While customers thought they downloaded the restaurant’s mobile app to make it easier to order and pay for coffee and other menu items, the app actually tracked their movements and recorded them even when it wasn’t open. Although the app did ask for permission to access a mobile device’s geolocation functions, it misled many users who believed their location information would only be accessed when the app was in use. To make matters worse, the app also used location data to infer where Tim Hortons’ customers lived and worked and whether they were traveling. In fact, the app generated an “event” each time customers entered or left one of the restaurant’s competitors, a major sports venue or their home or workplace.
Selling de-identified geolocation data
According to a press release from the Office of the Privacy Commissioner of Canada, the investigation uncovered how Tim Hortons continued to collect vast amounts of location data for a year even after the company had scrapped plans to use it for targeted advertising. In its defense, Tim Hortons says that it only used aggregated location data in a limited way, such as analyzing user trends like whether customers switched to other coffee chains or how their movements changed as a result of the pandemic.

Once the investigation was launched in 2020, the company stopped continually tracking the location of its users, but this didn’t eliminate the risk of surveillance. Canada’s privacy watchdogs found that Tim Hortons had a contract with an American third-party location services supplier which contained language so vague and permissive that it would have allowed the company to sell “de-identified” location data on its own.

The risk here is that de-identified geolocation data could be re-identified; a recent report from the Office of the Privacy Commissioner of Canada highlights just how easily people can be identified by their movements. Someone’s location data can be used to infer where they live and work as well as to make deductions about their religious beliefs, sexual preferences, social and political affiliations and more.

Privacy Commissioner of Canada Daniel Therrien provided further insight on the matter in a press release, saying: “Tim Hortons clearly crossed the line by amassing a huge amount of highly sensitive information about its customers. Following people’s movements every few minutes of every day was clearly an inappropriate form of surveillance. This case once again highlights the harms that can result from poorly designed technologies as well as the need for strong privacy laws to protect the rights of Canadians.”
Convenience at a cost — why you may want to avoid installing restaurant apps
While Tim Hortons has agreed to delete any remaining location data and establish and maintain a privacy management program based on recommendations from Canada’s privacy watchdogs, this incident shines a light on the privacy and security risks posed by restaurant apps. Being able to order and pay for your food using one app may be convenient, but if a restaurant chain falls victim to a data breach, your financial information could be exposed. At the same time, these sorts of apps may request access to your location and other device permissions when they don’t necessarily need them. They can quickly eat up your phone’s storage and data as well.

We’ve also seen restaurant chains hit by cyberattacks in which attackers were able to gain access to customers’ payment details. Back in 2017, cybercriminals used malware to access Chipotle’s POS systems to steal the information contained on the magnetic strip on the back of customers’ payment cards. Just last year though, attackers took over the restaurant chain’s Mailgun account to send out malicious emails to Chipotle customers as part of a phishing campaign.

Besides restaurant apps, food delivery services have also become a target for hackers as they have become more popular. For instance, the information of 4.9 million customers, delivery workers and merchants was stolen by hackers from DoorDash following a breach at one of its third-party service providers. There have also been cases where users had their Uber Eats accounts hacked, according to CTV.

Anytime you download a restaurant app or even a loyalty app, you’re giving companies greater access to your personal and device data. For this reason, you might be better off going directly to a company’s site to place your next food order if possible or using an old-fashioned loyalty program card instead.
It’s not just apps — restaurant QR codes are risky, too
Although QR codes have been widely used in South Korea and other countries in Asia for years now, they only became mainstream in the U.S. during the pandemic as restaurants wanted to avoid having multiple customers touch the same menu. Instead, restaurant goers scanned a QR code at their table to access a business’ menu online.

In a blog post though, the ACLU points out that many QR codes in restaurants are actually generated by a different company that collects, uses and may even share your personal information with other companies. Scanning a QR code at a restaurant with your phone also gives companies access to your device’s advertising ID number, making it easier to track you online.

While most QR codes are harmless, an attacker or a scammer could put their own QR code sticker over a legitimate one to redirect unsuspecting users to websites hosting malware. This is why the ACLU recommends that you treat QR codes like links in an email from an unknown sender. You can also use software that allows you to inspect a QR code before opening the site it takes you to in your browser.
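
One way the inspection step above could work, as an added example that is not from the original article: the function takes the text already decoded from a QR code and lists reasons for caution before the link is opened. The domain `example-restaurant.test` and all sample payloads are constructed assumptions.

```python
import ipaddress
from urllib.parse import urlsplit


def inspect_qr_payload(payload, expected_domains):
    """Return warnings for text decoded from a QR code.

    An empty list means an HTTPS link to one of the expected domains.
    """
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        # Wi-Fi, SMS, phone and app-specific payloads are not web menus.
        return ["not a web link (scheme " + repr(scheme) + ")"]
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return ["link has no host name"]
    warnings = []
    if scheme == "http":
        warnings.append("unencrypted http link")
    if parts.username or parts.password:
        # "https://trusted-name@other-host/" really opens other-host.
        warnings.append("text before '@' disguises the real host")
    try:
        ipaddress.ip_address(host)
        warnings.append("host is a raw IP address")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode host name (possible look-alike domain)")
    # Accept the expected domain itself or one of its subdomains only.
    if not any(host == d or host.endswith("." + d) for d in expected_domains):
        warnings.append("host " + repr(host) + " is not an expected domain")
    return warnings


# Constructed sample payloads (assumptions, not taken from the article).
SAMPLES = [
    "https://menu.example-restaurant.test/table/12",
    "https://qr-menus.example/r/8841",            # third-party menu service
    "https://example-restaurant.test@203.0.113.7/menu",
    "WIFI:S:CafeGuest;T:WPA;P:constructed;;",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", inspect_qr_payload(sample, ["example-restaurant.test"]))
```

A link that resolves to a third-party menu service is reported as an unexpected domain, which matches the ACLU's point that the code may not belong to the restaurant at all.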