Tim Hortons collected location data constantly, without consent, report finds From May 2019 through August 2020, the mobile app published by multinational restaurant chain Tim Hortons surveilled customers constantly by gathering their location data without valid consent, according to a Canadian government investigation. In a report published Wednesday, Office of the Privacy Commissioner (OPC) of Canada …
"identify when the user was visiting a Tim Hortons competitor"
Even if I were to admit that this information could be interesting, what were they doing with it ? Charging more the next time the customer came to them ?
This is a clear violation of every moral rule that exists. Tim Hortons is a restaurant chain, not the NSA. Where their customers go is not Tim Hortons' business in any way, shape or form.
Tim Hortons. Another company on my personal blacklist (not that it matters).
"This is a clear violation of every moral rule that exists. Tim Hortons is a restaurant chain, not the NSA. Where their customers go is not Tim Hortons' business in any way, shape or form."
Absolutely! At most, an app of this type might monitor location data locally within the phone and then use that when you actively use the app to tell you about nearby outlets and special deals. There's no need for any further use of location data. They don't even need to know when or for how long you enter one of their outlets. The local manager should already have enough of that information to be useful without any further fine graining. The individual outlet profits/losses will tell you if that site is popular or not.
You should add all fast food and coffee chains to that list, all of them have apps. Why do you think they are spending money developing and running apps when their business is food & drink? All those apps are tracking your location - to see how often you visit a competitor (and which) is why they are doing it.
Also add all shopping malls. They use GPS, WiFi, Bluetooth and the help of your mobile network to track your phone as you walk round the mall and see which stores you visit. They plot your route and use it to increase advertising in high traffic areas. They even track you after you leave to gather demographics data on their customers.
Speaking of your mobile network they are recording your location at all times and selling that data to public transport companies, local government, state government, civil engineering companies and more. So you might want to destroy your phone and never travel anywhere.
And then add pretty much every business, government and non-governmental organisation on the planet because they all use Google, Facebook, etc tracking cookies / pixels / etc to discover what other websites you visit.
Is there anything left not on your blacklist?
*They plot your route and use it to increase advertising in high traffic areas.
Actually some of the latest systems will look into your demographics, what purchases you may have made, run it past stores that they think are in your demographic pattern and allow them to target the advert directly as you come near to the advertising board.
Also I have seen a demo of a set up that would look at what you were shopping (this was in a DIY store), and infer what you might want to buy next (looked at worktops, looked at taps, now off to the sinks - maybe you are doing a kitchen remodel) and then route a salesperson keyed with this information to you.
"...what were they doing with it ?"
Lower the prices to try and tempt you back?
At the moment, that's quite hard to do. (Send you vouchers?) But when the menu and billing is all handled through a mobile phone, and we get individualised prices, this is exactly what will happen. Regulars will get get shafted and those who shop around will get wooed. It should be the other way around - but just look at what insurance and energy companies do.
* I keep Location turned off on my phone unless actively using it
* I don't install apps from stores/restaurants
* My apps that have Location permission are **EXTREMELY** limited
Seriously, this is a major invasion of privacy. There is NO excuse for collecting the location of users' homes or offices; if the user wants that data saved (like in a map app), the app can give an option to explicitly set it.
Say no to Big Brother!
Google is doing everything they can to "help".
Play Store appears to have removed all mention of requested "permissions" and replaced it with an utterly pointless bit about data safety (pointless because most apps say that there's no information provided).
So now we have no way of determining if some scummy app wants access to your address book, etc etc.
-> Play Store appears to have removed all mention of requested "permissions"
I noticed this a while back. Maybe it is because the permissions for far too many apps are more than what could be considered reasonable.
A huge number of popular apps are probably slurping as much as they can.
Not there any more. It used to be.
Now it's a link to "Data safety" which is pretty much useless as most haven't bothered to provide any information. Then underneath that, a new section on compatibility with my device.
Here's a screenshot of the app information for a random app: https://imgur.com/a/daIOk8g.
