Vending machines at the University of Waterloo violated privacy act

Ontario's privacy watchdog has ruled vending machines on campus at the University of Waterloo violated the Freedom of Information and Protection of Privacy Act.
Students lodged a formal complaint with the Office of the Information and Privacy Commissioner of Ontario (IPC) in Feb. 2024 after the 'smart' vending machines were installed by a third-party provider. They claimed the machines were using facial recognition technology to collect images without consent or notice.
The students said they were alarmed when one of the machines, located in the Modern Languages building, malfunctioned and displayed an error message reading, 'Invenda.Vending.FacialRecognition.App.exe – Application Error.'
'We wouldn't have known if it weren't for the application error. There's no warning here,' said River Stanley, a fourth-year student at UW, who investigated the machines for an article in the university publication, mathNEWS.
Stanley told CTV News students then started putting sticky tack, chewing gum, or Post It Notes over the machines' sensors.
vending machine facial recognition
Fourth-year University of Waterloo student River Stanley explains where students have been trying to cover a hole on a vending machine that they believe houses a camera. (Colton Wiens/CTV Kitchener)
The investigation
An IPC investigator learned the university had signed an agreement with the company that owns the machines, Adaria, in Oct. 2023. Adaria was to provide 29 vending machines and be responsible for maintaining, monitoring and stocking them. They were installed in Dec. 2023 and removed from campus in Feb. 2024 when the school learned of the privacy concerns.
The university said Adaria either purchased or leased the machines from candy maker MARS and MARS contracted Invenda to build and supply the machines.
The school told the IPC it had no knowledge that facial detection technology was being used to collect demographic data.
According to an IPC report, when a sale was made, the machine would record a timestamp, the item purchased and demographic data, including facial detection. The technology would then estimate the buyer's gender and age range.
'There was no dispute that the IVMs [Intelligent Vending Machines] captured video images of individuals' faces on the university's campus,' the report read. 'However, the university argued that the resolution of the optical sensor in the IVMs was too low for the device to be considered a camera or create identifiable images of individuals.'
The IPC said an investigator deemed the images were of 'photographic quality' but noted those images were held for milliseconds before they were converted into abstract grayscale images and then into numeric descriptors describing the demographic data.
'Our investigation into this matter has found no evidence to suggest that personal information, beyond the initial temporary capture of facial images, was retained and further used by these vendors,' the report said.
vending machine facial recognition
A vending machine at University of Waterloo displays a facial recognition app error. (Reddit)
Did the university know?
The IPC report noted the agreement between the University of Waterloo and the vending machine company contained 'all the appropriate standard clauses necessary to protect personal information.'
It also determined the university was not aware the machines had facial detection technology that was collecting personal information and had not asked for vending machines with that capability.
However, Adaria's proposal did mention a collaboration with MARS to test new product innovations, including MARS Intelligent Vending Machines.
The investigators stated that, although the university had reasonable contractual measures in place, it failed to carry out the necessary due diligence that would have uncovered the potential privacy concerns.
Report recommendations
The IPC report concluded with two recommendations: the university should review its privacy policies to ensure any future collection of personal information complies with the Freedom of Information and Protection of Privacy Act, and the university should ensure it carries out all necessary due diligence to identify, assess and mitigate any potential risks to personal information when entering into new agreements with third-party providers.

Try Our AI Features

Explore what Daily8 AI can do for you:

