Deutsche Post DHL Group

Deutsche Post DHL Group receives the BigBrotherAward 2023 in the Consumer Protection category for their practices of digital coercion. Through changes in the operation of DHL’s parcel locker stations, they want to force customers to use a smartphone and the company’s Post & DHL App. The Post & DHL App sends data to tracking companies without asking for consent. This case of digital coercion particularly deserves a rebuke because this is a former state enterprise that excludes citizens from an important basic service.
Laudator:
Rena Tangens am Redner.innenpult der BigBrotherAwards 2021.
Rena Tangens, Digitalcourage

Dear award winner,

“unfortunately you were absent at the time of delivery.”
So now you are getting a public delivery instead.

The BigBrotherAward in the Consumer Protection category goes to Deutsche Post DHL Group1

1. because they changed the technical setting of their parcel lockers (“Packstationen”) in such a way that now it is no longer possible to collect your parcels without using a smartphone and the Post & DHL App.

2. because the Post & DHL App, without having been asked to do so, starts sending data to tracking companies straight after it has been started. That is illegal.

3. for trying to avoid obligations in the basic letter delivery service, for example by planning to replace post offices by machines, so-called “post stations” (“Poststationen”).

Do you remember the times when children were allowed to play outside unsupervised? Sometimes they played tricks: they rang random doorbells and ran away as fast as they could.

These children are now adults and currently work for DHL2.

Sometimes they don’t even bother to ring but immediately drop a card into your letter box telling you you were not present. Then there are several possibilities: the parcel has been handed over to a friendly neighbour. Or: the parcel goes to a post office where you have to pick it up during opening hours. Or it ends up at a DHL parcel locker. If you are lucky, it is the parcel locker at the supermarket round the corner. With bad luck it goes to one at the other end of town.

There’s no doubt about it – parcel lockers can be handy. You have to register for using them. Until recently they gave you a DHL service card. With this card, in combination with a PIN for the parcel, you could collect your parcel anytime 24/7.

It may come as a less pleasant surprise if you haven’t registered for the parcel locker at all, but your parcel has still been redirected there.

Especially if it happens to be the new type – the so-called “lean” parcel locker. Such a “lean” parcel locker is no longer operated via screen. Now you stand in front of it without a clue how you are supposed to get hold of your parcel.

Smartphone obligatory digital coercion!

“Lean” means that DHL can now not only do without a display but also without a card reader and an Internet connection. Technically that means your smartphone will have to establish a Bluetooth Low Energy connection to the parcel locker. And it has to use the Post & DHL App to connect to the main Post datacentre via mobile communication. Without a connection to the datacentre, such a new parcel locker is as thick as a brick and has no idea what is being kept for whom in which locker. Deutsche Post saves the expense for setting up parcel lockers with an Internet connection of their own and cheekily uses its customers’ smartphones.

Now what if the packing station happens to be in an area with poor mobile reception? Well, tough luck.3 And what if you don’t even own a smartphone? You do realise you can forget about collecting your parcels, don’t you? Without a smartphone you have lost your right to exist.

There are, however, good reasons for not having a smartphone. There are those who simply can’t afford one. Others may be too old to want to deal with the technology (but still like receiving parcels). And finally there are people with high technological affinity who, precisely because of their expert knowledge, refuse to constantly walk around with such a pocket spy.

No, dear Post & DHL: it is not at all okay to presuppose that every man and woman has to have a smartphone.

The Post & DHL App send first, ask later

Even for those who do own a smartphone there are good reasons for not wanting to install the “Post & DHL App”. For example, the fact that the Post & DHL App starts transmitting data as soon as it has been started.

IT security expert Mike Kuketz checked its behaviour and found out the following: the app establishes connections to Google Firebase (USA), Adobe Inc. (USA), the Adobe Experience Cloud4 (among others) and Google Firebase Remote Config (USA). In addition, there is Sentry5 and finally the “Google Firebase Analytics” Tracker.

Mind you, all that happens without your knowledge, even before you have interacted with the app in any way. Then – as you may have suspected – a cookie consent banner appears. The usual procedure starts – through manipulative design they try to trick you into selecting the red button that says “accept all”.

But even those who managed to select “confirm preferences” are by no means safe from further trackers. Another connection to Adobe is established and more data are provided for the purpose of measuring user behaviour.

Review of the App’s legality

Peter Hense, a lawyer, has checked the legal status of the Post & DHL App. He concludes that the European General Data Protection Regulation (GDPR) as well as the Telecommunications–Telemedia Data Protection Act (German abbreviation: TTDSG) are disregarded. After all, transmitting data to Google and Adobe, both based in the US, requires user consent.6 The Post & DHL App, however, starts transmitting data before the consent banner is even presented to the user. Just clicking “accept all” is not in fact sufficient for informed consent. This would require previous and clear information about the personal economical consequences that consent to the use of data for tracking may have. Deutsche Post does not provide such information. Thus there is no valid consent – and therefore any data processing on this basis is simply illegal. For such violations of applicable law the GDPR provides for considerable fines: 4% of DHL’s global turnover (€94 billion in 2022) is a sum in view of which even the executive board should actually develop an interest in data protection …7

Mike Kuketz informed Deutsche Post AG / DHL of the technical and legal analysis of the Post & DHL App. Judging by Deutsche Post AG’s answer, they do not see the point at all. In short: “Everything is fine, there is nothing to see, please move on.”

