[HN Gopher] Tim Hortons app violated laws in collection of 'vast...
___________________________________________________________________
Tim Hortons app violated laws in collection of 'vast amounts' of
location data
Author : danso
Score : 393 points
Date : 2022-06-01 17:59 UTC (5 hours ago)
(HTM) web link (www.priv.gc.ca)
(TXT) w3m dump (www.priv.gc.ca)
| kornhole wrote:
| Based on my surveys of people in the US, 97-99% of people with
| handsets are location tracked nearly 24/7. I am in the 1% with my
| hardened phone free of Goople and on airplane mode 99% of the
| time. I hope these companies continue to be exposed and help
| people choose where to buy our coffee and not give up their
| freedom for coupons.
| wly_cdgr wrote:
| Everyone needs to chill, they are just market testing their new
| Chocolate Frosted With Chocolate Sprinkles Tracking Donut
| Vladimof wrote:
| What are those weird lines on the background of this web page? I
| thought my kids misused crayons for a bit...
| curt15 wrote:
| This is why I always use a retail store's mobile website and
| never download their "app". The browser sandbox saves me from
| having to worry about these shenangians.
| travisporter wrote:
| How do the apple app clips work in this regard? Can they
| collect location info?
| hooksfordays wrote:
| According to Apple's support site[0] App Clips can request
| your location, and permission's automatically revoked after 1
| day, and only works while the apple clip is in use. So,
| better in theory.
|
| [0] https://support.apple.com/en-us/HT212238
| mikestew wrote:
| Because there is a setting for it, I assume that app clips
| can request location info. I have to assume, as there
| apparently is no app clip that has ever requested such. Come
| to think of it, I don't know that I've used an app clip.
|
| But the setting is there.
| switchbak wrote:
| I assume that at least one of the apps I have is probably
| sharing all my data right now. Be it the flashlight or the
| guitar tuner, or that menu planner thing.
|
| I remember a time when app developers weren't the user's enemy,
| but that was a long time ago.
| Fauntleroy wrote:
| ...until they decide they'll make more money by forcing mobile
| users to use the app and start kneecapping the mobile web
| experience left and right. We need strict regulation for this
| or it'll never end.
| 0daystock wrote:
| A lot of people are rightfully upset over this, but a more
| nuanced point: if your phone is capable of installing "apps" from
| a "store" - there is far, far more insidious data collection
| going on by significantly more capable adversaries.
| version_five wrote:
| I assume every app that has location permission does this. I
| can't imagine google doesn't, or the phone company. I don't think
| it's right (and even less right that apparently google will
| provide this information to law enforcement). I just think the
| only practical thing to do is assume you are being tracked and
| don't install apps unless you're ok with the tradeoff.
|
| The flip side of this, is why would I ever install a Tim Hortons
| app, why do I think they are offering an app, and what possible
| meaningful benefit (even assuming I went there regularly) would I
| drive from having an app?
| bstar77 wrote:
| Clearly you've never bought coffee from a chain after 2015.
| davidkuennen wrote:
| Most store apps I know offer some kind of discount or
| membership program with points if they use the app. I guess
| something like that.
| monkeybutton wrote:
| Afaik they made Roll Up The Rim digital and in-app only
| because of covid.
| ChoGGi wrote:
| I used their website for rolling up, worked mostly alright.
| stanmancan wrote:
| I have the app and it's surprisingly useful, mostly because Tim
| Hortons can have pretty long, slow lines. I'll usually place my
| order when I'm a few minutes away so that I can simply grab my
| order and walk out.
|
| It can also be helpful if you show up and there's a long
| lineup. Mobile orders get pushed to the front of the line, so
| instead of waiting in line you can place a mobile order and go
| grab it right away. I feel a bit guilty doing that though.
| gnabgib wrote:
| It isn't really an app though, it's one of those half arsed
| SPA in an webview that CONSTANTLY updates the large JS
| payload whenever you open it. Agree about the line bypass
| feature.. Tims can be insanely slow at rush hours.
|
| They also switched Roll Up the rim to REQUIRE the app if you
| want to roll (2? 3 years ago?) - I hope a successful lawsuit
| comes out of that given this privacy ruling.. a lot of people
| were forced to install the app just so they could collect an
| occasional free coffee/doughnut. If they did that last minute
| at the counter they wouldn't even have read the permissions
| (a similar argument to that which renders many EULA invalid
| in Canada).
| elevaet wrote:
| > Mobile orders get pushed to the front of the line, so
| instead of waiting in line you can place a mobile order and
| go grab it right away.
|
| Interesting, so customers pay for queue priority with their
| location data. Except the problem is it's not a fully
| consentual agreement, customers aren't explicitly aware of
| the arrangement.
|
| My apathetic side says we're entering a world where it's so
| inconvenient to have privacy that we'll probably not bother.
| frosted-flakes wrote:
| Location data is not required to use the app. You can just
| select No at the permissions prompt.
|
| For me, the only options are "Allow only while using the
| app", "Ask every time", and "Don't allow". Background
| tracking isn't even an option.
| interestica wrote:
| >guilty
|
| Do we need... App neutrality laws? Ha
| leviathan wrote:
| My anecdote is that once I was traveling on the 401 and
| stopped at an ONroute to grab a coffee. The line was
| extremely long and not moving at all, I had time to download
| the app, register, place an order, see it print out at the
| register and someone took it an made my coffee before the
| line even moved. I just quit the line, moved to the empty
| section where the mobile orders are and picked up the coffee
| as I was deleting the app.
| Li7h wrote:
| Smart assumption to make.
|
| On the flip side, people install the app because they usually
| are how the rewards programs are implemented now.
|
| From the app page:
|
| _Mobile Order & Pay
|
| Select and customize your favourite food and drinks, choose
| your preferred Tim Hortons location, and pay from the app. It's
| now that easy to order your favourite Tim Hortons items from
| your phone.
|
| Personalized Menu
|
| Add recently ordered items with one tap. Customized orders are
| saved on your menu so you can get your order just the way you
| like it.
|
| Tims(r) Rewards
|
| After just seven eligible purchases, receive your choice of a
| FREE coffee, tea or baked good. Keep checking for more special
| offers to come. It's time to reward your routine!
|
| Scan for Tims(r) Rewards
|
| A digital version of your loyalty card that you can scan easily
| when ordering in the restaurant - never miss an opportunity to
| earn rewards.
|
| Scan to Pay
|
| Save time and pay for your order right from the app -- no need
| to carry cash or a credit card!
|
| Take Out, Dine In or Drive Thru
|
| Choose your pick-up method. Payment is completed in-app, so you
| can grab your order to go, or dine in with us. Your choice._
| version_five wrote:
| I must be an outlier. On the remote ordering side, I feel
| like inevitably it won't work out and will end up taking as
| much time as just ordering - but I do see the the appeal if
| it works well enough that it doesn't leave me pissed off once
| a week because they gave away my order or something.
|
| For the rest of it, it's just a meaningless distraction to
| me. I have enough going on without caring about tracking
| coffee rewards, or managing yet another payment method. I
| just don't find they make my life easier, and they take time
| and focus, plus nudge me to buy stuff I don't need or load
| money onto cards or whatever. I have frequent flyer
| memberships for the perks, but otherwise I've always found
| loyalty cards to be a gimmick, even more so when they want me
| to install a data harvesting app.
| runevault wrote:
| This is why I install so few apps. Yes granular permissions are
| a thing, but I always ask myself am I okay with this app
| potentially getting my data even if I saw no thanks to some
| yet-unknown side channel attack? Google apps are whatever
| because obviously they already have my data since I'm on
| Android.
| heleninboodler wrote:
| Yes, I am waiting patiently for the backlash against everyone
| and their brother "needing" you to install an app. Every
| device you buy, every new service you sign up for, they all
| want you to install an app that easily could have been a web
| page. My phone contains none of this (ok, I have 6 apps that
| I consider essential and they all have permissions as
| restrictive as possible, and I honestly even feel a little
| dirty with a few of those). My old phone, which spends 99% of
| its life in a drawer in airplane mode, is riddled with trash
| apps like my Asus router setup app and any app that is forced
| down my throat by a product that I want to use and can't be
| properly set up without installing an app. Loyalty program
| app? Not a chance. I have no idea what group of clowns wrote
| that thing, but one thing I do know is that it was outsourced
| most of the time.
|
| I look forward to the day when we've reverted back to simple
| web-based interfaces and most of the general public says
| "install an app? yeah, right" because they've learned not to
| trust that shit.
| runevault wrote:
| Yup completely agreed. Restaurant chains badly wanting
| everyone to install apps is one that really annoys me. Mind
| you the general hunger for data even beyond mobile bugs me.
| I went and bought shoes a few weeks ago and they needed my
| email address as that was how I would get my receipt. So of
| course now they keep sending me all their sales bullshit.