My S9 is still on Android 8!
But that's kind of irrelevant as this stuff is part of the Google Play Services stuff, isn't it?
Perhaps it is being rolled out to different countries at different times? My Google Play Store is 30.6.16-21 [0] [PR] and a bunch of numbers that my dyscalculia doesn't want to let me remember...
One of the things I really dislike about mobile phones is the lack of ease in ensuring that an application is actually closed down - and not just hiding in the background either waiting for activation or still running silently doing whatever it is that it is doing.
It really should not be necessary to perform the equivalent of kill -9 via the applications management services to get rid of an application which is not currently required.
It really should not be necessary to perform the equivalent of kill -9 via the applications management services to get rid of an application which is not currently required just to have it start again in a couple of seconds.
I can't wait for xda to publish a working root method for my current phone so I can benefit from DeviceControl and DisableServices.
I only ever wanted my "smartphone" to be a computer, non-shitty please.
All I require from the "phone" part of "smartphone" is a cellular data connection. If it can make phone calls and do SMS stuff, well, I suppose that's handy too. I could live without it.
What I never wanted was a closed app ecosystem that encourages "free" download in return for constant surveillance.
I willingly paid money for PalmOS apps that did useful stuff on my Treo devices. I was impressed by the number of genuinely free apps available on Maemo.
I was, and remain, shocked by the abuses considered normal on Android.
I despair. What to do? (Don't suggest Apple devices without reading the first sentence.)
-A.
I heard that those automated traffic signs on the freeway track your phone’s unique Bluetooth identifier to work out how long it takes to travel to certain exit ramps. Shopping malls are known to use that same info to track where people go and presumably what they’re shopping for and how frequently they use the restroom. Companies that control cell towers could presumably use the same technique to determine how many people there are, where they all live, work, and what they’re up to in their off-hours, who they travel with, and who precisely are their friends, associates, colleagues.
So it’s not your head that needs the tinfoil hat, it’s your cellular device!
… as Osama Bin Laden famously found out.
It's both (either/or) the Bluetooth and the Wifi mac on whatever device(s) you have. Whatever they can fix on.
Of course, if your car has built in Wifi, you may be out of luck, when on the road.
If the shops workers have actually placed the clothes, toys and other items where they should, retailers know exactly which items you've stopped to look at and/or grab. And what you looked at next. And if a bunch of devices were together, they may indicate a family (or carrying a lot of tech) - but both carry meaning for the retailer. If one purchases tampons, chocolates and sanitary products regularly, and then stops for one month, then bam! Start pushing the baby products.
>Companies that control cell towers could presumably use the same technique
They do, our local authority buys the data to analyse rush hour traffic patterns.
The data is anonymised by the cell company. Mostly because the phone companies have to work closely with govt and know that they would get stamped on, and the traffic engineers don't care who you are - just that somebody went from A-B and took C minutes.
There's one near me, on one of those "retail parks" with the big sheds full of sofas. It opened with a minor fanfare in the local paper - the usual "hey, this brand you've seen on the internet is now available around here!" stuff.
Within weeks, there were staff standing on the road outside holding arrow signs pointing in, with "MEALS £2.99" emblazoned on them. Not the sign of a business that's doing a roaring trade.
I suspect it'll be here today, gone tomorrow. We've reached market saturation with these "famous" junk food/coffee brands - they all seem to be arriving at once, with Tim Horton's, Krispy Kreme, Dunkin' Donuts, Taco Bell, and even Cinnabon and Wendy's in town now. There just aren't the numbers to support them all.
I remember Cinnabon being in Cambridge years ago, outside one of the entrances to Grand Arcade, but they’ve gone maybe 5 years ago. There also one in Milton Keynes shopping centre, but that went over 10 years ago.
There have been Taco Bell attempts for decades, but they fizzle out, then after a pause, try again.
I remember after I first had Taco Bell in the US in the 90s, I found one in Uxbridge. Dunkin’s have attempted to survive in London for years.
