The IT Nerd

This is one of those topics that I always thought would come up more often. CTV News is reporting that the Teamsters union is accusing CN Rail of tracking employees movements, even after hours via the tablets that CN Rail issues their employees and not disclosing that they were doing so:

The Teamsters Canada Rail Conference, which is the union that represents 5,500 Canadian National railway employees, alleges CN has been monitoring the whereabouts of a train operator outside of work hours through a company-issued tablet.

“It’s spying, it’s wrong and it’s illegal in our view” according to Teamsters Canada’s director of public affairs Christopher Monette, who adds “on top of it being creepy, it’s downright dystopian. It’s something that shouldn’t be happening.” 

The union says they have reason to be concerned that a large number of CN Rail employees may have also had their location tracked by the company during their own personal time after work.Speaking to CTV National News, Monette says that CN “didn’t tell us this was going on and they didn’t seek consent from workers to use geolocation data” from their company issued devices and believes CN was trying to keep their tracking methods secret.

“We only found out about this by accident, through a disclosure process where the company was forced to disclose why they were disciplining a worker,” according to Monette.

Now CN Rail doesn’t want to comment on this. But frankly I am not surprised. Tablets and phones issued by companies are often what are called “managed” devices. Meaning that the devices are put into a type of software called Mobile Device Management software or MDM for short. This software allows a company to do a number of things. Get the status of the device, push out software updates, remote control the device for troubleshooting purposes, and most relevant to this story, track the device. Now a company may only decide to use this software to track a device if it is stolen. But I can see a scenario where a company may use this software to track a device at all times. Which if they disclose that up front, I guess that’s fine. But if they didn’t you get this situation.

Now if you have a company issued device and are afraid of being tracked, there are very low tech solutions to this:

Cyber security analyst and lawyer Ritesh Kotak believes employees who have a work phone, tablet or laptop should try and purchase their own personal devices to use off work hours.

“These high-tech problems have really low-tech solutions,” Kotak says.

He also says that he uses a tab to cover the camera on his work computer when he’s not on a video call. Kotak adds that, if possible, employees should turn their work devices onto airplane mode off work hours.

“It’s important to understand that information (from your devices) is being collected on a continuous basis by the employer, it’s probably being stored and there maybe third parties who have access to it.”

One thing to consider is that if you go this route, your company may complain at some point because the device isn’t on all the time. Another thing to consider is if you “BYOD” or bring your own device, and the company puts their MDM software on it, you could be in the same situation. So you may want to keep that in mind as well.

The bottom line is that if you use company property, or simply have their software installed on your own smartphone or computer, you should have no expectation of privacy. Ever. Unfortunate, but true.

Home Depot is my go to for anything I need to fix stuff around my condo. But perhaps I should rethink that as the Canadian Privacy Commissioner has determined that Home Depot handed over customer data to Meta (aka Facebook) without consent from customers:

It is an issue highlighted in a recent investigation by the Office of the Privacy Commissioner of Canada (OPC) into Home Depot of Canada Inc. (Home Depot). By participating in Meta Platforms Inc.’s Offline Conversions program, Home Depot was found to be sharing details from e-receipts – including encoded email addresses and in-store purchase information – with Meta, which operates the Facebook social media platform, without the knowledge or consent of customers.

And:

The investigation found that Home Depot had been collecting customer email addresses at store checkouts for the stated purpose of providing customers with an electronic copy of their receipt since at least 2018. However, the investigation revealed that during this period, the encoded email addresses, along with high-level details about each customer’s in-store purchases, were also sent to Meta.

Information sent to Meta was used to verify if a customer had a Facebook account. If they did, Meta compared the person’s in-store purchases to Home Depot’s advertisements sent over the platform to measure and report on the effectiveness of those ads. Meta’s Offline Conversions contractual terms also allowed it to use the customer information for its own business purposes, including user profiling and targeted advertising, unrelated to Home Depot.

Each email address Home Depot shared with Meta was encoded so that it could not be read by individuals at Facebook. Meta employed an automated process that allowed it to match email addresses attached to Facebook accounts. Email addresses not already associated with a Facebook account could not be linked to individuals.

While the details of a person’s in-store purchases may not have been sensitive in the context of Home Depot, they could be highly sensitive in other retail contexts, where they reveal, for example, information about an individual’s health or sexuality.

During the investigation, Home Depot said that it relied on implied consent and that its privacy statement, accessible through its website and in print upon request at retail locations, adequately explained that the company uses “de-identified information for internal business purposes, such as marketing, customer service, and business analytics” and that it “may share information for business purposes,” including “with third parties.” Home Depot also relied on Facebook’s privacy statement, which explained the Offline Conversions program.

The OPC, however, rejected Home Depot’s argument as the privacy statements Home Depot relied on for consent were not readily available to customers at the check-out counter, and consumers would have no reason to seek them out. Moreover, the OPC found that Home Depot’s privacy statement did not clearly explain the practice in question.

Now I have always been suspect of getting e-receipts from companies which is why I always prefer printed copies. This revelation makes me want to double down on never getting an e-receipt. Now I tried to find a comment from Home Depot or Meta but I couldn’t find one. Which in itself says something. But in the meantime, here’s what the Privacy Commissioner says that Home Depot has to do:

As a result of the investigation, the OPC recommended that Home Depot:

• cease disclosing the personal information of customers requesting an e-receipt to Meta until it is able to implement measures to ensure valid consent;
• implement measures to obtain express, opt-in consent from customers prior to sharing the information with Meta, should it resume the practice; and
• ensure meaningful consent by providing customers requesting an e-receipt with key information regarding its sharing of information with Meta at the point of sale, and by strengthening its privacy statement to include a detailed explanation of its practices and how customers can withdraw consent.

It will be interesting to see if Home Depot complies with this. Because now that this is out there, Home Depot is going have to deal with customers who do not trust them. And that’s not a good place to be in.