Top News

Double-double tracking: How Tim Hortons knows where you sleep, work and vacation

- Reuters

I never would have consciously volunteered my home address, work location and vacation plans to Tim Hortons, but the company found out anyway.

I haven’t been singled out for special treatment. For more than a year, the coffee chain has been tracking the movements of customers in exacting detail through its mobile ordering app.

I’ve spent months sifting through my own data, and it’s staggering how much the company knows about me.

From my home to my office to a Blue Jays game at Rogers Centre, even all the way to Morocco, where I travelled on vacation last June, the company’s app silently logged my coordinates and relayed them back to its corporate servers.

Data privacy concerns have become a mainstream issue in recent years, even more so these days with various governments and companies proposing to track the COVID-19 virus technology to keep tabs on where people go and who they might have interacted with.

But the reality is that companies have been tracking customers for years, and while Restaurant Brands International Inc., the owner of Tim Hortons, isn’t alone in this kind of corporate surveillance, the Tims app demonstrates how huge amounts of intimate data can be collected without users realizing that it’s happening at all.

Location tracking is partly dictated by user choice, and heavily influenced by a phone’s operating system, so we don’t know exactly how many people are being tracked by the company, but it’s fair to say that Tim Hortons is logging the movements of a significant portion of the millions of Canadians who use its app, in the same way the company was tracking me.

I didn’t realize how much until I saw my coordinates in a trove of data that RBI sent to me after I made a request under Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) last fall.

According to the data, Tim Hortons had recorded my longitude and latitude coordinates more than 2,700 times in less than five months, and not just when I was using the app.

Tim Hortons chief corporate officer Duncan Fulton said users consent to this kind of tracking when they give the app access to the GPS on their phone.

Tim Hortons had recorded my longitude and latitude coordinates more than 2,700 times in less than five months, and not just when I was using the app

If I didn’t want the company to track my location in the background — even hours or days after I last used the app — Fulton said the onus is on me to deny the app such access.

Within the Tim Hortons app, an FAQ covering privacy issues told customers that it tracks location “only when you have the app open,” but that did not appear to be entirely true based on the data RBI provided to me.

After the Financial Post asked about the apparent discrepancy, the company changed its privacy statement to say that users’ ability to limit location tracking varies “depending on your device” and the company now states that users should “check and understand your device settings” to make sure they are comfortable with how much location information they’re sharing.

I had no idea how extensive the tracking data was until I saw it. There were readings taken at all hours of the day and night, and RBI kept tabs on me every time the app thought I was visiting one of its competitors.

RBI kept tabs on me every time the app thought I was visiting one of its competitors

The data also indicate that Tims is using a location-tracking service from a company called Radar Labs Inc. that claims on its website to ping phones carrying its technology as often as every three to five minutes.

As a reasonably tech-savvy person, I knew I’d given the app permission to access my location; it was necessary to route my daily coffee and bagel order to the nearest franchise, or for other coffee-buying-related purposes.

But I only started to suspect there was more at play in October, when I received an unfamiliar notification on my phone: “Tim Hortons got your location in the background. This app can always access your location. Tap to change.”

I began to wonder why the app would need to access my location even when I hadn’t opened it in hours. It bothered me: How many more times had Tim Hortons checked in on me? Was my coffee-ordering app tracking all my movements?

I made the PIPEDA request last fall, and the response came about a month later in an email from RBI’s director of IT Security and Compliance.

Was my coffee-ordering app tracking all my movements?

“To comply with your request, we searched for your name and email address across our Amazon Web Services servers, which hold primary user profiles. In addition, we requested a search for your information from our ancillary systems,” the email said.

“Please be advised that we searched across the Tim Hortons, Burger King, and Popeyes Louisiana Kitchen brands to locate your data.”

Along with three spreadsheets, RBI sent me a folder called “Events” that contained 12 text files, one, it turned out, for each month from November 2018 to October 2019.

