According to reporter James McLeod of The Financial Post, the Tim Hortons mobile app has been extensively tracking the location of users on older Android versions in the background, a practice revealed only after a Personal Information Protection and Electronic Documents Act (PIPEDA) request was made to the coffee chain’s parent company, RBI.
McLeod made the request for information last fall and soon found out the Tim Hortons app had tracked his Google Pixel 3XL smartphone over 2,700 times in the background in under five months, even when the app was not being used. He only discovered the app was tracking him in the background after he had updated to Android 10, which limits apps’ background location use.
The Tim Hortons mobile app was able to track in the background because Android smartphones running software versions older than Android 10 do not have granular location permissions for apps: the choice is simply allow or deny. The latest Android 10 update has a setting for apps to only use location data when the app is currently in use, a feature made available to iPhone users since 2014.
McLeod’s extensive investigation into the Tim Hortons app found that it tracked him in the background while he was sleeping, sensed location data when he was near competitors such as McDonald’s, Starbucks and more, and also sent his data back to third-party companies used by RBI.
The data he received showed the Tim Hortons app knew his IP address, carrier, free space on his phone, battery levels and even phone settings such as Bluetooth, according to lines of code in 12 text files he received, showing his location data from November 2018 to October 2019.
According to Tim Hortons chief corporate officer Duncan Fulton, users consent to GPS tracking when they grant permissions on their device, as this is needed to use the store locator feature of the app.
“We are not on the cutting edge of this. We are the blunt edge of a butter knife compared to cutting-edge collection and use of data,” said Fulton, when asked about the coffee chain’s tracking methodology. He also said it will not be possible to opt out of tracking for marketing purposes if users wish to use the store finder feature.
Tim Hortons only changed its privacy statement due to The Financial Post’s investigation, and now adds that users need to “check and understand your device settings” when it comes to location use in the background.
The Financial Post provided its Tim Hortons location data to Erinn Atwater of the Vancouver-based non-profit Open Privacy to interpret the results.
According to the research and funding director at Open Privacy, the Google Pixel 3XL was constantly streaming location data to a remote server via the Tim Hortons app. “It’s unexpected. It’s certainly far more invasive than I would consider acceptable for a coffee shop app. I don’t think any of us want corporations watching every single move we make without any insight into it,” said Atwater.
The Tim Hortons app was found to use a tracking service from the company Radar Labs, which pings data every three to five minutes. Another company, Amplitude Inc. in San Francisco, was also being used, along with two other companies, mParticle Inc. and Braze Inc., based in New York City.
According to Tim Hortons, data tracked by Radar Labs is deleted every 12 months on a rolling basis. Tim Hortons also said it does not sell user data, even in anonymized form.
Google will force developers to update apps to include more specific controls for location use in the background, with compliance required by November.
As for McLeod? He says that despite realizing the treasure trove of data collected by Tim Hortons via the mobile app, he still uses the app to order his daily breakfast from the coffee chain, due to its convenience, but the app can’t track him in the background anymore.