Learn with AIFact CheckingText to SpeechAI Summary

Related Articles

CTV News

an hour ago

• CTV News

SAAQclic: Former CEO says his confidence in IT VP has been shaken

Commissioner Denis Gallant of the Commission of Inquiry into the Management of the Modernization of the Société de l'assurance automobile (SAAQ) IT Systems is awaiting the start of the public inquiry into the failures of the SAAQclic platform in Montreal on Thursday, April 24 2025. A public inquiry into the SAAQ's costly digital transformation has revealed that it could cost the province nearly half a billion dollars more than originally anticipated. (Christinne Muschi/The Canadian Press) The former president and CEO of Quebec's auto insurance board (SAAQ) says his confidence in his IT leader 'seriously eroded' after the failed launch of the SAAQclic platform, but he was not ready to fire him. On Friday, Denis Marsolais testified about the first weeks of the crisis that followed the disastrous rollout of the new interface in February 2023. He was the one who found himself in the spotlight 'defending his organization' in the media. He relied on the words of his vice-president of information technology (IT), Karl Malenfant. Marsolais gave the example of a radio interview with host Paul Arcand in the early days of the crisis. 'I told him, 'Rest assured, Mr. Arcand, I'm told that the problems (with) the software will be resolved within two to three months.'' 'Again, I'm not making this up. I'm not the expert. I was told that the problems would be resolved within three months,' Marsolais told the Gallant Commission. 'Who told you that?' asked Commissioner Denis Gallant. Malenfant, replied the former CEO. 'Mr. Malenfant, he's selling you the seventh wonder of the world, and you end up with a system that doesn't work,' said the commissioner. Gallant asked him if he still trust his VP of IT, even though there were endless queues in front of the branches and people were not signing up for the platform. 'Now it's starting to seriously fall apart,' Marsolais acknowledged. Yet in the weeks and days leading up to the launch of SAAQclic, he said he was confident about the project, despite some warnings. 'Everyone was not only confident, but agreed to roll it out and that we were ready for deployment. So I trusted the experts around the table,' he said. 'I wasn't told everything' Marsolais suggested that he ultimately felt betrayed by Malenfant. 'Throughout my career, I have always had associate deputy ministers and vice-presidents in my inner circle. I have always trusted these people. They have always been loyal to me. They have never betrayed my trust,' he said. 'Today, I have to tell you that I think there is an exception to the rule,' he added. Marsolais felt that Malenfant did not give him 'all the information at the right time.' 'I am increasingly certain that I was not told everything,' he said, adding that he 'should have been more vigilant.' The executive revealed that someone had suggested he dismiss his IT boss in March 2023. He felt that replacing Malenfant in the middle of a mess would have been 'even more dramatic.' 'I told him that Mr. Malenfant is theoretically retiring in December. (...) I said, 'Give me until June. In June, he will take early retirement and that's it,'' explained Marsolais. Instead, it was Marsolais who left first, when he 'left his role' in April. He is now president of the Office de la protection du consommateur (consumer protection agency). Summer break The conclusion of Marsolais' testimony on Friday marked the end of the eighth week of hearings by the Gallant Commission, which aims to shed light on the setbacks encountered during the SAAQ's digital transformation. Public hearings are suspended until Aug. 18 for a summer break. In the meantime, the commission team will continue its investigation. Tens of thousands of documents must be reviewed. To date, more than 300 exhibits have been filed and 45 witnesses have been heard during the public hearings. 'One thing is already clear: the overall budget for the project has grown to immeasurable proportions,' said the commission's chief prosecutor, Simon Tremblay. The SAAQ's failed digital transition is expected to cost taxpayers at least $1.1 billion, or $500 million more than anticipated, according to calculations by the Auditor General of Quebec. One of the next areas the commission is expected to examine is 'who knew what.' 'We got a taste of it this week. This is the beginning of that part,' said Tremblay. There are still several key players to be questioned, including former CEO Nathalie Tremblay and the current CEO, Éric Ducharme, as well as Malenfant, whose name has come up repeatedly since the testimony began. The latter submitted a request this week to obtain participant status, which would allow him to cross-examine witnesses. His request is currently under review. CAQ ministers François Bonnardel and Geneviève Guilbeault have also not been heard so far. The commission will have to hear them before the National Assembly resumes its work in mid-September. The Legault government has granted the Gallant commission a two-and-a-half-month extension to complete its mandate. The commissioner must submit his report by Dec. 15 at the latest, according to the new schedule. This report by The Canadian Press was first published in French June 20, 2025. Frédéric Lacroix-Couture, The Canadian Press

CTV News

2 hours ago

• CTV News

CTV National News: What the passing of the 'One Canadian Economy' Act means

Watch The Liberal government's contentious 'One Canadian Economy' bill cleared the House of Commons thanks to votes from Conservatives. Rachel Aiello explains.

CTV News

2 hours ago

• CTV News

Police provide update on fatal Brampton shooting

Video Peel police give an update on the investigation into the fatal shooting of a man in Brampton on Friday evening.