Jordan: If you use the internet or you have a smartphone, you probably assume that some big technology conglomerates know a lot about you. Google Apple, Amazon, whoever provides your internet service, you produce enough data just walking around that all of those folks probably know where you’re going, where you live and work and all that stuff.
But the place that serves you, your mediocre morning, double, double? Really?
News Clip: Tim Horton’s, they’re out with a really cool new app. What you can do is go in and select your double double, and you can select some food and pay an order from your app and pick it up.
Jordan: Yes, really. Tim Horton’s, if you use the app, might be tracking you right now.
And this is the story of what happened when one reporter tried to find out exactly what the coffee company knows about him and why exactly they want to know that stuff, and what they might be doing with it. And also who else might be doing this? Because if your local coffee chain can compile this amount of information about its customers, well, what’s stopping everyone else?
I’m Jordan Heath-Rawlings and this is The Big Story. James McLeod is a business technology reporter for the Financial Post. Hi James.
James: How’s it going?
Jordan: It’s going very well, except I’m now wary of everything on my phone.
James: Well, that’s probably healthy.
Jordan: Why don’t you just start by telling me, how the hell did you get onto this story about what Tim Horton’s knows about you? What prompted it?
James: So it was early October of last year. I was at home cooking dinner and I got this notification on my phone, my personal device is a Pixel3 XL, which had just updated to the latest version of the Android operating system. And I got this notification that basically said, ‘Hey, just so you know, Tim Horton’s checked your location in the background’.
There’s a new feature in the updated Android system that you can now limit this if you want, and only let it access your location when you’re using the app. And so that’s sorta twigged me to thinking, I hadn’t had the Tim Hortons app open for hours and hours. Probably not since I ordered a cup of coffee in the morning.
And so I was sorta wondering how often is this app checking my location in the background? And from there, I kind of started digging into it and I was pretty surprised by what I found.
Jordan: How did you start digging into it, where do you begin to try to figure out what they know?
James: So there’s a law in Canada called PIPEDA, which I always forget what the acronym stands for, but it’s Canada’s data and privacy law, and a provision in there that not a lot of people are familiar with, is any time a corporation is collecting data about you as an identifiable individual, you have the right to request to see everything they’ve got on you. And it’s as simple, there’s usually an email address and the privacy policy, you send a formal request. And 30 days later I got back a trove of data that was everything that Tim Horton’s had about me generated by the app.
Jordan: And when you looked at that data for the first time, what was your initial reaction?
James: I haven’t actually told anyone else this yet, but my initial reaction was, what I got was a few spreadsheet files that were just really basic profile data, and then I had these 12 text documents and this is in early November of last year. I opened up one of the documents and it was just a wall of jibberish, it looked like computer code. And at the time I took one look at it and said, well, I can’t read that. And basically it sat in my inbox for another couple months, until early January when I was working on a different story about location stuff, and I sorta was thinking, I should really go back and see if I can make sense of those Tim Horton’s files. Maybe there’s something in there. I reached out to a friend of mine who’s a game developer, and he took one look at the data and said, ‘Oh yeah, I can help you read this, no problem’. And just on the phone with him going through it, we very quickly identified that there was a lot of location data in there. And the more digging in I did, the more sort of shocked I was by how much Tim Hortons was doing in the background.
Jordan: So for those of us that don’t have the Tim Horton’s app or similar apps, like it, just walk us through the user experience, how do you use it? What do you assume it’s doing versus what it is?
James: So the basic function of the app is just mobile ordering. So I loved the app because it was super convenient, on my way to work, you just pull it out a few blocks from the Tim Horton’s, tap, tap, tap. I want a coffee and a bagel, it’s got my credit card details. It transmits the order to the nearest location, and you just walk in, your coffee and your food is waiting for you. Easy breezy. The other part of the app is it’s got a loyalty program built in. So you buy, I think it’s like seven coffees and get the eighth one free, or six coffees and get the seventh one free, something like that.
And as a tech reporter, I knew this was a data harvesting play on some level, any loyalty program really is about tracking a consumer. Every time you swipe your Air Miles card or whatever it is, it’s all about sort of following an individual consumer and understanding consumer behaviour.
The thing I didn’t appreciate is when you install the Tim Horton’s app, it asks for location permission because it needs to know where you are, so it can route your order to the nearest Tim Horton’s franchise. But it turns out, and I’m sure we’re going to talk lots about this, Tim Horton’s was actually using the location information to find an awful lot about me and every other person who’s using the app.
