From the “no matter how bad you think it is, it’s worse” department.
🤖 I’m a bot that provides automatic summaries for articles:
Click here to see the summary
The Reddit post sparked an investigation from a fourth-year student named River Stanley, who was writing for a university publication called MathNEWS.
Where Cadillac Fairview was ultimately forced to delete the entire database, Stanley wrote that consequences for collecting similarly sensitive facial recognition data without consent for Invenda clients like Mars remain unclear.
Stanley’s report ended with a call for students to demand that the university “bar facial recognition vending machines from campus.”
Some students claimed on Reddit that they attempted to cover the vending machine cameras while waiting for the school to respond, using gum or Post-it notes.
The technology acts as a motion sensor that detects faces, so the machine knows when to activate the purchasing interface—never taking or storing images of customers."
It was only after closing a $7 million funding round, including deals with Mars and other major clients like Coca-Cola, that Invenda could push for expansive global growth that seemingly vastly expands its smart vending machines’ data collection and surveillance opportunities.
Saved 79% of original text.
The company will fix the issue by renaming “FacialRecognitionApp.exe” to “TotallyNotFacialRecognitionApp.exe”
But they haven’t found the facial database and Invenda claims they don’t have one, right? Their story is that the machine takes an image, runs some local processing to determine demographic info about the user/customer/target/victim, and then stores that instead of storing the image or biometrics.
There’s a good chance they’re lying but claiming the database has been “revealed” when no one has found it yet seems like sensationalism.
Edit: “Secret demographic database derived from facial recognition” would be true but sounds less snappy, I guess?
According to Adaria and Invenda, students shouldn’t worry about data privacy because the vending machines are “fully compliant” with the world’s toughest data privacy law, the European Union’s General Data Protection Regulation (GDPR).
Then they should have no issues releasing the source code for independent public audit, right?
How does GDPR mandate a public audit of the code base? Is there such a provision in it? (Not a confrontational question)
It doesn’t. You can check the full text at:
https://eur-lex.europa.eu/eli/reg/2016/679/oj
The only references to audits, are that supervisors can require an audit, processors need to allow audits by controllers, DPOs need to prepare for audits, and corporations or groups of enterprises need to have audit procedures in place.
It doesn’t say anything about what kind of audits these need to be, other than to ensure compliance with the law.
The technology acts as a motion sensor that detects faces, so the machine knows when to activate the purchasing interface
This sounds like an excuse to me. I’m a university student in the UK. Our vending machines use a very effective means of letting the machine know we’re ready to buy something without using any facial recognition software at all. What we do, right, is press the letter and number buttons that match up to what we want to buy. The machine says how much money the item costs, and then we tap our bank/credit cards to the contactless card reader, just like we would in any other shop. Then the machine dispenses the item.
It’s really, really clever how they’ve invented this way for us to purchase afternoon snacks to help us cope with how annoying our classmates are, and we don’t even have to have our faces scanned! Truly the kind of innovative technology you’d expect to find in a university.
I suspect that’s a lie. From a technical point of view there are way easier and cheaper ways to detect potential customers. A simple LDR would probably do a better and more reliable job and cost hundreds of times less.
The spokesdroid also stated that the machines do not take pictures. Duh. It’s a camera, what else would it do. May they meant it doesn’t store images, but the statements made so far don’t exactly instill trust.
I say sue them into oblivion. Make an example out of them.
Exactly. Vending machines have never needed complex ways of detecting when a customer is ready to buy something, because there’s really no need for anything beyond having a button available for customers to communicate to the machine “I’d like to buy something”. What it sounds like to me is they’re using the facial recognition technology to track the demographics of who buys what and how often. Do men like X snack more than Y? Do women buy more in the morning or afternoon? Stuff like that.
Devil’s advocate: they don’t need to track demographics, but a “bonus feature” would be to start playing some ad when they detect someone looking at the machine. Not a random leaf or shadow, so it doesn’t start playing annoying ads at random in the background, but an actual face. Or do play a random ad in the background when nobody has looked at the machine in a while.
Of course the temptation of using demographic data to target the ads, could be too big to resist for the company. The temptation of also storing statistical data, might follow.