Coffee app in hot water for constant tracking of user location

A mobile app violated Canada’s privacy laws via some pretty significant overreach with its tracking of device owners. The violation will apparently not bring the app owners, Tim Hortons, any form of punishment. However, the fallout from this incident may hopefully serve as a warning to others with an app soon to launch. That’s one theory, anyway. In reality, this level of data collection is not as uncommon as is being suggested.

The app collects how much data?

It all begins in June 2020, when a reporter finds the Tim Hortons app is going above and beyond what one would expect as a reasonable level of tracking. Despite an FAQ claiming tracking only takes place “with the app open”, reporter James McCleod submits a request under Canada’s Personal Information Protection and Electronic Documents Act. He discovers the app has recorded his longitude and latitude coordinates “more than 2,700 times in less than five months”, and not just when the app was in use.

In fact, he’d never have known this level of tracking was taking place save for a notification saying the app had collected his location. The twist: he hadn’t used the app in hours. This one tiny mobile notification quickly snowballed into the story we have today.

The notification was due to an Android system update giving users the option to limit an app’s access to location information. When people and organisations say it’s a good idea to update your device, this story is a perfect example of why that is.

How can apps collect data?

We’ve previously covered Bluetooth beacons and geofencing on this site. These are a staple diet of Out of Home (OOH) advertising. If you’re unfamiliar with how this technology typically operates, here’s a brief rundown:

  1. You enable Bluetooth on your phone. It’s not a major battery drain and is becoming more useful to mobile users than ever before, so this isn’t a hassle for most people.
  2. Stores you enter may have a Bluetooth beacon which fires out a rapid pulse signal. If you have an app for the store you’re in and have granted it permission to interact, this is where the fun begins. The store can track your movements, and figure out which items you hovered in front of and which you ignored completely. The store can then offer discounts, flash sales, and even optimal item placement based on this data.
  3. Geofencing will help get you to the store in the first place. With app and permissions enabled, you may well have adverts sent directly to your phone when driving. You may even experience digital billboard Geofence marketing.

It’s not just about coffee

The biggest concern here for McCleod wasn’t that the app was tracking him on coffee runs. That was expected behaviour. What really stood out was the kind of deep-dive data collection that was generating “events” everywhere he went and building up a picture of his daily life.

The app, which made use of Geofencing platform Radar, flagged trips in and out of the home. It tried to distinguish between home and office. There was even an event fired for walking past a KFC in Morocco. In fact, the app seemed to spring into life any time McCleod walked past a rival business. McDonald’s, Starbucks, A&W, and more all triggered events.
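
To make those “events” concrete, here is an added example (not code from the Tim Hortons app or from Radar) showing how a handful of raw location fixes become enter/exit events, and how to measure what share of them fired while the app was in the background. The fences, coordinates and the foreground flag are constructed for illustration; the same check can be run over the location records returned by a data access request.

```python
import math
from collections import namedtuple

Fence = namedtuple("Fence", "name lat lon radius_m")

# Constructed sample data: two fences and five fixes from one day.
FENCES = [Fence("home", 45.0000, -75.0000, 100),
          Fence("rival_cafe", 45.0100, -75.0000, 50)]
# (timestamp, latitude, longitude, app_in_foreground)
FIXES = [("08:00", 45.0000, -75.0000, False),
         ("08:20", 45.0050, -75.0000, False),
         ("08:30", 45.0100, -75.0001, False),
         ("08:35", 45.0150, -75.0000, True),
         ("18:00", 45.0001, -75.0000, False)]

def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlon = math.radians(lon2 - lon1)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2)
    return 2 * 6371000.0 * math.asin(math.sqrt(a))

def geofence_events(fixes, fences):
    """Emit an enter/exit event whenever a fix crosses a fence boundary."""
    inside, events = set(), []
    for ts, lat, lon, foreground in fixes:
        for f in fences:
            within = haversine_m(lat, lon, f.lat, f.lon) <= f.radius_m
            if within != (f.name in inside):
                # Toggle membership: the device just crossed this fence.
                inside.symmetric_difference_update({f.name})
                events.append((ts, "enter" if within else "exit", f.name, foreground))
    return events

def background_share(events):
    """Fraction of events generated while the app was not on screen."""
    return sum(1 for e in events if not e[3]) / len(events) if events else 0.0

if __name__ == "__main__":
    evs = geofence_events(FIXES, FENCES)
    for ts, kind, name, fg in evs:
        print(ts, kind, name, "foreground" if fg else "background")
    print(f"{background_share(evs):.0%} of events fired in the background")
```

Five fixes are enough to produce a home departure, a visit to a rival business and a return home, with four of the five events generated while the app was not open.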

A spokesperson for Tim Hortons said this was to “tailor marketing and promotional offers” inside the app, and that no data was shared with the other companies. This wouldn’t be enough to avert some pretty serious conclusions made from the app investigation.

The investigation findings

Tim Hortons stopped continuous tracking in 2020 after Government investigations began, but there were still concerns over the data collected. Tim Hortons’ contract with a third-party location services supplier allowed for the possibility of selling “de-identified” data. De-anonymisation is a big problem.

Despite explanations from Tim Hortons, the investigation concluded that

“…continual and vast collection of location information was not proportional to the benefits Tim Hortons may have hoped to gain from better targeted promotion of its coffee and other products.”

It also found the app continued collecting large amounts of location data for a year after deciding against using it for targeted data, despite there being no need to do so. The four privacy authorities involved recommended Tim Hortons:

  • Delete any remaining location data and direct third-party service providers to do the same;
  • Establish and maintain a privacy management program that: includes privacy impact assessments for the app and any other apps it launches; creates a process to ensure information collection is necessary and proportional to the privacy impacts identified; ensures that privacy communications are consistent with, and adequately explain app-related practices; and
  • Report back with the details of measures it has taken to comply with the recommendations.

Tim Hortons agreed.

The full findings on this case can be seen in the report here.

Climbing under the fences: Tips for avoiding tracking

There are several ways to avoid or opt-out from tracking which you may feel is overly invasive.

  1. Keep your mobile device up to date. It’s the difference between having basic “on/off” privacy settings or waking up to find you have multiple granular controls for all aspects of app use.
  2. Not using Bluetooth? Turn it off. You won’t enjoy a massive battery bump, but you will go some way towards staying below the beacon radar.
  3. Think carefully about agreeing to GPS permissions for apps. It’s as specific a way to track your movements as can be, and some apps/services save this data online for you to view at a later date. This isn’t great if the service or account is compromised, so always ensure there’s an option to delete historical data. Depending on mobile device or OS, you may have very basic location options or several options tied to different services. It’s well worth taking some time to see what’s in there.
  4. Introduce some security to your mobile ecosystem. Mobile ad blockers, privacy and anonymity tools will all help prevent advertising profiles being tied to your real world location and identity. It may not just be the app, but the other sites, services, and ad networks it plugs into which you have to consider.
  5. Always read the EULA. It’s a pain, but it’s really worth checking out the privacy policies and EULAs of the apps you use. See how they share data, how long information is stored for, and which advertising networks the apps partner with. Of course, this may have limited use considering portions of the Tim Hortons app FAQ were incorrect, but it’s a good way to get up to speed on an app more broadly.


Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.