The app is owned by Restaurant Brands International, which also owns the Burger King and Popeyes apps.
The essence of the investigation is the Tim Hortons app’s use of the Radar.io SDK, which the Burger King and Popeyes apps also use (we verified this using app SDK analysis). The Radar SDK sucks private user location data out of the app, sending it to Radar servers, automatically learning users’ home, work, travel – basically their every move. (Radar boldly markets this as a feature on their website.)
This is a coffee app. Anyone see a problem with that?
In a detailed investigation, journalist James McLeod caught the app red-handed, tracking his every move, even his vacation to Morocco.
Why would a coffee shop app need to know every place you go? And, even more shocking, why would they send all of your data to an SDK company that has data on hundreds or thousands of such apps and therefore millions of people? Radar claims they don’t sell this data (we’ve all heard that before), but even if they don’t, simply possessing that much data on individuals is a risky proposition.
And, this Radar.io page exists to promote Radar vs PathSense:
Exactly, Radar, thank you for pointing out that difference!
Unlike Radar, PathSense does not suck your users’ most private, intimate (location) data out of your app and store it on our servers. PathSense has no access to your data, period. So there is no way we can automatically learn where you live, work, where you take your kids to school, where you go on vacation, or how you live every minute of your life.
PathSense Privacy: Data never leaves the phone.
The Tim Hortons app reportedly stopped background location collection as a result of this investigation. App developers have historically been able to get away with bad behavior. That is quickly changing as Apple, Google, regulators, and now even Congress and state attorneys general are cracking down on user location tracking.
If you are an app developer, here’s a better idea: don’t do creepy stuff in the first place. The contract of trust is between you and your users. Don’t break that, or you will lose them forever. Don’t collect user data you don’t absolutely need for the functionality of your app (and definitely don’t send your users’ data to other companies, or include SDKs that suck users’ data out of your app, where you lose control of it).
Build for privacy, transparency, and trust. Learn more about PathSense Privacy.