Supermarkets that run apps and websites do not appear to have their affairs in order. Many of those apps and websites are insufficiently secured, and on top of that they violate their customers' privacy by passing data to Facebook without telling them beforehand. That is the conclusion of research by the Consumers' Association (Consumentenbond), which ran thirteen large supermarket chains through its Privacy Meter. This tool checks, on dozens of points, whether an organization complies with European privacy legislation and whether it shares data with other companies without need.

A large number of the applications and websites investigated fell short. The sites of Coop, Deen, Deka, Dirk, Hoogvliet, Jan Linders, Picnic and Spar, for example, placed advertising cookies on visitors' computers without asking permission first. According to the Consumers' Association, these eight chains also had confusing cookie menus, or put up a cookie wall that shut visitors out of the site unless they accepted the cookies.
Since the cookie law took effect in May 2011, website owners and advertisers in Europe have been required to obtain consent before placing commercial, non-functional cookies. They must also tell visitors in advance which cookies they intend to place and what purpose each serves. Withholding the site's content behind a cookie wall is not permitted under this legislation.
The Consumers' Association's research also shows that security is not up to scratch. At Coop, Dirk, Jan Linders, Plus and Spar, an attacker can keep submitting e-mail address and password combinations without limit until one matches: nothing in the login flow slows down or blocks repeated failures. Automated, this is known as a brute-force attack.
The advocacy organization acknowledges that an attacker who guesses a customer's password can do relatively little damage on the supermarket's site itself, presumably because little or no sensitive personal data is stored there. It becomes a different story when that customer uses the same password for other online accounts. Although security experts have been advising for years against using one password for multiple services, many people still reuse their passwords.
Finally, privacy is also a concern at most supermarkets. At Coop, Hoogvliet, Jan Linders, Picnic, Plus and Spar it was possible to find out who is a customer of that supermarket. The Consumers' Association sent a long list of e-mail addresses to the supermarkets' servers; when an address was registered, the server answered differently than it did for an unknown address. That difference lets anyone check, address by address, which people hold an account.
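The two weaknesses described above, unlimited password attempts and a reply that differs for registered addresses, are normally fixed in the same login handler. The code below is an added example written for this page, not code from any of the supermarkets or from the Consumers' Association. The user store, the policy values (five failures within fifteen minutes lock the account or the client IP for fifteen minutes), the e-mail addresses and the client IPs are all invented; the in-memory counters stand in for a shared store that a real deployment would use across servers.

```python
"""Login handler hardened against brute force and account enumeration.

Added illustrative example; users, thresholds and client addresses are made up.
"""
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque
from typing import Callable, Dict, Optional, Tuple

# Hypothetical policy: five failures inside fifteen minutes block the key
# (an account or a client IP) for fifteen minutes.
MAX_FAILURES = 5
WINDOW_SECONDS = 15 * 60
LOCKOUT_SECONDS = 15 * 60
PBKDF2_ROUNDS = 100_000

# One message for every failure: wrong password, unknown address, or locked out.
# Any difference between these cases tells the caller whether the address exists.
GENERIC_FAILURE = "The e-mail address or password is incorrect."


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, PBKDF2-SHA256 digest); a random salt is drawn when none is given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


class SlidingWindowLimiter:
    """Counts failures per key and blocks the key once MAX_FAILURES land inside WINDOW_SECONDS."""

    def __init__(self, clock: Callable[[], float]):
        self.clock = clock                       # injectable so tests can move time forward
        self.failures: Dict[str, deque] = defaultdict(deque)
        self.blocked_until: Dict[str, float] = {}

    def is_blocked(self, key: str) -> bool:
        until = self.blocked_until.get(key)
        if until is None:
            return False
        if self.clock() >= until:                # lockout expired: forget the history
            del self.blocked_until[key]
            self.failures.pop(key, None)
            return False
        return True

    def record_failure(self, key: str) -> None:
        now = self.clock()
        window = self.failures[key]
        window.append(now)
        while window and window[0] <= now - WINDOW_SECONDS:   # drop failures outside the window
            window.popleft()
        if len(window) >= MAX_FAILURES:
            self.blocked_until[key] = now + LOCKOUT_SECONDS

    def reset(self, key: str) -> None:
        self.failures.pop(key, None)
        self.blocked_until.pop(key, None)


class LoginService:
    def __init__(self, users: Dict[str, Tuple[bytes, bytes]],
                 clock: Callable[[], float] = time.monotonic):
        self.users = {email.strip().lower(): creds for email, creds in users.items()}
        self.limiter = SlidingWindowLimiter(clock)
        # Decoy credentials are verified for unknown addresses, so the response
        # time does not reveal whether an address is registered.
        self.decoy = hash_password(os.urandom(16).hex())

    def login(self, email: str, password: str, client_ip: str) -> Tuple[bool, str]:
        address = email.strip().lower()
        account_key, ip_key = "acct:" + address, "ip:" + client_ip
        if self.limiter.is_blocked(ip_key) or self.limiter.is_blocked(account_key):
            return False, GENERIC_FAILURE        # a distinct "locked" message would confirm the account

        salt, stored = self.users.get(address, self.decoy)
        _, candidate = hash_password(password, salt)
        matched = hmac.compare_digest(candidate, stored)   # constant-time comparison
        if matched and address in self.users:
            self.limiter.reset(account_key)
            return True, "Welcome"

        # Count the failure against both the client and the targeted account:
        # per-IP limits alone are defeated by spreading guesses over many addresses.
        self.limiter.record_failure(ip_key)
        self.limiter.record_failure(account_key)
        return False, GENERIC_FAILURE


if __name__ == "__main__":
    service = LoginService({"alice@example.com": hash_password("correct horse battery staple")})
    print(service.login("alice@example.com", "guess", "203.0.113.5"))     # (False, GENERIC_FAILURE)
    print(service.login("nobody@example.com", "guess", "203.0.113.5"))    # same message
```

The same uniform response is needed on the registration and password-reset endpoints, which leak account existence just as readily as the login form; a per-account limiter like the one above also has to be backed by a store shared between servers, or an attacker simply spreads the attempts across instances.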
The Consumers' Association also examined the network traffic of several apps. It found that Coop, Deen, Jumbo, Jan Linders and Spar passed information to Facebook without informing customers beforehand. For Facebook this information is valuable: the platform then knows exactly where you do your daily shopping and can serve personalized ads on that basis. Less pleasant still, Facebook also learns when you shop and which smartphone you use.
The apps and websites of Albert Heijn, Aldi and Lidl came out best in the privacy test. Only in Albert Heijn's iOS app did the interest group discover a minor flaw: there it was not possible to save custom cookie settings.
Following the investigation, the Consumers' Association notified the supermarkets of its findings. In early December it repeated the investigation to see whether the supermarket chains had since put their house in order. Unfortunately, that turned out not to be the case. None of the five supermarkets with a password problem had fixed the shortcoming. In their responses they blamed the Christmas rush and the coronavirus, and said they would take action at a later date.
Deka and Picnic no longer place advertising cookies on computers without first asking permission, following the Consumers' Association's warning. Coop and Jan Linders no longer communicate with Facebook through their apps. The other supermarkets say they will make adjustments this month or early next year.
Sandra Molenaar, director of the Consumers' Association, says she is unhappy with the "lax attitude" of the supermarkets. She finds their "laconic response" "downright worrisome". "It is relatively easy to implement technical measures that make a brute force attack impossible, yet the supermarkets choose not to do so. While we know that many consumers use the same password in different places. By doing nothing, supermarkets are knowingly exposing their customers to the risk of being hacked. With potentially far-reaching consequences. I find that very bad," Molenaar said.
