Smartphones have forever changed humanity. I’m convinced they constitute one of the greatest inflection points in human history, on par the discovery of the wheel or the Industrial Revolution. But still, does everything need its own app? I mean, seriously, a pocket supercomputer is beyond the wildest dreams of even folks in the early ‘90s, but do I have to have an app for each coffee shop I want to order from?
It’s great, sure, the convenience of it all, but there may also be costs, especially if your coffee app of choice is for Tim Hortons. The Canadian coffee and donut brand’s app has been tracking users’ movements without their consent, even when the app wasn’t in use.
It’s all very disptopian, dis-spro-pian even. As reported by Ars Technica, the app would track users location and movements every few minutes of every day, whether the app was actively in use or not. According to an announcement by Canada’s Office of the Privacy Commissioner based on their own investigation, “The Tim Hortons app asked for permission to access the mobile device’s geolocation functions but misled many users to believe information would only be accessed when the app was in use. In reality, the app tracked users as long as the device was on, continually collecting their location data.” With those data points, it would infer where the user lived, worked, when they were traveling, and would “generate an event” any time they went to a Tim Horton’s competitor, a sports venue, and to and from their home and office.
The surveillance was first discovered thanks to a reporter at the Financial Post, who found through his own use of the app that his geolocation had been recorded over 2,700 times in less than five months, despite being told that it only tracked location while the app was in use. That June 2020 report kicked off the investigation by the Canadian government that now finds the app was acting in violation of the country’s privacy laws.
Tim Hortons halted collecting geolocation data via its app shortly after the investigation begin, but because their contract with an American location services supplier “contained language so vague and permissive that it would have allowed the company to sell ‘de-identified’ location data for its own purposes,” per the Office of the Privacy Commissioner,” halting collecting data didn’t equate to eliminating the risk of surveillance. There still exists “a real risk that de-identified geolocation data could be re-identified.”
According to Ars Technica, the coffee and donuts brand doesn’t appear to be facing any punishment for the violation. The company has been made to delete any location data they still had, as well as instruct their third-party partners to do the same, and has agreed to “implement the agencies’ recommendations” to bring the app into compliance with Canadian privacy laws.
It’s like the old saying goes: It’s better to beg for forgiveness for illegally collecting users’ location information than ask for permission to legally do so, because there are literally no consequences for you actions and you don’t want to miss out on all that sweet, sweet data, softly falling all around us like so much icing sugar atop the cake donut of modern life.