This formerly state-owned company assumes that, being a stock corporation, it can just ignore applicable law as it pleases – and takes itself to be entirely immune to criticism or prosecution.

It would, however, be perfectly possible to program parcel lockers in a privacy and consumer friendly way. We are wondering whether the less than adequate design of parcel lockers and of the app is the result of bad intentions or sheer ignorance. The question becomes more poignant once you know that Deutsche Post / DHL are currently laying off half the IT department in charge …

DHL saves time and money on IT and then wants to force us to install its crappy software.

Greenwashing yellow stains

Forcing customers to use smartphones and the Post & DHL App at the parcel lockers plus unauthorised data transmission to tracking companies alone would be worthy of a BigBrotherAward. On top of that, though, Deutsche Post / DHL deserves a special award in the “Hypocrisy” category.

The reasons they give for “lean” parcel lockers are, believe it or not, sustainability and protection of the environment and climate. Yeah, man – cool idea to put solar panels on top. They try to make people believe that parcel delivery, too, is climate protection – after all, DHL definitely emits less CO₂ by spawning off the parcels into the parcel lockers all at once rather than taking them to their respective destinations. CO₂ is, however, then emitted by customers who have to drive to the parcel lockers individually to pick up their parcels8. Overall, probably not a win for the climate. But a win for Deutsche Post DHL.

This BigBrotherAward is about the tendency to put surreptitious pressure on people to go along with surveillance structures: a login is required in one place, cash is no longer accepted in another, here you have to install an app, there you are denied access to service-related information unless you use a smartphone – or to service altogether. Those who don‘t comply are facing more and more difficulties in everyday life.

That is what we call “digital coercion”.9 10

Why are we giving Deutsche Post AG DHL, of all people, a BigBrotherAward for digital coercion?

Cutting down on basic service

This requires a little more context: on 1 January 1995, the privatised Post AG took over the letter service, until then owned and run by the state, and the associated obligations. That is: basic service for everyone, reliability, delivery to the smallest island in the North Sea.

In fact the letter service used to be the Post AG cash cow for years, they made a lot of money. Nevertheless they charged more and more for postage. We have reason to suspect that this served to cross-fund the parcel service in order to get rid of competitors by offering this service at low prices11 12. Deutsche Post DHL Group is now the leading company in logistics worldwide.

Now that the parcel service is booming and letters are often replaced by email, the letter service is no longer as profitable. During the postal strike earlier in 2023 Deutsche Post AG promptly threatened to simply get rid of the letter service this year. And in case of new negotiations, to rely exclusively on cheap subcontractors. A mail service that no longer delivers letters?!

The obligations of the Post AG are part of the Universal Postal Services Regulation (Post-Universaldienstleistungsverordnung). But these obligations have not been correctly fulfilled by Post AG for years. Long delivery times and poor quality in letter delivery and a lack of post office branches, especially in the country, have given rise to a constantly growing number of complaints to the Federal Network Agency (Bundesnetzagentur).13

Deutsche Post AG DHL, however, is not making an effort to improve the service. Instead they pretend those deficiencies do not exist and try to get rid of their duties. They demand changes in the laws concerning mail services and in the Universal Postal Services Regulation. According to them, longer delivery times for letters should simply be legalised. If letters do have to arrive the next day, we are supposed to pay extra for postage in future. The plan is to have additional machines, so-called post stations (“Poststationen”) take over the tasks of post offices – these will be pimped parcel lockers which also offer letter services.

These “post stations” are not fully accessible.14 The lockers are inaccessible to children, people of short stature and customers in wheelchairs. They will be hard to operate by blind people. Unlike post office branches, these lockers will not provide real staff on location for all those who require assistance. And finally, the post station machines will no longer accept cash. Thus you will no longer be able to buy a stamp without leaving electronic traces. Another case of digital coercion.

Post AG has slipped the current Social Democrat/Greens/Liberals coalition government the idea for the legal changes with little bits of sugar to make it suitably palatable for each party. Something to do with innovation for the Social Democrats, encouragement of competition for the Liberals and climate protection for the Green Party. We have reason to suspect imminent changes to the Postal Act this year for an increase in Deutsche Post DHL Group’s profit.

A warning to members of German parliament, the Federal Network Agency and those fighting for the climate in the Ministry of Economic Affairs: Don’t be deceived!

And stop the parcel lockers being changed into lockers where a smartphone and an app are indispensable. So far there are only about 2,000 new lockers, but about 10,000 old ones which could still work with service card and PIN – if the Post let them. In other words, it is not too late.

