> but the new trend is surveillance pricing. A company will know that you just got paid and so charge you just a bit more for your chicken nuggets than they do when you haven’t been paid in two weeks.
First of all, no, a company has no idea when you get paid. The reality of lots of apps (like McDonald's) is discount pricing. You pay full price at the store if you're a rich person who can't be bothered with apps. Downloading an app and creating an account is the modern equivalent of cutting out coupons or buy-10-get-one-free cards -- price-conscious consumers will go to the trouble and get cheaper prices. They're just loyalty programs. Price discrimination like this is nothing new, and it lets rich people subsidize the lower costs for people with less money.
These apps run in sandboxes. There's not much to surveil. Obviously don't grant them permissions to see your contacts or track your location all the time. Will the app be able to tie all your purchases to a single identity? Of course. But the stores already do that anyways if you use the same credit card for each purchase.
I don't mind downloading apps for the 5-10 stores/restaurants I go to most. Beyond that, I obviously won't because it's too much of a hassle. But the loyalty discounts I get save me real money. I have no problem with that.
It's more than coupons. These apps track your location, usage and so on, then sell this data to a 3rd party. Coupons don’t do that. Do you read the full user agreement you accept when installing apps? Most people wouldn’t understand the legalese in those.
A coupon could still be an image you find online that can be scanned and that’s it. Apps are totally not necessary unless they squeeze something out of the user.
So the McDonald's app knows I'm... at McDonald's when I use it? And that I'm using the app to order?
That doesn't seem like I'm giving up much information. Considering I'm placing the order at that McDonald's anyways, and they know the addresses of their franchisees.
Like I said, the same information is already revealed when I use a credit card.
I'm not granting it permission to track my location when I'm not using the app, obviously.
Ad SDKs exploit OS bugs to get location data. These specific ones have since been patched, but historically they read ARP tables, EXIF geo tags, and colluded with other apps that legitimately had location permissions to get that info. It wouldn't surprise me if there are other live exploits quietly being used today. https://www.usenix.org/conference/usenixsecurity19/presentat...
That's a very naive look on the situation. There are plenty of websites that can explain how this is just not accurate better than I could attempt to summarize it. If web searching is not your thing, I'd assume a GPT could point you in the right direction.
The argument was that apps can surreptitiously gather information from you. The apps in question didn’t get your location data without you specifically allowing it.
Websites can also ask you for your location.
In the comment you replied to I asked
> from your GPS without you giving them permission?
Individually, yes, each app cannot obtain much data. But all the apps sell their bit of data to a third party, and buy the resulting profile about you, because they can identify you.
So no, the McDonald's app doesn't know when you got paid directly. But it does know that you bought a cheeseburger in the last two weeks of every month, and it knows that your grocery expenses are higher in the first two weeks of every month, and you tend to eat at a restaurant in the first week of every month, and you take fewer Ubers in the last week of every month; it's not hard to conclude that you get paid at the start of the month.
And that's without your banking app selling your info, which it might do. In which case it knows exactly when you get paid, and your probable current bank balance right now when you place your cheeseburger order.
To you and me, the consumer, the value of an app is "the same" as the old loyalty cards. But the value to the company is huge! How often you open the app (how often are you thinking about their food), how often you accept an offer, what the price of the offer is, what card you used to pay, where were you when you opened the app etc etc.
Going to be fun times when in 10 years' time they sell all that information to your health insurance provider for them to go "Holy hell" and jack your insurance prices up 5 times over.
You don't need to use words like "slop", it's pejorative and has nothing to do with the issue at hand.
And the link you use is just different people getting different discount coupons in the app. Companies also mail different coupons to different people based on their purchase history. I can't really find myself getting worked up about different people getting different promotions.
And it's illegal for health insurance to offer customized pricing like that. And the credit card companies already know I eat at McDonald's or wherever else. Using the app isn't adding any new data.
And it's not $0.20 off. It's usually more like $5 off a $15 meal that brings it down to $10. And those numbers add up over the course of a year -- across a few apps, it adds up to hundreds of dollars of savings a year.
That's a beautiful strawman argument; let me have a tussle with it to see if it holds on its own.
First, let's not miss the forest for the trees. We're engaging in a common "hacker" watering hole. Our opsec skills are very likely not representative of what your average person has, and the point of the article is to educate the average person.
Second, most of those apps require you give your pound of data upfront, or they won't work correctly until you grant permissions.
Next, it's not the same if the establishment I'm buying chicken nuggets from ties down my credit card to my identity or if it does the same plus a ton of extra data that I've been forced to grant.
Also, one of the main concerns from the article is surveillance pricing... So yeah, you sure "saved" a bunch ($100) over the course of 1 year at a restaurant, but overall you're worse off because some data broker managed to have all airlines raise your flight prices by $500 because they learned that you're going to have to attend your best mate's wedding.
And last, but not least, the article mentioned the binding arbitration clause that one blindly signs away when accepting the app's ToS:
> Walking into a restaurant to buy a cheeseburger, there’s no way a company can force you to enter a contractual agreement that includes binding arbitration. Downloading an app, however, requires agreeing to a “Terms of Service,” and those can absolutely include a binding arbitration clause, and that clause can be applied even to cases outside the app. This happened to Jeffrey Piccolo when his wife died of food poisoning in a Disney World. Disney made a motion to dismiss because a couple years back, Jeffrey had signed up for a free trial of Disney+, which included a binding arbitration clause, which meant that if Jeffrey wanted to complain about how Disney murdered his wife, they’d have to settle it out of court with a mediator that Disney hired. No jury, no judge, no oversight. [...]
Well, consider me impressed; perhaps I should consider switching away from Android... the only thing keeping me from doing so is Apple's walled garden... the hefty price tags don't help, too.
