University vending machine error reveals use of secret facial recognition | A malfunctioning vending machine at a Canadian university has inadvertently revealed that a number of them have been usin…::Snack dispenser at University of Waterloo shows facial recognition message on screen despite no prior indication

  • nicerdicer
    link
    fedilink
    English
    3910 months ago

    The worst part of all is that no one would think of the fact that a vending machine is performing facial recognition techniques, because in general it is assumed that a vending machine is a mechanical device, as it has been in the past. There is not any user benefit in that.

    I researched the manufacuter and in their brochure (see page 6) of a similar vending machine it is revealed what data can be processed:

    Among the worst data sets are:

    • product demographics
    • measuring of foot traffic
    • gender/ age/ etc.

    Bonus: on page 7 of the product brochure they introduce an app which allows the customer to make purchases directly from their smatphone, with features like

    • consumer engagement through gamification, interactive marketing, gifting, scratch-and-win receipts, product sampling and cross selling

    “What do customers get?”

    • a fun and engaging payment process

    Finally! I always thought that payment is not fun enough. What a time to be alive.

    • @9point6@lemmy.world
      link
      fedilink
      English
      1610 months ago

      Well this absolutely wouldn’t fly in the EU with GDPR

      Can you lot in the states do something about your weird corpocracy, it’s looking a bit dystopian

      • nicerdicer
        link
        fedilink
        English
        11
        edit-2
        10 months ago

        Bad news, the manufacturer is located in Switzerland and, as stated in the brochure, they advertise their product as “Made in EU”. Probably to implicate that any data which will be collected and processed will be under the terms of GDPR.

        I haven’t looked up the terms regarding GDPR, but I assume that their data collection is somewhat “compliant” with GDPR, which does not necessaryly mean anything. It can just mean that data is not stored locally, albeit it will be send to the manufacturer (but probably entcrypted). However, under GDPR you can enforce your right of deletion of the collected data - that is, if you know that data about you has been collected.

        What makes this issue so severe is that it would have never been detected that data has been collected and processed, if it weren’t for a malfunction.

        Edit: grammar, spelling

        • @fatalError@lemmy.sdf.org
          link
          fedilink
          English
          1010 months ago

          Switzerland is not in the EU. Also even if it was, it’s not illegal to design/manufacture solutions that don’t comply with GDPR. They just can’t be sold in the EU.

          Also, data collection absolutely requires consent, it’s why cookie popups exist on every website.

          • nicerdicer
            link
            fedilink
            English
            510 months ago

            That is correct. Switzerland is not a part of the European Union. The manufacturer, Invenda, is located in Switzerland. That is where their headquarters are. It might be possible that their vending machines are produced within the EU (another country where production costs are lower). It might be possible that these specific models (those who offer data collection) are designed for markets outside of EU.

            They advertise their product as “Made in EU” (see brochure). This could be made on purpose to implicate that their data collection meets GDPR requirements, leading to believe that everything is compliant with the law.

          • nicerdicer
            link
            fedilink
            English
            110 months ago

            Correct. The said vending machine was collecting data without users consent. And because it was facial recognition data it means that the collected data can be tied to an individual.

            It would have been different if the collected data was just a counter which indcated the number of users of that machine. These kind of data could not have been tied to a specific individual.

    • Optional
      link
      fedilink
      English
      1410 months ago

      gender/age/etc.

      The etc. is doing a lot of work there

    • @can@sh.itjust.works
      link
      fedilink
      English
      510 months ago

      Scariest part is we’d never have known if the facial recognition software hadn’t encountered an error. At least until someone curious enough looked up the machine.

    • @Couldbealeotard@lemmy.world
      link
      fedilink
      English
      210 months ago

      This reminds me of the bit in Minority Report where Tom Cruise has to get his eyes surgically replaced so the shopping centre kiosks can’t track him