Vending machines at the University of Waterloo violated privacy act
Ontario's privacy watchdog has ruled vending machines on campus at the University of Waterloo violated the Freedom of Information and Protection of Privacy Act.
Students lodged a formal complaint with the Office of the Information and Privacy Commissioner of Ontario (IPC) in Feb. 2024 after the 'smart' vending machines were installed by a third-party provider. They claimed the machines were using facial recognition technology to collect images without consent or notice.
The students said they were alarmed when one of the machines, located in the Modern Languages building, malfunctioned and displayed an error message reading, ' – Application Error.'
'We wouldn't have known if it weren't for the application error. There's no warning here,' said River Stanley, a fourth-year student at UW, who investigated the machines for an article in the university publication, mathNEWS.
Stanley told CTV News that students then started putting sticky tack, chewing gum, or Post-it Notes over the machines' sensors.
Fourth-year University of Waterloo student River Stanley explains where students have been trying to cover a hole on a vending machine that they believe houses a camera. (Colton Wiens/CTV Kitchener)
The investigation
An IPC investigator learned the university had signed an agreement with the company that owns the machines, Adaria, in Oct. 2023. Adaria was to provide 29 vending machines and be responsible for maintaining, monitoring and stocking them. They were installed in Dec. 2023 and removed from campus in Feb. 2024 when the school learned of the privacy concerns.
The university said Adaria either purchased or leased the machines from candy maker MARS and MARS contracted Invenda to build and supply the machines.
The school told the IPC it had no knowledge that facial detection technology was being used to collect demographic data.
According to an IPC report, when a sale was made, the machine would record a timestamp, the item purchased and demographic data, including facial detection. The technology would then estimate the buyer's gender and age range.
'There was no dispute that the IVMs [Intelligent Vending Machines] captured video images of individuals' faces on the university's campus,' the report read. 'However, the university argued that the resolution of the optical sensor in the IVMs was too low for the device to be considered a camera or create identifiable images of individuals.'
The IPC said an investigator deemed the images were of 'photographic quality' but noted those images were held for milliseconds before they were converted into abstract grayscale images and then into numeric descriptors describing the demographic data.
'Our investigation into this matter has found no evidence to suggest that personal information, beyond the initial temporary capture of facial images, was retained and further used by these vendors,' the report said.
A vending machine at University of Waterloo displays a facial recognition app error. (Reddit)
Did the university know?
The IPC report noted the agreement between the University of Waterloo and the vending machine company contained 'all the appropriate standard clauses necessary to protect personal information.'
It also determined the university was not aware the machines had facial detection technology that was collecting personal information and had not asked for vending machines with that capability.
However, Adaria's proposal did mention a collaboration with MARS to test new product innovations, including MARS Intelligent Vending Machines.
The investigators stated that, although the university had reasonable contractual measures in place, it failed to carry out the necessary due diligence that would have uncovered the potential privacy concerns.
Report recommendations
The IPC report concluded with two recommendations: the university should review its privacy policies to ensure any future collection of personal information complies with the Freedom of Information and Protection of Privacy Act, and the university should ensure it carries out all necessary due diligence to identify, assess and mitigate any potential risks to personal information when entering into new agreements with third-party providers.