The Financial Post provided Erinn Atwater, research and funding director at Open Privacy, a non-profit advocacy organization focused on better tools and practices for privacy and digital security issues, all the data associated with reporter James McLeod’s usage of the Tim Hortons app. Atwater confirmed the Financial Post’s analysis of the data, and helped explain elements of the code.
Timestamp_Unixtime_MS: The app uses Unix TIme, a standardized computer format to mark time. In this case, it records the exact time when this JSON event was logged in the RBI server at 9:04 a.m. and 34 seconds, on Aug. 23, 2019. According to emailed receipts from Tim Hortons, the only transaction McLeod had on that day was at 8:20 a.m. on the way into the office, so it is unlikely he would have the app open 44 minutes later.
Event name: The Tim Hortons app uses Radar Labs Inc. to conduct location analysis on customers. In this case, Radar is creating a JSON event for when the user enters the office. Radar tracks users in the background and analyzes the location data to infer the location of their home and office. The service then creates digital logs when the user enters or exits their home or workplace.
Confidence: Each Radar insight comes with a confidence rating “based on the size and time distribution of clusters” of location data, according to the company’s website.
Longitude, Latitude: These coordinates correspond with Postmedia Place in Toronto, and the precise location is the southwest corner of the building, which is where McLeod’s desk is. Similar JSON events record his home address, including his apartment’s exact location inside the building.
Timestamp_unixtime_ms: Based on a best interpretation by the Financial Post in conjunction with Atwater of how the data is recorded, this second timestamp appears to record the exact time when the location was logged on the phone, 39 seconds after 9 a.m. on Aug. 23. This timestamp is roughly four minutes before this information was logged in the RBI servers. Radar indicates it processes data on its servers. This means that far more location data may be recorded in Radar servers before the important events are transmitted to RBI servers.
In other parts of the Tim Hortons JSON code, the company logged detailed information about the user’s device, including the phone model, operating system, network provider, the amount of available memory and how much charge the battery holds. Through the Radar service, Tim Hortons is also tracking customers every time they visit a competitor such as Starbucks or Second Cup. Radar also informs Tim Hortons every time a user travels more than 100 kilometres away from their home.
This chunk from a different line of JSON code shows the Tim Hortons app logging McLeod’s location while he entered the Rogers Centre for a Toronto Blue Jays game at 7:14 p.m. on Aug. 9, 2019.