Canada’s privacy laws have ‘no teeth’: What I learned during an eight-month investigation into Tim Hortons’ data tracking
Systems are built to frustrate transparency, and companies don't face any real penalties when they ignore the law
I had been impatiently waiting for a particular email to arrive for two months before it finally hit my inbox last week. I was hoping to learn something new about Tim Hortons’ location surveillance efforts by asking one of its technology partners what it had about me.
Back in June, I’d reported that the coffee chain had been tracking me and countless other customers through its mobile ordering app.
But Tim Hortons itself wasn’t doing the data analytics work to process GPS signals and figure out where I lived and worked, as well as whenever I visited one of its competitors. Instead, Tim Hortons’ parent company, Restaurant Brands International Inc., contracted that work out to New York-based Radar Labs Inc.
I was curious as to whether there was additional information about me in Radar’s servers, since it was handling the raw data behind Tim Hortons’ tracking efforts.
But other than some additional detail suggesting phones can capture altitude, there wasn’t much new in the spreadsheets I received. I really only learned what I already knew: Tim Hortons had been tracking me. I also learned how frustrating it can be to try to figure out where your data goes.
The much more important conclusion to come out of the whole process of trying to find out what data a particular company had on me is that Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) is fundamentally flawed.
The act is largely toothless, legal experts have said, with the only real penalty for violating the law being a potential loss of reputation.
“Reputational harm is currently the bigger risk, as opposed to pure legal risk,” University of Ottawa law professor Michael Geist said when I interviewed him about PIPEDA in July. “The law itself doesn’t have enough teeth.”
In theory, the right to access your data under PIPEDA should be a key component of how Canadians protect their privacy and prevent corporations from abusing the information they collect.
In practice, technology systems are built in a way to frustrate transparency, and companies do not face any real penalties when they ignore the law.
My investigation of the location tracking done by Tim Hortons on its customers started in October 2019, when my phone received an alert that said the company’s app had checked my location in the background — in other words, I was not using the app at the time.
After I filed a request for all of my personal information that Tim Hortons held, a right that every Canadian has under PIPEDA, I received a trove of data indicating that the app was indeed tracking me.
Radar Labs was processing the data, turning raw location coordinates into insights, such as inferring where I lived and worked, as well as details about when I visited the location of one of the coffee chain’s competitors.
The app even tracked me on vacation all the way to Amsterdam and Morocco.
On the same day my initial story about this tracking was published, I filed a follow-up request to Radar Labs, because its website seemed to indicate that it might be holding a much larger stash of location data on me.
The data RBI had already sent me appeared to be pulled directly from the company’s servers, recording only the insights that Radar Labs had sent it. But Radar’s website states that when clients use its technology, Radar receives a steady stream of location data from phones as often as every three to five minutes.
I asked Radar directly to see everything it had, but the company never directly responded.
Yet PIPEDA states: “An organization shall respond to a request with due diligence and in any case not later than thirty days after receipt of the request.”
More than two months later, I still haven’t received a formal response from Radar.
However, 28 days after I sent my request, I received an email from RBI that said, “Radar referred your request to RBI. Your access request relates to personal information collected through the Tim Hortons app and, accordingly, RBI will provide you with a response.”
RBI unilaterally gave itself another 30 days to respond, setting a new deadline of Aug. 11.
At 8:27 p.m. on Aug. 11, RBI sent me another email that said, “We conducted a thorough analysis of your data in Radar’s custody and found no additional data beyond what we have already provided to you.”
As part of that email, I received two spreadsheets of data. “The data in the attached files includes both the data previously provided to you and any new information in Radar’s custody collected between November 1, 2019 through June 12, 2020,” RBI’s email said.
The main takeaway from the data sent to me in August was the same conclusion I arrived at months ago: the Tim Hortons app on my phone was silently logging location coordinates and other data on my phone in an effort to track me.
The only new thing I could find was that it might be possible for a company to log my altitude if it had the right access.
