Messages.app Violates Tracking Number Privacy
Today I received a shipment notification via text message to my phone number from a company unrelated to Apple. The shipped product was not ordered with my iPhone, and in fact the product manufacturer doesn’t even know that I own any Apple devices. The message included a US Postal Service tracking number. Messages app on my iPhone transformed the tracking number into a link. When I pressed down on the link to reveal the URL, I was surprised by it:
https://trackingshipment.apple.com/?Company=USPS&Locale=&TrackingNumber=
My tracking number, which I won’t post here, was appended to the URL. If I had tapped on the link generated by Messages app, it would have sent my tracking number not to the US Postal Service but to Apple!
As he says, “Apple considers itself implicitly trustworthy,” so there are all these specific examples of violations that it just doesn’t count. But when it comes to others, Apple will assume the worst intentions and make the least charitable reading. For example, it makes broad public statements like, “The DMA has failed to live up to its promises, delivering less security, less privacy, and a worse experience.” And most people seem to unquestioningly believe these claims, just as they assume that App Review can and does reliably provide critical protection. (The reality is that it’s not possible for it to ensure privacy in accordance with the nutrition labels, and they don’t even check that the basic functionality works.) When an Apple-funded study suggests that one potential benefit of EU legislation might not have come to pass, Apple says that’s failing to live up to its promises. But when Apple breaks a specific privacy-related promise, it just memory holes it.
There’s good privacy work being done, but it’s gotten so bound up with marketing and anti-antitrust weaponization. For example, the recent watch Wi-Fi story got presented as: Apple is removing a useful feature because the EU was going to force Apple to give your private information to data brokers. Now, it seems, the actual story is that Apple is now asking for consent (i.e. no longer self-preferencing) and has created a secure API to provide the functionality while preserving privacy. This sounds like something to celebrate, but because privacy has become a cudgel it has to be badmouthed and obscured. For a while, sprinkling the word “privacy” everywhere gave the impression that they really care about privacy. But somewhere along the line, it’s started to seem more like a Get Out of Jail Free card. So, for me, the bit has been flipped, and whenever I see that word I’m on alert to see whether a specific claim is being made and whether it actually makes sense.
Previously:
- Apple-Funded Study on EU Alternative App Store Business Terms
- White Label Gemini on Private Cloud Compute
- iOS 26.2 to Remove iPhone–Apple Watch Wi-Fi Sync in EU
- AirPods Live Translation Expands to the EU
- Europe vs. App Tracking Transparency
- Evolution of Apple Security Bounty Program
- Apple’s Thoughts on the DMA
- French Siri Spying Lawsuit
- Tea and the App Store
- Apple Memory Holes OCSP Preference
Update (2025-11-14): I’ve been discussing this with Ivan Pavlov, developer of the excellent Parcel app, who doesn’t think there’s anything to be worried about. Perhaps he’s right, but I don’t see why one should bet against the data being useful when it seems like more private designs could work just fine. He says this was introduced in iOS 6, i.e. before Apple announced that new features would be reviewed by the privacy team, but I still think it contributes to reducing trust in the overall privacy initiative.
Nick Heer notes that the shipment tracking is really part of Apple Data Detectors rather than being specific to the Messages app.
What is interesting to me is that the trackingshipment URL already contains the shipping company when it is created by the data detector. That is, Apple’s web-side service is not used to determine which courier this number corresponds to. It is only performing a straight redirect.
This suggests that much of the logic is already client-side, so the lookup could be made more privacy preserving simply by looking up a URL template for the appropriate company on demand. There’s no need to download and cache elaborate conversion logic that could become outdated.
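As an added illustration (not code from this post, from Apple, or from any commenter), the following contrasts the redirect design described above with the on-demand carrier-template lookup proposed here, and shows which host receives the tracking number under each. The USPS URL template, the carrier regex and the sample SMS are assumptions constructed for the example.

```python
"""Added example: redirect-host link vs. client-side carrier template.
The USPS template, carrier regex and sample SMS below are constructed
assumptions, not values taken from the post."""
import re
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample message; the tracking number is made up.
SAMPLE_SMS = "Your order shipped via USPS. Tracking: 9400 1000 0000 0000 0000 00"

# Client-side carrier detection: the post notes the data detector already
# knows the carrier (Company=USPS) when it builds the link.
CARRIER_PATTERNS = {"USPS": re.compile(r"\bUSPS\b", re.IGNORECASE)}

# Per-carrier URL templates that a client could fetch on demand instead of
# routing the number through a redirect host (assumed format for this example).
CARRIER_TEMPLATES = {
    "USPS": "https://tools.usps.com/go/TrackConfirmAction?tLabels={number}",
}
REDIRECT_HOST = "https://trackingshipment.apple.com/"

def extract_tracking(text):
    """Pull a 20-22 digit tracking number, tolerating spaces or dashes."""
    m = re.search(r"\b(?:\d[ -]?){20,22}\b", text)
    return re.sub(r"[ -]", "", m.group(0)) if m else None

def detect_carrier(text):
    for name, pattern in CARRIER_PATTERNS.items():
        if pattern.search(text):
            return name
    return None

def redirect_link(carrier, number):
    # Design as observed in the post: the carrier is already known on the
    # client, yet the number is placed in the redirect host's query string.
    query = urlencode({"Company": carrier, "Locale": "", "TrackingNumber": number})
    return f"{REDIRECT_HOST}?{query}"

def direct_link(carrier, number):
    # Proposed design: fill the carrier's own template locally, so tapping the
    # link sends the number only to the carrier.
    return CARRIER_TEMPLATES[carrier].format(number=number)

def disclosed_to(url):
    """Return (host, tracking number) that tapping this link would reveal."""
    parsed = urlparse(url)
    params = parse_qs(parsed.query)
    number = (params.get("TrackingNumber") or params.get("tLabels") or [None])[0]
    return parsed.hostname, number
```

Running `disclosed_to` over both link builders for the same SMS makes the difference concrete: identical client-side knowledge, but the identifier reaches a different host.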
As far as Apple is concerned they can do more or less whatever they want as long as it never leaves Apple themselves. Because they are obviously implicitly trustworthy.
Even the great privacy work they do relies on you just trusting your phone actually does what they say. Because it’s locked down so much you have no control over anything to prevent it if it didn’t.
I don't think anyone should take any of Apple's privacy claims seriously at this point.
Regrettably, it seems that Apple’s executive team has become as bad as so many politicians: they lie, steal, cheat and appeal their way to riches, caring nothing for who they hurt or even that they’re lying. To these sort of people, the ends always justify the means. They should be shamed into changing, but they have no shame to even feel. The only carrot or stick to them is money.
Nice use of memory hole. This is what I’ve been saying, they are full on newspeak. Privacy is another one of the words.
2019's Siri eavesdropping scandal is when I internalized that marketing was a higher priority than privacy at Apple. https://en.wikipedia.org/wiki/Siri#Privacy_controversy
I also remember the 2018 GDPR claim that they have almost no data that they can link to an individual user to be a stretch. I let it slide then as a relatively benign marketing gimmick.
When I used a Mac I was continuously bothered by its OCSP app launch tracking. It's disgusting that any company would know which apps and scripts I launch when, even if they really never ever look at it.
Marketing impinging on security, as seen with their bug bounty program, is also insanely shady. There's great privacy and security stuff going at Apple but at the end of the day marketing/communication trumps every other discipline, making Apple unreliable and untrustworthy.
@Alexandre Yeah, just to repeat this again because people seem to misremember: the initial situation was that Apple shared private audio recordings with subcontractors. Customers were not aware of this and had no way to opt out. More than a year later, they added opt out in a dark pattern sort of way.
Seems like a nothingburger with a side of conspiracy.
I get the suspicion but aren’t these generally unfounded suspicions of Apple spying on users somewhat disproven by the lack of actual consequences or effects on real users? I mean, especially in comparison to the advertising giant everyone uses and ignores.
What’s Apple’s interest in tracking its users with this information? Follow the money. And SMS from some third party — is Apple getting the blame for that, too?
There are two ways to handle package tracking number lookup URLs -
1. Everyone gets on their phone a constantly-updated list of tracking numbers to website conversions (what happens when a tracking website changes? How long before everyone gets updates? Security vs. convenience/avoiding broken links)
2. Do conversion on a central website (and can do it privately by not tracking the IP address the request is coming from, say, via Private Relay)
So this perhaps is similar to the blocking of malicious programs — devices phone home to get the latest at time of use because it’s more accurate.
@Someone else I don’t think anyone’s claiming that Apple is secretly trying to spy on tracking info. Rather, the story is that this is a sloppy design and that the company that constantly talks about privacy and uses it as questionable justification to advance its business interests doesn’t actually walk the walk itself. Nobody else can write an app that accesses SMS or notifications because Apple can’t guarantee that the information would remain on the device, yet Apple’s own feature unnecessarily sends it off device to their own server. Why should Apple get the benefit of the doubt (that they are receiving the data but don’t actually want it) when they don’t extend that charity to anyone else?
1. could probably even be simpler and do a live lookup without caching.
> And SMS from some third party — is Apple getting the blame for that, too?
Huh? This response appears nonsensical. The SMS was from the manufacturer of the product, providing me with a tracking number for the order. There's nothing to "blame" about that.
The Apple Messages app transformed the purely textual tracking number into an apple.com link. That's the problem.
> There are two ways to handle package tracking number lookup URLs
I think you misunderstand the situation. The Messages app data detectors already detected the mention of USPS in the SMS and put Company=USPS in the apple.com link. What Messages could have done instead is get the usps.com tracking link format, without sending my tracking number to Apple.
@Michael, so we’re talking architecture and hypotheticals of privacy violations and risks. Sure, but let’s also judge by actions. Apple has stated they don’t want to track people and make efforts to avoid it.
Are folks questioning/criticizing their choice of architecture only? You might be but seems to me like some other people are also questioning their motives, and conflating the two
@Jeff, that’s option #1 I described above.
You could also copy the number and enter it into Google, which will unfurl/unroll it for you just like Apple did, exposing your tracking number to an advertising company.
Or go manually paste it into the USPS site.
I am guessing that worldwide, shipping companies change their URLs often enough that Apple’s current choice (#2) is somewhat better to users and/or to Apple re: providing better service, and not for nefarious uses.
@Someone else I don’t understand. You say to judge by actions, but then you repeat the words. The point is that they don’t match. Jeff is describing a design that avoids the downsides of both your #1 and #2. And, anyway, what makes you think that the URL formats are changing all the time? Why would they do that?
> @Jeff, that’s option #1 I described above.
I don't know why there would need to be a constantly updated list, as opposed to just fetching the list when it's needed, when Messages needs to replace a tracking # with a URL.
> I am guessing that worldwide, shipping companies change their URLs often enough that Apple’s current choice (#2) is somewhat better to users
I don't know why in the world you believe this or what evidence you have for it.
More broadly, at this point I can only trust tech companies that speak about privacy when they demonstrate that their service or product, whatever it is, *couldn't* be violating user privacy. That is, they can show that they are not collecting the data that could be used to violate your privacy in the first place. This can take many forms, from releasing source code to being transparent about their architecture to use of end-to-end encryption. But if they don't demonstrate this somehow, I don't trust them, regardless of what they say.
There have been too many examples at this point of companies that start out with privacy as a "core value" that go public, get bought out, or just can't resist the lure of the proverbial "one ring" of the tech world, and then sell out their users.
As has been pointed out in this very thread, there have been multiple cases of Apple's architecture being designed in such a way that it could be used to collect data. This issue with tracking info is just one example.
And Apple, as we know, has been reversing their earlier user friendly policies for ones that are user hostile, and each year this trend continues. A decade ago it would've seemed ridiculous for Apple to litter their apps with ads, because they were the premium tech company that cared about UX. Not so any more.
Each year they have to turn a bigger profit than the previous year, otherwise it upsets their investors and their stock price will start to collapse. At some point their relentless drive to monetize services will see diminishing returns, and enshittifying their platforms will result in decreasing hardware sales. At that point, they'll need *something* they can use to drive more profit. And of course it'll be the next phase of enshittification: selling out their users. They're sitting on a treasure trove of user data, and they could make billions selling it. The fact that their OS and services already have the architecture in place to do this, whenever they decide to, and assuming they haven't already, pretty much guarantees they will. There is no reason to trust them, and every reason to suspect them.
@Michael, Jeff,
I didn’t read your reply closely enough:
> The Messages app data detectors already detected the mention of USPS in the SMS and put Company=USPS in the apple.com link. What Messages could have done instead is get the usps.com tracking link format, without sending my tracking number to Apple.
Yes, that would make sense. Cache but check for a new url format for a shipping service every time. Slower — more trips — but yeah, that’d be fine/better, if we don’t trust Apple.
Back to my original point — so why do we think Apple is tracking us? Or is it sold about architecting maximum privacy into the service itself?
If it’s the latter, I think it’s totally valid to question it.
Ultimately, I don’t know if Apple keeps requesters’ IP addresses — or if it’s just a redirect and they toss or don’t record that IP address. They’d probably have us believe they do the latter, but short of a subpoena, how would we ever know? (And so the obvious next question is: has it ever come up in investigations? If not, then that’s a clue.)
Apple’s data detectors have been around for what, 20 years or more? So this very well might have been built before their more recent focus on privacy and encryption. Or for all we know, they could be doing some IP remixing à la Private Relay (as these are web calls).
@Someone else It’s about architecting maximum privacy. As I said in the update, this was apparently added in iOS 6, so long after data detectors (which preceded Mac OS X) but before the big public privacy push and Private Relay.