| It is all incredibly frustrating and stupid.
| SoftTalker wrote:
| Same, also on Android. I have maybe half a dozen apps
| installed that did not come with my phone. Most of the apps
| that _did_ come with my phone I have removed or disabled.
|
| I also keep location turned off unless I am actively
| navigating in Google Maps. I know that doesn't eliminate all
| tracking but it's an easy thing to do.
| LegitShady wrote:
| >The flip side of this, is why would I ever install a Tim
| Hortons app, why do I think they are offering an app, and what
| possible meaningful benefit (even assuming I went there
| regularly) would I drive from having an app?
|
| All of the fast food restaurants now offer "deals" and/or
| points only available through the app. Tims popular game "Roll
| up the Rim to Win" used to be printed on the cups, and is now
| only available through the app.
|
| I wouldn't install them anyways, but lots of people have no
| idea how compromising these applications are to their privacy,
| and wouldn't infer the amount of information collected even if
| they read the privacy policy.
|
| These sorts of spying applications should just be banned.
|
| Nothing will change due to this investigation, and I doubt Tims
| will be fined any amount that would actually stop them from
| doing it, and no one will go to jail.
| kjs3 wrote:
| _why would I ever install a Tim Hortons app_
|
| Discounts, freebees, coupons, loyalty club benefits and other
| financial incentives, usually. Pretty much the only reason you
| want it, because all these kinds of things usually do otherwise
| is nag you that you're near one of their locations.
| JacobThreeThree wrote:
| You can get all of these benefits by using the Tim Hortons
| mobile website with an account.
| dylan604 wrote:
| But that's like not native and so unhip. I'm convinced the
| whole push to get away from mobile web to native app is
| solely for the personal data hovering for the vast majority
| of apps.
|
| For example, a friend just downloaded the Wayfair app. Why
| is that necessary? She saved a couple of items, and now the
| app relentlessly notifies her about things even with
| notfications off. Doesn't happen with a mobile website.
| hydrok9 wrote:
| Yes, this is the entire corporate rational behind
| everything "mobile" and "cloud."
| moron4hire wrote:
| You can't win either way. Push for web apps and the
| necessary capabilities in the browser to make rich web
| apps and you get hit with "but browser fingerprinting!"
| malarkey from the privacy fetishists.
| peterkos wrote:
| I used to go there a ton and I wanted to see if there were any
| good deals, see if my go-to was in stock, accumulate rewards,
| and check hours if I went to a new store. The app theoretically
| provides the "best" experience as well -- I've yet to see a
| mobile website recently for something I use day-to-day that
| _isn 't_ trying to push me towards the mobile app, or was
| clearly never tested on a real device. (Obviously, that's the
| ideal, but such is the state of things.)
|
| The website didn't really suffice because the UX was bad, and
| wrestling with it got tiring. Apple+Google's hours were never
| quite correct.
| midislack wrote:
| In retrospect you probably feel pretty silly for falling for
| such a stupid ploy to rape your privacy just so you can save
| a nickel on a donut. I know Canada's in a food crisis but is
| it worth your soul?
| dave5104 wrote:
| Unless you want to unplug your modem, turn off your cell
| service, and live life as a luddite, your privacy on the
| internet doesn't exist.
| Forbo wrote:
| I strongly disagree with the way people just throw up
| their hands and accept defeat. It _is_ possible to have
| privacy on the Internet. Projects like Tor, I2P, and Nym
| are working to make this a reality. Fight back against
| the surveillance capitalist dystopia. Normalize privacy.
| pueblito wrote:
| I'm strongly considering it
| varenc wrote:
| You can use the app with the location permission disabled
| no problem. (On iOS at least)
| seanalltogether wrote:
| This is the reason I've been so frustrated with working with
| bluetooth devices on Android. Android places all bluetooth
| usage under Location permissions, and if you need talk to
| bluetooth devices in the background, users have to manually
| consent to background location tracking, even though that's not
| what we want to actually do.
| mormegil wrote:
| IIANM, this is only when _scanning_: as soon as you pair/bond
| with a device, the app can communicate with it even with the
| location permission switched off.
| gnabgib wrote:
| Unless I'm misunderstanding you, none of this is true for the
| Android devices I've owned. Vendor specific perhaps? Devious
| way to do it. Doesn't Apple suffer with the same problem
| (location+bluetooth tied?)
| lern_too_spel wrote:
| It depends on the targetSdkVersion.
| https://www.androidpolice.com/2021/05/19/android-12-apps-
| won...
| mirntyfirty wrote:
| Is this because it automatically becomes possible to obtain
| location when accessing Bluetooth?
| lern_too_spel wrote:
| This is in fact what most iOS apps that ask for Bluetooth
| permission use it for. https://www.theverge.com/2019/9/19/2
| 0867286/ios-13-bluetooth...
| alephxyz wrote:
| It's because it's easy to estimate someone's location from
| nearby Bluetooth beacons or wifi access points.
| brailsafe wrote:
| It's their attempt at keeping up with Starbucks, who locked in
| the app game years ago. A better question is why would anyone
| go to Tim Hortons in the first place
| jeroenhd wrote:
| Not just the location permission; apps have been found to scan
| pictures taken to build a location history out of the location
| metadata that is stored in pictures and such.
|
| Practically speaking, unless you disable location tagging in
| pictures, any app with media access can track your coarse
| location history, depending on how many pictures you tend to
| take throughout the week.
| CobrastanJorji wrote:
| I don't see why Google would sell your location data to others.
| Store your location data? Absolutely. Use your location data?
| Absolutely. Target ads to you based on your location data?
| Absolutely.
|
| Sell it to others, though? No way. Why would they give away
| their valuable advantage? It's very much in their interest to
| stop anybody else from getting that information, and I trust
| them to be self-interested.
| rdxm wrote:
| user3939382 wrote:
| Slap on the wrist for willfully violating the privacy of a
| massive amount of people. Par for the course in the US as well.
| Yet try violating the Wiretap Act as an individual, even
| accidentally, and see how it works out for you.
|
| That difference in results between giant corporations and
| individuals should give you a strong clue about who the "justice"
| system works for.
| system16 wrote:
| I wouldn't say it's a slap on the wrist. It's not even a
| scolding. Tim Hortons was literally found guilty of spying on
| millions of Canadians, and the only consequence they face is
| that they have to stop doing it.
| autoexec wrote:
| > That difference in results between giant corporations and
| individuals should give you a strong clue about who the
| "justice" system works for.
|
| It's not just the justice system either. It's also
| representation in government. We have research showing that the
| average citizen has effectively zero influence on public policy
| and that our government caters exclusively to corporations and
| a small number of extremely wealthy individuals. The only time
| the rest of us get something we something we want is when our
| interests just happen to align with the interests of the
| powerful. (see https://scholar.princeton.edu/sites/default/file
| s/mgilens/fi...)
| sharmin123 wrote:
| jordemort wrote:
| "Timbits? More like Timbots!"
| midislack wrote:
| Listen I know this wide-mouth VC fueled orgy of a web site will
| disagree but IF YOU INSTALL AN APP YOU CAN KISS YOUR PRIVACY GOOD
| BYE. It doesn't help if, eventually, after the fact, some
| government body hands down a paltry fine, if even. Your privacy
| has been raped and you will never get it back.
|
| So just stop installing stupid apps and you don't have to worry
| about issues like this.
| autoexec wrote:
| > So just stop installing stupid apps and you don't have to
| worry about issues like this.
|
| I agreed with you up until that last line. The problem is that
| this sort of invasive tracking isn't limited to the apps on
| your devices. The devices themselves are spying on you, and the
| lack of meaningful privacy protections leaves us vulnerable
| even if we left our cell phones sitting in lead lined boxes.
|
| Without installing any apps on our phones at all this kind of
| pervasive tracking data could be collected using bluetooth
| beacons, using cell phone tower data, using facial recognition
| technology, using license plate readers, using the GPS/OnStar
| systems in our cars or using radar systems that see through the
| walls of our homes.
|
| This isn't a problem our personal choices can solve. We only
| have the power to make choices that hurt us in different ways.
| We need real regulation and laws with many rows of very sharp
| teeth.
| 2OEH8eoCRo0 wrote:
| What? You can't live like God Emperor Stallman smugly using
| your flip phone and eating toe jam?
| hnburnsy wrote:
| Thanks Google for not allowing us users the ability to stop apps
| from starting up or not allowing apps to run in the background.
| Dicks.
|
| Every granted app permission should have the ability for the user
| of the device to revoke that permission.
| minsc_and_boo wrote:
| Google reviews all background location requests for apps:
| https://support.google.com/googleplay/android-developer/answ...
|
| The app from the article was collecting the data up until 2020,
| when Google launched this new app approval process.