For my part, I can tell you that Samsung's "Galaxy Buds Pro" app (IIRC) for a while there didn't allow me to customize some settings if I didn't grant calendar or contact permissions... I tested today and that didn't happen (it was probably a bug... though I remember it being present for a LOT of time; enough that I stopped trying to open the app). My workaround consisted in using the widget to toggle noise-cancellation modes.
I should note that "customize settings" should instead read as "interact with the app" (as in a permission prompt pop-up preventing interaction with the main app).
It's not a strawman, please don't be insulting. But OK, let's tussle:
> most of those apps require you give your pound of data upfront, or they won't work correctly until you grant permissions.
That's false. I've never seen an app that required any permissions data upfront, except sometimes my location data while using the app if I wanted to be able to find the nearest restaurant.
> plus a ton of extra data that I've been forced to grant.
Again, there's no extra data. E.g. when I install the McDonald's app, it's not asking for my contacts or my photos or anything like that. This is not common practice among any major brands I've ever seen.
> but overall you're worse off because some data broker managed to have all airlines raise your flight prices by $500
That's not a thing. And it's really easy to check prices anonymously.
As for arbitration, sure check the ToS. The Disney case is the famous one and it's the only one I've heard of, but that was for a paid streaming service, not even an app. Arbitration is a separate problem to do with ToS's... and most of these apps don't even have ToS's you have to scroll through and accept, because that causes friction. So it seems like a different conversation.
It has nothing to do with app permissions, thank you for noting that, I'll update the article later. It works like this: as soon as they get your credit card information, they have enough information to go to a data broker and buy every bit of data on you that exists. Now they know who you are, and so now they know when you get paid, your net worth, your buying habits. Likely they're selling data back to brokers too, so as the other person mentioned, even if you're paying less for burgers, maybe now you're paying more for airplane tickets or something.
Second, these apps may not have a tickbox TOS but they seem to have one of those implicit TOSs that I'm still not sure how they are legal, e.g. "by using this service you agree..."
First line:
> Important: Please carefully read and understand these terms and conditions (“terms”). They contain an arbitration agreement, jury and class action waivers, limitations on McDonald’s liability and other provisions that affect your legal rights.
It's a binding arbitration agreement that covers disputes outside of the app:
> any claim or dispute (whether in contract, tort, or otherwise) that McDonald’s or any Member of the McDonald’s System may have with you, or that you may have with McDonald’s or any Member of the McDonald’s System, arising from or related to the online services or these terms will be resolved exclusively by final and binding arbitration administered by the American Arbitration Association (“AAA”) and conducted before a single arbitrator using the AAA’s Consumer Arbitration Rules and, if applicable, its Mass Arbitration Supplementary Rules (“rules and procedures”);
> It works like this: as soon as they get your credit card information, they have enough information to go to a data broker and buy every bit of data on you that exists. Now they know who you are, and so now they know when you get paid, your net worth, your buying habits.
This is blatantly false. There are laws against credit card companies and banks selling individually identifiable transaction histories or balances. Financial datasets do get sold but they use anonymization and aggregation to say things like "people in ZIP codes 100xx who shop at Merchant A also spend X% of their fast-food budget at Merchant B."
> Second, these apps may not have a tickbox TOS but they seem to have one of those implicit TOSs that I'm still not sure how they are legal, e.g. "by using this service you agree..."
Right, but this really doesn't have anything to do with apps. These same kind of implicit TOS's exist anytime you shop anywhere on a website. Like you say, their enforceability is questionable -- just because they exist doesn't mean they hold up in court. And if you rent a car in person vs via an app, you still sign the same agreement at the rental counter. I agree that forced arbitration is a problem, but apps are pretty orthogonal to it. If you want to fight forced arbitration, then call your representative and work to raise awareness. Crusading against apps doesn't accomplish anything.
> then call your representative and work to raise awareness
Strongly curious why you believe individual action to protect privacy is less effective than calling a politician. Do you have personal experience with effectiveness in individual lobbying of the government? Or some example I can go learn about? I'm deeply cynical about influencing politics without capital or a cult of personality.
I said call your representative about arbitration, not privacy. Because arbitration is everywhere -- not installing an app isn't going to make much difference.
Reps' offices absolutely tally the subjects their constituents call about, and it affects what bills they vote for and propose. Obviously it has to be lots of people calling, but those are made of individuals. There are tons of examples of successful organizing leading to change. But yes it definitely takes organizational effort.
Sorry if I came off as insulting; I admit I thought your original arguments were too bad-faith to not have been made by a bot or a foreign state actor.
So... We clearly have experienced different things (or rather, the author and I have experienced similar things, and you haven't), and therefore we have very different views on the matter...
You don't have to believe me; I just wouldn't be so dismissive about people sounding off alerts and alarms about increasingly abusive and invasive practices, as I've seen different levels of inaccessibility becoming normalized (e.g. you can't access some Spanish governmental services unless you have an Android or Apple phone).
Also, it's surprising to me that — if you're posting in this place — you wouldn't at least be aware of the possibility that ... companies are liars and can abuse or circumvent permissions [0] (e.g. everyone is spying on your clipboard).
So, are you really sure that regular popular apps are on the up and up and only taking what is needed to offer a service, or could they be doing something else and not have your best interest at hand?
> Sorry if I came off as insulting; I admit I thought your original arguments were too bad-faith to not have been made by a bot or a foreign state actor.
I don't need to listen to you doubling down on insults. Your tone is completely inappropriate for HN.
To answer your final question: yes, I really am that sure. iOS now prevents apps from spying even on your clipboard without permission. I have a decent technical understanding of iOS's sandbox. It appears you do not.
But again. Please take your snark elsewhere. It's simply not appropriate for HN: