November 10, 2024
Education News Canada

UNIVERSITY OF WATERLOO
Meet the students that broke the vending machine story

May 9, 2024

By Regina Ashna Singh Cybersecurity and Privacy Institute and Office of the Vice-President, Research and International

"It won't get any bigger than this," says River Stanley, a fourth-year University of Waterloo student in the Computer Science program, as they reminisce about the story they uncovered with three fellow undergraduates that would go on to make national and international headlines. 

What started as a walk home led to the discovery of a breach in human privacy and security on campus, and soon after, a resolution. Twenty-nine smart vending machines, manufactured by Invenda Group and operated by Adaria Vending Services Limited, were removed across the University's grounds in March 2024 due to concerns over the use of pin-hole cameras and user data collection unbeknownst to students and Waterloo's administration.  

Lucas Di Pietro 
Student, Faculty of Mathematics

Lucas Di Pietro, a fourth-year Waterloo student in the Applied Science program, also known as SquidKid47 on Reddit, was heading back to his place when he came across one of the MARS-owned snack-dispensers in the Modern Languages (ML) building on campus and noticed an error message on the screen that read:

"Invenda.Vending.FacialRecognition.App - Application Error."   

According to Di Pietro, the pop-up clearly implied that facial recognition technology was being used. However, it was not disclosed prior to users engaging with the machines or bystanders. 

He immediately took to the 96,000-member unofficial University of Waterloo subreddit group to expose this unruly surveillance and posted a photo of the now infamous error message. 

"I think anyone who saw that [error message] and really looked into it, and saw facial recognition app has crashed would think What facial recognition? And what is it being used for?'", Di Pietro says. 

But Di Pietro is only one of four key players responsible for bringing this issue to light - dreadfuldreadnaught and firstie, who both prefer to remain anonymous, were also instrumental in breaking the case that drew worldwide attention across the media. 

Second-year Waterloo student in the Gender and Social Justice program and Reddit user, dreadfuldreadnaught, was seemingly the first to locate and point out the pin-hole cameras on the machines by commenting on SquidKid47's Reddit thread, which sparked even more discussion in the forum. 

"After seeing the [SquidKid47] post, I wanted to see if I could find the camera, so I went and checked out the one in ML. I used a trick I learned on 4chan to find hidden cameras in Airbnbs, which is to turn the surrounding lights off and shine your phone flashlight at suspected pinholes. If you see a reflection, it's quite possibly [that it is] a camera," dreadfuldreadnaught says.  

"When I found a suspected camera pinhole, top right of the machines, I went around to check other machines to see if they had the same suspicious hole. They did. So I did some additional testing, like taping the hole up and seeing if the machine still detected me walking towards it. What I saw convinced me that it was indeed a camera." 

firstie, a member of the Cybersecurity and Privacy Institute (CPI) and first-year student in the Faculty of Mathematics, also learned about the situation from SquidKid47's Reddit post. " I did some more research on the machines, primarily finding sales brochures from the manufacturer that explained just how much personal data the machines were able to collect from customers."  

River Stanley
Student, Faculty of Mathematics

As an investigative journalist for mathNEWS a student-run publication on campus firstie then informed mathNEWS writers, including Stanley, of these details and contacted Waterloo's Plant Ops who confirmed they did not operate the machines. 

Receiving this information combined with the commotion on Reddit, prompted Stanley to conduct further investigations and publish a story in mathNEWS with the first-ever statements from Adaria and Invenda, which was eventually picked up by CTV News Kitchener.  CTV's article put Stanley and the University on the radar of journalists and citizens everywhere, leading to coverage by media giants such as BlogTO, CBC and The Guardian. The tale even made a video segment on TechLinkedin a popular tech news podcast which had 356,000 views at the time of writing this piece.  

The vending machines story has further ignited global discussions about surveillance and concerns of human privacy. Fast Company, a monthly American business magazine, cited the incident in an article examining the rise of "consumer surveillance" via technological advances (i.e. artificial intelligence) in the food service industry. 

Diogo Barradas
Acting associate director, Cybersecurity and Privacy Institute

Diogo Barradas, professor and acting associate director of CPI, supports the notion that companies need to be cognizant of people being able to exercise their human agency when it comes to technology, especially facial recognition.  In a statement provided by the company, Invenda said, "People detection solely identifies the presence of individuals whereas, facial recognition goes further to discern and specify individual persons "  

Invenda went on to say the machines can "only determine if an anonymous individual faces the device, for what duration, and approximates basic demographic attributes [some of which include age and gender] unidentifiably." 

While Barradas confirmed the legitimacy of the above definitions provided by Invenda, he notes that, "Should the system be misconfigured or hacked, and a malicious attacker had access to the machine, it is possible that the images could be exfiltrated to someone and used for surveillance purposes. For example, vulnerable IP cameras can be found using Shodan, a search engine designed for finding a plethora of network connected devices, such as IoT devices." 

In the face of digital and cyber threats, consumers can consider protecting their privacy through the usage of certain cutting-edge technology. Barradas says several anti-facial recognition tools are already being proposed. For example, invisible mask is a hat  designed to project infrared lights that disrupt the way cameras view faces. 

"I think companies should start thinking about data minimization so what is the minimum and necessary set of information that I need from consumers in order to provide good service," Barradas says. 

Back on campus, Stanley is still in awe on this ever-evolving conversation across the globe that began with student journalism.   

"mathNEWS as a collective was perfectly positioned for the story," Stanley says. "There's very few other people on campus that would have had the ability to pick up this story as well as the scope to notice that it was happening."

For more information

University of Waterloo
200 University Avenue West
Waterloo Ontario
Canada N2L 3G1
uwaterloo.ca/


From the same organization :
303 Press releases