| hnburnsy wrote:
| Don't they get around this with wifi scanning, viewing
| network connections and bluetooth scanning?
| theptip wrote:
| Don't all of those things come under the "location
| services" permission?
| ls15 wrote:
| And I should be able to provide fake data to apps out of the
| box. Some location that I can set manually, an address book
| with fake contacts, an image/video of my choice instead of
| camera access, audio for microphone, a directory of my choice
| for file/media access...
|
| All of these apps are not entitled to collect accurate data.
|
| I think there is an app on f-droid that does this.
| CosmicShadow wrote:
| Is there any sort of app (android) I can download that will tell
| me what other apps are constantly tracking my location and
| reporting back when they are not open? I'd also love that for
| anything that's constantly listening to what I say and reporting
| back.
| johndhi wrote:
| Don't really care about stupidly drafted privacy laws being
| violated. They do nothing for me.
| Karawebnetwork wrote:
| 5M+ downloads according to Play Store. More on Apple.
| walrus01 wrote:
| in my experience the ordinary android or ios end user will
| automatically click "yes/accept/allow permission" on almost
| anything that pops up on their screen.
| revolvingocelot wrote:
| >"This investigation sends a strong message to organizations that
| you can't spy on your customers just because it fits in your
| marketing strategy. Not only is this kind of collection of
| information a violation of the law, it is a complete breach of
| customers' trust. The good news in this case is that Tim Hortons
| has agreed to follow the recommendations we set out, and I hope
| other organizations can learn from the results of this
| investigation." - Michael McEvoy, Information and Privacy
| Commissioner for British Columbia
|
| Insane that there isn't any more forceful enforcement for "a
| violation of the law" than setting out "recommendations" and
| trusting that the guys under investigation for "violation" of
| the, presumably, privacy "law" will implement it.
| [deleted]
| airstrike wrote:
| You'd need a lawsuit for that. The investigation FTA was by
| "privacy agencies" which have no ability to enforce anything
| more severe than recommendations
| [deleted]
| revolvingocelot wrote:
| I actually did read the article; I even grabbed a quote from
| it! Still, the governmental privacy authorities suggest that
| the law was broken; I'm aware that they aren't enforcement,
| because I read the article, but the language is pretty clear
| that they think these actions broke the law.
|
| >You'd need a lawsuit for that
|
| Can you elaborate? Is there Canadian privacy law being
| violated here that doesn't stipulate any penalty other than
| exposing Tim Hortons to private lawsuits? Forgive the
| directness of my question, your comment reads like you'd
| know.
|
| edit: reading the Report of Findings [0] on the page itself
| suggests that because the violations ceased once, er, the
| violating entity had been informed of the investigation and
| had suggested that it'd delete the harvested data, the joint
| investigation "therefore found this matter to be well-founded
| and conditionally resolved". So, nobody really cares
|
| [0] https://www.priv.gc.ca/en/opc-actions-and-
| decisions/investig...
| throwaway_95283 wrote:
| Yeah Canada isn't the US, we have remedies available to us
| other than sending people to jail.
| revolvingocelot wrote:
| >Yeah Canada isn't the US, we have remedies available to
| us other than sending people to jail
|
| Can you elaborate? Is there Canadian privacy law being
| violated here that doesn't stipulate any penalty other
| than exposing Tim Hortons to private lawsuits? Forgive
| the directness of my question, your comment reads like
| you'd know.
|
| ...to be perfectly honest, "launch a civil suit and get
| pennies!" sounds much more American than throwing people
| in jail for privacy violations. The data is already out
| there.
| throwaway_95283 wrote:
| Yeah I can, the The Office of the Privacy Commissioner of
| Canada, Commission d'acces a l'information du Quebec,
| Office of the Information and Privacy Commissioner for
| British Columbia, and Office of the Information and
| Privacy Commissioner of Alberta collectively and
| individually do not have the power to imprison people.
| There is no determination they can make under the law
| that results in people or corporations going to jail.
| deathanatos wrote:
| I mean, given the article, it doesn't seem like Canada
| has availed itself of _any_ remedy, let alone sending
| people to jail, which is the point in this thread.
|
| Like, in America, we might slap the company on the wrist,
| fine them something like the equivalent of $1 for a
| normal person. And then business continues as usual.
|
| There's not even an ineffectual fine, here.
| mardifoufs wrote:
| What are they in this case? And I guess your comment is
| true as long as you ignore the incarceration rates for
| First Nations. Which is coincidentally something we
| canadians really like to do whenever it's time to feel
| smug about our southern neighbors.
| [deleted]
| dragonwriter wrote:
| > And I guess your comment is true as long as you ignore
| the incarceration rates for First Nations. Which is
| coincidentally something we canadians really like to do
| whenever it's time to feel smug about our southern
| neighbors.
|
| The US is at least as bad, absolutely and even relative
| to the White population, with Native Americans, though it
| gets less attention because Native Americans get less
| attention in US politics than First Nations do in Canada,
| and because it's further masked by the attention to both
| the general runaway incarceration in the US and the
| racial impact on Blacks of unequal incarceration.
| [deleted]
| autoexec wrote:
| Surely, there's no "stronger message" than a company getting to
| make money hand over fist by exploiting their customers and
| then getting away with nothing but a slap on the wrist. That'll
| make sure no company ever decides to do that same thing since
| they'd obviously hate making tons of money and getting
| "recommendations" after a stern talking to.
|
| Talk to me about "strong messages" when CEOs are sent to prison
| and a company's assets are seized.
| bozhark wrote:
| edit: Jail? Asset seizure? Nah, you want to make it non-
| viable as a business decision. Something like...
|
| Revoke their license retroactively to when they started doing
| this to consumers.
|
| Charge them for all individual incidents at maximum
| allocation per law.
|
| Allow the option of reduced fees per incident based on how
| quickly the business responds.
|
| Hold a minimum value per incident that you do not go under.
|
| Increase their tax responsibility by 15% for the next 5
| years.
| autoexec wrote:
| Why not do most of that too? Yes, it should be non-viable
| as a business decision, but also something that will result
| in very personal and life altering consequences for those
| running the company. If I spied on even just a single
| person like this I'd be thrown in prison as a stalker.
| "Charge them for all individual incidents at maximum
| allocation per law." would mean a life sentence for CEOs
| when really just a decade or two behind bars would be
| enough to ensure that companies don't risk it.
| bozhark wrote:
| ?Por que no los dos?
|
| The individual goes to jail, not the company. So how much
| does a fall guy cost a company? That's just cost of
| business if responsibility is only held by the
| individual.
| malfist wrote:
| Why do we have to make sure the company doesn't go under
| with our fines?
|
| We don't make sure criminals aren't too impacted by jail,
| why should corporations be different?
| m12k wrote:
| I think the GDPR has shown that all you need to do is set
| fines as a % of revenue, and they'll be taken seriously.
| bozhark wrote:
| I would make a shell corp that held all revenue.
|
| No obligation to fines.
|
| The key is to set multiple avenues of responsibility. It
| may be easy to find loopholes individually, but
| collectively it would become too burdensome. At least,
| for the company, make skirting the charges be as costly
| as following suit.
| autoexec wrote:
| There is a very long list of companies who have been
| fined for GDPR violations, and several which have been
| fined repeatedly. It's not working. Show me a list of
| companies which have been dissolved or were broken up and
| sold off after GDPR violations. Then it _might_ be enough
| to be taken seriously.
| clairity wrote:
| for something like this, jail time plus asset seizures is
| surely too extreme (purdue pharma, on the other hand...).
| however a severe financial penalty for both company and
| executives (VPs and up, plus legal counsel) makes a ton of
| sense. for execs, you'd want to especially financially negate
| at least some past and future bonuses and stock compensation,
| because it makes up the bulk of most executive comp.
| autoexec wrote:
| > for something like this, jail time plus asset seizures is
| surely too extreme
|
| If you'd go to jail for acting that way, why is that
| suddenly too extreme for CEOs? The fact is that very very
| personal details including things like sexual preferences,
| the medical history, the political views, the sexual
| partners, and the religious practices of millions of people
| were exposed by this data collection and that can't be
| taken back. All that data will exist forever and will
| likely be used against these people for the rest of their
| lives.
|
| I don't want Canada to become the dystopian prison-nation
| that the US is. The "Land of the Free" has more of its
| population behind bars than any other country on Earth, but
| some jail time (not life behind bars) is completely
| appropriate for the scale and scope of what was done here
| and it is necessary to prevent it from happening again.
| clairity wrote:
| you'd be wont to find anyone who'd support exective
| prison time more than me, but i'm against prison time as
| a _de facto_ punishment for exactly the reason that it
| results in too many people being locked up frivolously. i
| agree that the scale and scope here are atrocious, but
| again, take away all their gains and more, especially in
| regards to prestige and esteem, and you 'll deter this
| type of behavior as effectively as incarceration without
| any of the downsides of prisons (especially the perverse
| incentives and the exhorbitant costs).