Jordan: How much is it finding out? How much data does it collect?
James: The thing that I determined is Tim Horton’s is working with a company called Radar Labs, and they’re an American company. Their whole business is sort of geolocation stuff, and apps that have radars technology in them essentially send a steady stream of GPS data to their servers when you’re in motion. It can be as often as every three to five minutes, the phone is pinging your location. And when you’re stationary, it slows down to once every 10 minutes or so. And so radar collects this steady stream of GPS coordinates and analyzes them, and is basically sending back to Tim Horton’s a series of interesting observations and inferences based on their analysis. So for example, right away, they figured out where I live and where I work. I hadn’t disclosed that to the company, but it’s not really hard to figure out like where I’m going every day between 9:00 AM and 5:00 PM, where I’m spending every night.
So they correctly inferred my home location and my workplace. They were also using the GPS signals to track every time they thought I was visiting one of their competitors. So writing the code, you could see like ‘user entered place:true’. And then a couple lines down. It was ‘place name:McDonald’s or Starbucks’, and there’s a whole list of them.
Off the top of my head I think it was Starbucks, Second Cup, McDonald’s, A&W, Kentucky Fried Chicken, Pizza Pizza, Subway, a bunch of others. Then the other thing they were doing was every time I traveled more than a hundred kilometres from home, they were also making a note of that and where I went to. Every time I went traveling, they wanted to sort of keep track of where I was going. So I found notations of like visiting my parents’ farm, which is about a two hour drive outside Toronto. I went to Winnipeg last summer for my cousin’s wedding. They even sort of had the whole details of my vacation to Morocco through this. It was pretty wild.
Like you could literally see, we took all the location coordinates out of the data and plotted them on a map. And the guy at the office who was sort of doing this, sent me an email and said, ‘I think there’s some garbage data in here, were you in Morocco last year?’ And sure enough, I got on a plane and you could see when my cell phone picked up the cell network in Amsterdam, which is where I had a layover.
And then I took another flight to Morocco, and because I happen to walk past a Kentucky fried chicken in downtown Marrakesh, they logged my location in downtown Morocco. So I could see the whole pattern of my vacation just logged through the Tim Horton’s app.
Jordan: What was your first reaction when you realized how extensive this was?
James: I was shocked. Perhaps I should have known because I mean, my full time job is I’m a technology beat writer for a business publication. And a thing that you hear a lot from sort of cynical technology people, is if it’s technically possible to do something, you should probably assume that someone is doing that thing.
But the kind of intimate details, rhythms of your life, where you live, where you work, where you visit. And there were data points in there that Tim Horton’s wouldn’t even recognize the significance of, but I could sort of see my ex girlfriend’s house on the map. I could see the time I went to the airport to pick up a friend who was visiting from out of town. You can sort of see a trace of your whole life just through these data points. And it really felt very intimate, what they were able to see about me.
Jordan: I mentioned in the intro to the show, that I kind of assume that because they carry a smartphone, the big tech companies know about me. I would be dumb to think that Google and Amazon and Apple don’t know that kind of stuff. But the reason I think this story feels so different is it’s such an innocuous little app. And if Tim Horton’s is doing it then who else is? Everybody right?
James: Yeah and that is a thing that, in full fairness to Tim Horton’s, one of the things they’ve sorta told me is that they are not at the cutting edge of this stuff.
And I view this story as a case study in what many companies are doing. I encourage people to read the story on the Financial Post website, it’s pretty extensive, and think about it in terms of what apps have access to your location on your phone and any app that you’re giving information to, whether it’s uploading photos, whether it’s location information, whether it’s something else, maybe your voice or a video. Whatever data they can get, they are going to try to extract the most value out of, because this is how you compete in business in the 21st century. It is all about targeting and profiling and understanding your consumers to drive incremental revenue. And it really is an arms race, where everyone feels like they need to do it because everybody feels like their competitors are doing it, and if they don’t do it too, they’re going to get left in the dust.
Jordan: Explain the practical nature of what you just described, what would a company like Tim Horton’s do with that information of where you are and when you’re near their competitors and et cetera? How would they monetize it, capitalize off it, et cetera?
James: So the cheeky example and, Restaurant Brands International, which is the parent company that owns Tim Horton’s, also owns Popeyes and burger King. And last year, I think it was, they had a promotion where if you ordered a Whopper from Burger King inside a McDonald’s location, they’d give you a dollar off.