The spreadsheets contained only basic profile information, but the text files were huge, containing thousands of pages of computer code in a format known as JavaScript Object Notation (JSON).

Altogether, the files contained 2,843 lines of code, with each line recording a “batch” of information pulled off my phone and logged in RBI servers.

Even the most benign batches revealed an impressive level of detail.

Many of them recorded my interactions with the Tim Hortons app, from launching the app through to checkout.

For each interaction, the app recorded that I was using a Pixel 3XL running the Android operating system. The app routinely logged my IP address, Android Advertising ID and carrier (Telus) and that I had enabled Bluetooth. Many lines of code would list the amount of free disk space on my device and even how much charge the battery was holding.

The first few months of the data set did not include any location information.

But in March 2019, longitude and latitude readings began to appear in a handful of batches. All seemed to refer to specific Tim Hortons locations and to be tied to orders.

Two months later, things escalated.

In the spring of 2019, Tim Hortons launched a new version of its app and started using the services of Radar Labs, a Brooklyn, N.Y.-based company whose website states it is “unlocking the next generation of location-aware product and service experiences.”

According to Radar’s website, which lists Burger King as a client, it tracks the phones that have apps employing its technology, pinging them “usually every 3-5 minutes” when the user is in motion.

Beginning on May 14, 2019 — about a week before Tim Hortons introduced a loyalty program — a new “radar” section began to appear within each JSON batch of data the company was collecting on me.

Those sections contained longitude and latitude readings, as well as a series of other observations, indicating RBI was using at least two of Radar’s products: “Places” and “Insights.”

Using Places, Radar generated a JSON batch when the app thought I was at one of Tim Hortons’ competitors. There are snippets in the JSON code that read “event_name: user.entered_place,” and, a couple lines down, “place_chain_name: Starbucks.”

According to these batches, Tim Hortons was using the Radar service to track me every time it thought I might have entered a Starbucks, Second Cup, McDonald’s, Pizza Pizza, A&W, KFC or Subway.

Notably, those fast-food outlets appear to be competition for Tim Hortons, as well as Burger King and Popeyes Louisiana Kitchen, two other fast-food chains owned by RBI.

The Tim Hortons data recorded hundreds of user.entered_place or user.exited_place events.

Fulton said the company has been using Radar to track users who opt in for location permissions, and that the company only uses the information to tailor marketing and promotional offers to users inside the Tim Hortons app.

The data, he added, is not shared between Tim Hortons, Popeyes and Burger King.

But the app wasn’t just tracking me when I was visiting the competition. Using “Insights,” Radar figured out where I live and work.

For example, data from early June 2019 contained a JSON event that included this statement: “radar_insights_state_home:True.” The corresponding longitude and latitude coordinates recorded a location just outside my apartment building.

Based on the data provided by RBI, it’s not possible to know how many times Radar pinged my phone in the background while I was at home, but the JSON data lists 582 “radar_insights_state_home:True” statements in about four months from June to early October, which suggests the company believed I was at home each time one of those batches was logged in RBI’s servers.

The data also included more than 400 JSON records placing me at my office, with many longitude and latitude entries that pinpoint the southwest corner of the building, which is where my desk is located.

At 11:08 p.m. one Tuesday evening, Radar created a user.exited_office event, and logged my location at an address Tim Hortons wouldn’t recognize, but I certainly did: my ex-girlfriend’s house. I certainly wasn’t using the Tim Hortons app to buy a coffee at that time.

Digging deeper, plenty of other places I visited had been recorded.

On Aug. 9, 2019, at 7:14 p.m., Radar generated a user.entered_place JSON event for the Rogers Centre. I was at the Blue Jays game that night. The opening pitch was thrown at 7:07 p.m., and the home side beat the New York Yankees 8-2.

Around 11:10 p.m. that night, there’s a line of JSON code noting user.exited_place, with longitude and latitude coordinates placing me about a five-minute walk from my home. Again, I did not have the app open to order a coffee.

Radar Insights also created an event every time I travelled more than 100 kilometres from my home.

