A set of smart vending machines at the University of Waterloo is expected to be removed from campus after students raised privacy concerns about their software.
The machines have M&M artwork on them and sell chocolate and other candy. They are located throughout campus, including in the Modern Languages building and Hagey Hall.
Earlier this month, a student noticed an error message on one of the machines in the Modern Languages building. It appeared to indicate there was a problem with a facial recognition application.
“We wouldn’t have known if it weren’t for the application error. There’s no warning here,” said River Stanley, a fourth-year student, who investigated the machines for an article in the university publication, mathNEWS.
It gets worse :/
I looked up the brand (Invenda). Their PDF includes “using AI”, “measuring foot traffic”, and gathering “gender/age/etc” e.g. facial recognition to estimate a persons age and gender
And in terms of “stored locally” this is straight from their website
The marketing also so fricken backwards that it reads like satire:
“Welcome back, consumer unit number 74665!”
That’s specifically what they don’t do. They collect statistics, not individuals.
I’m dreading for the day they introduce dynamic pricing based on who’s buying and refuses to sell without a full face scan.
What really bothers me is the “measuring foot traffic”. I already refuse to use vending-machines because of the pricing and unhealthyness, but you’re telling me I need to make GDPR takedown requests just for walking to class?
Also this is data that any reasonable company could get in like half an hour of searching and asking.
There is data on how many meals are sold a day at the mensa, how many students are enrolled, how many students live on campus…
Unless the vending machine is in the last corner of the third floor of an half empty building, all this information can be puzzled together to get a good estimate of how many people are passing the machine on a day to day basis.
GDPR desperately needed on the other side of the pond…
Article says they claim to be GDPR compliant.