Canadian fast food chain Tim Hortons had app users under constant surveillance

Originally published at: Canadian fast food chain Tim Hortons had app users under constant surveillance | Boing Boing


Donuts need apps! /s


The privacy creep of Big Donut has been accelerating for decades.


Not.Canadian anymore, owned by RBI , which also owns Burger King, and is majority Brazilian owned. Most people have lowered their expectations of Tim’s in recent years, but good locations and few alternatives keep them going. When things get really bad, they pull Bieber out of the hat… ( like now, for instance ) I don’t go there, mostly because two fifty for a teabag, but if someone throws a breakfast sandwich my way I’ll eat it. There is kind of an expectation that when someone goes to Tim’s they have to bring something for everyone back, whether work or play, and that gets expensive fast. I knew a woman whose husband worked in the trades and spent over 800$ a month that way :slight_smile:


Christ, big data is just totally out of hand at this point. I’ve deleted most apps from my phone, blocked all the rest from accessing anything (except Google maps, and I probably should block it’s geolocator too except when I’m on the road), use ad blockers and tracker blockers on my computer, but it’s nuts how much you have to do to avoid all this crap. And not enough people seem to care for it to ever change.


So this is why a new Tim’s pops up everywhere I go?


I have a universal app on my phone. It’s called The Browser.

(I do have a couple company apps, like the reserve-a-spot one for mom’s medical tests.)


This! Very important - they went downhill rapidly when RBI bought them. Once upon a time they at least had good donuts, but then they decided they needed to turn themselves into Krispy Kreme 2, Overly Sugared Boogaloo, re-design their boxes to be hugely wide floppy things that fall apart when you’re trying to carry them, and generally drop the quality on everything while raising prices.

I think the last time I willingly stepped into a Tim Hortons was several years ago, and I turned around and left because the police were there arresting one of the staff. Didn’t ask why, no idea what was going on, just the cops dragging (yes dragging) a rambling/babbling guy in a Tim Hortons uniform in handcuffs out of the back rooms. Kind of leads to not trusting whatever’s on the shelf to sell, you know?


I’ve never worked with a Brazilian company, but I have been involved in a lot of contract negotiations with American business people and lawyers. Most of the time, the law and culture is similar enough that there’s no significant misunderstandings but privacy is definitely a problem area. Sometimes they assume Canada operates under the GDPR. Other times they assume we have the same lackluster privacy protections the US has. Either way, it’s something you always have to watch out for.

You can see this when Clearview AI’s CEO makes public statements about how they did nothing wrong because the information they collected was all available publicly on the Internet, completely missing the point that this doesn’t matter at all under Canadian law. And of course, in this article we have:

Tim Hortons halted the continual tracking of users’ locations in 2020 after the government began investigating. But that “did not eliminate the risk of surveillance” because “Tim Hortons’ contract with an American third-party location services supplier contained language so vague and permissive that it would have allowed the company to sell ‘de-identified’ location data for its own purposes,” the Office of the Privacy Commissioner said. As the office noted, there “is a real risk that de-identified geolocation data could be re-identified.”

I know that clause. Not that EXACT clause because I don’t work for Tim Horton’s. But I have had conversations about this kind of clause numerous times.


Every app like this that could just be a website, is only doing it because they can get away with more of this data fuckery than they could through a browser.


Well, it was that or putting a GPS tracker in the Timbits…


Just to be clear, this is on Android phones only. On an iPhone apps are completely blocked from accessing the location APIs without showing an explicit dialog box to the user asking them to authorize it.

Articles like this one that Rob links to always generalize with statements like, “it was was tracking people all the time without their consent!”. That is not possible on iPhone.

In this case, the specific claim is:

"The Tim Hortons app asked for permission to access the mobile device’s geolocation functions but misled many users to believe information would only be accessed when the app was in use. In reality, the app tracked users as long as the device was on,

This is not possible on an iPhone. If the user clicks “allow location only while using app”, the app is completely blocked from the location APIs while in the background. There is a no way around this. It’s a supervisor-level service in the OS. If they block location access entirely or say “no way” in the dialog, all location API access is completely blocked. You can’t call the methods in the API to access that hardware, period.

Android is a different and much messier story. Some newer versions ask for permission of the user, but all older ones do not and you can use pretty much any service with no permission. On older versions even big permissions like GPS are install-time permissions so the user consents forever without realizing when they download the app. Android is a security dumpster fire.

Source: I was a mobile developer for ten years and regularly dealt with advertising SDKs which push as hard as they can on permissions like this.


You can join the EU after Australia has


Now the U.K. has left the EU, I’m sure the space left can accommodate Canada - it is in NATO after all…


There are other countries in NATO we definitely don’t want, though… :us:

1 Like

Oh sure. Let in the country with the warmer climate first. Let me point out that Canada has no crocodiles.


And only a few venomous snakes (zero annual fatalities), no platypuses with their venomous spurs, no funnel-web spiders, and no fucking box jellyfish. Canada is a paradise when it comes to wildlife.


This topic was automatically closed after 5 days. New replies are no longer allowed.