The app recorded my location 28 times at my parents’ farm in rural Ontario, a 20-minute drive from the nearest Tim Hortons. It also tracked me in August to a location near a hotel in Winnipeg, where I was staying when I visited Manitoba for my cousin’s wedding.

The app even tracked me beyond Canada’s borders.

On June 5, 2019, I boarded an overnight flight from Toronto to Amsterdam’s Schiphol Airport, a stopover on a much-needed eight-day vacation. At exactly 11:25 a.m. local time, just before the plane landed, the Tim Hortons app logged my location off the coast of the Netherlands: “event_name: user.started_traveling.”

The app even tracked me beyond Canada’s borders

The app picked me up 45 minutes later as I walked past a Starbucks in Schiphol: “event_name: user.entered_place.”

The following day, at my final destination of Morocco, I took a cab to the Marrakech Railway Station, and spent a couple hours sipping sweet mint tea on a patio, waiting for my train to depart for Fes.

Unbeknownst to me, the Tim Hortons app was checking in on me yet again. Apparently I had walked past a KFC in the train station: “user.entered_place,” the data noted, before watering down the observation with “confidence:low.”

———

Sifting through the data, I was able to find a user.exited_office event on Oct. 2 at 6:12 p.m., the event that appears to have triggered the original notification on my phone that piqued my interest about Tim Hortons’ tracking habits.

I was in the kitchen cooking dinner when the Android operating system notification about the app arrived.

The notification was because an update to my phone’s Android operating system introduced a new feature that allows users to limit apps’ access to location information. Previously, it was all or nothing, but the update gave the option to block apps from grabbing location data in the background. I immediately curtailed the Tim Hortons app so it could only see my location when the app is in use.

From Oct. 2-10, after I denied the app access to my location, the number of JSON events exploded. On one evening, the app created dozens of logs, with a burst of activity around 6:34 p.m., another at 11:26 p.m. and then again throughout the wee hours of the morning, at 12:11, 1:40, 2:49, 4:22 and so on.

Erinn Atwater, research and funding director at Open Privacy, a non-profit organization based in Vancouver that advocates for better privacy and security practices, took a look at the data Tim Hortons collected on me.

Atwater confirmed my understanding of the JSON data, but was surprised to learn that Radar is performing what is known as server-side location processing. The Tim Hortons app was sending a stream of location info to Radar, which then did the analysis and sent items of interest back to RBI.

“Radar, as described, is turning your phone into a device that’s constantly streaming your location to a remote server,” Atwater said. “It’s unexpected. It’s certainly far more invasive than I would consider acceptable for a coffee shop app. I don’t think any of us want corporations watching every single move we make without any insight into it.”

It’s unexpected. It’s certainly far more invasive than I would consider acceptable for a coffee shop app

Erinn Atwater, Open Privacy

The data also raised the question of whether Radar is storing location data in its servers over and above what RBI gave to me.

Radar chief executive Nick Patrick declined to answer a series of questions from the Financial Post, saying in an email, “As a practice, we don’t comment on any of our individual customers.”

Fulton, Tim Hortons’ chief corporate officer, initially said he wasn’t aware of whether Radar is storing more data on me, but said he’d check. In a follow-up email, he said, “Radar deletes GPS location data on a rolling 12-month basis.”

In analyzing the data, Atwater pulled out all the timestamps from the data set, and then organized them by day of the week and time. She found that Tim Hortons logged information from my phone dozens of times between midnight and 5 a.m.

“Even just the graph of events, I can see that you start heading out from work on Fridays at 2 p.m.,” Atwater said, without knowing that it’s already a running joke at work that I like to leave the office a bit early on Fridays.

“Like, if I wanted to assassinate you, this would be absolutely perfect.”

Fulton said the company only collects location data if users opt in and allow the app to access the GPS on the phone. Until this week, the company’s privacy FAQ stated “the app uses your location only while you have the app open,” but in response to my inquiries, the company acknowledged that statement was misleading.

