Messages.app Violates Tracking Number Privacy
Today I received a shipment notification via text message to my phone number from a company unrelated to Apple. The shipped product was not ordered with my iPhone, and in fact the product manufacturer doesn’t even know that I own any Apple devices. The message included a US Postal Service tracking number. Messages app on my iPhone transformed the tracking number into a link. When I pressed down on the link to reveal the URL, I was surprised by it:
https://trackingshipment.apple.com/?Company=USPS&Locale=&TrackingNumber=
My tracking number, which I won’t post here, was appended to the URL. If I had tapped on the link generated by Messages app, it would have sent my tracking number not to the US Postal Service but to Apple!
As he says, “Apple considers itself implicitly trustworthy,” so there are all these specific examples of violations that it just doesn’t count. But when it comes to others, Apple will assume the worst intentions and make the least charitable reading. For example, it makes broad public statements like, “The DMA has failed to live up to its promises, delivering less security, less privacy, and a worse experience.” And most people seem to unquestioningly believe these claims, just as they assume that App Review can and does reliably provide critical protection. (The reality is that it’s not possible for it to ensure privacy in accordance with the nutrition labels, and they don’t even check that the basic functionality works.) When an Apple-funded study suggests that one potential benefit of EU legislation might not have come to pass, Apple says that’s failing to live up to its promises. But when Apple breaks a specific privacy-related promise, it just memory holes it.
There’s good privacy work being done, but it’s gotten so bound up with marketing and anti-antitrust weaponization. For example, the recent watch Wi-Fi story got presented as: Apple is removing a useful feature because the EU was going to force Apple to give your private information to data brokers. Now, it seems, the actual story is that Apple is now asking for consent (i.e. no longer self-preferencing) and has created a secure API to provide the functionality while preserving privacy. This sounds like something to celebrate, but because privacy has become a cudgel it has to be badmouthed and obscured. For a while, sprinkling the word “privacy” everywhere gave the impression that they really care about privacy. But somewhere along the line, it’s started to seem more like a Get Out of Jail Free card. So, for me, the bit has been flipped, and whenever I see that word I’m on alert to see whether a specific claim is being made and whether it actually makes sense.
Previously:
- Apple-Funded Study on EU Alternative App Store Business Terms
- White Label Gemini on Private Cloud Compute
- iOS 26.2 to Remove iPhone–Apple Watch Wi-Fi Sync in EU
- AirPods Live Translation Expands to the EU
- Europe vs. App Tracking Transparency
- Apple’s Thoughts on the DMA
- French Siri Spying Lawsuit
- Apple Memory Holes OCSP Preference
2 Comments
I don't think anyone should take any of Apple's privacy claims seriously at this point.
Regrettably, it seems that Apple’s executive team has become as bad as so many politicians: they lie, steal, cheat and appeal their way to riches, caring nothing for who they hurt or even that they’re lying. To these sorts of people, the ends always justify the means. They should be shamed into changing, but they have no shame to even feel. The only carrot or stick to them is money.