|
| the punishment should fit the crime. that's why i'd throw
| the sacklers in prison (because they ruined countless
| lives, up to and including death), but not these
| executives.
| autoexec wrote:
| > take away all their gains and more, especially in
| regards to prestige and esteem, and you'll deter this
| type of behavior as effectively as incarceration
|
| I guess that'll have be left to speculation until
| somebody actually manages to convince their government to
| try it, but I suspect that any financial penalties that
| don't outright end a company will rarely be enough on its
| own to act as a deterrent, and that absolving CEOs of any
| responsibility or accountability and placing the
| financial burden of fines for violating the rights of
| millions on the company as a whole will just cause it to
| be seen as an acceptable gamble for CEOs. It's not even a
| bad one. The gains to be made exploiting people are very
| high after all, and the risk of being caught fairly low.
|
| CEOs certainly don't care about prestige and esteem. They
| are often sociopaths and psychopaths who care very little
| about others or how they are viewed. Even when their
| actions do destroy a company they'll just deploy their
| golden parachutes and happily drift off to another one.
| As much as our legal systems fail to hold CEOs
| accountable corporations themselves are certainly no
| better at it.
| sdfhdhjdw3 wrote:
| > Talk to me about "strong messages" when CEOs are sent to
| prison and a company's assets are seized.
|
| +1
|
| I love capitalism, but the fact that laws are so meek towards
| companies is a flaw of our implementation of it.
| timsco wrote:
| Agreed - especially when you consider the provincial and
| federal tax dollars needed to prop up the various privacy
| commissions and launch an investigation like this one.
| colpabar wrote:
| Ah you know, it's a multimillion dollar corporation, so laws
| are just tough to enforce, because reasons. It's not like if a
| regular person was caught doing this, because then it'd be
| simple: that person would go to jail.
|
| Also, there's no way that every other fast food app isn't doing
| the exact same thing. There's no way that mcdonald's is going
| to give me a free big mac just for having the app installed if
| they aren't collecting as much data as they can access on my
| device.
| nopeNopeNooope wrote:
| sitkack wrote:
| The fact that was labeled just means that they were inferring it
| on the client. Given any location stream from a person and POI
| data you can infer all of this stuff, including if they have
| kids, a mistress, if they are gay or straight, if they are
| religious, friends, age, sex, nationality.
|
| I think Tim Hortons should be required to analyze and publish the
| data from questions supplied by the public.
|
| What is the likelihood that I will have to visit a bathroom
| within X minutes after consuming a Tim Hortons? Visit a hospital?
| Get in a car crash?
|
| What percentage of Tim Hortons customers also visit strip clubs?
|
| What is the average waiting time in line for a TH visitor?
|
| Thoughts?
| DwnVoteHoneyPot wrote:
| > The Tim Hortons app asked for permission to access the mobile
| device's geolocation functions, but misled many users to believe
| information would only be accessed when the app was in use. In
| reality, the app tracked users as long as the device was on,
| continually collecting their location data.
|
| How does this work on an iPhone? If in Location Services and I
| have app set as "While Using the App", I'm assuming it's not
| possible for Tim Horton's app to collect data "as long as devices
| was on". Did it somehow bypass these settings?
| gnabgib wrote:
| As others have noted the app works fine without location on.
| (Android also has "only when using App" settings) It does
| default full location access all the time which is where the
| problem starts. Sane defaults required.
| LeoPanthera wrote:
| That setting cannot be bypassed on iOS.
| barbazoo wrote:
| Can it be bypassed on Android? Until now I assumed "While
| using the app" means exactly that.
| minsc_and_boo wrote:
| No, it can't. Google reviews every Android app that is
| requesting special permission for background location
| access.
|
| Tim Hortons was doing this back prior to 2020 when Google
| started requiring approval.
| rfwhyte wrote:
| Wildly disappointing that this massive, and blatantly illegal
| collection of user location data has (of course) merely resulted
| in a slap on the wrist for the perpetrators here.
|
| There should be huge (multi millions) fines and probably even
| jail time for the execs who approved / managed this app, but as
| per usual our corporate overlords get off with a "Stern warning"
| and a promise not to do it again.
| evandale wrote:
| I'm reminded of the corporation taken to arbitration story
| yesterday. I'm curious if you would be able to get anything from
| Tim Hortons if you did that.
| blorenz wrote:
| I recently attended an automotive dealership conference where I
| was being pitched for a product that would let me know if my
| customers were at rival dealerships. I poked and prodded to
| understand if these were legitimate claims or just marketing
| hype. They revealed that they purchased location data from app
| developers. I was shocked and surprised -- I don't know why I was
| because this should have been expected. It really enlightened me
| on the exploitation and misuse of data by crappy apps.
| paulmd wrote:
| Is there a simple way to buy this information for yourself?
| I've always been curious what information is out there on me.
| soared wrote:
| This info is anonymized and barring extreme measures you
| can't be identified individually in a data set. It's sold
| with very specific usage rights, and for advertising uses a
| cpm (cost per thousand) fee. You can't ever buy the data set,
| but just the ability to target users who exist in it.
|
| For example Visa has an exclusive deal with oracle. So only
| oracle can buy audiences with visa data, and visa has super
| strict requirements and only builds them in house. If you say
| "I want users who purchased x product" the size must be 5mm
| users minimum (I think) and visa models it up using
| lookalikes/etc to 20mm+ users (maybe slightly off on sizes).
| Then it's like $4 cpm to use at a dsp. Brands/agencies etc
| have to go through oracle to get visa data.
| Cd00d wrote:
| My team used to buy location data that we packaged up into
| reports for equities investors - the premise being the more
| foot-traffic your brand had, the more revenue you're likely to
| have.
|
| Tons of apps sell this info. I think a lot of the 3rd party
| weather apps have been the traditional worst offenders because
| everyone wants to know the weather where they actually are in
| the moment.
| kennywinker wrote:
| I know the "best" way to stop this kind of privacy violation
| is good consumer protection and privacy laws, but I wonder if
| we couldn't also regulate the downstream market. I.e. make
| the sale and resale of personal data, as Cd00d is describing,
| illegal. It seems pretty proven that the humans doing that
| buying and selling aren't going to stop doing it out of civic
| responsibility or moral disgust
| minsc_and_boo wrote:
| That's still whack-a-mole. Even if you changed the rules to
| selling user data, these apps would just update it in their
| TOS that consumers agree to without reading.
|
| Even laws have this problem. There are so many cookie bars
| on websites that users just click through them anyways.
| kennywinker wrote:
| Whack-a-mole by the way the laws are written. You can
| write laws that aren't whack-a-mole. E.g. "it is illegal
| to sell or transfer user's data to another company
| without positive informed consent from the user within 1
| month of the transfer"
|
| Every time a company wants to sell on your data, they
| have to email you and ask permission. Not responding to
| that message isn't consent.
|
| Find a loophole in that.
| runnerup wrote:
| > Find a loophole in that.
|
| Enforcement.
| mattnewton wrote:
| They'll just come up with some aggregated form of the
| data they claim doesn't violate the letter of the law,
| sell that, and be in business for years before anyone
| finds out let alone tries to enforce the rules and find
| out of they are violating it.
|
| This would honestly still be a huge improvement imo, as
| even forcing data brokers to anonymize or aggregate the
| data, even if it is ultimately not actually providing
| privacy, is still a recognition of the problem over the
| current system in most states.
| mr_toad wrote:
| You can't agree to something illegal. If the law makes it
| illegal for third parties to use location data then it
| doesn't matter what the TOS are.
| verisimi wrote:
| > I know the "best" way to stop this kind of privacy
| violation is good consumer protection and privacy laws
|
| But I don't want any of my data collected or shared!
|
| The laws you are hoping for won't allow that - if they
| existed, at best they would only allow those companies to
| whom you have consented. Ie the mega-corporations. Local
| shops would be the ones without the data. Which would be
| pretty much exactly the opposite way I would choose to
| share my data, if I were forced to by law.
| amluto wrote:
| I think the best way is to attack the market from all
| sides.
|
| - GDPR-like legislation to try to prevent the inappropriate
| collection of this information.
|
| - Ban the sale of or trafficking in illegally collected
| personal information. Apply serious monetary penalties to
| anyone who sells such information improperly. Additionally,
| anyone who sells such information and subsequently learns
| that it was improperly collected or was GDPR-deleted must
| tell their buyers, who must then delete it.
|
| - Buyers are liable if sellers are found to have violated
| the rules and don't pay. They are also liable if they fail
| to honor delete requests. Buyers who consider this
| liability unacceptable may attempt to purchase or require
| insurance.
| jonhohle wrote:
| > Ban the sale of or trafficking in illegally collected
| personal information.