It is not a matter of one individual tracker, but a whole universe of permanent surveillance. Neither is it a matter of gaming gadgets only accessible via smartphone. But it is about basic needs that everyone has, like getting hold of a parcel that someone sent to me. It is not about the money charged for a single stamp but about the reckless attitude by which a company tries to privatise profit and leave the liabilities to the community. And finally it is about the tendency to subject people to surveillance everywhere and on the side during all their everyday activities.

Dear Deutsche Post AG DHL – you have been sent a notification of your BigBrotherAward. No, the BigBrotherAward will not be delivered to you – you will have to collect it. An app is not required for this purpose.

Jahr

Laudator.in

Rena Tangens am Redner.innenpult der BigBrotherAwards 2021.
Rena Tangens, Digitalcourage
Sources:

The laudator has provided sourced background information on the app, parcel lockers, the moves by Deutsche Post to reduce basic services and dilute the regulatory requirements, and other related topics. See the sources section on the German version of this page.

1 Deutsche Post is the German mail service, formerly a government agency and now privatised. DHL, originally a US company and acquired in 2002, is now Deutsche Post’s parcel division.

2 We would like to thank Ingo Börchers, who provided this piece of information in his satirical recapitulation of the year 2022 at the Bielefeld Theatre (Theater am Alten Markt) in December.

3 Yes, that is indeed what happens at times.

4 The analytics server is called smetrics.dhl.de and thus pretends to be located at DHL’s datacenter. But then it directs you to dhl.de.ssl.sc.omtrdc.net. Contrary to what you would expect at first glance, Deutsche Post is not where the data are captured and processed for analysis, but Adobe’s Experience Cloud. The domain omtrdc.net in fact belongs to Adobe.

5 Sentry: The tracker Google Analytics has been replaced by Sentry (https://sentry.io/), which is hosted under the domain “quality.dpdhl.com” by DHL themselves. As the name “quality” suggests, this is tracking. Not required for the app’s pure functionality.

6 The legal regulations for valid consent are given in § 25 TTDSG. Cf. the verdict by the European Court of Justice on 30/04/2014 – C-26/13, paragraph 71 – Kásler/OTP Jelzálogbank Zrt https://curia.europa.eu/juris/liste.jsf?language=en&num=C-26/13

7 For the particularly grave offences listed in the GDPR under article 83, paragraph 5, fines can be up to 20 million Euros or for an undertaking up to 4 per cent of the turnover achieved worldwide in the preceding financial year, depending on which sum is higher.

8 Yes, in towns the parcel locker density is high enough for people to collect their parcels on foot or by bicycle. But in the country the standard means of transport will be cars.

9 Digital coercion – introductory article: https://digitalcourage.de/digitalzwang

10 There are many examples of digital coercion. Digitalcourage collects reports in a “digital coercion reporting device“: https://civi.digitalcourage.de/digitalzwangmelder Yes, Digitalcourage also accepts reports via conventional mail :)

11 Cf. the experts‘ report by Justus Haucap and Christiane Kehler, 1/2016, for the Federal Association of Parcel and Express Logistics, BIEK: Unfairer Wettbewerb im Postmarkt. Deutsche Post AG/DHL: Quersubventionierung in den Paketmarkt, Marktbeherrschung und unzureichende Regulierung https://www.biek.de/download.html?getfile=148

12 This is what the expert in competition law, professor Haucap, says. Welt.de, 2 February, 2023, Birger Nicolai: Interview with Prof. Justus Haucap. https://www.welt.de/wirtschaft/plus243900307/Deutsche-Post-Ich-koennte-auf-den-Montag-als-Zustelltag-verzichten.html

13 Golem.de, 16 Dec 2022, Federal Ministry of Economic Affairs (Bundeswirtschaftsministerium): Briefzustellung an Packstationen könnte möglich werden. https://www.golem.de/news/bundeswirtschaftsministerium-briefzustellung-an-packstationen-koennte-moeglich-werden-2212-170560.html Quote: “In diesem Jahr zählte die Bundesnetzagentur schon mehr als 37.000 Beschwerden über die Brief- und Paketdienste, mehr als doppelt so viele wie im Vorjahr. Ein Großteil der Reklamationen bezieht sich auf die Briefzustellung der Post.” (“This year the Federal Network Agency received over 37,000 complaints concerning letter and parcel services, more than twice as many as last year. Many of these complaints refer to letter delivery by Deutsche Post.”

14 Lack of accessibility is criticised by the social organisation VdK. Cf. Logistik-Watchblog.de, 03/02/2020: Nicht barrierefrei: Sozialverband kritisiert Postautomaten.
https://www.logistik-watchblog.de/neuheiten/3830-barrierefrei-sozialverband-kritisiert-postautomaten.html

About BigBrotherAwards

In a compelling, entertaining and accessible format, we present these negative awards to companies, organisations, and politicians. The BigBrotherAwards highlight privacy and data protection offenders in business and politics, or as the French paper Le Monde once put it, they are the “Oscars for data leeches”.

Organised by (among others):

BigBrother Awards International (Logo)

BigBrotherAwards International

The BigBrotherAwards are an international project: Questionable practices have been decorated with these awards in 19 countries so far.