“We absolutely agree that our FAQ on location data could have been more clear,” Fulton said, adding that the company was planning to send an updated statement to customers.

The Tim Hortons app now states: “It’s up to you to decide if you want to share your location data. Depending on your device, you will have different options about how to share this data… Make sure you check and understand your device settings to be sure they reflect your preference.”

Tim Hortons on Thursday also sent an email to its app users informing them that in addition to using location data to route orders to the nearest restaurant, “we’ll use your location data to provide you with tailored offers and choices. For example, we may provide you different offers depending on the community where you live, or we may send you a tailored offer on your morning commute.”

Fulton said he believes the kind of data collection that RBI is doing is commonplace.

“We are not on the cutting edge of this. We are the blunt edge of a butter knife compared to cutting-edge collection and use of data,” he said.

We are not on the cutting edge of this. We are the blunt edge of a butter knife compared to cutting-edge collection and use of data

Duncan Fulton

“It’s not a location-specific thing,” he added when asked why the app tracked me to Morocco. “It’s the permission that you allowed when you sign up for the app, and that you confirm on your phone.”

Fulton said customer location data is typically kept for 12 months, and the company has safeguards in place so that not all employees can access detailed customer location information.

“There’s actually only a very few number of people in the company that would have access to all the different information silos,” he said. “And we routinely run a monthly audit on every access to every part of our information databases. So we can see on a monthly basis who is accessing which data for what reason.”

This level of data collection at Restaurant Brands International is no accident. RBI executives have made data a major part of the business plan during the past couple of years. The app, which is inexorably tied to the Tim Hortons loyalty program, is a huge part of it.

“We’re going to strongly encourage our guests to register with the program and we’re going to provide a lot of encouragement to guests to interact with us on the mobile app,” Joshua Kobza, RBI’s chief operating officer, said on the company’s February earnings call.

“And I think that’s going to allow us to better understand how our guests interact with our brand and use our brand. And, I think, also allow us to provide even better benefits as we understand how our guests interact with our brand and provide more personalized benefits to those guests.”

Earlier this year, Tim Hortons was planning to use its famous Roll Up The Rim promotion to encourage people to install the app, even giving customers more chances to win prizes by rolling up virtual rims through their smartphone.

Due to COVID-19 concerns, RBI announced it would overhaul Roll Up The Rim to eliminate the use of paper cups in the contest, which put an even larger emphasis on the app and the Tims Rewards loyalty program.

The push to get more customers onto the app lines up with what RBI chief executive Jose Cil told analysts on the company’s third-quarter earnings call on Oct. 28, 2019.

“We’re already collecting a tremendous amount of insight through the program and in the future, we expect to be able to leverage this information to engage one-to-one with our guests and provide promotions tailored to their preferences,” he said of the mobile app and the loyalty program. “We’re working hard to put these tools in place and believe they will provide us with a unique advantage to establish deeper relationships with our guests over time.”

In May, when the company reported first-quarter earnings for 2020, much of the discussion shifted to focus on how the company was navigating through the disruptions caused by the pandemic. But in response to one question, Cil said the company is planning on using data to drive “the next phase of loyalty, which has a big component of one-on-one marketing as we get registrations up and get more information from our loyal guests in Canada.”

We expect to be able to leverage this information to engage one-to-one with our guests

RBI chief executive Jose Cil

The Tim Hortons app on my phone has also been unusually active during the COVID-19 crisis, regularly popping up new notifications to tell me about promotions and delivery options, even though I haven’t opened the app in months.

Fulton confirmed that the app and the loyalty program are a big part of Tim Hortons’ plan to jump-start its business in the wake of COVID-19 social distancing restrictions.

Tim Hortons would not disclose how many users it has on the app, but Fulton said “a few million Canadians” use it. He also said RBI has “a few million” active American users of each of its Burger King and Popeyes apps.

Market intelligence firm Sensor Tower believes roughly six million people have downloaded the Tim Hortons app worldwide, including 150,000 in the month of May alone.