It’s a bit like trying to grow tropical plants in our climate.
I guess these places have saturated their home markets and their (presumably) private equity owners are desperate for more "growth", so here they come. They don't seem to have a USP beyond "it's a famous brand, you've seen it on the telly or internet, now try our famous Timbits/Cinnabon/tacos/Dunkin' coffee/whatever the hell it is that Wendy's sells".
20 years ago, there might have been a local market where I live for "famous" US/Canadian food brands because the offerings were limited to McDonald's or a terrible local pizza/burger/kebab dump, but not now. The local food scene is light years ahead of where it was, even at the low end that these brands inhabit, and these places can't compete on quality or on price.
It's an interesting distinction that I make here.
Tim Horton's Coffee(tm), as coffee, is utterly detestable.
Tim Horton's Coffee(tm), as a warm, caffeinated beverage isn't half bad and I've been known to enjoy it on occasion. It tastes nothing whatsoever like coffee and shouldn't be considered as such. But as a hot drink to go with a bit of pep juice in it, there are worse things.
Fried dough is fried dough. I don't find them better or worse than any other company that specialises in such things, and far better than what the supermarkets turn out. It's basically a question of whether fried, sweet dough is appealing to you or not.
I haven't tried it in the UK because they're studiously avoiding London. And I suspect I know why - their MSP in their home country is that it's acceptable food for cheap. Since London and cheap are an impossible pairing, they've kept out because no-one is going to pay silly amounts for their food and drink. They also started out up in Scotland, presumably because if they couldn't sell fried dough to the Scots then their entire business plan would be null and void.
There is definitely a quality gradient for fried dough products. Tim’s Hortons is very slightly cheaper than Kristy Kreme, which most consider to be expensive in the UK, especially as they are not particularly good, but at least fresh. I found Hortons to be dried out, almost stale.
The ones from the Krispy Kreme shop here are fresh as you can see them actually being made in the store. They're okay, but there are better local places.
The ones in the glass cases in supermarkets 40 miles from the nearest Krispy Kreme store? I've never even been close to being tempted. Goodness knows how long they've spent in the back of a van, and then in the glass case.
> They also started out up in Scotland, presumably because if they couldn't sell fried dough to the Scots then their entire business plan would be null and void.
Fair enough you sassenach but the real reason would be because the founder is "Scottish" (in that way Canadians and Americans like to think they are).
As a current resident of the Vancouver/Lower mainland I have to say that compared to Starbucks (which are pretty much on every corner), I do find that pretty much all the Timmies that I have been into seem very low-rent, scruffy and dirty.
Not really sure why that is. It just seems that the Starbucks places are better maintained and cleaner. They just feel like nicer places to be in.
Starbucks brand is that they are upmarket but chain-store predictable. You know it will be fancy but your drink will be identical wherever you are.
Timmies are franchise. But in Vancouver they can only compete by cheap sites and using the minimum of cheap staff, typically family. None of their customers care about the cleanliness and nice decor.
"Radar's customers are responsible for obtaining appropriate consent"
Indeed they are, but surely Radar are responsible for ensuring that their customers provide proof of such consent?
If Radar had just provided software for Hortons to use, then maybe they could argue that Hortons bear full responsibilty for its misuse, but it seems that they actively collected and stored the data, so they should bear equal (or even greater) responsibility.
Radar: "Radar's customers are responsible for obtaining appropriate consent. We are not aware of any other situations in which our customers have not obtained appropriate consent for the collection and use of location data."
Hmm, I wonder whether 'Radar' has even asked any of their customers whether they have obtained informed consent from the end users about collection of location data. Not being aware and trying a blind eye* are two different things.
The clause in the Radar contract that explains who is liable under what laws and jurisdictions could prove interesting.
*Horatio Nelson famously put his telescope to his blind eye at Trafalgar and proclaimed "I see no ships."