And that was sort of a fun cheeky example. It was sort of on full display, what was happening there, but when you open the Tim Horton’s app, they sometimes put promotional offers in front of you. And the whole idea here is, the better they know their customer the more they can target that customer to sort of maybe, sell them a sandwich instead of just a coffee or introduce new products to them that they think they may like. And as I’m saying this, I realize it’s a not obvious connection between figuring out where people live and work with the GPS unit on their phone, and figuring out who to target a sandwich promotional offer too.
But the thing is that this data is so cheap to harvest it’s basically no cost to just scrape it and store it and analyze it, that the incentive is very much for every company to scoop up as much as they possibly can and just figure out how to use it later.
Jordan: Now that I’m just thinking about it based off what you said, I mean, they probably know based on when you walk into their competitors, what time you get hungry every day and send you an offer then.
James: Yeah, it’s the sort of thing where that line of thinking that I mentioned earlier, where if it’s technically possible to do something, you should assume they probably are doing it, really opens you up to a kind of paranoia that I think is unhealthy. I’m sure you’ve had the conversations with people who are convinced that their phone is listening to their conversations.
Jordan: We have that conversation in story meetings probably every two weeks.
James: And I’ve never seen anyone prove that it’s happening, but after going through this, I’m a lot less ready to sort of dismiss it out of hand and say that’s definitely not happening, because these systems are deliberately opaque. All you see is the end experience that’s personalized for you based on some data, and you don’t know what it is. It seems unhealthy to me just because if you don’t know what they’re using to track you, It really invites the mind to go to a very suspicious place that I think is ultimately corrosive for society.
Jordan: So tell me then I guess how much information does the average user of this app get about what the app is collecting and when you talked, cause you mentioned you talked to Tim Hortons about this, what did they say to you when you showed them this?
James: So Tim Horton’s basic position is that users consent to this kind of tracking because they turn location permission on.
So, they let us access their location, that means they’re consenting to us checking up on their location. And there is of course a very dense and impenetrable privacy policy, but in the app, there’s also a shorter sort of FAQ document, and actually originally, before I contacted Tim Hortons, there was some misleading information in that document, which said that Tim Hortons uses your location only while you have the app open to find your participating restaurants and send you location-based offers. I’ve seen my data. They’re not only tracking you when you have the application open. And after I contacted Tim Hortons and pointed this out, they quietly changed the privacy policy. And now it sort of says it’s complicated. And they mentioned that they may send you something based on your commute. They may send you something based on the community where you live, but they definitely aren’t making it clear to users that they know where you live, that they know where you work, that they know where you go on vacation.
Jordan: Is there any way for a user to limit that data collection and still use the app for what it’s intended to do?
James: It’s getting better. Apple and Google have both been making changes. And it does depends to a huge extent on what operating system your phone is running. Apple has had better privacy controls for quite a number of years. And Google is sort of playing catch up on this front. As I mentioned at the beginning of this conversation, the reason I got suspicious about this is because my phone had updated to Android 10, which allowed for sort of a granular, either granted location access all the time, deny it location access all the time, or granted only when the app is open and running on your phone.
And so of course I’ve now limited the Tim Horton’s app, so it can only see my location when I open the app. But they are going farther, there are signals that later this year Google is going to get even more strict about this. I would say that this kind of opens them up to some accusations of hypocrisy because Google is tracking absolutely everything about you.
And there are a lot of people who sort of say that Google is just trying to make sure that they’re the only ones who can do this hyper-targeted advertising because they know everything about you. But understanding the settings on your phone is important. But what I would say is these apps are built in a way where the choices maximize data collection. Tim Horton’s could have separated the loyalty program out from the store locator function.
But the fact that those two things are built into the same app gives them a reason to ask you for location permission and you say, yeah that makes sense because they need to know my location to locate the nearest store. And so to some extent, companies are always going to try to build their products in ways to get the maximum amount of data, and you really have to be vigilant and careful about that.
Jordan: What do privacy experts say about this kind of stuff when you ask them? Is this just all fair play?
James: I don’t think anyone would say this is, well, I mean, some people might say it’s fair play, but most people are in the sort of technology privacy discussions are pretty cynical. What we are walking around with in our pockets are effectively surveillance devices that can find out enormous amounts of information about us and Google makes a lot of money off of advertising targeted at people. And that’s a part of why they have the Android operating system to sort of own and operate on this mobile platform.
I do think that a lot of people think that the focus needs to be on regulation, that it is misguided to think that consumers can meaningfully make choices on this stuff. Because these services are built in such a way that you don’t really know what’s going on. And in fact, as I mentioned, the kind of language in the Tim Horton’s app really led me to believe that this kind of location tracking wasn’t happening until I saw the data for myself.