|
| In the US isn't the sale of illegally acquired data
| already illegal under 18 U.S. Code SS 2315?
|
| I wonder if any existing stalking laws would cover
| existing data collection practices. Most people are upset
| when they learn there are records of their location down
| to a meter or so wherever they go that are sold to anyone
| who wants it. Does that meet the bar of "emotional
| distress"?
| Cd00d wrote:
| Honestly, I'm not sure it needs to be illegal. I'm not sure
| it shouldn't be either.
|
| I wholeheartedly admit, some of our data providers are
| shady, and there's no way I would go work for them. I don't
| like the way they mislead people.
|
| That said, the data we get is anonymous. Sure, if I know
| enough about you, and you're in one of my panels, it's
| feasible that I might be able to figure out which panelist
| you are. I know there's been some kerfuffle there with less
| than upstanding "private investigators" and bounty hunters
| in the past. But, the data we deal with is far too
| expensive for those sorts.
|
| We find valuable consumer behavior insights the data at
| regional levels. That creates information that's valuable
| not only on Wall St, but to retailers and brands, who are
| desperate for anything to help them understand market share
| and loyalty.
|
| I dunno. It's a weird world. It's also a very commoditized
| world. Just having access to the data is no longer the main
| value add - you have to provide the meaning of it as well.
| ProjectArcturis wrote:
| There's no way to anonymize location data. Where does
| your phone spend the night plus where does your phone
| spend the weekday equals a unique identifier when cross-
| referenced with an address database.
| bisby wrote:
| "We need your location to give you accurate weather readings
| for where you are. We need internet access to fetch the
| weather data."
|
| Weather apps also have plausible excuses for requesting
| permissions.
| derefr wrote:
| Weather data is so tiny that there's no good reason to not
| just fetch the whole weather point-map for your country and
| then select from it client side.
| SoftTalker wrote:
| I can look out the window and see what the weather is where
| I am now. Beyond that I am interested in the weather for my
| general area over the next couple of days, which is
| imprecise enough anyway that my exact location doesn't
| matter.
| maccard wrote:
| Can you tell whether it's going to be raining in 30
| minutes? Can you tell whether it's going to be 10 or 22
| degrees later today when you're up at 7am?
|
| I definitely can't do either, and ive been wrong enough
| times to know that
| Cd00d wrote:
| I use the 6 and 12 hour forecasts every single day,
| personally. Simple stuff like - is it going to rain while
| we go to the playground, what's the UV going to be while
| we're at that outdoor thing, how cold is it going to be
| after I go to bed and do I need to close some windows...
| that sort of thing.
| Scoundreller wrote:
| Though I enjoy that apple at least let's me give imprecise
| location to most maps. Would be nice if I could set it
| myself to X kilometres.
| kayodelycaon wrote:
| The amount of data available in the automotive world is
| incredible. License plates connect VINs with everyone who owned
| the car. Driver's licenses can be inferred if not directly
| connected. History of fines tied to person or vehicle.
| Dealerships and insurance have records tied to the VIN. Who
| financed loans for how much...
|
| It just doesn't stop.
| daniel-cussen wrote:
| That's part of why I refuse to own a car. Walking is much
| better. I love walking.
|
| Plus the whole thing is highly conspiratorial, like you talk
| about. Getting you to the bargaining table ie into the
| dealership. Then they work you, edmunds.com has an article
| about all the shitty little defeating tactics car dealerships
| do, at the direct verbal instructions of the dealership
| owner, and him directly under orders from the car companies.
|
| Plus it's oil, American soldiers die every day for that oil
| in the Middle East, and many local people with them. It's no
| joke, in fact one time a military man I knew told me he just
| drove slower on the highway, like 30 mph under the limit,
| strictly because that oil is American blood, and you use much
| less driving slower to reach the same place. Like the lower
| speed limits of the 70's, but under his own volition.
|
| In WW2, there was propaganda (not being negative, I don't
| consider it a negative thing, means words to be spread,
| spread the word) saying if you drive alone, you're driving
| with Hitler. Later, if you drive alone, you're driving with
| terrorists. There would be no war, at all, in the whole
| Middle East if it weren't about oil exploitation. That's the
| whole deal. Israel a little bit, but oil all the way. The
| Middle East had, up until I think 1947, including Iran, a
| very high opinion of America, blue jeans rock and roll,
| pizza, inventions, California, Cadillacs, what's not to love.
| Then came the Israeli War of Independence, then grossest of
| all the coup in Iran in 1953 which was just disgusting, and
| things changed very quickly.
| throwaway0a5e wrote:
| All these advertisers get to do all sorts of creepy stuff and
| yet I, a normal person, can't go from plate to name. I just
| wanna offer to buy cool old shitboxes I see driving around.
| monkeybutton wrote:
| If you have money, is there anything really stopping you?
| Just set up a fake corporate-looking website and start
| contacting vendors! You will have to meet minimum order
| volumes though.
| throwaway0a5e wrote:
| I don't do enough sales volume anymore for it to be worth
| it.
|
| And even if I did I don't exactly want to lead a trail of
| breadcrumbs straight to a title floating operation.
| yial wrote:
| I think you can actually.
|
| In Pennsylvania for example,
| https://pennsylvania.staterecords.org/licenseplate
|
| There's a form to fill out. Looking at the instructions
| it's E or F, so in theory if you can fulfill one of the
| reasons in F, I suppose you don't need the owners
| information.
|
| Outside of the US, you can also request similar information
| - Ontario for example.
|
| http://www.ontario.ca/page/uncertified-vehicle-record
| throwaway0a5e wrote:
| There's a federal law that restricts the info to a list
| of specific purposes (basically that list) and states are
| slowly updating their processing accordingly so you
| generally have to lie on the forms. Different states go
| to different lengths to do their due diligence.
| walrus01 wrote:
| runnerup wrote:
| Houston tracks every car on the major highways by their built
| in Bluetooth interfaces. Even if you do t have a Bluetooth
| phone, the car has Bluetooth and will give up its ID to large
| antennas on the light posts along the highway.
| daniel-cussen wrote:
| License plates also. It's not new.
|
| I think it's fine, if you're going that fast, you can't be
| anonymous. Airplanes aren't, missiles sure as shit aren't,
| the whole atmosphere is under surveillance for anything
| larger than a baseball.
| runnerup wrote:
| Being able to track passengers is a bit new
| shadowgovt wrote:
| Specifically for cars, that's not actually surprising.
| They're between several-to-tens-of-thousand dollar highly-
| mobile multi-ton pieces of hardware that are both incredibly
| valuable should they be stolen and incredibly dangerous
| should they be misused.
|
| The tracking probably shouldn't extend to customer marketing
| uses, but the fact that VINs tie to plates tie to drivers'
| licenses is a system built out of hard decades of experience
| on the kind of damage people can do if the system isn't
| tracked and audited.
| parineum wrote:
| > Specifically for cars, that's not actually surprising.
| They're between several-to-tens-of-thousand dollar highly-
| mobile multi-ton pieces of hardware that are both
| incredibly valuable should they be stolen and incredibly
| dangerous should they be misused.
|
| How does this data prevent either of those things?
| shadowgovt wrote:
| It doesn't. It's incredibly hard to stop a first-time bad
| actor in the general case. To a first approximation:
| that's what the car key is for, but if that fails (or an
| authorized user is the one doing the damage)...
|
| The key is part of the sentence is tracked _and audited._
| It helps to make people whole after-the-fact and minimize
| repeat harm.
|
| To give a few concrete examples: commit a crime while
| operating a car? Your plate is, in modern times, now in
| the databases of multiple police precincts. You will now
| find it difficult to operate on public roads without
| getting pulled over (which also impinges on your ability
| to easily flee from the scene of the crime). Steal a
| whole car and ditch or replace the plate? Your VIN is now
| flagged stolen, so good luck getting any legit operator
| to do work on that car. Crash a car and try to repair it
| and re-sell it with a damaged frame? Again, the VIN is
| logged if you had any professional do major repairs on
| the car. And if the cops pull you over on a public road
| and you aren't licensed to operate a vehicle on a public
| road... Oh boy, hope you didn't have plans this week.
| parineum wrote:
| None of that requires a maintained historical database
| except for the totalled.
|
| Your car gets stolen, you report the VIN and the plate to
| the police, they get a warrant. No Database required.
|
| Your parent was talking about a load of historical data
| that's available via your VIN number.
|
| > History of fines tied to person or vehicle. Dealerships
| and insurance have records tied to the VIN. Who financed
| loans for how much...
|
| If that's all true, that's absurd. All that is required
| for what you're talking about is, at best, a database of
| current owners.
| hnburnsy wrote:
| Interesting...what's the end game, play hard ball if they are
| not rival shopping or give in if they are?
