3 days ago
Privacy commissioner says smart vending machines went ‘over and above what you needed to sell snacks'
Ontario's privacy watchdog is sharing new insight on the investigation into the so-called smart vending machines that collected the personal data of users at the University of Waterloo.
'[They] went over and above what you needed to sell snacks,' the privacy commissioner told CTV News.
Those machines should have never been installed, she said, if the school had followed proper procedures.
History of the case
Students were alarmed last year when they saw an error message displayed on a machine in the Modern Languages building that read: ' – Application Error.'
vending machine facial recognition
A vending machine at University of Waterloo displays a facial recognition app error. (Reddit)
They filed a formal complaint with the Office of the Information and Privacy Commissioner of Ontario (IPC) in Feb. 2024, alleging the vending machines were using facial recognition technology to collect images without their consent.
The ensuing investigation determined the university had signed an agreement with Adaria to provide, maintain, monitor and stock the vending machines in Oct. 2023. The University of Waterloo told the IPC that Adaria had purchased or leased the machines from candymaker MARS and MARS contracted another company, Invenda to build and supply the machines.
smart intelligent vending machine uw university of waterloo
Intelligent Vending Machine (IVM) at the University of Waterloo. (Colton Wiens/CTV News)
The school insisted they were not aware they contained facial recognition technology, and the machines were removed from campus when they learned about the students' concerns.
smart intelligent vending machine uw university of waterloo
Intelligent Vending Machines (IVMs) after being removed from the University of Waterloo. (Source: UW)
According to IPC's report, the vending machines recorded purchase and demographic data.
'There was no dispute that the IVMs [Intelligent Vending Machines] captured video images of individuals' faces on the university's campus,' the report read. 'However, the university argued that the resolution of the optical sensor in the IVMs was too low for the device to be considered a camera or create identifiable images of individuals.'
The investigator noted the images were of 'photographic quality' but were only held for milliseconds before being converted into grayscale images and numeric descriptors.
facial recognition
An example of the photos taken by facial recognition software (left) and conversion into grayscale images (right). (Source: Canadian Legal Information Institute)
'Our investigation into this matter has found no evidence to suggest that personal information, beyond the initial temporary capture of facial images, was retained and further used by these vendors,' the report said.
The IPC ruled the university violated the Freedom of Information and Protection of Privacy Act, as it failed to do its due diligence to identify potential risks.
More from the investigation
Ontario's privacy commissioner spoke exclusively with CTV News about the investigation.
Patricia Kosseim said the 'over-collection' of personal information was concerning.
'There were other optional features that, to our knowledge, we did not find were turned on in this case,' she said. 'These machines could also detect student's moods, from very happy to very sad, and facial features like a beard or a mustache, or if somebody was wearing sunglasses or not.'
vending machine facial recognition
Fourth-year University of Waterloo student River Stanley explains where students have been trying to cover a hole on a vending machine that they believe houses a camera. (Colton Wiens/CTV Kitchener)
The University of Waterloo, the privacy commissioner added, was not the only school to use the vending machines.
'We've gotten a lot of emails from people that have seen them all over the province.'
vending machine facial recognition
Students believe there is a camera inside this hole on the vending machine. (Colton Wiens/CTV Kitchener)
For Kosseim, the problem started before the contract was signed for the smart vending machines.
'Had they had proper due diligence in the course of their procurement practice… they would have probably twigged onto the fact that there was technology behind them, smart technology, that should have prompted the university to conduct a privacy impact assessment and then, unpack all of these features which would have given them the choice, the option to say, 'No, you can't do this,'' she explained. 'Then they would have seen that there were quite significant risks and… either mitigated the risks by not turning on those features or maybe going with another vendor altogether and avoiding all these problems.'
Public institutions in Ontario have limitations on what personal information they can collect.
'They can only do it for a lawfully authorized activity,' Kosseim said. 'Universities are allowed to have cafeteria services and vending machines and provide food for its students on campus, and to collect payment information to pay for those services. But they were not lawfully authorized to go beyond that and collect all this additional information, which was not necessary for the purpose of buying a can of Coke or a bag of chips. That's where the law really draws the line in Ontario for public institutions.'
She said the IPC's investigation should serve as a warning to other schools.
'Despite the best intentions, and sometimes unbeknownst to the institution itself, there could be these technologies in the background, in the dark so to speak, which really undermine students' trust or public trust more generally,' Kosseim explained. 'One of our strong recommendations to the institution, the university, going forward was to follow that guidance in the future so that similar oversights won't happen again.'
Changes to privacy rules
The investigation by the IPC only focused on what the university should have done to avoid potential privacy problems.
'We did not investigate the vending machine manufacturer or the provider or supplier,' Kosseim said. 'Those commercial activities fall under the jurisdiction of the federal commission.'
The IPC also does not have the ability to do anything more than provide recommendations.
That will change, however, on July 1.
'I'll have the ability, the authority, to exchange information with my federal counterparts or, in fact, any of my provincial or territorial counterparts,' Kosseim explained, adding that the federal commission could then investigate commercial or third-party vendors. 'A joint investigation can come up with consistent findings and work together, which is good for the institution as well.'
The privacy commissioner can also go beyond recommendations.
'There are provisions that will come into force that will allow my office to conduct investigations with quite extensive investigative powers,' said Kosseim. 'And the power to issue binding orders, including to order institutions to stop certain practices or to change their practice, or to modify [their practice].'
Institutions will also be required to do more due diligence.
'They will have to conduct privacy impact assessments… before collecting personal information or before making significant changes, to the purpose for which they will use or disclose that personal information,' Kosseim said. '[They] have an obligation to notify the students in this case, or the public or citizens or users of government services, of these collection practices and of these technologies. So, there is a positive obligation on institutions to provide public notice of what they're doing and explain the information practice.'
The smart vending machine investigation is one of the last she will participate in before the new rules go into effect.
Kosseim also praised those who first raised privacy concerns, saying they should be 'proud' of their efforts in this case.
'I want to just highlight how fortunate we were that the students brought this issue to our attention,' she said. 'That kind of proactivity on the part of everyday Ontarians is really important, to stand up for the rights of everybody.'
MARS, Invenda and Adaria did not respond to requests for comment from CTV News.
- With reporting from Colton Wiens
