Double-double tracking: How Tim Hortons knows where you sleep, work and vacation

I never would have consciously volunteered my home address, work location and vacation plans to Tim Hortons, but the company found out anyway.

I haven’t been singled out for special treatment. For more than a year, the coffee chain has been tracking the movements of customers in exacting detail through its mobile ordering app.

I’ve spent months sifting through my own data, and it’s staggering how much the company knows about me.

From my home to my office to a Blue Jays game at Rogers Centre, even all the way to Morocco, where I travelled on vacation last June, the company’s app silently logged my coordinates and relayed them back to its corporate servers.

Data privacy concerns have become a mainstream issue in recent years, even more so these days with various governments and companies proposing to track the COVID-19 virus using technology to keep tabs on where people go and who they might have interacted with.

But the reality is that companies have been tracking customers for years, and while Restaurant Brands International Inc., the owner of Tim Hortons, isn’t alone in this kind of corporate surveillance, the Tims app demonstrates how huge amounts of intimate data can be collected without users realizing that it’s happening at all.

Location tracking is partly dictated by user choice, and heavily influenced by a phone’s operating system, so we don’t know exactly how many people are being tracked by the company, but it’s fair to say that Tim Hortons is logging the movements of a significant portion of the millions of Canadians who use its app, in the same way the company was tracking me.

I didn’t realize how much until I saw my coordinates in a trove of data that RBI sent to me after I made a request under Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) last fall.

According to the data, Tim Hortons had recorded my longitude and latitude coordinates more than 2,700 times in less than five months, and not just when I was using the app.

Tim Hortons chief corporate officer Duncan Fulton said users consent to this kind of tracking when they give the app access to the GPS on their phone.

Tim Hortons had recorded my longitude and latitude coordinates more than 2,700 times in less than five months, and not just when I was using the app

If I didn’t want the company to track my location in the background — even hours or days after I last used the app — Fulton said the onus is on me to deny the app such access.

Within the Tim Hortons app, an FAQ covering privacy issues told customers that it tracks location “only when you have the app open,” but that did not appear to be entirely true based on the data RBI provided to me.

After the Financial Post asked about the apparent discrepancy, the company changed its privacy statement to say that users’ ability to limit location tracking varies “depending on your device” and the company now states that users should “check and understand your device settings” to make sure they are comfortable with how much location information they’re sharing.

I had no idea how extensive the tracking data was until I saw it. There were readings taken at all hours of the day and night, and RBI kept tabs on me every time the app thought I was visiting one of its competitors.

RBI kept tabs on me every time the app thought I was visiting one of its competitors

The data also indicate that Tims is using a location-tracking service from a company called Radar Labs Inc. that claims on its website to ping phones carrying its technology as often as every three to five minutes.

As a reasonably tech-savvy person, I knew I’d given the app permission to access my location; it was necessary to route my daily coffee and bagel order to the nearest franchise, or for other coffee-buying-related purposes.

But I only started to suspect there was more at play in October, when I received an unfamiliar notification on my phone: “Tim Hortons got your location in the background. This app can always access your location. Tap to change.”

I began to wonder why the app would need to access my location even when I hadn’t opened it in hours. It bothered me: How many more times had Tim Hortons checked in on me? Was my coffee-ordering app tracking all my movements?

I made the PIPEDA request last fall, and the response came about a month later in an email from RBI’s director of IT Security and Compliance.

Was my coffee-ordering app tracking all my movements?

“To comply with your request, we searched for your name and email address across our Amazon Web Services servers, which hold primary user profiles. In addition, we requested a search for your information from our ancillary systems,” the email said.

“Please be advised that we searched across the Tim Hortons, Burger King, and Popeyes Louisiana Kitchen brands to locate your data.”

Along with three spreadsheets, RBI sent me a folder called “Events” that contained 12 text files, one, it turned out, for each month from November 2018 to October 2019.

The spreadsheets contained only basic profile information, but the text files were huge, containing thousands of pages of computer code in a format known as JavaScript Object Notation (JSON).

Altogether, the files contained 2,843 lines of code, with each line recording a “batch” of information pulled off my phone and logged in RBI servers.

Even the most benign batches revealed an impressive level of detail.

Many of them recorded my interactions with the Tim Hortons app, from launching the app through to checkout.