| dylan604 wrote:
| Everything in auto sales is a game. The more information on
| you they have, the more they can "persuade" you to buy at
| numbers more favorable to them. They look at the status of
| your car. If it's clean, they think you're more serious to
| buy and might not have to negotiate as low. If doesn't look
| like you've made the effort to clean it out before getting
| rid of it, they might think you're just shopping.
|
| If they know you're looking at other dealers, then yes, they
| might think they need to play harder. If they know you're
| looking at accessories for this new car, then they can think
| you're more ready to buy. Every bit of detail they can get,
| they will use.
| hnburnsy wrote:
| Seems like rival shopping is on the margin and recouping
| the location service tracking costs feels unlikely or at
| least untraceable in terms of tying it back to an ROI.
| sitkack wrote:
| Not just app data, but you can also purchase celltower data,
| https://airsage.com/
|
| It is easy to fuse with other sources.
| Yhippa wrote:
| Someone more informed might know this better than me: are all
| mobile apps constantly collecting as much data on you as they
| can and reselling it? I had this realization sometime during
| COVID (I know, I'm late to the party). I assume any free (as in
| beer) app is doing this and possibly even paid apps.
| lisper wrote:
| Yes. Of course. Did you really think people develop these
| apps as philanthropic endeavors?
| aftbit wrote:
| <s>Right, just like the Linux kernel and OpenSSL.</s> Just
| because something is free doesn't _automatically_ mean you
| are the product. That said, I agree in this case - lots of
| free scammy apps are free because they make more money that
| way than selling the app.
| minsc_and_boo wrote:
| Sure, but these free mobile apps typically are not open
| sourced projects.
|
| Even so, a not-insignificant number of OS software is
| also a business strategy to buy B2B consulting services.
| Terry_Roll wrote:
| Not all mobile apps, but your mobile phone is your own
| personal surveillance device. So when mobiles first came out
| they didnt have any background noise cancelling algo's so if
| someone's phone "accidentally" called the last person whilst
| it was in their pocket, you could listen into everything they
| were discussing and identify the other people they were
| talking to. The Edward Snowden leaks, showed the phone's can
| be remotely activated if switched off, a bit like the Intel
| Management Engine is for PC's, so to defeat that you need a
| phone you can take the battery out of. If you want to analyse
| it in greater detail, do a replay attack on the transmission
| from your phone, like you can with wifi and then pick apart
| the data that is being transmitted. You might have to write
| your own software and get a suitable SDR dongle to listen in
| to a smart phone, but its doable. About a decade ago, you
| could get apps for android which allowed your phone to
| override the cell traffic management, in other words you
| could make you phone use a particular cell mast when there
| was a choice, as this can also be used for triangulation
| purposes, it offered a level of privacy by ignoring the other
| masts so triangulation couldnt take place. The smart thing to
| do is roll your own OS for your devices, you can even use
| wifi to identify whether someone is carrying a gun or knife
| on their person because different alloys react differently to
| RF signals like wifi, so you could have one of the new Garmin
| Fenix 7 Super Sapphire's with your own OS working with a
| smart phone on you that is also running your own OS scanning
| for metals. Anybody doing a concealed carry near you gets
| found out. Hacking firmware like the OnePlus 8 Camera which
| see's through plastic also removes privacy for people,
| because nylon is plastic and plastics are being used more and
| more in clothes, like winter Fleece jackets.
| https://twitter.com/MaxWinebach/status/1260564386546094081
| https://twitter.com/BenGeskin/status/1260607594395250690
|
| Science is stealing everyone's privacy and I stopped carrying
| a mobile years ago!
| roywiggins wrote:
| This investigation from a couple years ago in the NYT was
| pretty good:
|
| https://www.nytimes.com/interactive/2019/12/19/opinion/locat...
| jonhohle wrote:
| It's funny that when the story is about their political
| allies, that data becomes much less concerning:
|
| > "It's really, really hard to assign even what side of the
| street you're on when you're using this kind of data," said
| Paul Schmitt, a research scientist and professor at the
| University of Southern California.
|
| https://www.nytimes.com/2022/05/29/us/politics/2000-mules-
| tr...
| neuronexmachina wrote:
| Looking at the preceding paragraphs, I'm not sure I
| understand what point you're trying to make:
|
| > Mr. Phillips and Ms. Engelbrecht's case is largely built
| on cellphone data. A report created by the group includes
| an appendix that claims to list "IMEI" numbers of the
| tracked devices -- 15-digit codes unique to each cellphone.
| But each entry on the list is a 20-character string of
| numbers and letters followed by a lot of x's. Mr. Phillips
| said new IDs had been created "to obfuscate the numbers."
|
| >"The same report says the group "purchased 25 terabytes of
| cellphone signal data emitted by devices" in the Milwaukee
| area in a two-week period before the 2020 election. They
| claim to have isolated 107 unique devices that made "20 or
| more visits to drop boxes" and "multiple visits to
| nongovernmental organizations" that were involved in get
| out the vote efforts.
|
| >A number of researchers have said that while cellphone
| data is fairly precise, it cannot determine if someone is
| depositing ballots in a drop box or just passing by the
| area.
|
| >"It's really, really hard to assign even what side of the
| street you're on when you're using this kind of data," said
| Paul Schmitt, a research scientist and professor at the
| University of Southern California.
| jonhohle wrote:
| The parent posted a NYT article about cell phone data
| being used to inferring an individual activity based on
| their location. Recently, the NYT is implying that the
| data isn't really all that accurate and can't be used to
| infer an individuals activity.
| sirsinsalot wrote:
| Even though as a software developer in Europe, it makes my life
| much more complicated, I hope more GDPR-like measures are
| implemented and enforced.
|
| I know that might be at odds with many on HN's opinions, but
| government/regulatory protection for consumers has a place.
| brundolf wrote:
| Reminder that in addition to denying location permissions, on iOS
| you'll also want to turn off "Background activity" for apps that
| don't have a reason to need it. There was an article a couple
| years ago where some apps were polling your course location in
| the background based off of your IP address.
| sys_64738 wrote:
| This is why I don't install garbage apps on my iPhone.
| darepublic wrote:
| I should stop going to Tim's. Not just because of this, in fact
| the thought was already in my mind this morning as I was in a
| huge car lineup for morning drive-thru that extended out of the
| Tim Horton's parking lot and into the side street, barring entry
| to other businesses. And the garbage bins were overflowing with
| discarded coffee cups and dripping with spilt coffee. A rare but
| not insignificant minority of drive-thru workers can be downright
| authoritarian, once you pick up your order from the window some
| of them will bark at you to gtfo, even if you just take a moment
| to settle your coffee cup into it's holder.
| gjsman-1000 wrote:
| Uh huh - if I am Tim Hortons, the slap of the wrist was just the
| price of this valuable information and the insights retrieved
| from it.
| thfuran wrote:
| And it was a steal.
| theptip wrote:
| Say what you will about the pains of implementing GDPR, I think
| it mostly got the core concepts right. We should implement
| something similar in the USA. California's CCPA is a step in the
| right direction, but it seems to lack any teeth.
|
| Apps should not be allowed to collect data on you without your
| consent. And, they should not be able to just claim they need
| everything; without a legitimate need you should be able to opt
| out of tracking like the OP. And finally, the fines should have
| teeth so that offenders are actually incentivized to avoid
| infringing, instead of getting a slap on the wrist and profiting
| from violations.
| emptybits wrote:
| > "This investigation sends a strong message to organizations..."
|
| Canadian here. Sorry, sending a sternly worded message to law
| breakers isn't enough.
|
| > " The good news in this case is that Tim Hortons has agreed to
| follow the recommendations we set out,"
|
| No. GOOD news in such a case isn't an agreement to follow the law
| in the future. Didn't they already do that and then break the
| law?!
|
| Good news in such a case might be, oh let me think ... a
| temporary loss of business license for violation of laws and
| customer trust, and then fines (or revenue loss due to license
| suspension) of a magnitude that shareholders or the parent
| company feel which can then inform the board, executive
| responsibility, policy decisions right down the chain, etc.
|
| This is law-breaking for profit.
| [deleted]
| brailsafe wrote:
| Good thing they were fined into oblivion! Oh wait, they weren't?
| They were just asked to accept some suggestions you say?
| jeffwask wrote:
| - Install our app get $5 off your next purchase - Web special;
| only can only be order via the app - Free fries when ordering via
| our app
|
| They only want your data. Fuck your business. Fuck the food. It's
| all about your data.
| Cipater wrote:
| Hang on.
|
| >The Tim Hortons app asked for permission to access the mobile
| device's geolocation functions, but misled many users to believe
| information would only be accessed when the app was in use. In
| reality, the app tracked users as long as the device was on,
| continually collecting their location data.
|
| Does this mean that the prompt is completely useless?
