University vending machine error reveals use of secret facial recognition | A malfunctioning vending machine at a Canadian university has inadvertently revealed that a number of them have been usin…::Snack dispenser at University of Waterloo shows facial recognition message on screen despite no prior indication

  • Greg Clarke@lemmy.ca
    link
    fedilink
    English
    arrow-up
    2
    arrow-down
    11
    ·
    9 months ago

    There is no indication that the vending machine was collecting customer biometrics. In fact that would prevent it from being GDPR compliant.

    • Vanth@reddthat.com
      link
      fedilink
      English
      arrow-up
      6
      arrow-down
      1
      ·
      9 months ago

      If they’re taking enough data to determine age, gender, race, they’re taking enough data to uniquely identify individual people.

      • Greg Clarke@lemmy.ca
        link
        fedilink
        English
        arrow-up
        2
        arrow-down
        10
        ·
        9 months ago

        That’s not true. They’re likely using a model that identifies some demographic attribute and associating that with a purchase. It’s 2024, this can all be done on the machine. The machine doesn’t need to store the individuals data etc. If the vending is storing enough data to identify individuals then it wouldn’t be GDPR compliant.

        • Vanth@reddthat.com
          link
          fedilink
          English
          arrow-up
          4
          arrow-down
          1
          ·
          9 months ago

          I said collecting, as in taking photo/video closeup of faces and eyes. Whether they are storing and cataloguing against individual profiles is another question, and must be checked against how GDPR requirements are actually written about personal data being processed.

          “We’re GDPR compliant” means absolutely nothing coming from a company’s PR response to this sort of event.

          • Greg Clarke@lemmy.ca
            link
            fedilink
            English
            arrow-up
            1
            arrow-down
            8
            ·
            9 months ago

            Consent is a requirement for GDPR compliance. They are likely taking an image from the camera, extracting semantic attributes from the image, and then discarding the image. The length of time the individual is standing there making the purchase is likely longer than the image is stored in memory while extracting the attributes.

            • uis@lemm.ee
              link
              fedilink
              English
              arrow-up
              7
              arrow-down
              1
              ·
              9 months ago

              I bet there is no button “consent to biometrics collection”