Many of those users probably don’t know exactly how much tracking they’re signing up for.

Under PIPEDA, the same data privacy law that gave me the right to request my data from RBI, companies are only allowed to collect personal information if they have consent from individuals.

“To make the consent meaningful, the purposes must be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed,” PIPEDA states.

In October 2019, when the Tim Hortons app was installed on a co-worker’s Android phone, it appeared to indicate that the app would only access customer location information while the app was in use.

But deep in the 4,400-word privacy policy that covers the Tim Hortons, Burger King and Popeyes apps, RBI gives itself broad latitude as to how it will collect and use personal information from customers.

“In the course of providing the Services, we may collect information on our users’ demographics, interests and behaviour and analyze that data,” the privacy policy said.

The use of partners raises questions, too.

In addition to Radar, Open Privacy’s Atwater pointed out several other companies providing services to Tim Hortons, all of which were confirmed by Fulton.

The JSON data uses an “Amplitude Device ID,” which means it’s working with Amplitude Inc., a San Francisco-based company that offers services to track unique users across multiple devices, Atwater said.

The data also contain customer data tracking code from New York-based mParticle Inc. and from Braze Inc., another New York company that describes itself as “a comprehensive customer engagement platform that powers relevant and memorable experiences between consumers and the brands they love.”

Tim Hortons said it does not sell user data, even in anonymized form, but Fulton said the company does buy other data sets to provide greater insights into consumer activity. For example, weather data can be used to see how customers’ orders change when it’s hot or cold outside.

Such usage of user data seems relatively benign, but privacy experts have long raised questions about how companies collect and use location data, and companies are responding to those concerns.

Only RBI knows how many people are being tracked in the same way the Tim Hortons app was tracking me, because it depends on which operating system a customer’s phone is using, and how the data privacy permissions are presented.

Location permission was a blanket all-or-nothing choice on Android when I signed up for the Tim Hortons app, but Apple Inc. has since 2014 given iPhone users the ability to limit how apps can access location data.

And Android 10, the latest version of the operating system built by Google LLC, introduced more granular location permissions, so users can now give apps location permission only when the app is in use. This is the update that tipped me off to Tim Hortons’ background snooping in the first place.

Moreover, Google has said it will be enacting a new policy to limit apps that access user location in the background.

“An app with a store locator feature would work just fine by only accessing location when the app is visible to the user,” the Android Developers Blog post said, announcing the upcoming policy. “In this scenario, the app would not have a strong case to request background location under the new policy.”

By this November, all existing apps that access location in the background will need to be approved by Google, or they will be removed from the Google Play store.

“That’s where Google is going,” Fulton said. “I think that’s a design function that we need to look at. We only want to be able to collect and use data that you want us to, so if that kind of function helps in that, then we’re totally supportive.”

In spite of this, Fulton said RBI has no plans to make it possible for users to opt out of tracking for marketing purposes if they enable location services for the store locator function.

“I don’t think that’s on our road map today,” he said.

As a result, users running older versions of Android have no choice but to give blanket access to background tracking, or deny location permission which would make the app significantly more cumbersome to use.

For me, at least, there’s no going back. Tim Hortons knows where I live and where I work, even though I never would have knowingly agreed to give the company that information.

I haven’t used the app regularly since early March, when the COVID-19 social distancing measures forced me to work from home.

But in the months after I obtained this data from Tim Hortons, and started digesting the full scope of its tracking efforts, I didn’t stop using the app.

My medium coffee with two cream plus a toasted everything bagel with herb and garlic cream cheese have been my default breakfast for close to two decades. The app is convenient. Since I started blocking location, Tim Hortons can’t track me in real time anymore. At least now I’m accepting the trade-off with open eyes.

Financial Post

• Email: jmcleod@nationalpost.com | Twitter:

Copyright Postmedia Network Inc., 2020

RELATED:

Did this story inform or enhance your perspective on this subject?
1 being least likely, and 10 being most likely

Recent Stories