One of the new spreadsheets that arrived from Tim Hortons included columns labelled “floorlevel,” “altitude” and “verticalaccuracy,” but two of those columns were completely devoid of data. And the altitude column only had spotty data, with many spreadsheet lines left empty, and recorded numbers ranging from 39.79999924 up to 292.5195313, which might measure feet or metres above sea level, but it’s not clear.
“The floor level and vertical accuracy fields are empty in our response to your access request because those fields are not associated with the platform upon which your device operates,” Duncan Fulton, Tim Hortons chief corporate officer, said in a response to a follow-up question. “We confirm that we never used altitude data to attempt to ascertain your (or anyone else’s) vertical location within a multi-storey building.”
But, it turns out, some phones have built-in barometers and other sensors that can track altitude.
Along with longitude and latitude coordinates, and the data possibly recording elevation, the spreadsheets contained what could charitably be called a lot of gibberish.
One column labelled “projectguid” had the same string of numbers and letters — “5b45b3e7-cacf-4f33-bb60-ea5d20b21dec” — for each row and a different column, simply labelled “_id,” had information such as “5d4e9a70fd4dd2002744e8d7” in each line.
I repeatedly tried reaching out to Radar, but the only response was a terse email from chief executive and company co-founder Nick Patrick, who told me I should only be talking to Tim Hortons.
Tim Hortons said some of those numbers are unique identifiers for specific locations. Some of the numbers also appeared in the older files sent to me by Tim Hortons.
“The 24-character entries you cited (e.g. 593083c28f27e8a156bd63d4) are Radar’s unique identifiers to identify a location based on the applicable latitude and longitude coordinates, which were also included in our prior response,” Fulton said in an email. “Unique identifiers are used because locations may sometimes not have a specific street address.”
PIPEDA specifically anticipated this kind of thing, and the law states, “The requested information shall be provided or made available in a form that is generally understandable. For example, if the organization uses abbreviations or codes to record information, an explanation shall be provided.”
But there’s little recourse if an organization doesn’t comply.
If I think a company has violated the privacy law, I can file a complaint to the Office of the Privacy Commissioner, and perhaps there might be a subsequent investigation. There might even be a report that would name and shame the company in question.
As a result of my investigation, Tim Hortons has already taken the public relations hit about its location-tracking practices, and the privacy commissioner has now launched its own probe.
Ultimately, we’d still probably need to just take Radar Labs’ word, via RBI in this case, that it has nothing else on me in its servers.
Since first reporting on the Tim Hortons app, I’ve heard whispers from multiple sources about the grey market of companies buying and selling user data, perhaps even the same companies that publicly claim they never sell such data.
The point is that technology companies design their services in ways that make it impossible for a user to know what’s really going on behind the scenes.
Key questions remain: How can I have any hope of controlling where my data winds up if I don’t even know who has my data? How can I consent to something when I don’t know it’s happening?
None of this is unique to Tim Hortons. Technology systems today are built to provide a clean user interface and hide the guts of the system. The public doesn’t know what is happening behind the facade, whether it’s Tim Hortons doing location tracking, or Google LLC and Facebook Inc. using every possible scrap of data to target ads.
However, public trust is the casualty when consumers know they’re being used, but not how they and their data are specifically being used. And if we don’t know how our technology works, we suspect the worst.
For example, in spite of assurances to the contrary from every privacy expert in the country, a Leger poll recently found that 52 per cent of Canadians do not believe the federal government’s assurance that its recently introduced COVID-19 app doesn’t track location.
Only 20 per cent of Canadians said they’ll install the app, which could be a critical tool for tracing the spread of infection if there was enough public buy-in.
This lack of trust in technology is becoming a life-or-death issue.
Globally, regulating Big Tech remains one of the great unsolved problems of our time; no one has come up with an answer beyond a few hand slaps and inconsequential fines.
PIPEDA certainly isn’t cutting it. The promise of transparency falls short, and we’re all the worse for it.
• Email: firstname.lastname@example.org | Twitter: jamespmcleod