So ultimately I think it will, at some point come down to what kind of regulations we put in place and how good enforcement is, to prevent companies from just scooping up and tracking everyone as much as they possibly can.
Jordan: In the meantime before that happens, you kind of touched on it a bit before, but can you maybe give us the location settings for dummies explanation for how anybody can just make sure that this isn’t happening, where they don’t want it to?
James: Yeah. So, I mean, whether you’re dealing with Android or iOS, you should be able to go into the settings on your phone and look at the app permissions. And that is something that everyone should just make a habit of doing on a regular basis and just scanning through and seeing which apps have access to which parts of their phone. I’m literally, while we’re talking, I’m sort of looking at it now and just sort of seeing which apps, I’m not going to read them all out because that would reveal some personal information about me on a podcast, but which apps have had access to location,
Twitter keeps asking for access to my location so I can attach it to tweets. I’m never going to give Twitter my location. It doesn’t need that. I don’t want Twitter to know where I am. Making a habit of doing that and doing that in a maximally defensive way is just good digital hygiene at this point.
It’s probably too complicated for me to walk through step by step across both operating systems. But yeah, go to Google or Duck Duck Go if you’re worried about your privacy, and just search for how to manage location permissions, and there’s lots and lots of tutorials online about how to find exactly where those settings are and how to scale back permission so the apps you don’t want to know things about you, you can wall them off as best as possible.
Jordan: My last question is just to you as a tech reporter, did the process of reporting this story change how you’ll use your phone, once we’re actually allowed to go places again? Was this shocking to you?
James: I’ve had a lot of time to sort of digest this and there were definitely moments where I was shocked. Just sort of seeing the frequency of the data. I think I determined that they logged my GPS coordinates something like 2,700 times in the space of four or five months. That’s a lot. That’s not even every single time they accessed it and sent it to radar.
That’s just sort of the interesting events that they logged in the data. The thing that I’ve really been thinking about is, I still like Tim Horton’s coffee. During the pandemic, I’ve actually been brewing Tim Horton’s coffee at home because I like it.
Jordan: Why?
I had been drinking Tim Horton’s coffee since I was in high school. It is familiar. I know this is maybe the most controversial thing we’re going to talk about, but I like the taste. Coffee and a bagel is probably the meal that I have eaten most often in my life, just because it’s a part of my breakfast nearly every morning, and I really appreciated the convenience.
I didn’t like fumbling for my wallet and waiting in line and going through spending the 10 minutes to get in and out of the store. And it was super great to just tap, tap, tap on my phone, and then have my order waiting for me there. And it is disappointing to me that we can’t have these services without companies bolting on data collection tracking on the side.
And the only choice you really have as a consumer, is to accept the tracking or opt out of 21st century services. All on its own, for Tim Horton’s, the app should be a win-win. It’s convenient for customers, and it saves them on labor because it’s fewer people who are going to the cashier.
This is an efficient system that’s better for everyone. But because companies can’t resist or feel like they can’t give up the tracking stuff, because they feel their competitors are doing it. It just leaves consumers with this choice of either, just step away from technology altogether, or accept this level of surveillance.
And that is really unfortunate to me. And that’s the big thing that I’ve been thinking about a lot.
Jordan: James, thank you so much for walking us through this so clearly. And I know our offices are not that far from each other, so when we eventually do go back to work, I’m going to make a point of buying you a good coffee.
James: Well, there’s a Tim Horton’s right on the corner there. It’s great. I go there all the time. They know.
Jordan: They do know. Alright, thanks a lot, man. Have a great weekend.
James: Thanks for having me.
Jordan: James McLeod of the Financial post. That was The Big Story, a slightly terrifying one. We have lots of terrifying technology stories and you will find them all at thebigstorypodcast.ca. We don’t track you if you go there, at least I don’t think we do. You can also talk to us on Twitter at thebigstoryfpn. And of course, we are wherever you get your podcasts on Apple, on Google, on Stitcher, on Spotify. Leave us a rating and review there, or email us at thebigstorypodcast@rci.rogers.com. And tell us what you think and what we should be covering.
Claire Brassard is the lead producer of The Big Story. Ryan Clarke and Stefanie Phillips are our associate producers, Annalise Nielsen is our digital editor and Joseph Fish is our intrepid research assistant. Thank you so much for listening. Have a safe weekend. We’ll talk Monday.
Back to top of page
