Tuesday, November 17, 2015

Schlotzsky's: Funny name, serious sandwich, poor privacy

I had a hankering 4 @Schlotzskys. Then I remembered the loyalty app demands too many perms. Guess I'll have to settle 4 a lesser sandwich...

When I began writing this post, I did not know how it would end. My hope was it would become a story of a privacy issue acknowledged and a restaurant modifying its customer loyalty app to respect its customers' privacy. Thus far, 5 months after initially reporting this, the Schlotzsky's "Lotz4Me" mobile loyalty app remains an egregious invasion of privacy beyond any loyalty app I have seen in the past.

Those not from the Texas may not recognize the name Schlotzsky's. For that matter, you might not even know how to pronounce the name. That's OK. The chain that originated in downtown Austin makes a fantastic hot sandwich on fresh sourdough buns. Since the first restaurant opened in 1971, the chain has grown to some 350 locations - mostly in the southern and southwestern US (well over half are in Texas).


They are great at making food.

They are not so good at choosing digital products.

Loyalty programs started out as a win/win for both the retailer and the consumer. For many years, loyalty or "frequent customer" programs worked on the concept that a business would give a customer a discount for shopping or dining regularly. The business generated more sales, the customer saved a few dollars, and everybody won.

In June 2014, Schlotzsky's partnered with customer relationship management (CRM) company Punchh to launch a new loyalty program named "Lotz4Me." Like most modern loyalty programs, this one is a bit of a give-and-take: I give up some information in exchange for a discount or freebies. 

Degrees of privacy concern vary, but as long as I know what I am giving up and what I am getting in return, I can make an informed decision. In this case, I am willing to give up a little personal information that might be used to advertise to me, in exchange for free sandwiches.

Fast forward a year though, and suddenly the cost changed. Beginning in June 2015, an update to the app asked for some new permissions, namely permission to retrieve running appson my phone. Why a customer loyalty program needs to know what else is running on my phone, I don't know. Suffice to say, it was inappropriate, and I chose not to upgrade the app. Naturally, the app prompts me to upgrade if I try to run it, and closes if I cancel the upgrade.

Schlotzsky's Lotz4Me app requests permission to retrieve running apps

So I did what any self-respecting security researcher would do: I contacted the company to ask about this. The reply I got was "send us an email and we'll look into it." So I sent an email ... and, crickets.

Letter to Schlotzskys

Since I can make use of the discounts through a website that does not prey on my privacy, I didn't force the issue. Eventually I mentioned it again via social media a few months later, and again got a promise to look into it, followed by crickets:

Dialog between me and Schlotzsky's

In October, I checked again to see if perhaps they had improved the app. Lo and behold, there was a new version. But surprise! It was an even more egregious invasion of privacy:

The latest Schlotzsky's Lotz4Me app requires access to contacts and web browser history

Not only does the app demand access to my running apps, but now it also requires access to my contacts and my web bookmarks and browsing history. Seriously? Do they really expect me to trade my web browser history, my contacts list, and a list of apps I use, for a sandwich? Follower @scriptjunkie1 captured my sentiment nicely:

Wow @Schlotzskys, that's creepy

But this time it was more than one customer chiming in, and after sending another email to both the restaurant chain and to Punchh, Schlotzsky's responded that the brand manager and app developer would look into it. Then again, it has now been a month since that most recent exchange, and I have yet to hear anything else from either Schlotzsky's or Punchh, nor has there been any change to the app in the Google Play app store. 

Punchh is not the only offender in this space - in fact, 5 researchers with the Federal Trade Commission's summer research fellows program put together a very thorough report analyzing over 100 popular Android and iOS apps, to find that many, many apps share personally identifying information with third parties.

To be honest, I don't expect any response from Punchh. They are in the business of providing CRM to companies, and from their perspective, the more invasive they are, the more "value" they can provide to a business. In the truest of senses, you and I are the product being sold, while Schlotzsky's and others are the customer.

My hope, however, is that consumers are sufficiently privacy-conscious to say "enough" and favor businesses that respect their personal information.

Just sell me a sandwich. Don't turn me into a product to sell.

Suffice to say I do not have the Lotz4Me app on my phone now.

Update November 24: A few days after writing this, fellow security pro Stephen Haywood wrote about another creepy retail privacy situation. In his case, the creepy was in a face-to-face transaction rather than via an online app: his 11-year-old son bought something from a Yankee Candle shop, and was told he had to give up his phone number to get his receipt. A consenting adult willingly trading information for a discount is one thing ... demanding private information from an impressionable minor during a cash transaction is another thing entirely.

Personal information has value - value that retailers have discovered and use various tactics to acquire. I like Stephen's advice: he has trained his kids to not give personal information to strangers, and has given then "code names" and fake phone numbers for those cases where a retailer won't accept "no" as an answer.