Preface

We start with the unavoidable right to a daily meal and move on to the digital alternative to the company canteen. The second part looks in more detail at the Ticket Restaurant applications through technical analysis and, finally, presents the case study of one particular App.

We will show how the Apps collect vast amounts of data through both Informed Consent and Digital Tracking. Readers will be able to reproduce the test and analyze their own application.

Finally, some solutions will be suggested to improve Privacy and limit digital invasiveness.

I work; at a certain time I will also have to eat

[PART ONE] - lots of regulations and lots of blah blah blah.

The Worker’s right to a lunch break is regulated; in the absence of a company canteen (not mandatory for the employer), it can be replaced with an alternative service. Companies with more than 30 employees must provide a refectory, a space in which workers can eat their meals comfortably and safely; tables, chairs, lighting, heating and cleaning of the rooms are the responsibility of the employer. It is certainly not the aim of this article to delve into issues of Labour Law, but rather to focus on the daily meal when the employer has opted for Meal Vouchers, also known as Restaurant Tickets.

The scam is in the name Meal Voucher, which has nothing to do with the actual compensation for the worker commensurate with the actual cost he will bear.

My meal is more expensive than the face value of the ticket

Another scam: employers are prevented from issuing vouchers for amounts higher than the minimum tax exemption threshold of €4 for paper vouchers and €8 for digital ones; if they exceed this amount, the vouchers will have to be taxed [1].

You have to go on a diet, or pay out of your own pocket to be able to eat a decent meal.

In a dystopian world we will have the nutritionist who will list the things that can be bought/eaten and will receive a percentage compensation equal to the difference between the face value of the meal voucher and the actual value of the expenditure on a deliberately downward controlled diet.

Difference between canteen replacement allowance and meal voucher

The difference lies in taxability: the replacement allowance contributes to the worker’s income, both fiscal and contributory.

We run after the Fringe Benefits

Everyone is eagerly awaiting the Fringe Benefit welfare measure: under the 2025 Budget Law, the ceiling for next year (still temporary) should be €1,500 for employees, with the risk of distorting Corporate Welfare itself.

Commercial consultants can do nothing other than advise, because the tax pressure has reached unbearable limits, and so they become unwitting promoters of a bizarre system.

Complications not simplifications.

Restaurant Ticket

[PART TWO] - you probably don’t know that installed apps collect data and that companies make money from selling them.

In this part we will try to determine whether Trackers are present in the Ticket Restaurant Apps and then analyze one App in more depth.

Readers can repeat the tests themselves.

What are Trackers?

Trackers are tracking components embedded in Apps, websites and digital devices which, in combination with other technologies, are used to profile in detail the data coming from the sensors and from the digital behavior of the user.

Tracking and profiling are a very lucrative business that brings in dizzying advertising revenues.

Trackers do not all have the same function and can intrude on privacy to different degrees [2].

  • Crash Reporters: These trackers specialize in application crash reports. In other words, their goal is to inform application developers that an App has encountered a problem. Therefore, the information collected at the time the application crashed will allow the developer to fix the bug.
  • Analytics: These trackers are designed to collect usage data and allow the developer to better understand their audience (for example, to know which page you visited, or how long you stayed on a certain area of the page).
  • Profiling: The aim of these trackers is to collect as much information as possible about the user who uses a given application, in order to build a virtual profile of the user. For this purpose, the tracker will focus for example on the internet browsing history, the list of installed applications, and so on.
  • Identification: Trackers are responsible for determining your digital identity. This identity can refer to an official identity or to an abstract, fictitious identity (Nickname, Pseudonyms, etc.). The purpose is, for example, to be able to correlate the user’s online activities with their offline ones.
  • Advertising (Ads Advertising): Trackers aim to create a profile of the user in order to show him targeted advertisements. This is only possible/relevant if the user already has a digital profile available. The ultimate goal of the creator of the tracker is to monetize his application by earning money, for example, through advertising.
  • Location: Trackers are designed to determine the geographic location of your mobile device. To do this, trackers use a variety of sensors and signals: GPS chips, the cells your phone connects to, nearby Wi-Fi networks, nearby Bluetooth devices, or even specific sounds from speakers.

Informed Consent covers all the options shown during installation with which you consent, or not, to the collection of your data. With Trackers, by contrast, you cannot express any refusal; the only protection is not to install the App.

How the Apps were chosen

Some Apps [3] have been chosen and distributed on the basis of the “Open procedure tender for the conclusion of a framework agreement for the assignment of the canteen replacement service through meal vouchers for the PA (edition 10)”.

| Company | Website | App |
|---|---|---|
| Day Ristoservice SpA | Up Day | Buoni Up Day |
| Edenred Italia Srl. | Edenred | Ticket Restaurant® |
| EP S.p.A. | EP S.p.A. | EP S.P.A |
| Pellegrini S.p.A. | Gruppo Pellegrini | PELLEGRINI CARD |
| Pluxee | Pluxee | Pluxee IT |

Brief description of the Companies

Day Up: the group is present in 22 countries, with 1 million companies, 1 million partners, 24 million users, 3,000 employees and 8.5 billion in turnover.

“In addition to profit objectives, we pursue one or more common benefit goals, operating in a responsible, sustainable and transparent manner towards people, communities, territory and environment.”

Edenred: French company listed on the stock exchange (Edenred SA, EDEN, Euronext), present worldwide with more than 150,000 companies, more than 150,000 partners and more than 2,500,000 users.

Latest significant financial events:

  • Agreements to buy Danish SaaS2 platform Spirii and Brazilian transportation benefits platform RB (source).
  • Meal vouchers: 20 million seized from Edenred Italia for fraud and bid-rigging (Il Sole 24 Ore).

EP S.p.A.: 800 employees, 15,000,000 meal vouchers issued, 30,000,000 affiliated commercial establishments.

Pellegrini S.p.A.: “A goal that we have achieved by pursuing ethical and sustainable values through a transparent, dynamic and innovative approach, which has allowed us to create a relationship of trust with all stakeholders: Customers, Users and Operators.”

Pluxee: Sodexo Benefits & Rewards Services Italia S.r.l. changes its name to Pluxee. 36 million users of Pluxee solutions, 500 thousand customers, 1.7 million partners, 4.4 million daily transactions, listed on the stock exchange (Pluxee NV, PLX).

Tracker Presence Analysis

The trackers present in the Apps can be checked with the Exodus application, downloadable from F-Droid. For each installed application, Exodus shows the permissions it requests and any tracking elements it contains.

| App | Trackers | Permissions | Exodus | Trackers used |
|---|---|---|---|---|
| Up Day | 3 | 13 | link | 9, 3 |
| Ticket Restaurant® | 8 | 44 | link | 1, 2, 3, 4, 5, 6, 7, 8 |
| Lunch GM | 0 | 12 | link | |
| Pellegrini UT | 2 | 12 | link | 6, 7 |
| Pluxee | 6 | 29 | link | 10, 11, 2, 9, 3, 4 |

Every software release must be reviewed for possible changes.

What Trackers Do

The Trackers used by the applications are numbered below, each with a brief description of its functionality.

  1. AltBeacon - Allows Android devices to use beacons much like iOS devices do. An app can request to get notifications when one or more beacons appear or disappear. An app can also request to get a ranging update from one or more beacons. It also allows Android devices to send beacon transmissions, even in the background.
  2. Google Analytics [analytics] (tracker web page).
  3. Google Firebase Analytics [analytics] (tracker web page) - Firebase gives functionality like analytics, databases, messaging and crash reporting.
  4. Google Tag Manager [analytics] (tracker web page).
  5. Huawei Mobile Services (HMS) Core [location, advertisement, analytics] (tracker web page) - HMS Core is a collection of tools made for Huawei’s partners and app developers. It includes Ads Kit, Analytics Kit, Location Kit, and more. HMS Core offers a rich array of open device and cloud capabilities, which facilitate efficient development, fast growth, and flexible monetization. This enables global developers to pursue groundbreaking innovation, deliver next-level user experiences, and make premium content and services broadly accessible.
  6. Microsoft Visual Studio App Center Analytics [analytics] (tracker web page) - Collects real-time analytics that highlight users’ behavior. It also provides push notifications to mobile devices.
  7. Microsoft Visual Studio App Center Crashes [crash reporting] (tracker web page) - Automatically generates a crash log every time your app crashes. The log is first written to the device’s storage and when the user starts the app again, the crash log will be sent to App Center.
  8. Tealium [analytics] (tracker web page).
  9. Google CrashLytics [crash reporting] (tracker web page).
  10. Exponea [analytics] (tracker web page) - Exponea does customer data collection, customer-centric analytics and segmentation using artificial intelligence.
  11. Facebook Flipper [analytics] (tracker web page) - The Flipper desktop app and the mobile native SDK establish a connection which is used to send data to and from the device. Flipper does not make any restrictions on what kind of data is being sent. This enables a lot of different use-cases where you want to better understand what is going inside your app. For example you can visualize the state of local caches, events happening or trigger actions on your app from the desktop.

Conclusion

The Worker needs basic information and a few functions. It is not clear why Apps that serve identical purposes carry anywhere from 0 up to 8 trackers.

Detailed App Analysis

[PART THREE] - the Ticket Restaurant® App by Edenred is analyzed on the Android operating system.

Edenred Informed Consent

Raise your right hand if, at least once and without thinking too much, you have consented to the optional functions of your App explained in the information banner.

The consents are related to:

  • Geolocation for promotional purposes
  • Profiling
  • Promotional notifications

Further details are given about access to your location.

The Ticket Restaurant App uses your location data, even when the App is closed or not in use, to show you the merchants near you who accept the service and to offer you a personalized experience by receiving text notifications that will warn you, for example, when a merchant near you activates promotions dedicated to you.

Consider that, in addition to collecting your data always and in any case, the App costs you energy and premature battery degradation.

Don’t complain that your phone’s performance, in terms of processor and battery consumption, has worsened over time: the Apps govern your mobile system.

Connection Analysis

Two applications are available that let you analyze data traffic (communication with servers: domain and IP address):

  1. PCAPdroid - a privacy-friendly app which lets you track and analyze the connections made by the other apps on your device.
  2. Rethink: DNS + Firewall + VPN - for the monitoring part, it keeps track of incoming and outgoing Internet traffic.

TEST

No informed consent enabled. Over time I have analyzed the application’s Internet traffic and I have blocked everything that does not concern the Edenred site/domain.

The servers and IP addresses can change over time so you should always monitor your data traffic.

At the time of writing, only tr-mobile.it.edenred.io (server responds from the United States) and sso.eu.edenred.io (server responds from the United States) are enabled.

Edenred Rethink

Internet traffic blocking [4] involves 21 domain rules and 43 IP rules.

MUMBLE, the last domain that was blocked became apparent when I searched for a partner establishment and the request was sent to the api.tripadvisor.com server.

Edenred Rethink
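
The allowlist check described in the test above, written out as an added example (it is not part of the original article or of any tool it mentions): it reads a connection log, keeps only the two hosts the article leaves enabled, and lists every other host the App contacted as a candidate block rule. The CSV column names, the `VENDOR_DOMAIN` label and every sample row other than the three hostnames quoted in the article are constructed assumptions.

```python
import csv
import io
from collections import Counter

# The only two hosts the article leaves enabled; everything else is blocked.
ALLOWED_HOSTS = {"tr-mobile.it.edenred.io", "sso.eu.edenred.io"}
# Assumption: vendor domain, used only to label blocked hosts in the report.
VENDOR_DOMAIN = "edenred.io"

# Constructed sample, not real capture data; column names are assumptions.
SAMPLE_CSV = """app,host
Ticket Restaurant,tr-mobile.it.edenred.io
Ticket Restaurant,SSO.eu.edenred.io.
Ticket Restaurant,api.tripadvisor.com
Ticket Restaurant,api.tripadvisor.com
Ticket Restaurant,metrics.example.net
Ticket Restaurant,edenred.io.example.net
Ticket Restaurant,notedenred.io
Ticket Restaurant,cdn.it.edenred.io
Other App,ads.example.org
"""

def normalize(host):
    """Lower-case and drop the trailing root dot so comparisons are exact."""
    return host.strip().lower().rstrip(".")

def under_domain(host, domain):
    """Match on a label boundary: 'a.edenred.io' yes, 'notedenred.io' no."""
    return host == domain or host.endswith("." + domain)

def audit(csv_text, app_name):
    """Count connections per host for one app, split into allowed/blocked."""
    allowed, blocked = Counter(), Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["app"] != app_name or not row["host"]:
            continue
        host = normalize(row["host"])
        (allowed if host in ALLOWED_HOSTS else blocked)[host] += 1
    return allowed, blocked

def report(blocked):
    """Label blocked hosts; vendor subdomains are reviewed, not auto-trusted."""
    return {h: "first-party, review" if under_domain(h, VENDOR_DOMAIN)
            else "third-party" for h in sorted(blocked)}

if __name__ == "__main__":
    ok, bad = audit(SAMPLE_CSV, "Ticket Restaurant")
    print("allowed:", dict(ok))
    for host, label in report(bad).items():
        print(f"block {host} ({bad[host]} connections): {label}")
```

Matching on a label boundary matters here: a plain substring or `endswith("edenred.io")` test would treat `notedenred.io` and `edenred.io.example.net` as vendor hosts.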

Conclusion

What emerges is a lack of protection of personal data, with no way out other than accepting to install an App because it provides a fundamental service (such as Ticket Restaurant), without forgetting that it runs on a phone whose profiling is in the hands of Google and the manufacturer of the mobile phone. These considerations also apply to Apple.

Users’ freedom of choice is weakened and in some cases lost, which limits their Digital Self-Determination by forcing them, without any alternative, to disclose their data just to be able to use the daily meal voucher service.

Obtaining greater protection requires a set of computer skills that not everyone has.

Being able to install and configure a Privacy Oriented operating system on your mobile phone is not for everyone, which makes protecting your data a privilege that few can implement.

A useless edifice has been built, taking working time away from other purposes and wasting energy resources on nonsensical management, because Ticket Restaurant vouchers have no reason to exist. The solution, a simple tax-free lunch allowance in the paycheck, is not something out of science fiction, since it is already used for some types of salary items.


  1. If we don’t spread awareness of tracking and create a moment to counter the arrogance of utility companies, data collection will continue endlessly.

  2. Source: Exodus, CC-BY-NC license.

  3. The analysis is performed only for Android applications, Google App Store.

  4. The data is not considered definitive and may vary over time and with App updates.