| Cd00d wrote:
| Not sure why this is getting downvoted. I think it's a good and
| reasonable question.
|
| I suspect it's the difference between an app's prompt and the
| OS's prompt.
| thepasswordis wrote:
| It's so interesting seeing this.
|
| There is currently a film making the rounds in right
| wing/election-interested circles called 2000 Mules.
|
| In the film, the narrator/host purport to have purchased several
| trillions of points of tracing data from the time around the 2020
| election, and _claim_ to have identified "ballot mules", that
| is: people who appeared to be going from various Democrat
| affiliated non-profits to many different ballot boxes in their
| city.
|
| The conclusion being: these people were stuffing ballot boxes.
|
| However, the "technical" take downs of these claims are that this
| location data is not accurate enough to support them.
|
| But then articles like _this_ come out, or many of the comments
| below, which _do_ support the idea that you could purchase highly
| accurate GPS tracking data of "anonymized" cell phone users.
|
| It's just interesting how the technical analysis on these things
| seems to change so dramatically based on what the context is.
| jordanmorgan10 wrote:
| You wanna believe that your data is safe with your donut chain of
| choice. Everyone wants to believe that.
| UI_at_80x24 wrote:
| For those of you who don't know who/what "Tim Horton's" is allow
| me to educate and enlighten.
|
| https://en.wikipedia.org/wiki/Tim_Hortons
|
| It's a 'fast food/coffee' chain that really was made popular by a
| recurring skit on a TV show called: Royal Canadian Air Farce
| (Sketch based usually heavy on the political satire)
|
| The skit had 3 people sitting around a table drinking coffee and
| cracking jokes about current-events and mostly political fiascos.
| It was this lampooning of 'typical Canadian behaviour' of art
| imitating life that caused more people to show up and start
| hanging out at the corner coffee shop. In my small home town
| (40,000 people) there were maybe 3 shops (aka Timmies). During
| this boom to it's popularity that number increased by atleast 10.
| They made their doughnuts in-house every morning, and the coffee
| was tolerated as being acceptable.
|
| As the franchise grew in popularity it became something of a joke
| and expectation that a person could find a Timmies on nearly
| every block, and you would never need to drive more then 10
| minutes to get to the closest one.
|
| Throughout it's financial hardships and ownership changes there
| has been a lot of complaints that "The coffee isn't as good as it
| used to be." And rumours that McDonalds (with it's McCafee push)
| bought Timmies old supplier of beans.
|
| Now the food is no longer made in store, and my impression is
| that the coffee is worse. There have been other cost-cutting
| measures like making the popular contest "Roll up the Rim" (where
| a person could unroll the lip of the cup of coffee to reveal a
| prize from free confections, to money and a car); becoming an
| APP-only prize (more like a lottery style jackpot then a winning
| cup).
|
| In total, I am not surprised. Their quality has gone downhill,
| and the treatment of staff is horrendous.
| hbn wrote:
| The street near where I live has 3 Tim Horton's locations
| within less than a 1km distance (~800m according to a quick
| check on Google Maps)
| mdm_ wrote:
| Downtown Hamilton, or downtown Toronto?
| greenshackle2 wrote:
| Downtown Montreal has 7 Tim Hortons in 1 square kilometer.
| angst_ridden wrote:
| I can see one Timmies from my balcony. There's another
| around the corner.
| hydrok9 wrote:
| Downtown Winnipeg has two right across the street from
| each other!
| mattkrause wrote:
| There are at least three within a short walk of my
| apartment.
| hbn wrote:
| There are provinces other than Ontario despite what
| Ontarians might believe ;)
|
| (Relatively) larger city in Saskatchewan. Not downtown
| either!
| beloch wrote:
| Tim Hortons is _everywhere_ in Canada and they _used_ to be
| decent. The current owners are subsisting on brand recognition
| and market inertia.
|
| Once enough negative associations form with the brand, it'll be
| the work of a generation to turn things around. Tracking user
| locations probably won't have a huge impact on the Tim Horton's
| brand. Most people just don't care enough about privacy issues.
|
| Tim Horton's _real_ problem is that they are becoming known for
| bad coffee, bad donuts, and bad food, while similarly
| ubiquitous chains, like McDonalds, now have decent coffee and
| have added donuts to their menus. If I have to choose between a
| McDonalds burger and a microwaved chicken-finger with a shelf-
| stabilized tortilla wrapped around it from Tim Horton 's, the
| choice is easy. Practically every truck-stop town that has a
| Tim Horton's _also_ has a McDonald 's very close by, so it
| really is just market inertia propping Tim Horton's up at this
| point.
| stewx wrote:
| Also, the chain is named after its former NHL player founder,
| who died after crashing his car while drunk and on drugs.
| rejectfinite wrote:
| Sounds like a based guy tbh
| UI_at_80x24 wrote:
| I'll be honest I assumed that information was in wikipedia.
| jamal-kumar wrote:
| A friend of mine back in Canada is a cop and he told me that
| ever since they switched from Costa Rican beans around 2010 the
| coffee has been bad. I remember a friend of mine got a job
| there and he was like the only things that are fresh on the
| menu are the tomatoes and lettuce, literally everything else
| comes shipped into the store frozen - yet their tagline, on the
| sign of every store and on every cup of coffee, is 'always
| fresh'. heh
| qball wrote:
| >ever since they switched from Costa Rican beans around 2010
| the coffee has been bad
|
| The unfortunate problem for Tim Horton's in Canada is that
| going to McDonalds (of all places) is better in every single
| way- their basic coffee is miles ahead in quality, their cups
| and lids are better, and their food is too.
|
| Sadly, their coffee in the US is absolutely atrocious, to the
| point where I'm not convinced it even qualifies as "coffee".
| parineum wrote:
| > Sadly, their coffee in the US is absolutely atrocious, to
| the point where I'm not convinced it even qualifies as
| "coffee".
|
| I prefer it to starbucks.
|
| I typically make my own coffee but if I'm looking for a
| drip coffee and I'm out, I got to McDonalds.
| jamal-kumar wrote:
| I don't patronize ANY of these chain places. Like I might
| get a donut and a coffee at the airport from tim hortons
| because that's literally all there is open at 2am but
| i've just never been impressed by literally any big
| franchise and kinda feel more cheated I spent 10$ on some
| meal or whatever that really doesn't cost that much. It
| blows me away that people compare them cause they're
| literally all atrocious. I had a girlfriend come to
| Canada at one point and she was so un-impressed by the
| fact that people act like timmy's is some national
| treasure.
|
| A friend of mine in Costa Rica knows Starbucks has a
| pretty funny trick to say they have coffee from there
| (Higher altitude begets better coffee). They actually
| just ship it in these big bags with the 'hecho en mexico'
| eagle on them and then re-bag it in Costa Rica. It's
| incredibly non-sustainable.
| parineum wrote:
| Well, you're at the airport at 2am and there's a Tim
| Horton's, a Starbucks and a McDonald's next to each
| other. This is the situation I'm talking about (though I
| was thinking on a road trip and wanting a quick coffee).
| I'd choose McDonald's.
|
| I'm not super picky with coffee but whenever I've had
| Starbucks drip, it's tasted burnt. They make their money
| on the coffee milkshakes and it shows.
| brailsafe wrote:
| This is the only reference I've ever seen to Air Farce outside
| of my own childhood, in which I'd watch it with my grandmother.
| Incredible summary
| rileyphone wrote:
| Tim Horton's was bought by RBI, which also includes Burger King
| and Popeye's. They run things super lean, though quality at the
| restaurant is going to be mostly up to the franchisee. For
| Tim's, I got the feeling that they don't really understand the
| customer; business seems to be doing fine since the
| acquisition, though the grumbling doesn't stop.
| loceng wrote:
| "becoming an APP-only prize (more like a lottery style jackpot
| then a winning cup)."
|
| Sooo they could track exactly where their customers were going?
| skipants wrote:
| >Consistent with this explanation, our Offices confirmed that the
| SDK tracked, as Events, home, office, geofenced locations
| (including its competitors), and travel in and out of Canada. For
| example, news articles had noted that an event was recorded with
| computer code such as "user.entered.place" with "place.name":
| "Rogers Centre", or "user.entered.office".Footnote 16 Using open-
| source resources and tools, the investigative team's technology
| analysts determined that the SDK programming code included the
| following: USER_ENTERED_HOME; USER_EXITED_HOME;
| USER_ENTERED_OFFICE; USER_EXITED_OFFICE;
| USER_STARTED_TRAVELING; USER_STOPPED_TRAVELING; and
| USER_ENTERED_GEOFENCE; USER_EXITED_GEOFENCE.
|
| This is just downright appalling.
| Gak2 wrote:
| quick google search... looks like the LiveShopper SDK
| [deleted]
| cs702 wrote:
| The industrial data-gathering complex is expanding into ever more
| ethically dubious, ever more ridiculously unjustifiable niches.
