As per the European Commission, just taking the picture and extracting some metrics off of it already counts as processing personal information:

…europa.eu/…/what-constitutes-data-processing_en

Luci@lemmy.ca on 24 Feb 2024 15:31 next collapse

This is the first step to charging a different price based on demographic.

Greg@lemmy.ca on 24 Feb 2024 16:09 collapse

The Canadian Human Rights Act protects Canadians from discrimination based on race, national or ethnic origin, colour, religion, age, sex, sexual orientation, gender identity or expression, marital status, family status, genetic characteristics, disability etc.

uis@lemm.ee on 24 Feb 2024 17:16 next collapse

This is not the last step to charging a different price based on demographic.

Luci@lemmy.ca on 24 Feb 2024 17:51 collapse

Yeaaa and?

nodsocket@lemmy.world on 24 Feb 2024 15:33 next collapse

Go back to reddit Greg.

bionicjoey@lemmy.ca on 24 Feb 2024 16:11 next collapse

Says a guy who doesn’t hide his real name, face, and location for his online persona. You have no concept of digital privacy.

Greg@lemmy.ca on 24 Feb 2024 16:50 collapse

Arguing that I have no concept of digital privacy because I choose to share my name and face is an ignorant statement and demonstrates how little you understand the concept of online privacy. For context, I work in tech in Canada, I deal with GDPR and other compliances. I understand the technology, the risks, and the attack vectors. These vending machines are not a serious threat to individuals privacy. Facebook, Google, Amazon, are serious threats. Focus your energy on the actual risks instead of making uninformed comments.

bionicjoey@lemmy.ca on 24 Feb 2024 16:58 collapse

Did 2yo Marisol also make an informed choice to share her identity and location on the fediverse?

This vending machine is taking biometrics off of everyone who walks past it and you don’t think that’s the least bit concerning?

GDPR doesn’t apply in Canada unless you are trying to operate business in Europe.

Compliance only matters if you can’t afford a fine. If you can make more money violating regulations than the cost of the fine, it’s just a business expense.

Greg@lemmy.ca on 24 Feb 2024 19:02 collapse

You pretend to care about consent and privacy and then mention my daughter by name here. You’ll notice I share photos and details about my daughter from accounts on servers I control. There is an implicit agreement in the fediverse to respect people’s privacy. I obviously don’t rely on that implicit agreement because some people do unethical things as demonstrated in your post. I protect my daughter from legitimate online privacy and security threats, I don’t play privacy and security theatre.

This vending machine is taking biometrics off of everyone who walks past

You have no evidence of this and there is no mention of this in the article. This also doesn’t make any sense from an implementation perspective.

GDPR doesn’t apply in Canada unless you are trying to operate business in Europe.

You’re correct that GDPR doesn’t apply in Canada, it’s just that GDPR is usually the strictest compliance so it’s usual for companies to meet that compliance as a minimum.

Compliance only matters if you can’t afford a fine.

GDPR fines can be tied to global revenue.

When your beliefs don’t align with the facts, consider changing your beliefs instead of doubling down on your opinions, making things up, and doing unethical things. Please try better.

min_fapper@iusearchlinux.fyi on 24 Feb 2024 16:21 next collapse

Yikes, people here are brutal to people with differing viewpoints, heh.

Doesn’t seem to matter how knowledgeable in the subject matter the person may be either.

¯\_(ツ)_/¯

Greg@lemmy.ca on 24 Feb 2024 17:31 collapse

Lol yeah, if the easily checked facts don’t align with beliefs then groupthink-people double down on their beliefs. Denying reality is easier than changing beliefs. It’s the same reasoning skills that Trump supporters use 😅

can@sh.itjust.works on 24 Feb 2024 20:21 collapse

Which really checked facts are you referring to? It appears to be a matter of differing opinions.

billiam0202@lemmy.world on 24 Feb 2024 16:41 collapse

There is no indication that the vending machine is inappropriatly storing or transmitting personally identifiable information or that its making decisions based on biased data.

