Don’t Take Candy From Strange Vending Machines

Not long ago, implementing facial recognition technology was a complex and expensive undertaking. Between the algorithms, and the infrastructure required to run them at scale, it was mainly the fear of state-sponsored snooping that raised most privacy-related concerns in the past. And that concern is still valid, with debates about facial recognition and its appropriate uses still raging on. However, technological advancements have changed the landscape of the field dramatically in recent years. Now, just about any machine could be scanning your face, even, as it turns out, machines that dispense junk food.

In a tragedy of epic proportions, students at the University of Waterloo must now lean more heavily on campus dining options after the revelation that their once-beloved M&M vending machines have been — to some degree — spying on them. Lured by the sweet treats contained within, a student at the school recently stopped by one of these machines, only to be greeted by a very odd error message reading: “Invenda.Vending.FacialRecognitionApp.exe Application Error.” What? Facial recognition? All we wanted was some chocolate!

This set off a cascade of events that led to an investigation of the companies behind these vending machines, and ultimately, the removal of the machines from campus. It did not exactly require a special forces operation to uncover what was going on. The manufacturer of the vending machines, a company called Invenda, boasts in their own marketing materials that the machines can capture the estimated age and gender of everyone using them.

Invenda claims that no images leave the machine, and that individuals cannot be recognized using their technology. This may well be the truth, with nothing more than age and gender information being collected for marketing purposes. But some people are skeptical, especially since the company operating the machines, Adaria Vending Services, was contradicted by Invenda in saying that the cameras and facial recognition technology are used for nothing more than motion sensing, to know when to turn on the purchasing interface. If that is the case, maybe they should take a look at a few tutorials on Hackster to learn about PIR motion sensors. It would save them a lot of cash and prevent future public relations nightmares.

Wherever the truth may lie, this event has ignited a firestorm of debate around the proper use of facial recognition technologies. Even if the intent is only to capture age and gender, there is no expectation that this information will be collected when we buy a candy bar. After all, the machine does not ask each buyer for their consent. Moreover, including the technology in an Internet-connected device opens the door to exploitation by third parties, and with many thousands of vending machines in locations all over the world, that could go bad quickly.

Perhaps the most shocking part of this series of events is that the presence of facial recognition technology was only uncovered by an accident. Without the error being noticed, how long might this have continued. And more importantly, where else might this technology be lurking without our knowledge?