|
| For an instant, I thought the OP might be a link to a fake story
| in _The Onion_.
|
| I mean, it wouldn't be out of place there: "Fast-food chains
| collecting vast amounts of location data."
|
| And yet, no one is shocked.
| juice_bus wrote:
| > The app also used location data to infer where users lived,
| where they worked, and whether they were travelling. It generated
| an "event" every time users entered or left a Tim Hortons
| competitor, a major sports venue, or their home or workplace.
|
| yikes
| [deleted]
| micah63 wrote:
| When Burger King "bought" Tim Hortons in 2014 (I believe this was
| a tax evasion effort by Burger King to leave US and "merge" with
| a Canadian food company), the whole experience went to pot. This
| was a Canadian institution. I won't even step foot in a Tims
| anymore, the food, the customer experience, the app, it's all
| junk.
| midasuni wrote:
| Interesting. My first trip outside of Europe was my honeymoon
| in 2008 to Canada. Various tour guides told us that Tim Hortons
| ("Timmy's") was a Canadian institution.
|
| Since then I've travelled a fair bit in US cities and a little
| in Canada and the only real difference I can see is that Canada
| has a Tim Hortons on the corner.
| Marsymars wrote:
| I mean, I'd still call it a Canadian institution, but it's
| not _good_.
|
| > Since then I've travelled a fair bit in US cities and a
| little in Canada and the only real difference I can see is
| that Canada has a Tim Hortons on the corner.
|
| Depends where you go. There's probably more of a different
| cultural feel in Quebec and the Atlantic provinces. e.g. Cafe
| Olimpico is a Montreal institution that feels
| quintessentially Montreal. (And the US has places with very
| different cultural feels to each other - of places I've
| visited, Honolulu isn't very similar to Billings - but I'm
| less familiar with the US than Canada.)
| midasuni wrote:
| I was amazed by many things with our 3 weeks in Canada,
| including how cheap car hire for a massive (Ford escape)
| car was, how wide the roads were, how off road logging
| roads were
|
| But one thing that stuck with me was seeing things I'd only
| ever heard of in tv/movies - Wendy's and Dairy Queen come
| to mind.
|
| But I'd heard of them. And of course Starbucks (which we
| had in the U.K.)
|
| Never heard of Tim Hortons though, which I guess shows the
| relative strength of a medic an cultural exports vs
| Canadian cultural exports.
| jjkaczor wrote:
| It got even worse when it was sold (and re-sold?) - don't ever
| go back.
| LegitShady wrote:
| counterpoint - Tim Hortons quality has been in serious decline
| for far longer - when they stopped baking goods in-store in
| 2002.
| ShroudedNight wrote:
| > when they stopped baking goods in-store
|
| Technically, I believe they still bake things, but they
| certainly don't prepare the doughnuts from scratch on-site
| anymore. Indeed, quality declined spectacularly when their
| slogan changed from "Doughnuts" to "Always Fresh".
| LegitShady wrote:
| No you're incorrect here - they don't bake them in store
| anymore at all - the donuts etc are shipped baked and
| frozen and are defrosted only.
| octobus2021 wrote:
| I'm against companies tracking my whereabouts and wanting to know
| everything about my personal life. However. Here's what the
| "charges" are as per the statement:
|
| >The investigation concluded that Tim Hortons' continual and vast
| collection of location information was not proportional to the
| benefits Tim Hortons may have hoped to gain from better targeted
| promotion of its coffee and other products.
|
| So it's obviously ok for a business to collect information. This
| includes information _legally_ collected from customers' phones
| (I'm sure everybody just clicks OK agreeing to the terms when
| installing the app). So what's the issue? That the amount is
| "vast"? That it's "continuous"? That it's "not proportional to
| the benefits"? Who decides what's vast and what's not, what's
| proportional and what's not? I'm really not getting what they're
| being accused of doing. They got a lot of data and had no clue
| what to do with it (missed opportunity if you ask me), is that a
| crime now?
| DebtDeflation wrote:
| I may be in the minority here but IMO the only really
| legitimate purpose a "Tim Horton's app" would have for
| accessing location data would be to push offers to you when
| you're near one of their stores, and that should be opt-in not
| a default. Also, there's no legitimate reason for them to
| actually be storing the data - it's an app that you use to
| purchase coffee from retail locations, it doesn't need to track
| me 24/7 and store the info in a database. The number of apps
| that ask me for permission to access my Location, Contacts,
| Phone, Microphone, Camera, etc. is appalling. I feel like we
| need to revisit the whole idea of telemetry in mobile apps,
| like start over from scratch.
| MiddleEndian wrote:
| >I feel like we need to revisit the whole idea of telemetry
| in mobile apps, like start over from scratch.
|
| Also the operating systems. You get a new Android phone,
| Google Maps randomly comes up and tells you "Hey you're at
| this location, want to do this check-in bullshit?" even
| though it wasn't previously open. And yet, the app list
| button only shows a few things that have viewable windows, no
| easy way to see every background task that's running adn
| presumably spying on you. It's designed like this
| deliberately.
| octobus2021 wrote:
| There're ways to get rid of all of it already. Get a
| dumbphone/featurephone, install open source OS, or even get
| a phone with one installed. Yes, they're more expensive and
| way less polished. Android is way more developed, has a
| large number of apps, and it's free (at least Android OS
| itself). Why do you think that is? Who do you think is
| paying for all that?
| hughw wrote:
| Yes, it is a crime.
| octobus2021 wrote:
| In case if it was not clear from the way I phrased my
| question, it doesn't make any sense. The business _legally_
| collected marketing information and then got fined because
| they collected too much, did it for too long, or didn't make
| a good use of it. I just don't get it.
| LegitShady wrote:
| >Who decides what's vast and what's not, what's proportional
| and what's not?
|
| The people who conducted the investigation - the Office of the
| Privacy Commissioner of Canada
| lykahb wrote:
| Is there any other purpose of making an app other than
| surveillance and ads?
| indymike wrote:
| In this case, taking an order from a consumer and collecting a
| payment comes to mind.
|
| Just because you have a useful app doesn't mean you have to
| sell the user's location data to make money, ESPECIALLY if you
| are ALREADY making money with the app.
| gruez wrote:
| > In this case, taking an order from a consumer and
| collecting a payment comes to mind.
|
| all of this can be done in a web app, including the payment
| (apple pay).
| unfocused wrote:
| The actual detailed report can be found here:
| https://www.priv.gc.ca/en/opc-actions-and-decisions/investig...
|
| Essentially, both Android and iOS apps were collecting data. Also
| interesting to note, that Ontario accounted for 54% of purchases
| in May 2020, of people that used this app. I wonder how close it
| to actual sales.
|
| Full disclosure, I just used this app today in Ottawa. Doh!
| tossstone wrote:
| Ontario contains almost half of Canada's population so that
| seems very plausible
| paxys wrote:
| Ontario makes up ~40% of Canada's population, so that isn't too
| far off. It probably goes up to >50% when you filter on young
| urban professionals, who are the target demographic of Tim
| Hortons.
| mb7733 wrote:
| What kind of yuppie goes to Tim Hortons?
| hydrok9 wrote:
| I think there's lots, certainly doesn't seem to be thought
| badly of among the young adults I know
| brailsafe wrote:
| Are you urban though or suburban? The suburbs have
| basically no options for anything that they serve.
| brailsafe wrote:
| Not even yuppies in MB go to Tims
| tempest_ wrote:
| Aha that might be their target but young urban professionals
| are not likely to be the largest demographic.
|
| That demographic prefers Starbucks, and more likely some hip
| 3rd wave place over timmies.
| brailsafe wrote:
| Ya that surprised me. I'm sure as hell not going to Tims if
| I can help it.
| 3qz wrote:
| > young urban professionals, who are the target demographic
| of Tim Hortons
|
| Are you sure? Tim's is always full of blue collar guys and
| old people whenever I go in. Starbucks is for yuppies.
| brailsafe wrote:
| Tim Hortons is a place for people with either no taste, no
| money, or no choice in where they get their various coffee
| and snack fixes.
| davidkuennen wrote:
| Crazy. I suppose they stopped after Google and Apple tightened
| their rules in 2020 regarding location tracking and not because
| of a change of heart.
| LegitShady wrote:
| they don't say exactly when and why they disabled the tracking
| except "in 2020", but in june 2020 when the original expose on
| their trackign appeared in the Financial Post, tims had no
| plans to disable the tracking, just to edit their privacy and
| other policy texts so that it wasn't outright them lying.
|
| https://financialpost.com/technology/tim-hortons-app-trackin...
|
| There is the above privacy investigation but also a bunch of
| class action lawsuits filed in multiple provinces.
___________________________________________________________________
(page generated 2022-06-01 23:00 UTC)