And until the machine malfunctioned, there was no indication that the vending machine was collecting any data at all. Businesses can say whatever they want in the court of public opinion, but until these same claims are made in a court of law they should be considered lies to placate the public.

Furthermore, why even collect such data if it’s not meant to be utilized? They already know what the most popular products are (since they know what they restock the most) so for what reason do they need to collect demographics?

TrumpetX@programming.dev on 24 Feb 2024 16:36 next collapse

Everyone seems concerned about what it could be doing, not what it is doing.

I could sit next to a vending machine and make notes on the gender and sex of each patron for demographic purposes, nothing would be illegal.

Why? Well, that’s easy, I want to stock my vending machine in order to make money. Instead of testing different layouts which would take a lot of time, I could predict how well certain stock would do based on preexisting market research.

This appears to be just that, but with a camera.

Now, you can argue “but it could be worse”! That’s not a valid argument. It could always be worse for things you don’t know about. If it holds up to be true, as stated, it’s just what it is.

Bridger@sh.itjust.works on 24 Feb 2024 16:40 next collapse

If you’re sitting there taking notes it is obvious what you’re doing and the users of the machine can opt out of using it. With hidden cameras, not so much.

TrumpetX@programming.dev on 24 Feb 2024 16:52 collapse

It’s a public space. You have no expectation of privacy. It’s the same reason license plate scanners are a thing.

It’s the automated equivalent of eyes.

variants@possumpat.io on 24 Feb 2024 17:30 next collapse

I rather the company just restock their machine based on what sold and what didn’t instead of what percentage of people blink a certain amount of times while browsing the vending machine.

Not to mention the data they collect about you will be sold to other companies who will combine it with several other data points they collect about you to determine your personality and decide how much more money they can charge you on services or deny medical insurance based on your estimated health by your patterns. And while it might not end up affecting your life the data will still be around to affect the next generation

TrumpetX@programming.dev on 24 Feb 2024 18:25 collapse

I mean, I don’t disagree. I’d rather that too! But you’re arguing if it’s good policy to do this or not, that’s a different argument vs. whether they legally and ethically can.

keefshape@lemmy.ca on 24 Feb 2024 19:27 collapse

You don’t disagree, but you are spending a lot of breath and effort to indicate otherwise.

OrderedChaos@lemmy.world on 24 Feb 2024 20:24 next collapse

Yeah. I hate the idea of license plate scanners.

jdhdbdk@lemmy.world on 25 Feb 2024 08:34 collapse

Not every country has those laws, and in a lot of them you have expectation of privacy in public!

n2burns@lemmy.ca on 24 Feb 2024 16:45 next collapse

Bad analogy. If you were doing what you said, but instead of taking notes, you were using a camera, you’d quickly get a visit from the UW Special Constable Service who’d probably transfer you to WRPS.

EDIT: Even if you were just taking notes on people, it’s possible you’d experience the same process.

TrumpetX@programming.dev on 24 Feb 2024 16:56 collapse

I’m not familiar with Canadian law, but in the States, I can film someone without their permission in public. I can’t do certain things with that recording, but I can record them. In this case, I see it as just that. Recording, doing some instant analysis, recording non identifying metadata, and forgetting the recording.

That would make it gdpr compliant, at least.

bluemite@lemmy.world on 24 Feb 2024 22:38 collapse

People would be able to see you filming and maybe decide not to use that machine

kebabslob@lemmy.blahaj.zone on 24 Feb 2024 18:45 next collapse

Fed

markon@lemmy.world on 25 Feb 2024 17:20 collapse

Lol people get so worked up and don’t know shit. We’re all just apes with a god complex.

nicerdicer2@sh.itjust.works on 24 Feb 2024 16:40 next collapse

The worst part of all is that no one would think of the fact that a vending machine is performing facial recognition techniques, because in general it is assumed that a vending machine is a mechanical device, as it has been in the past. There is not any user benefit in that.