@ Tim Maher, you are entirely correct:
https://www.ldoceonline.com/dictionary/copenhagen-the-battle-of
My memories from being a mixed infant at Chambersbury Primary School in the 1960's are clearly failing (because no primary school teacher would ever tell us little kiddies anything untrue).
Also, 'Copenhagen' was the name of the Duke of Wellington's horse that he rode all day at what we Brits call the battle of Waterloo (https://en.wikipedia.org/wiki/Copenhagen_(horse)).
History is so confusing at times.
Radar is off the hook here.
Tim Hortons is responsible for the collection of data and they should have clearly define in the contract what Radar can and can not do with the collected data. They didn't do it and they now must face the consequences. Even the most inept lawyer could have told TH that, but it seems it was mostly a deal between developers and nobody bothered analyzing the potential risks. Now the management is in hot water and the reputation of TH is at stake.
"it seems it was mostly a deal between developers"
Why do you assume it was a developer that came up with the idea to include the radar stuff?
I think it is more likely some greedy PHB saw a chance to make some extra money - and as a typical PHB knows it all there was no need to evalutate any risk or ask a lawyer.
This is what really annoys me about mobile devices. Exactly what justification does ANY company meed to know where I am, where I go, how I get there, how I use something etc, etc?
The correct answer is absolutely none!
There shouldn't be any "without permission" or "but we had permission" it just should not happen at all.
As it states in the article the app didn't collect data when it was closed, thr issue is far, far too many apps autorun, when you move from mobile data to WiFi for example, half.of them you have no idea they are running. As others have said should be away to cloose down apps so they cannot restart unless the user specifically chooses to.
Most of the mobile games are just ways for companies to collect data, most apps are just ways for companies to collect data. There is absolutely no pushback on these companies, and a general acceptance of that's just how it is from the general public. Where is the outcry?
On android, "FORCE STOP", though if you ever use the app again, you have to re force-stop it after use.
There is also the app "greenify" (and others) which is meant to stop apps running in the background.
On my rooted device, I have a simple script that runs at startup that basically force-stops every installed app (excluding apps on a whitelist). It works alot better than any "greenify" app I've tried, but of course, requires root.
Again, if you have root, you can install one of the many "intent" blockers that trigger app starts for various reasons (boot completed, wifi activated, wifi deacrivated, app installed, day of week has 'd" in it etc.)
Another frequent android abuse is that without root, not only can you still not block apps that are configured to autostart on boot, you can't even tell which apps request it. Without an autostart blocker, all sorts of shite start on boot (random games etc.... they start backgrounded so don't even appear to have started by the user)
These would be SIMPLE to block - Googles omission is obviously intentional.
Intentional. Yup. Just like for how long the permission "is the user in a phone call" also leaked full information of who was calling, phone identity, etc etc. Maybe an accident in Android 1. That it persisted for many builds suggests it was purely intentional.
And, as I mentioned above, you can't even see what permissions an app would ask for any more, which is a pretty big thing to do away with.
This is what really annoys me about mobile devices. Exactly what justification does ANY company meed to know where I am, where I go, how I get there, how I use something etc, etc?
It's so the company can provide you with exciting new services! Your phone detects that you're awake because it knows what time you set your alarm for. It can then msg you a reminder that a 1l espresso would be great right about now, and a donut.
It can measure the time taken between alarm going off, message being opened and use the phone's accelerometers to know you're in motion. So it can send you another exciting offer reminding you that a coffee and a donut would taste great right about now.
It can detect you using your keyless entry to get in your car. It can send the location of the nearest shop to your autonav, because you'd really like a coffee & donut right about now. It can even optimise your route so you pass ever shop in the state, and remind you when you're say, 500m away that you're in proximity to Canada's best coffee and donuts, and doesn't that sound like a great start to your day?
And as you enter the store, Mr Splurg, your coffee and donut will be ready and waiting for you, just the way our AI has determined you'd like it.
So it's all good.
