[HN Gopher] Tim Hortons app violated laws in collection of 'vast...
___________________________________________________________________
Tim Hortons app violated laws in collection of 'vast amounts' of location data

Author : danso
Score : 393 points
Date : 2022-06-01 17:59 UTC (5 hours ago)

(HTM) web link (www.priv.gc.ca)
(TXT) w3m dump (www.priv.gc.ca)

| kornhole wrote:
| Based on my surveys of people in the US, 97-99% of people with handsets are location tracked nearly 24/7. I am in the 1% with my hardened phone free of Goople and on airplane mode 99% of the time. I hope these companies continue to be exposed and help people choose where to buy our coffee and not give up their freedom for coupons.

| wly_cdgr wrote:
| Everyone needs to chill, they are just market testing their new Chocolate Frosted With Chocolate Sprinkles Tracking Donut

| Vladimof wrote:
| What are those weird lines on the background of this web page? I thought my kids misused crayons for a bit...

| curt15 wrote:
| This is why I always use a retail store's mobile website and never download their "app". The browser sandbox saves me from having to worry about these shenanigans.

| travisporter wrote:
| How do the apple app clips work in this regard? Can they collect location info?

| hooksfordays wrote:
| According to Apple's support site[0] App Clips can request your location, and permission's automatically revoked after 1 day, and only works while the apple clip is in use. So, better in theory.
|
| [0] https://support.apple.com/en-us/HT212238

| mikestew wrote:
| Because there is a setting for it, I assume that app clips can request location info. I have to assume, as there apparently is no app clip that has ever requested such. Come to think of it, I don't know that I've used an app clip.
|
| But the setting is there.

| switchbak wrote:
| I assume that at least one of the apps I have is probably sharing all my data right now.
| Be it the flashlight or the guitar tuner, or that menu planner thing.
|
| I remember a time when app developers weren't the user's enemy, but that was a long time ago.

| Fauntleroy wrote:
| ...until they decide they'll make more money by forcing mobile users to use the app and start kneecapping the mobile web experience left and right. We need strict regulation for this or it'll never end.

| 0daystock wrote:
| A lot of people are rightfully upset over this, but a more nuanced point: if your phone is capable of installing "apps" from a "store" - there is far, far more insidious data collection going on by significantly more capable adversaries.

| version_five wrote:
| I assume every app that has location permission does this. I can't imagine google doesn't, or the phone company. I don't think it's right (and even less right that apparently google will provide this information to law enforcement). I just think the only practical thing to do is assume you are being tracked and don't install apps unless you're ok with the tradeoff.
|
| The flip side of this, is why would I ever install a Tim Hortons app, why do I think they are offering an app, and what possible meaningful benefit (even assuming I went there regularly) would I derive from having an app?

| bstar77 wrote:
| Clearly you've never bought coffee from a chain after 2015.

| davidkuennen wrote:
| Most store apps I know offer some kind of discount or membership program with points if they use the app. I guess something like that.

| monkeybutton wrote:
| Afaik they made Roll Up The Rim digital and in-app only because of covid.

| ChoGGi wrote:
| I used their website for rolling up, worked mostly alright.

| stanmancan wrote:
| I have the app and it's surprisingly useful, mostly because Tim Hortons can have pretty long, slow lines. I'll usually place my order when I'm a few minutes away so that I can simply grab my order and walk out.
|
| It can also be helpful if you show up and there's a long lineup. Mobile orders get pushed to the front of the line, so instead of waiting in line you can place a mobile order and go grab it right away. I feel a bit guilty doing that though.

| gnabgib wrote:
| It isn't really an app though, it's one of those half arsed SPA in a webview that CONSTANTLY updates the large JS payload whenever you open it. Agree about the line bypass feature.. Tims can be insanely slow at rush hours.
|
| They also switched Roll Up the rim to REQUIRE the app if you want to roll (2? 3 years ago?) - I hope a successful lawsuit comes out of that given this privacy ruling.. a lot of people were forced to install the app just so they could collect an occasional free coffee/doughnut. If they did that last minute at the counter they wouldn't even have read the permissions (a similar argument to that which renders many EULA invalid in Canada).

| elevaet wrote:
| > Mobile orders get pushed to the front of the line, so instead of waiting in line you can place a mobile order and go grab it right away.
|
| Interesting, so customers pay for queue priority with their location data. Except the problem is it's not a fully consensual agreement, customers aren't explicitly aware of the arrangement.
|
| My apathetic side says we're entering a world where it's so inconvenient to have privacy that we'll probably not bother.

| frosted-flakes wrote:
| Location data is not required to use the app. You can just select No at the permissions prompt.
|
| For me, the only options are "Allow only while using the app", "Ask every time", and "Don't allow". Background tracking isn't even an option.

| interestica wrote:
| >guilty
|
| Do we need... App neutrality laws? Ha

| leviathan wrote:
| My anecdote is that once I was traveling on the 401 and stopped at an ONroute to grab a coffee.
| The line was extremely long and not moving at all, I had time to download the app, register, place an order, see it print out at the register and someone took it and made my coffee before the line even moved. I just quit the line, moved to the empty section where the mobile orders are and picked up the coffee as I was deleting the app.

| Li7h wrote:
| Smart assumption to make.
|
| On the flip side, people install the app because they usually are how the rewards programs are implemented now.
|
| From the app page:
|
| _Mobile Order & Pay
|
| Select and customize your favourite food and drinks, choose your preferred Tim Hortons location, and pay from the app. It's now that easy to order your favourite Tim Hortons items from your phone.
|
| Personalized Menu
|
| Add recently ordered items with one tap. Customized orders are saved on your menu so you can get your order just the way you like it.
|
| Tims® Rewards
|
| After just seven eligible purchases, receive your choice of a FREE coffee, tea or baked good. Keep checking for more special offers to come. It's time to reward your routine!
|
| Scan for Tims® Rewards
|
| A digital version of your loyalty card that you can scan easily when ordering in the restaurant - never miss an opportunity to earn rewards.
|
| Scan to Pay
|
| Save time and pay for your order right from the app -- no need to carry cash or a credit card!
|
| Take Out, Dine In or Drive Thru
|
| Choose your pick-up method. Payment is completed in-app, so you can grab your order to go, or dine in with us. Your choice._

| version_five wrote:
| I must be an outlier. On the remote ordering side, I feel like inevitably it won't work out and will end up taking as much time as just ordering - but I do see the appeal if it works well enough that it doesn't leave me pissed off once a week because they gave away my order or something.
|
| For the rest of it, it's just a meaningless distraction to me.
| I have enough going on without caring about tracking coffee rewards, or managing yet another payment method. I just don't find they make my life easier, and they take time and focus, plus nudge me to buy stuff I don't need or load money onto cards or whatever. I have frequent flyer memberships for the perks, but otherwise I've always found loyalty cards to be a gimmick, even more so when they want me to install a data harvesting app.

| runevault wrote:
| This is why I install so few apps. Yes granular permissions are a thing, but I always ask myself am I okay with this app potentially getting my data even if I say no thanks to some yet-unknown side channel attack? Google apps are whatever because obviously they already have my data since I'm on Android.

| heleninboodler wrote:
| Yes, I am waiting patiently for the backlash against everyone and their brother "needing" you to install an app. Every device you buy, every new service you sign up for, they all want you to install an app that easily could have been a web page. My phone contains none of this (ok, I have 6 apps that I consider essential and they all have permissions as restrictive as possible, and I honestly even feel a little dirty with a few of those). My old phone, which spends 99% of its life in a drawer in airplane mode, is riddled with trash apps like my Asus router setup app and any app that is forced down my throat by a product that I want to use and can't be properly set up without installing an app. Loyalty program app? Not a chance. I have no idea what group of clowns wrote that thing, but one thing I do know is that it was outsourced most of the time.
|
| I look forward to the day when we've reverted back to simple web-based interfaces and most of the general public says "install an app? yeah, right" because they've learned not to trust that shit.

| runevault wrote:
| Yup completely agreed.
| Restaurant chains badly wanting everyone to install apps is one that really annoys me. Mind you the general hunger for data even beyond mobile bugs me. I went and bought shoes a few weeks ago and they needed my email address as that was how I would get my receipt. So of course now they keep sending me all their sales bullshit. It is all incredibly frustrating and stupid.

| SoftTalker wrote:
| Same, also on Android. I have maybe half a dozen apps installed that did not come with my phone. Most of the apps that _did_ come with my phone I have removed or disabled.
|
| I also keep location turned off unless I am actively navigating in Google Maps. I know that doesn't eliminate all tracking but it's an easy thing to do.

| LegitShady wrote:
| >The flip side of this, is why would I ever install a Tim Hortons app, why do I think they are offering an app, and what possible meaningful benefit (even assuming I went there regularly) would I derive from having an app?
|
| All of the fast food restaurants now offer "deals" and/or points only available through the app. Tims popular game "Roll up the Rim to Win" used to be printed on the cups, and is now only available through the app.
|
| I wouldn't install them anyways, but lots of people have no idea how compromising these applications are to their privacy, and wouldn't infer the amount of information collected even if they read the privacy policy.
|
| These sorts of spying applications should just be banned.
|
| Nothing will change due to this investigation, and I doubt Tims will be fined any amount that would actually stop them from doing it, and no one will go to jail.

| kjs3 wrote:
| _why would I ever install a Tim Hortons app_
|
| Discounts, freebies, coupons, loyalty club benefits and other financial incentives, usually. Pretty much the only reason you want it, because all these kinds of things usually do otherwise is nag you that you're near one of their locations.
| JacobThreeThree wrote:
| You can get all of these benefits by using the Tim Hortons mobile website with an account.

| dylan604 wrote:
| But that's like not native and so unhip. I'm convinced the whole push to get away from mobile web to native app is solely for the personal data hoovering for the vast majority of apps.
|
| For example, a friend just downloaded the Wayfair app. Why is that necessary? She saved a couple of items, and now the app relentlessly notifies her about things even with notifications off. Doesn't happen with a mobile website.

| hydrok9 wrote:
| Yes, this is the entire corporate rationale behind everything "mobile" and "cloud."

| moron4hire wrote:
| You can't win either way. Push for web apps and the necessary capabilities in the browser to make rich web apps and you get hit with "but browser fingerprinting!" malarkey from the privacy fetishists.

| peterkos wrote:
| I used to go there a ton and I wanted to see if there were any good deals, see if my go-to was in stock, accumulate rewards, and check hours if I went to a new store. The app theoretically provides the "best" experience as well -- I've yet to see a mobile website recently for something I use day-to-day that _isn't_ trying to push me towards the mobile app, or was clearly never tested on a real device. (Obviously, that's the ideal, but such is the state of things.)
|
| The website didn't really suffice because the UX was bad, and wrestling with it got tiring. Apple+Google's hours were never quite correct.

| midislack wrote:
| In retrospect you probably feel pretty silly for falling for such a stupid ploy to rape your privacy just so you can save a nickel on a donut. I know Canada's in a food crisis but is it worth your soul?

| dave5104 wrote:
| Unless you want to unplug your modem, turn off your cell service, and live life as a luddite, your privacy on the internet doesn't exist.
| Forbo wrote:
| I strongly disagree with the way people just throw up their hands and accept defeat. It _is_ possible to have privacy on the Internet. Projects like Tor, I2P, and Nym are working to make this a reality. Fight back against the surveillance capitalist dystopia. Normalize privacy.

| pueblito wrote:
| I'm strongly considering it

| varenc wrote:
| You can use the app with the location permission disabled no problem. (On iOS at least)

| seanalltogether wrote:
| This is the reason I've been so frustrated with working with bluetooth devices on Android. Android places all bluetooth usage under Location permissions, and if you need to talk to bluetooth devices in the background, users have to manually consent to background location tracking, even though that's not what we want to actually do.

| mormegil wrote:
| IIANM, this is only when _scanning_: as soon as you pair/bond with a device, the app can communicate with it even with the location permission switched off.

| gnabgib wrote:
| Unless I'm misunderstanding you, none of this is true for the Android devices I've owned. Vendor specific perhaps? Devious way to do it. Doesn't Apple suffer with the same problem (location+bluetooth tied?)

| lern_too_spel wrote:
| It depends on the targetSdkVersion. https://www.androidpolice.com/2021/05/19/android-12-apps-won...

| mirntyfirty wrote:
| Is this because it automatically becomes possible to obtain location when accessing Bluetooth?

| lern_too_spel wrote:
| This is in fact what most iOS apps that ask for Bluetooth permission use it for. https://www.theverge.com/2019/9/19/20867286/ios-13-bluetooth...

| alephxyz wrote:
| It's because it's easy to estimate someone's location from nearby Bluetooth beacons or wifi access points.

| brailsafe wrote:
| It's their attempt at keeping up with Starbucks, who locked in the app game years ago.
| A better question is why would anyone go to Tim Hortons in the first place

| jeroenhd wrote:
| Not just the location permission; apps have been found to scan pictures taken to build a location history out of the location metadata that is stored in pictures and such.
|
| Practically speaking, unless you disable location tagging in pictures, any app with media access can track your coarse location history, depending on how many pictures you tend to take throughout the week.

| CobrastanJorji wrote:
| I don't see why Google would sell your location data to others. Store your location data? Absolutely. Use your location data? Absolutely. Target ads to you based on your location data? Absolutely.
|
| Sell it to others, though? No way. Why would they give away their valuable advantage? It's very much in their interest to stop anybody else from getting that information, and I trust them to be self-interested.

| rdxm wrote:

| user3939382 wrote:
| Slap on the wrist for willfully violating the privacy of a massive amount of people. Par for the course in the US as well. Yet try violating the Wiretap Act as an individual, even accidentally, and see how it works out for you.
|
| That difference in results between giant corporations and individuals should give you a strong clue about who the "justice" system works for.

| system16 wrote:
| I wouldn't say it's a slap on the wrist. It's not even a scolding. Tim Hortons was literally found guilty of spying on millions of Canadians, and the only consequence they face is that they have to stop doing it.

| autoexec wrote:
| > That difference in results between giant corporations and individuals should give you a strong clue about who the "justice" system works for.
|
| It's not just the justice system either. It's also representation in government.
| We have research showing that the average citizen has effectively zero influence on public policy and that our government caters exclusively to corporations and a small number of extremely wealthy individuals. The only time the rest of us get something we want is when our interests just happen to align with the interests of the powerful. (see https://scholar.princeton.edu/sites/default/files/mgilens/fi...)

| sharmin123 wrote:

| jordemort wrote:
| "Timbits? More like Timbots!"

| midislack wrote:
| Listen I know this wide-mouth VC fueled orgy of a web site will disagree but IF YOU INSTALL AN APP YOU CAN KISS YOUR PRIVACY GOOD BYE. It doesn't help if, eventually, after the fact, some government body hands down a paltry fine, if even. Your privacy has been raped and you will never get it back.
|
| So just stop installing stupid apps and you don't have to worry about issues like this.

| autoexec wrote:
| > So just stop installing stupid apps and you don't have to worry about issues like this.
|
| I agreed with you up until that last line. The problem is that this sort of invasive tracking isn't limited to the apps on your devices. The devices themselves are spying on you, and the lack of meaningful privacy protections leaves us vulnerable even if we left our cell phones sitting in lead lined boxes.
|
| Without installing any apps on our phones at all this kind of pervasive tracking data could be collected using bluetooth beacons, using cell phone tower data, using facial recognition technology, using license plate readers, using the GPS/OnStar systems in our cars or using radar systems that see through the walls of our homes.
|
| This isn't a problem our personal choices can solve. We only have the power to make choices that hurt us in different ways. We need real regulation and laws with many rows of very sharp teeth.

| 2OEH8eoCRo0 wrote:
| What?
| You can't live like God Emperor Stallman smugly using your flip phone and eating toe jam?

| hnburnsy wrote:
| Thanks Google for not allowing us users the ability to stop apps from starting up or not allowing apps to run in the background. Dicks.
|
| Every granted app permission should have the ability for the user of the device to revoke that permission.

| minsc_and_boo wrote:
| Google reviews all background location requests for apps: https://support.google.com/googleplay/android-developer/answ...
|
| The app from the article was collecting the data up until 2020, when Google launched this new app approval process.

| hnburnsy wrote:
| Don't they get around this with wifi scanning, viewing network connections and bluetooth scanning?

| theptip wrote:
| Don't all of those things come under the "location services" permission?

| ls15 wrote:
| And I should be able to provide fake data to apps out of the box. Some location that I can set manually, an address book with fake contacts, an image/video of my choice instead of camera access, audio for microphone, a directory of my choice for file/media access...
|
| All of these apps are not entitled to collect accurate data.
|
| I think there is an app on f-droid that does this.

| CosmicShadow wrote:
| Is there any sort of app (android) I can download that will tell me what other apps are constantly tracking my location and reporting back when they are not open? I'd also love that for anything that's constantly listening to what I say and reporting back.

| johndhi wrote:
| Don't really care about stupidly drafted privacy laws being violated. They do nothing for me.

| Karawebnetwork wrote:
| 5M+ downloads according to Play Store. More on Apple.

| walrus01 wrote:
| in my experience the ordinary android or ios end user will automatically click "yes/accept/allow permission" on almost anything that pops up on their screen.
| revolvingocelot wrote:
| >"This investigation sends a strong message to organizations that you can't spy on your customers just because it fits in your marketing strategy. Not only is this kind of collection of information a violation of the law, it is a complete breach of customers' trust. The good news in this case is that Tim Hortons has agreed to follow the recommendations we set out, and I hope other organizations can learn from the results of this investigation." - Michael McEvoy, Information and Privacy Commissioner for British Columbia
|
| Insane that there isn't any more forceful enforcement for "a violation of the law" than setting out "recommendations" and trusting that the guys under investigation for "violation" of the, presumably, privacy "law" will implement it.

| [deleted]

| airstrike wrote:
| You'd need a lawsuit for that. The investigation FTA was by "privacy agencies" which have no ability to enforce anything more severe than recommendations

| [deleted]

| revolvingocelot wrote:
| I actually did read the article; I even grabbed a quote from it! Still, the governmental privacy authorities suggest that the law was broken; I'm aware that they aren't enforcement, because I read the article, but the language is pretty clear that they think these actions broke the law.
|
| >You'd need a lawsuit for that
|
| Can you elaborate? Is there Canadian privacy law being violated here that doesn't stipulate any penalty other than exposing Tim Hortons to private lawsuits? Forgive the directness of my question, your comment reads like you'd know.
|
| edit: reading the Report of Findings [0] on the page itself suggests that because the violations ceased once, er, the violating entity had been informed of the investigation and had suggested that it'd delete the harvested data, the joint investigation "therefore found this matter to be well-founded and conditionally resolved".
| So, nobody really cares
|
| [0] https://www.priv.gc.ca/en/opc-actions-and-decisions/investig...

| throwaway_95283 wrote:
| Yeah Canada isn't the US, we have remedies available to us other than sending people to jail.

| revolvingocelot wrote:
| >Yeah Canada isn't the US, we have remedies available to us other than sending people to jail
|
| Can you elaborate? Is there Canadian privacy law being violated here that doesn't stipulate any penalty other than exposing Tim Hortons to private lawsuits? Forgive the directness of my question, your comment reads like you'd know.
|
| ...to be perfectly honest, "launch a civil suit and get pennies!" sounds much more American than throwing people in jail for privacy violations. The data is already out there.

| throwaway_95283 wrote:
| Yeah I can, the Office of the Privacy Commissioner of Canada, Commission d'accès à l'information du Québec, Office of the Information and Privacy Commissioner for British Columbia, and Office of the Information and Privacy Commissioner of Alberta collectively and individually do not have the power to imprison people. There is no determination they can make under the law that results in people or corporations going to jail.

| deathanatos wrote:
| I mean, given the article, it doesn't seem like Canada has availed itself of _any_ remedy, let alone sending people to jail, which is the point in this thread.
|
| Like, in America, we might slap the company on the wrist, fine them something like the equivalent of $1 for a normal person. And then business continues as usual.
|
| There's not even an ineffectual fine, here.

| mardifoufs wrote:
| What are they in this case? And I guess your comment is true as long as you ignore the incarceration rates for First Nations. Which is coincidentally something we Canadians really like to do whenever it's time to feel smug about our southern neighbors.
| [deleted]

| dragonwriter wrote:
| > And I guess your comment is true as long as you ignore the incarceration rates for First Nations. Which is coincidentally something we Canadians really like to do whenever it's time to feel smug about our southern neighbors.
|
| The US is at least as bad, absolutely and even relative to the White population, with Native Americans, though it gets less attention because Native Americans get less attention in US politics than First Nations do in Canada, and because it's further masked by the attention to both the general runaway incarceration in the US and the racial impact on Blacks of unequal incarceration.

| [deleted]

| autoexec wrote:
| Surely, there's no "stronger message" than a company getting to make money hand over fist by exploiting their customers and then getting away with nothing but a slap on the wrist. That'll make sure no company ever decides to do that same thing since they'd obviously hate making tons of money and getting "recommendations" after a stern talking to.
|
| Talk to me about "strong messages" when CEOs are sent to prison and a company's assets are seized.

| bozhark wrote:
| edit: Jail? Asset seizure? Nah, you want to make it non-viable as a business decision. Something like...
|
| Revoke their license retroactively to when they started doing this to consumers.
|
| Charge them for all individual incidents at maximum allocation per law.
|
| Allow the option of reduced fees per incident based on how quickly the business responds.
|
| Hold a minimum value per incident that you do not go under.
|
| Increase their tax responsibility by 15% for the next 5 years.

| autoexec wrote:
| Why not do most of that too? Yes, it should be non-viable as a business decision, but also something that will result in very personal and life altering consequences for those running the company.
| If I spied on even just a single person like this I'd be thrown in prison as a stalker. "Charge them for all individual incidents at maximum allocation per law." would mean a life sentence for CEOs when really just a decade or two behind bars would be enough to ensure that companies don't risk it.

| bozhark wrote:
| Why not both?
|
| The individual goes to jail, not the company. So how much does a fall guy cost a company? That's just cost of business if responsibility is only held by the individual.

| malfist wrote:
| Why do we have to make sure the company doesn't go under with our fines?
|
| We don't make sure criminals aren't too impacted by jail, why should corporations be different?

| m12k wrote:
| I think the GDPR has shown that all you need to do is set fines as a % of revenue, and they'll be taken seriously.

| bozhark wrote:
| I would make a shell corp that held all revenue.
|
| No obligation to fines.
|
| The key is to set multiple avenues of responsibility. It may be easy to find loopholes individually, but collectively it would become too burdensome. At least, for the company, make skirting the charges be as costly as following suit.

| autoexec wrote:
| There is a very long list of companies who have been fined for GDPR violations, and several which have been fined repeatedly. It's not working. Show me a list of companies which have been dissolved or were broken up and sold off after GDPR violations. Then it _might_ be enough to be taken seriously.

| clairity wrote:
| for something like this, jail time plus asset seizures is surely too extreme (purdue pharma, on the other hand...). however a severe financial penalty for both company and executives (VPs and up, plus legal counsel) makes a ton of sense. for execs, you'd want to especially financially negate at least some past and future bonuses and stock compensation, because it makes up the bulk of most executive comp.
| autoexec wrote:
| > for something like this, jail time plus asset seizures is surely too extreme
|
| If you'd go to jail for acting that way, why is that suddenly too extreme for CEOs? The fact is that very very personal details including things like sexual preferences, the medical history, the political views, the sexual partners, and the religious practices of millions of people were exposed by this data collection and that can't be taken back. All that data will exist forever and will likely be used against these people for the rest of their lives.
|
| I don't want Canada to become the dystopian prison-nation that the US is. The "Land of the Free" has more of its population behind bars than any other country on Earth, but some jail time (not life behind bars) is completely appropriate for the scale and scope of what was done here and it is necessary to prevent it from happening again.

| clairity wrote:
| you'd be wont to find anyone who'd support executive prison time more than me, but i'm against prison time as a _de facto_ punishment for exactly the reason that it results in too many people being locked up frivolously. i agree that the scale and scope here are atrocious, but again, take away all their gains and more, especially in regards to prestige and esteem, and you'll deter this type of behavior as effectively as incarceration without any of the downsides of prisons (especially the perverse incentives and the exorbitant costs).
|
| the punishment should fit the crime. that's why i'd throw the sacklers in prison (because they ruined countless lives, up to and including death), but not these executives.
| autoexec wrote:
| > take away all their gains and more, especially in regards to prestige and esteem, and you'll deter this type of behavior as effectively as incarceration
|
| I guess that'll have to be left to speculation until somebody actually manages to convince their government to try it, but I suspect that any financial penalties that don't outright end a company will rarely be enough on its own to act as a deterrent, and that absolving CEOs of any responsibility or accountability and placing the financial burden of fines for violating the rights of millions on the company as a whole will just cause it to be seen as an acceptable gamble for CEOs. It's not even a bad one. The gains to be made exploiting people are very high after all, and the risk of being caught fairly low.
|
| CEOs certainly don't care about prestige and esteem. They are often sociopaths and psychopaths who care very little about others or how they are viewed. Even when their actions do destroy a company they'll just deploy their golden parachutes and happily drift off to another one. As much as our legal systems fail to hold CEOs accountable corporations themselves are certainly no better at it.

| sdfhdhjdw3 wrote:
| > Talk to me about "strong messages" when CEOs are sent to prison and a company's assets are seized.
|
| +1
|
| I love capitalism, but the fact that laws are so meek towards companies is a flaw of our implementation of it.

| timsco wrote:
| Agreed - especially when you consider the provincial and federal tax dollars needed to prop up the various privacy commissions and launch an investigation like this one.

| colpabar wrote:
| Ah you know, it's a multimillion dollar corporation, so laws are just tough to enforce, because reasons. It's not like if a regular person was caught doing this, because then it'd be simple: that person would go to jail.
| | Also, there's no way that every other fast food app isn't doing | the exact same thing. There's no way that mcdonald's is going | to give me a free big mac just for having the app installed if | they aren't collecting as much data as they can access on my | device. | nopeNopeNooope wrote: | sitkack wrote: | The fact that was labeled just means that they were inferring it | on the client. Given any location stream from a person and POI | data you can infer all of this stuff, including if they have | kids, a mistress, if they are gay or straight, if they are | religious, friends, age, sex, nationality. | | I think Tim Hortons should be required to analyze and publish the | data from questions supplied by the public. | | What is the likelihood that I will have to visit a bathroom | within X minutes after consuming a Tim Hortons? Visit a hospital? | Get in a car crash? | | What percentage of Tim Hortons customers also visit strip clubs? | | What is the average waiting time in line for a TH visitor? | | Thoughts? | DwnVoteHoneyPot wrote: | > The Tim Hortons app asked for permission to access the mobile | device's geolocation functions, but misled many users to believe | information would only be accessed when the app was in use. In | reality, the app tracked users as long as the device was on, | continually collecting their location data. | | How does this work on an iPhone? If in Location Services and I | have app set as "While Using the App", I'm assuming it's not | possible for Tim Horton's app to collect data "as long as devices | was on". Did it somehow bypass these settings? | gnabgib wrote: | As others have noted the app works fine without location on. | (Android also has "only when using App" settings) It does | default full location access all the time which is where the | problem starts. Sane defaults required. | LeoPanthera wrote: | That setting cannot be bypassed on iOS. | barbazoo wrote: | Can it be bypassed on Android? 
Until now I assumed "While | using the app" means exactly that. | minsc_and_boo wrote: | No, it can't. Google reviews every Android app that is | requesting special permission for background location | access. | | Tim Hortons was doing this back prior to 2020 when Google | started requiring approval. | rfwhyte wrote: | Wildly disappointing that this massive, and blatantly illegal | collection of user location data has (of course) merely resulted | in a slap on the wrist for the perpetrators here. | | There should be huge (multi millions) fines and probably even | jail time for the execs who approved / managed this app, but as | per usual our corporate overlords get off with a "Stern warning" | and a promise not to do it again. | evandale wrote: | I'm reminded of the corporation taken to arbitration story | yesterday. I'm curious if you would be able to get anything from | Tim Hortons if you did that. | blorenz wrote: | I recently attended an automotive dealership conference where I | was being pitched for a product that would let me know if my | customers were at rival dealerships. I poked and prodded to | understand if these were legitimate claims or just marketing | hype. They revealed that they purchased location data from app | developers. I was shocked and surprised -- I don't know why I was | because this should have been expected. It really enlightened me | on the exploitation and misuse of data by crappy apps. | paulmd wrote: | Is there a simple way to buy this information for yourself? | I've always been curious what information is out there on me. | soared wrote: | This info is anonymized and barring extreme measures you | can't be identified individually in a data set. It's sold | with very specific usage rights, and for advertising uses a | cpm (cost per thousand) fee. You can't ever buy the data set, | but just the ability to target users who exist in it. | | For example Visa has an exclusive deal with oracle. 
So only | oracle can buy audiences with visa data, and visa has super | strict requirements and only builds them in house. If you say | "I want users who purchased x product" the size must be 5mm | users minimum (I think) and visa models it up using | lookalikes/etc to 20mm+ users (maybe slightly off on sizes). | Then it's like $4 cpm to use at a dsp. Brands/agencies etc | have to go through oracle to get visa data. | Cd00d wrote: | My team used to buy location data that we packaged up into | reports for equities investors - the premise being the more | foot-traffic your brand had, the more revenue you're likely to | have. | | Tons of apps sell this info. I think a lot of the 3rd party | weather apps have been the traditional worst offenders because | everyone wants to know the weather where they actually are in | the moment. | kennywinker wrote: | I know the "best" way to stop this kind of privacy violation | is good consumer protection and privacy laws, but I wonder if | we couldn't also regulate the downstream market. I.e. make | the sale and resale of personal data, as Cd00d is describing, | illegal. It seems pretty proven that the humans doing that | buying and selling aren't going to stop doing it out of civic | responsibility or moral disgust | minsc_and_boo wrote: | That's still whack-a-mole. Even if you changed the rules to | selling user data, these apps would just update it in their | TOS that consumers agree to without reading. | | Even laws have this problem. There are so many cookie bars | on websites that users just click through them anyways. | kennywinker wrote: | Whack-a-mole by the way the laws are written. You can | write laws that aren't whack-a-mole. E.g. "it is illegal | to sell or transfer user's data to another company | without positive informed consent from the user within 1 | month of the transfer" | | Every time a company wants to sell on your data, they | have to email you and ask permission. 
Not responding to | that message isn't consent. | | Find a loophole in that. | runnerup wrote: | > Find a loophole in that. | | Enforcement. | mattnewton wrote: | They'll just come up with some aggregated form of the | data they claim doesn't violate the letter of the law, | sell that, and be in business for years before anyone | finds out let alone tries to enforce the rules and find | out if they are violating it. | | This would honestly still be a huge improvement imo, as | even forcing data brokers to anonymize or aggregate the | data, even if it is ultimately not actually providing | privacy, is still a recognition of the problem over the | current system in most states. | mr_toad wrote: | You can't agree to something illegal. If the law makes it | illegal for third parties to use location data then it | doesn't matter what the TOS are. | verisimi wrote: | > I know the "best" way to stop this kind of privacy | violation is good consumer protection and privacy laws | | But I don't want any of my data collected or shared! | | The laws you are hoping for won't allow that - if they | existed, at best they would only allow those companies to | whom you have consented. Ie the mega-corporations. Local | shops would be the ones without the data. Which would be | pretty much exactly the opposite way I would choose to | share my data, if I were forced to by law. | amluto wrote: | I think the best way is to attack the market from all | sides. | | - GDPR-like legislation to try to prevent the inappropriate | collection of this information. | | - Ban the sale of or trafficking in illegally collected | personal information. Apply serious monetary penalties to | anyone who sells such information improperly. Additionally, | anyone who sells such information and subsequently learns | that it was improperly collected or was GDPR-deleted must | tell their buyers, who must then delete it. | | - Buyers are liable if sellers are found to have violated | the rules and don't pay.
They are also liable if they fail | to honor delete requests. Buyers who consider this | liability unacceptable may attempt to purchase or require | insurance. | jonhohle wrote: | > Ban the sale of or trafficking in illegally collected | personal information. | | In the US isn't the sale of illegally acquired data | already illegal under 18 U.S. Code § 2315? | | I wonder if any existing stalking laws would cover | existing data collection practices. Most people are upset | when they learn there are records of their location down | to a meter or so wherever they go that are sold to anyone | who wants it. Does that meet the bar of "emotional | distress"? | Cd00d wrote: | Honestly, I'm not sure it needs to be illegal. I'm not sure | it shouldn't be either. | | I wholeheartedly admit, some of our data providers are | shady, and there's no way I would go work for them. I don't | like the way they mislead people. | | That said, the data we get is anonymous. Sure, if I know | enough about you, and you're in one of my panels, it's | feasible that I might be able to figure out which panelist | you are. I know there's been some kerfuffle there with less | than upstanding "private investigators" and bounty hunters | in the past. But, the data we deal with is far too | expensive for those sorts. | | We find valuable consumer behavior insights in the data at | regional levels. That creates information that's valuable | not only on Wall St, but to retailers and brands, who are | desperate for anything to help them understand market share | and loyalty. | | I dunno. It's a weird world. It's also a very commoditized | world. Just having access to the data is no longer the main | value add - you have to provide the meaning of it as well. | ProjectArcturis wrote: | There's no way to anonymize location data. Where does | your phone spend the night plus where does your phone | spend the weekday equals a unique identifier when cross- | referenced with an address database.
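Added example (not part of the thread or of any commenter's post): the night-location-plus-weekday-location argument above, written as the check a data holder could run before releasing a pseudonymized location panel. It counts how many pseudonyms share each (night cell, weekday-daytime cell) pair; the ping records, coordinates, grid sizes and time windows are all constructed assumptions.

```python
"""k-anonymity audit of a pseudonymized location panel (illustrative sketch)."""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample: pseudonym -> (night-time point, weekday-daytime point).
# p01 and p02 sleep in the same ~100 m cell; p01/p03 and p02/p04 share a
# daytime cell. Neither anchor alone is unique to p01 or p02, but the pair is.
SPEC = {
    "p01": ((43.6512, -79.3832), (43.6453, -79.3790)),
    "p02": ((43.6514, -79.3829), (43.6702, -79.3868)),
    "p03": ((43.6629, -79.3957), (43.6453, -79.3790)),
    "p04": ((43.6781, -79.4094), (43.6702, -79.3868)),
}


def sample_pings():
    """Expand SPEC into (pseudonym, local ISO time, lat, lon) records."""
    pings = []
    for dev, (night, day) in SPEC.items():
        for d in range(2, 7):  # Mon 2 May .. Fri 6 May 2022
            pings.append((dev, f"2022-05-{d:02d}T02:30", *night))
            pings.append((dev, f"2022-05-{d:02d}T11:00", *day))
        # One Saturday-afternoon outing; it falls in neither time window.
        pings.append((dev, "2022-05-07T14:00", 43.6426, -79.3871))
    return pings


def anchor_pairs(pings, decimals):
    """Return {pseudonym: (most common night cell, most common weekday cell)}.

    A cell is the coordinate pair rounded to `decimals` places. Night is
    00:00-05:59 on any day; daytime is 09:00-16:59, Monday to Friday.
    """
    night, day = defaultdict(Counter), defaultdict(Counter)
    for dev, ts, lat, lon in pings:
        t = datetime.fromisoformat(ts)
        cell = (round(lat, decimals), round(lon, decimals))
        if t.hour < 6:
            night[dev][cell] += 1
        elif t.weekday() < 5 and 9 <= t.hour < 17:
            day[dev][cell] += 1
    return {
        dev: (night[dev].most_common(1)[0][0], day[dev].most_common(1)[0][0])
        for dev in night
        if dev in day
    }


def k_per_device(pings, decimals, parts=(0, 1)):
    """Return {pseudonym: k}, the number of pseudonyms sharing its key.

    parts=(0, 1) keys on the (night, day) pair, (0,) on the night cell
    only, (1,) on the daytime cell only. k == 1 means the key singles
    out one device, so the pseudonym gives no protection on that key.
    """
    keys = {
        dev: tuple(pair[i] for i in parts)
        for dev, pair in anchor_pairs(pings, decimals).items()
    }
    counts = Counter(keys.values())
    return {dev: counts[key] for dev, key in keys.items()}


if __name__ == "__main__":
    pings = sample_pings()
    for decimals in (3, 1):  # about 100 m cells, then about 11 km cells
        for label, parts in (("night", (0,)), ("day", (1,)), ("pair", (0, 1))):
            print(decimals, label, k_per_device(pings, decimals, parts))
```

With three-decimal cells every pseudonym in the sample has k = 1 on the pair even though p01 and p02 share both of their individual cells with someone else; rounding to one decimal only raises k to 2.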
| bisby wrote: | "We need your location to give you accurate weather readings | for where you are. We need internet access to fetch the | weather data." | | Weather apps also have plausible excuses for requesting | permissions. | derefr wrote: | Weather data is so tiny that there's no good reason to not | just fetch the whole weather point-map for your country and | then select from it client side. | SoftTalker wrote: | I can look out the window and see what the weather is where | I am now. Beyond that I am interested in the weather for my | general area over the next couple of days, which is | imprecise enough anyway that my exact location doesn't | matter. | maccard wrote: | Can you tell whether it's going to be raining in 30 | minutes? Can you tell whether it's going to be 10 or 22 | degrees later today when you're up at 7am? | | I definitely can't do either, and I've been wrong enough | times to know that | Cd00d wrote: | I use the 6 and 12 hour forecasts every single day, | personally. Simple stuff like - is it going to rain while | we go to the playground, what's the UV going to be while | we're at that outdoor thing, how cold is it going to be | after I go to bed and do I need to close some windows... | that sort of thing. | Scoundreller wrote: | Though I enjoy that apple at least lets me give imprecise | location to most maps. Would be nice if I could set it | myself to X kilometres. | kayodelycaon wrote: | The amount of data available in the automotive world is | incredible. License plates connect VINs with everyone who owned | the car. Driver's licenses can be inferred if not directly | connected. History of fines tied to person or vehicle. | Dealerships and insurance have records tied to the VIN. Who | financed loans for how much... | | It just doesn't stop. | daniel-cussen wrote: | That's part of why I refuse to own a car. Walking is much | better. I love walking. | | Plus the whole thing is highly conspiratorial, like you talk | about.
Getting you to the bargaining table ie into the | dealership. Then they work you, edmunds.com has an article | about all the shitty little defeating tactics car dealerships | do, at the direct verbal instructions of the dealership | owner, and him directly under orders from the car companies. | | Plus it's oil, American soldiers die every day for that oil | in the Middle East, and many local people with them. It's no | joke, in fact one time a military man I knew told me he just | drove slower on the highway, like 30 mph under the limit, | strictly because that oil is American blood, and you use much | less driving slower to reach the same place. Like the lower | speed limits of the 70's, but under his own volition. | | In WW2, there was propaganda (not being negative, I don't | consider it a negative thing, means words to be spread, | spread the word) saying if you drive alone, you're driving | with Hitler. Later, if you drive alone, you're driving with | terrorists. There would be no war, at all, in the whole | Middle East if it weren't about oil exploitation. That's the | whole deal. Israel a little bit, but oil all the way. The | Middle East had, up until I think 1947, including Iran, a | very high opinion of America, blue jeans rock and roll, | pizza, inventions, California, Cadillacs, what's not to love. | Then came the Israeli War of Independence, then grossest of | all the coup in Iran in 1953 which was just disgusting, and | things changed very quickly. | throwaway0a5e wrote: | All these advertisers get to do all sorts of creepy stuff and | yet I, a normal person, can't go from plate to name. I just | wanna offer to buy cool old shitboxes I see driving around. | monkeybutton wrote: | If you have money, is there anything really stopping you? | Just set up a fake corporate-looking website and start | contacting vendors! You will have to meet minimum order | volumes though. 
| throwaway0a5e wrote: | I don't do enough sales volume anymore for it to be worth | it. | | And even if I did I don't exactly want to lead a trail of | breadcrumbs straight to a title floating operation. | yial wrote: | I think you can actually. | | In Pennsylvania for example, | https://pennsylvania.staterecords.org/licenseplate | | There's a form to fill out. Looking at the instructions | it's E or F, so in theory if you can fulfill one of the | reasons in F, I suppose you don't need the owner's | information. | | Outside of the US, you can also request similar information | - Ontario for example. | | http://www.ontario.ca/page/uncertified-vehicle-record | throwaway0a5e wrote: | There's a federal law that restricts the info to a list | of specific purposes (basically that list) and states are | slowly updating their processing accordingly so you | generally have to lie on the forms. Different states go | to different lengths to do their due diligence. | walrus01 wrote: | runnerup wrote: | Houston tracks every car on the major highways by their built | in Bluetooth interfaces. Even if you don't have a Bluetooth | phone, the car has Bluetooth and will give up its ID to large | antennas on the light posts along the highway. | daniel-cussen wrote: | License plates also. It's not new. | | I think it's fine, if you're going that fast, you can't be | anonymous. Airplanes aren't, missiles sure as shit aren't, | the whole atmosphere is under surveillance for anything | larger than a baseball. | runnerup wrote: | Being able to track passengers is a bit new | shadowgovt wrote: | Specifically for cars, that's not actually surprising. | They're between several-to-tens-of-thousand dollar highly- | mobile multi-ton pieces of hardware that are both incredibly | valuable should they be stolen and incredibly dangerous | should they be misused.
| | The tracking probably shouldn't extend to customer marketing | uses, but the fact that VINs tie to plates tie to drivers' | licenses is a system built out of hard decades of experience | on the kind of damage people can do if the system isn't | tracked and audited. | parineum wrote: | > Specifically for cars, that's not actually surprising. | They're between several-to-tens-of-thousand dollar highly- | mobile multi-ton pieces of hardware that are both | incredibly valuable should they be stolen and incredibly | dangerous should they be misused. | | How does this data prevent either of those things? | shadowgovt wrote: | It doesn't. It's incredibly hard to stop a first-time bad | actor in the general case. To a first approximation: | that's what the car key is for, but if that fails (or an | authorized user is the one doing the damage)... | | The key part of the sentence is tracked _and audited._ | It helps to make people whole after-the-fact and minimize | repeat harm. | | To give a few concrete examples: commit a crime while | operating a car? Your plate is, in modern times, now in | the databases of multiple police precincts. You will now | find it difficult to operate on public roads without | getting pulled over (which also impinges on your ability | to easily flee from the scene of the crime). Steal a | whole car and ditch or replace the plate? Your VIN is now | flagged stolen, so good luck getting any legit operator | to do work on that car. Crash a car and try to repair it | and re-sell it with a damaged frame? Again, the VIN is | logged if you had any professional do major repairs on | the car. And if the cops pull you over on a public road | and you aren't licensed to operate a vehicle on a public | road... Oh boy, hope you didn't have plans this week. | parineum wrote: | None of that requires a maintained historical database | except for the totalled. | | Your car gets stolen, you report the VIN and the plate to | the police, they get a warrant.
No Database required. | | Your parent was talking about a load of historical data | that's available via your VIN number. | | > History of fines tied to person or vehicle. Dealerships | and insurance have records tied to the VIN. Who financed | loans for how much... | | If that's all true, that's absurd. All that is required | for what you're talking about is, at best, a database of | current owners. | hnburnsy wrote: | Interesting...what's the end game, play hard ball if they are | not rival shopping or give in if they are? | dylan604 wrote: | Everything in auto sales is a game. The more information on | you they have, the more they can "persuade" you to buy at | numbers more favorable to them. They look at the status of | your car. If it's clean, they think you're more serious to | buy and might not have to negotiate as low. If it doesn't look | like you've made the effort to clean it out before getting | rid of it, they might think you're just shopping. | | If they know you're looking at other dealers, then yes, they | might think they need to play harder. If they know you're | looking at accessories for this new car, then they can think | you're more ready to buy. Every bit of detail they can get, | they will use. | hnburnsy wrote: | Seems like rival shopping is on the margin and recouping | the location service tracking costs feels unlikely or at | least untraceable in terms of tying it back to an ROI. | sitkack wrote: | Not just app data, but you can also purchase celltower data, | https://airsage.com/ | | It is easy to fuse with other sources. | Yhippa wrote: | Someone more informed might know this better than me: are all | mobile apps constantly collecting as much data on you as they | can and reselling it? I had this realization sometime during | COVID (I know, I'm late to the party). I assume any free (as in | beer) app is doing this and possibly even paid apps. | lisper wrote: | Yes. Of course.
Did you really think people develop these | apps as philanthropic endeavors? | aftbit wrote: | <s>Right, just like the Linux kernel and OpenSSL.</s> Just | because something is free doesn't _automatically_ mean you | are the product. That said, I agree in this case - lots of | free scammy apps are free because they make more money that | way than selling the app. | minsc_and_boo wrote: | Sure, but these free mobile apps typically are not open | sourced projects. | | Even so, a not-insignificant number of OS software is | also a business strategy to buy B2B consulting services. | Terry_Roll wrote: | Not all mobile apps, but your mobile phone is your own | personal surveillance device. So when mobiles first came out | they didn't have any background noise cancelling algos so if | someone's phone "accidentally" called the last person whilst | it was in their pocket, you could listen into everything they | were discussing and identify the other people they were | talking to. The Edward Snowden leaks, showed the phones can | be remotely activated if switched off, a bit like the Intel | Management Engine is for PCs, so to defeat that you need a | phone you can take the battery out of. If you want to analyse | it in greater detail, do a replay attack on the transmission | from your phone, like you can with wifi and then pick apart | the data that is being transmitted. You might have to write | your own software and get a suitable SDR dongle to listen in | to a smart phone, but it's doable. About a decade ago, you | could get apps for android which allowed your phone to | override the cell traffic management, in other words you | could make your phone use a particular cell mast when there | was a choice, as this can also be used for triangulation | purposes, it offered a level of privacy by ignoring the other | masts so triangulation couldn't take place.
The smart thing to | do is roll your own OS for your devices, you can even use | wifi to identify whether someone is carrying a gun or knife | on their person because different alloys react differently to | RF signals like wifi, so you could have one of the new Garmin | Fenix 7 Super Sapphire's with your own OS working with a | smart phone on you that is also running your own OS scanning | for metals. Anybody doing a concealed carry near you gets | found out. Hacking firmware like the OnePlus 8 Camera which | sees through plastic also removes privacy for people, | because nylon is plastic and plastics are being used more and | more in clothes, like winter Fleece jackets. | https://twitter.com/MaxWinebach/status/1260564386546094081 | https://twitter.com/BenGeskin/status/1260607594395250690 | | Science is stealing everyone's privacy and I stopped carrying | a mobile years ago! | roywiggins wrote: | This investigation from a couple years ago in the NYT was | pretty good: | | https://www.nytimes.com/interactive/2019/12/19/opinion/locat... | jonhohle wrote: | It's funny that when the story is about their political | allies, that data becomes much less concerning: | | > "It's really, really hard to assign even what side of the | street you're on when you're using this kind of data," said | Paul Schmitt, a research scientist and professor at the | University of Southern California. | | https://www.nytimes.com/2022/05/29/us/politics/2000-mules- | tr... | neuronexmachina wrote: | Looking at the preceding paragraphs, I'm not sure I | understand what point you're trying to make: | | > Mr. Phillips and Ms. Engelbrecht's case is largely built | on cellphone data. A report created by the group includes | an appendix that claims to list "IMEI" numbers of the | tracked devices -- 15-digit codes unique to each cellphone. | But each entry on the list is a 20-character string of | numbers and letters followed by a lot of x's. Mr.
Phillips | said new IDs had been created "to obfuscate the numbers." | | >"The same report says the group "purchased 25 terabytes of | cellphone signal data emitted by devices" in the Milwaukee | area in a two-week period before the 2020 election. They | claim to have isolated 107 unique devices that made "20 or | more visits to drop boxes" and "multiple visits to | nongovernmental organizations" that were involved in get | out the vote efforts. | | >A number of researchers have said that while cellphone | data is fairly precise, it cannot determine if someone is | depositing ballots in a drop box or just passing by the | area. | | >"It's really, really hard to assign even what side of the | street you're on when you're using this kind of data," said | Paul Schmitt, a research scientist and professor at the | University of Southern California. | jonhohle wrote: | The parent posted a NYT article about cell phone data | being used to infer an individual's activity based on | their location. Recently, the NYT is implying that the | data isn't really all that accurate and can't be used to | infer an individual's activity. | sirsinsalot wrote: | Even though as a software developer in Europe, it makes my life | much more complicated, I hope more GDPR-like measures are | implemented and enforced. | | I know that might be at odds with many on HN's opinions, but | government/regulatory protection for consumers has a place. | brundolf wrote: | Reminder that in addition to denying location permissions, on iOS | you'll also want to turn off "Background activity" for apps that | don't have a reason to need it. There was an article a couple | years ago where some apps were polling your coarse location in | the background based off of your IP address. | sys_64738 wrote: | This is why I don't install garbage apps on my iPhone. | darepublic wrote: | I should stop going to Tim's.
Not just because of this, in fact | the thought was already in my mind this morning as I was in a | huge car lineup for morning drive-thru that extended out of the | Tim Horton's parking lot and into the side street, barring entry | to other businesses. And the garbage bins were overflowing with | discarded coffee cups and dripping with spilt coffee. A rare but | not insignificant minority of drive-thru workers can be downright | authoritarian, once you pick up your order from the window some | of them will bark at you to gtfo, even if you just take a moment | to settle your coffee cup into its holder. | gjsman-1000 wrote: | Uh huh - if I am Tim Hortons, the slap of the wrist was just the | price of this valuable information and the insights retrieved | from it. | thfuran wrote: | And it was a steal. | theptip wrote: | Say what you will about the pains of implementing GDPR, I think | it mostly got the core concepts right. We should implement | something similar in the USA. California's CCPA is a step in the | right direction, but it seems to lack any teeth. | | Apps should not be allowed to collect data on you without your | consent. And, they should not be able to just claim they need | everything; without a legitimate need you should be able to opt | out of tracking like the OP. And finally, the fines should have | teeth so that offenders are actually incentivized to avoid | infringing, instead of getting a slap on the wrist and profiting | from violations. | emptybits wrote: | > "This investigation sends a strong message to organizations..." | | Canadian here. Sorry, sending a sternly worded message to law | breakers isn't enough. | | > "The good news in this case is that Tim Hortons has agreed to | follow the recommendations we set out," | | No. GOOD news in such a case isn't an agreement to follow the law | in the future. Didn't they already do that and then break the | law?! | | Good news in such a case might be, oh let me think ...
a | temporary loss of business license for violation of laws and | customer trust, and then fines (or revenue loss due to license | suspension) of a magnitude that shareholders or the parent | company feel which can then inform the board, executive | responsibility, policy decisions right down the chain, etc. | | This is law-breaking for profit. | [deleted] | brailsafe wrote: | Good thing they were fined into oblivion! Oh wait, they weren't? | They were just asked to accept some suggestions you say? | jeffwask wrote: | - Install our app get $5 off your next purchase - Web special; | can only be ordered via the app - Free fries when ordering via | our app | | They only want your data. Fuck your business. Fuck the food. It's | all about your data. | Cipater wrote: | Hang on. | | >The Tim Hortons app asked for permission to access the mobile | device's geolocation functions, but misled many users to believe | information would only be accessed when the app was in use. In | reality, the app tracked users as long as the device was on, | continually collecting their location data. | | Does this mean that the prompt is completely useless? | Cd00d wrote: | Not sure why this is getting downvoted. I think it's a good and | reasonable question. | | I suspect it's the difference between an app's prompt and the | OS's prompt. | thepasswordis wrote: | It's so interesting seeing this. | | There is currently a film making the rounds in right | wing/election-interested circles called 2000 Mules. | | In the film, the narrator/host purport to have purchased several | trillions of points of tracing data from the time around the 2020 | election, and _claim_ to have identified "ballot mules", that | is: people who appeared to be going from various Democrat | affiliated non-profits to many different ballot boxes in their | city. | | The conclusion being: these people were stuffing ballot boxes.
| | However, the "technical" take downs of these claims are that this | location data is not accurate enough to support them. | | But then articles like _this_ come out, or many of the comments | below, which _do_ support the idea that you could purchase highly | accurate GPS tracking data of "anonymized" cell phone users. | | It's just interesting how the technical analysis on these things | seems to change so dramatically based on what the context is. | jordanmorgan10 wrote: | You wanna believe that your data is safe with your donut chain of | choice. Everyone wants to believe that. | UI_at_80x24 wrote: | For those of you who don't know who/what "Tim Horton's" is allow | me to educate and enlighten. | | https://en.wikipedia.org/wiki/Tim_Hortons | | It's a 'fast food/coffee' chain that really was made popular by a | recurring skit on a TV show called: Royal Canadian Air Farce | (Sketch based usually heavy on the political satire) | | The skit had 3 people sitting around a table drinking coffee and | cracking jokes about current-events and mostly political fiascos. | It was this lampooning of 'typical Canadian behaviour' of art | imitating life that caused more people to show up and start | hanging out at the corner coffee shop. In my small home town | (40,000 people) there were maybe 3 shops (aka Timmies). During | this boom to its popularity that number increased by at least 10. | They made their doughnuts in-house every morning, and the coffee | was tolerated as being acceptable. | | As the franchise grew in popularity it became something of a joke | and expectation that a person could find a Timmies on nearly | every block, and you would never need to drive more than 10 | minutes to get to the closest one. | | Throughout its financial hardships and ownership changes there | has been a lot of complaints that "The coffee isn't as good as it | used to be." And rumours that McDonalds (with its McCafé push) | bought Timmies old supplier of beans.
| | Now the food is no longer made in store, and my impression is | that the coffee is worse. There have been other cost-cutting | measures like making the popular contest "Roll up the Rim" (where | a person could unroll the lip of the cup of coffee to reveal a | prize from free confections, to money and a car); becoming an | APP-only prize (more like a lottery style jackpot than a winning | cup). | | In total, I am not surprised. Their quality has gone downhill, | and the treatment of staff is horrendous. | hbn wrote: | The street near where I live has 3 Tim Horton's locations | within less than a 1km distance (~800m according to a quick | check on Google Maps) | mdm_ wrote: | Downtown Hamilton, or downtown Toronto? | greenshackle2 wrote: | Downtown Montreal has 7 Tim Hortons in 1 square kilometer. | angst_ridden wrote: | I can see one Timmies from my balcony. There's another | around the corner. | hydrok9 wrote: | Downtown Winnipeg has two right across the street from | each other! | mattkrause wrote: | There are at least three within a short walk of my | apartment. | hbn wrote: | There are provinces other than Ontario despite what | Ontarians might believe ;) | | (Relatively) larger city in Saskatchewan. Not downtown | either! | beloch wrote: | Tim Hortons is _everywhere_ in Canada and they _used_ to be | decent. The current owners are subsisting on brand recognition | and market inertia. | | Once enough negative associations form with the brand, it'll be | the work of a generation to turn things around. Tracking user | locations probably won't have a huge impact on the Tim Horton's | brand. Most people just don't care enough about privacy issues. | | Tim Horton's _real_ problem is that they are becoming known for | bad coffee, bad donuts, and bad food, while similarly | ubiquitous chains, like McDonalds, now have decent coffee and | have added donuts to their menus.
If I have to choose between a | McDonalds burger and a microwaved chicken-finger with a shelf- | stabilized tortilla wrapped around it from Tim Horton's, the | choice is easy. Practically every truck-stop town that has a | Tim Horton's _also_ has a McDonald's very close by, so it | really is just market inertia propping Tim Horton's up at this | point. | stewx wrote: | Also, the chain is named after its former NHL player founder, | who died after crashing his car while drunk and on drugs. | rejectfinite wrote: | Sounds like a based guy tbh | UI_at_80x24 wrote: | I'll be honest I assumed that information was in wikipedia. | jamal-kumar wrote: | A friend of mine back in Canada is a cop and he told me that | ever since they switched from Costa Rican beans around 2010 the | coffee has been bad. I remember a friend of mine got a job | there and he was like the only things that are fresh on the | menu are the tomatoes and lettuce, literally everything else | comes shipped into the store frozen - yet their tagline, on the | sign of every store and on every cup of coffee, is 'always | fresh'. heh | qball wrote: | >ever since they switched from Costa Rican beans around 2010 | the coffee has been bad | | The unfortunate problem for Tim Horton's in Canada is that | going to McDonalds (of all places) is better in every single | way- their basic coffee is miles ahead in quality, their cups | and lids are better, and their food is too. | | Sadly, their coffee in the US is absolutely atrocious, to the | point where I'm not convinced it even qualifies as "coffee". | parineum wrote: | > Sadly, their coffee in the US is absolutely atrocious, to | the point where I'm not convinced it even qualifies as | "coffee". | | I prefer it to starbucks. | | I typically make my own coffee but if I'm looking for a | drip coffee and I'm out, I go to McDonalds. | jamal-kumar wrote: | I don't patronize ANY of these chain places.
Like I might | get a donut and a coffee at the airport from tim hortons | because that's literally all there is open at 2am but | I've just never been impressed by literally any big | franchise and kinda feel more cheated I spent 10$ on some | meal or whatever that really doesn't cost that much. It | blows me away that people compare them cause they're | literally all atrocious. I had a girlfriend come to | Canada at one point and she was so un-impressed by the | fact that people act like timmy's is some national | treasure. | | A friend of mine in Costa Rica knows Starbucks has a | pretty funny trick to say they have coffee from there | (Higher altitude begets better coffee). They actually | just ship it in these big bags with the 'hecho en mexico' | eagle on them and then re-bag it in Costa Rica. It's | incredibly non-sustainable. | parineum wrote: | Well, you're at the airport at 2am and there's a Tim | Horton's, a Starbucks and a McDonald's next to each | other. This is the situation I'm talking about (though I | was thinking on a road trip and wanting a quick coffee). | I'd choose McDonald's. | | I'm not super picky with coffee but whenever I've had | Starbucks drip, it's tasted burnt. They make their money | on the coffee milkshakes and it shows. | brailsafe wrote: | This is the only reference I've ever seen to Air Farce outside | of my own childhood, in which I'd watch it with my grandmother. | Incredible summary | rileyphone wrote: | Tim Horton's was bought by RBI, which also includes Burger King | and Popeye's. They run things super lean, though quality at the | restaurant is going to be mostly up to the franchisee. For | Tim's, I got the feeling that they don't really understand the | customer; business seems to be doing fine since the | acquisition, though the grumbling doesn't stop. | loceng wrote: | "becoming an APP-only prize (more like a lottery style jackpot | than a winning cup)." | | Sooo they could track exactly where their customers were going?
| skipants wrote: | >Consistent with this explanation, our Offices confirmed that the | SDK tracked, as Events, home, office, geofenced locations | (including its competitors), and travel in and out of Canada. For | example, news articles had noted that an event was recorded with | computer code such as "user.entered.place" with "place.name": | "Rogers Centre", or "user.entered.office".Footnote 16 Using open- | source resources and tools, the investigative team's technology | analysts determined that the SDK programming code included the | following: USER_ENTERED_HOME; USER_EXITED_HOME; | USER_ENTERED_OFFICE; USER_EXITED_OFFICE; | USER_STARTED_TRAVELING; USER_STOPPED_TRAVELING; and | USER_ENTERED_GEOFENCE; USER_EXITED_GEOFENCE. | | This is just downright appalling. | Gak2 wrote: | quick google search... looks like the LiveShopper SDK | [deleted] | cs702 wrote: | The industrial data-gathering complex is expanding into ever more | ethically dubious, ever more ridiculously unjustifiable niches. | | For an instant, I thought the OP might be a link to a fake story | in _The Onion_. | | I mean, it wouldn't be out of place there: "Fast-food chains | collecting vast amounts of location data." | | And yet, no one is shocked. | juice_bus wrote: | > The app also used location data to infer where users lived, | where they worked, and whether they were travelling. It generated | an "event" every time users entered or left a Tim Hortons | competitor, a major sports venue, or their home or workplace. | | yikes | [deleted] | micah63 wrote: | When Burger King "bought" Tim Hortons in 2014 (I believe this was | a tax evasion effort by Burger King to leave US and "merge" with | a Canadian food company), the whole experience went to pot. This | was a Canadian institution. I won't even step foot in a Tims | anymore, the food, the customer experience, the app, it's all | junk. | midasuni wrote: | Interesting. My first trip outside of Europe was my honeymoon | in 2008 to Canada. 
Various tour guides told us that Tim Hortons | ("Timmy's") was a Canadian institution. | | Since then I've travelled a fair bit in US cities and a little | in Canada and the only real difference I can see is that Canada | has a Tim Hortons on the corner. | Marsymars wrote: | I mean, I'd still call it a Canadian institution, but it's | not _good_. | | > Since then I've travelled a fair bit in US cities and a | little in Canada and the only real difference I can see is | that Canada has a Tim Hortons on the corner. | | Depends where you go. There's probably more of a different | cultural feel in Quebec and the Atlantic provinces. e.g. Cafe | Olimpico is a Montreal institution that feels | quintessentially Montreal. (And the US has places with very | different cultural feels to each other - of places I've | visited, Honolulu isn't very similar to Billings - but I'm | less familiar with the US than Canada.) | midasuni wrote: | I was amazed by many things with our 3 weeks in Canada, | including how cheap car hire for a massive (Ford escape) | car was, how wide the roads were, how off road logging | roads were | | But one thing that stuck with me was seeing things I'd only | ever heard of in tv/movies - Wendy's and Dairy Queen come | to mind. | | But I'd heard of them. And of course Starbucks (which we | had in the U.K.) | | Never heard of Tim Hortons though, which I guess shows the | relative strength of American cultural exports vs | Canadian cultural exports. | jjkaczor wrote: | It got even worse when it was sold (and re-sold?) - don't ever | go back. | LegitShady wrote: | counterpoint - Tim Hortons quality has been in serious decline | for far longer - when they stopped baking goods in-store in | 2002. | ShroudedNight wrote: | > when they stopped baking goods in-store | | Technically, I believe they still bake things, but they | certainly don't prepare the doughnuts from scratch on-site | anymore.
Indeed, quality declined spectacularly when their | slogan changed from "Doughnuts" to "Always Fresh". | LegitShady wrote: | No you're incorrect here - they don't bake them in store | anymore at all - the donuts etc are shipped baked and | frozen and are defrosted only. | octobus2021 wrote: | I'm against companies tracking my whereabouts and wanting to know | everything about my personal life. However. Here's what the | "charges" are as per the statement: | | >The investigation concluded that Tim Hortons' continual and vast | collection of location information was not proportional to the | benefits Tim Hortons may have hoped to gain from better targeted | promotion of its coffee and other products. | | So it's obviously ok for a business to collect information. This | includes information _legally_ collected from customers' phones | (I'm sure everybody just clicks OK agreeing to the terms when | installing the app). So what's the issue? That the amount is | "vast"? That it's "continuous"? That it's "not proportional to | the benefits"? Who decides what's vast and what's not, what's | proportional and what's not? I'm really not getting what they're | being accused of doing. They got a lot of data and had no clue | what to do with it (missed opportunity if you ask me), is that a | crime now? | DebtDeflation wrote: | I may be in the minority here but IMO the only really | legitimate purpose a "Tim Horton's app" would have for | accessing location data would be to push offers to you when | you're near one of their stores, and that should be opt-in not | a default. Also, there's no legitimate reason for them to | actually be storing the data - it's an app that you use to | purchase coffee from retail locations, it doesn't need to track | me 24/7 and store the info in a database. The number of apps | that ask me for permission to access my Location, Contacts, | Phone, Microphone, Camera, etc. is appalling. 
I feel like we | need to revisit the whole idea of telemetry in mobile apps, | like start over from scratch. | MiddleEndian wrote: | >I feel like we need to revisit the whole idea of telemetry | in mobile apps, like start over from scratch. | | Also the operating systems. You get a new Android phone, | Google Maps randomly comes up and tells you "Hey you're at | this location, want to do this check-in bullshit?" even | though it wasn't previously open. And yet, the app list | button only shows a few things that have viewable windows, no | easy way to see every background task that's running and | presumably spying on you. It's designed like this | deliberately. | octobus2021 wrote: | There're ways to get rid of all of it already. Get a | dumbphone/featurephone, install open source OS, or even get | a phone with one installed. Yes, they're more expensive and | way less polished. Android is way more developed, has a | large number of apps, and it's free (at least Android OS | itself). Why do you think that is? Who do you think is | paying for all that? | hughw wrote: | Yes, it is a crime. | octobus2021 wrote: | In case if it was not clear from the way I phrased my | question, it doesn't make any sense. The business _legally_ | collected marketing information and then got fined because | they collected too much, did it for too long, or didn't make | a good use of it. I just don't get it. | LegitShady wrote: | >Who decides what's vast and what's not, what's proportional | and what's not? | | The people who conducted the investigation - the Office of the | Privacy Commissioner of Canada | lykahb wrote: | Is there any other purpose of making an app other than | surveillance and ads? | indymike wrote: | In this case, taking an order from a consumer and collecting a | payment comes to mind. | | Just because you have a useful app doesn't mean you have to | sell the user's location data to make money, ESPECIALLY if you | are ALREADY making money with the app.
| gruez wrote: | > In this case, taking an order from a consumer and | collecting a payment comes to mind. | | all of this can be done in a web app, including the payment | (apple pay). | unfocused wrote: | The actual detailed report can be found here: | https://www.priv.gc.ca/en/opc-actions-and-decisions/investig... | | Essentially, both Android and iOS apps were collecting data. Also | interesting to note, that Ontario accounted for 54% of purchases | in May 2020, of people that used this app. I wonder how close it | is to actual sales. | | Full disclosure, I just used this app today in Ottawa. Doh! | tossstone wrote: | Ontario contains almost half of Canada's population so that | seems very plausible | paxys wrote: | Ontario makes up ~40% of Canada's population, so that isn't too | far off. It probably goes up to >50% when you filter on young | urban professionals, who are the target demographic of Tim | Hortons. | mb7733 wrote: | What kind of yuppie goes to Tim Hortons? | hydrok9 wrote: | I think there's lots, certainly doesn't seem to be thought | badly of among the young adults I know | brailsafe wrote: | Are you urban though or suburban? The suburbs have | basically no options for anything that they serve. | brailsafe wrote: | Not even yuppies in MB go to Tims | tempest_ wrote: | Aha that might be their target but young urban professionals | are not likely to be the largest demographic. | | That demographic prefers Starbucks, and more likely some hip | 3rd wave place over timmies. | brailsafe wrote: | Ya that surprised me. I'm sure as hell not going to Tims if | I can help it. | 3qz wrote: | > young urban professionals, who are the target demographic | of Tim Hortons | | Are you sure? Tim's is always full of blue collar guys and | old people whenever I go in. Starbucks is for yuppies. | brailsafe wrote: | Tim Hortons is a place for people with either no taste, no | money, or no choice in where they get their various coffee | and snack fixes.
| davidkuennen wrote: | Crazy. I suppose they stopped after Google and Apple tightened | their rules in 2020 regarding location tracking and not because | of a change of heart. | LegitShady wrote: | they don't say exactly when and why they disabled the tracking | except "in 2020", but in June 2020 when the original expose on | their tracking appeared in the Financial Post, tims had no | plans to disable the tracking, just to edit their privacy and | other policy texts so that it wasn't outright them lying. | | https://financialpost.com/technology/tim-hortons-app-trackin... | | There is the above privacy investigation but also a bunch of | class action lawsuits filed in multiple provinces. ___________________________________________________________________ (page generated 2022-06-01 23:00 UTC)