I researched the manufacuter and in their brochure (see page 6) of a similar vending machine it is revealed what data can be processed:

Among the worst data sets are:

  • product demographics
  • measuring of foot traffic
  • gender/ age/ etc.

Bonus: on page 7 of the product brochure they introduce an app which allows the customer to make purchases directly from their smatphone, with features like

  • consumer engagement through gamification, interactive marketing, gifting, scratch-and-win receipts, product sampling and cross selling

"What do customers get?"

  • a fun and engaging payment process

Finally! I always thought that payment is not fun enough. What a time to be alive.

Couldbealeotard@lemmy.world on 24 Feb 2024 18:21 next collapse

This reminds me of the bit in Minority Report where Tom Cruise has to get his eyes surgically replaced so the shopping centre kiosks can’t track him

homesweethomeMrL@lemmy.world on 24 Feb 2024 18:54 next collapse

gender/age/etc.

The etc. is doing a lot of work there

can@sh.itjust.works on 24 Feb 2024 20:00 next collapse

Scariest part is we’d never have known if the facial recognition software hadn’t encountered an error. At least until someone curious enough looked up the machine.

9point6@lemmy.world on 25 Feb 2024 00:07 collapse

Well this absolutely wouldn’t fly in the EU with GDPR

Can you lot in the states do something about your weird corpocracy, it’s looking a bit dystopian

nicerdicer2@sh.itjust.works on 25 Feb 2024 00:23 next collapse

Bad news, the manufacturer is located in Switzerland and, as stated in the brochure, they advertise their product as “Made in EU”. Probably to implicate that any data which will be collected and processed will be under the terms of GDPR.

I haven’t looked up the terms regarding GDPR, but I assume that their data collection is somewhat “compliant” with GDPR, which does not necessaryly mean anything. It can just mean that data is not stored locally, albeit it will be send to the manufacturer (but probably entcrypted). However, under GDPR you can enforce your right of deletion of the collected data - that is, if you know that data about you has been collected.

What makes this issue so severe is that it would have never been detected that data has been collected and processed, if it weren’t for a malfunction.

Edit: grammar, spelling

9point6@lemmy.world on 25 Feb 2024 08:11 next collapse

Under GDPR you also need explicit consent for data collection, right?

nicerdicer2@sh.itjust.works on 25 Feb 2024 10:54 collapse

Correct. The said vending machine was collecting data without users consent. And because it was facial recognition data it means that the collected data can be tied to an individual.

It would have been different if the collected data was just a counter which indcated the number of users of that machine. These kind of data could not have been tied to a specific individual.

fatalError@lemmy.sdf.org on 25 Feb 2024 08:41 collapse

Switzerland is not in the EU. Also even if it was, it’s not illegal to design/manufacture solutions that don’t comply with GDPR. They just can’t be sold in the EU.

Also, data collection absolutely requires consent, it’s why cookie popups exist on every website.

nicerdicer2@sh.itjust.works on 25 Feb 2024 10:49 collapse

That is correct. Switzerland is not a part of the European Union. The manufacturer, Invenda, is located in Switzerland. That is where their headquarters are. It might be possible that their vending machines are produced within the EU (another country where production costs are lower). It might be possible that these specific models (those who offer data collection) are designed for markets outside of EU.

They advertise their product as “Made in EU” (see brochure). This could be made on purpose to implicate that their data collection meets GDPR requirements, leading to believe that everything is compliant with the law.

seaweedsheep@literature.cafe on 25 Feb 2024 12:04 collapse

No. But also, this is Ontario, well-known for being outside US jurisdiction.

homesweethomeMrL@lemmy.world on 24 Feb 2024 18:54 next collapse

Hey hey - y’all quit hanging around the vending machines! You’re going to be late for the two minutes of hate!

kalkulat@lemmy.world on 25 Feb 2024 06:30 collapse

AND they might have had miniature cameras in them for the past 20 years.

(The laws against this stuff are almost non-existing. Option left for those of us creeped out by constant surveillance: don’t leave home, unplug that webcam. Demand privacy or lose it.)