Or just sadly inevitable. Especially as the OS vendors discovered gold in the data mining hills. In a perfect world, there'd be an easy way for normal users to retain privacy. But that means the OS vendors would lose a revenue stream from collecting and flogging all our private data. And despite apparently increasing awareness and concerns around privacy, OS and app vendors still feel ethically and morally obligated to perform data rape.
It's a bit like on dear'ol Windows. Once upon a time, hitting the 'x' in the top right of a window would close the app. Now, despite there being a seperate button to minimise it, closing often just minimises the app to the tray. And if you close the app there, you'll probably notice it keeps innocent sounding 'web helper' processes running. And you may even notice that if you've run multiple apps, multiple web helpers will still be in the background, waiting to intercept your privates even as you type them into your browser.
I still think the simplest solution is that every company that thinks it's ok to exfiltrate our personal data should be required to publish the data classes it collects for it's executives and board. If they think it's ok to follow us as we go about our lives, we should see how they go about theirs. So near real-time geolocation data, browsing and email history, apps installed and used etc.
And not only OS vendors (except Linux/BSD (except Ubuntu's attempts of course) of course).
These days, each and every thing you can attach a chip to (cars, tractors, kitchen appliances, street lights, traffic lights, mirrors, tooth brushes, toilet seats, other - and the list is constantly and rapidly growing) do this by design.
Your data is sitting there warm and fresh to collected as many times it takes, the collection costs are decreasing and the profits of using it are increasing. What's not to like it ?
Governments could have stopped this but they profit from it too so they decided not to do it (innovation, economy, child protection, law enforcement etc.)
All this tracking, and dystopian manipulating of people via the app is all very well and 'good', but what happens when Starbucks, Costa, McDonalds and the others also try to do it on the same phone at the same time?
Will the apps slug it out to see which one can get me to drive within 50metres of their outlet first? I'm guessing that either my phone will burst into flames or battery life will reduce to 10 minutes.
As for "every company that thinks it's ok to exfiltrate our personal data should be required to publish the data classes it collects for it's executives and board" that's not going to happen. When the 'Marlboro Man' was on an advertising shoot, he offered one of the executives a cigarette. He received the response "Those things are for dummies." I very much doubt that the Radar or Horton's executives 'drink their own champagne'. Much like I doubt any executive of Purdue Pharma (the Sackler family) ever took oxycontin for medicinal purposes. But then I guess I'm a cynical old git.
"Where is the outcry?"
Probably lost somewhere between "it's so easy to use" and having no idea whatsoever about the scale of data collection that actually happens.
Secretly I'm hoping that the EU eventually get fed up with the pathetic Schrems yo-yo and decide that any and all data collection that isn't entirely and specifically authorised by the user (with clear easy to read explanation of what and why) will automatically result in custodial sentences for the directors of companies responsible for the apps. Trust me, this shit will come to a screeching halt if and when that happens.
"Hey, wait a minute! It's for the first time I agree with one of your posts. I even gave you an up vote. What's going on here ?"
Is the heady atmosphere of the celebrations of Her Britannic Majesty Queen Elizabeth II's 70 year reign going to your head?
(I have great respect for HMQE2, but frankly all we really know about her is that she can keep her mouth shut, although, and here I am dicing with downvotes, even President Trump realised that conversations with HMQE2 are private, TV interview of him by, I think it was Piers Morgan, where he almost blabbed, so she cannot be all bad.)
Two days of celebrations left, where did I leave the brandy?
As a Canadian, I'm here to tell you... Fuck Tim Hortons. They are like a cancer, spreading to your countries too. Their end goal is to displace everything else in smaller communities. Don't let them.
Overpriced, cheaply made (with fake ingredients, fillers), garbage and their coffee isn't anything special. It'll do in a pinch, it's drinkable and has caffeine, but almost anywhere else or any other brand from the grocery store is better than that. It's all marketing brainwashing.
Here you've got idiots that won't drink any coffee but Tim Hortons. (kind of like the psy-op Heinz ketchup has done on the population for more than half a century)
This post has been deleted by its author
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
