{"id":50041,"date":"2025-11-13T18:06:46","date_gmt":"2025-11-13T23:06:46","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=50041"},"modified":"2025-11-26T15:23:31","modified_gmt":"2025-11-26T20:23:31","slug":"messages-app-violates-tracking-number-privacy","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2025\/11\/13\/messages-app-violates-tracking-number-privacy\/","title":{"rendered":"Messages.app Violates Tracking Number Privacy"},"content":{"rendered":"

Jeff Johnson<\/a>:<\/p>\n

\n

Today I received a shipment notification via text message to my phone number from a company unrelated to Apple. The shipped product was not ordered with my iPhone, and in fact the product manufacturer doesn’t even know that I own any Apple devices. The message included a US Postal Service tracking number. Messages app on my iPhone transformed the tracking number into a link. When I pressed down on the link to reveal the URL, I was surprised by it:<\/p>\n

https:\/\/trackingshipment.apple.com\/?Company=USPS&Locale=&TrackingNumber=<\/code><\/blockquote>\n

My tracking number, which I won’t post here, was appended to the URL. If I had tapped on the link generated by Messages app, it would have sent my tracking number not to the US Postal Service but to Apple!<\/p>\n<\/blockquote>\n

As he says, “Apple considers itself implicitly trustworthy,” so there are all these specific examples of violations that it just doesn’t count. But when it comes to others<\/em>, Apple will assume the worst intentions and make the least charitable reading. For example, it makes broad public statements<\/a> like, “The DMA has failed to live up to its promises, delivering less security, less privacy, and a worse experience.” And most people seem to unquestioningly believe these claims, just as they assume that App Review can and does reliably provide critical protection. (The reality is that it’s not possible for it to ensure privacy in accordance with the nutrition labels<\/a>, and they don’t even check that the basic functionality works.) When an Apple-funded study suggests that one potential benefit of EU legislation might not have come to pass, Apple says that’s failing to live up to its promises. But when Apple breaks a specific privacy-related promise, it just memory holes it<\/a>.<\/p>\n

There’s good privacy work being done, but it’s gotten so bound up with marketing and anti-antitrust weaponization. For example, the recent watch Wi-Fi story got presented as: Apple is removing a useful feature because the EU was going to force Apple to give your private information to data brokers. Now, it seems, the actual story is that Apple is now asking for consent (i.e. no longer self-preferencing) and has created a secure API to provide the functionality while preserving privacy. This sounds like something to celebrate, but because privacy has become a cudgel it has to be badmouthed and obscured. For a while, sprinkling the word “privacy” everywhere gave the impression that they really care about privacy<\/em>. But somewhere along the line, it’s started to seem more like a Get Out of Jail Free card. So, for me, the bit has been flipped, and whenever I see that word I’m on alert to see whether a specific claim is being made and whether it actually makes sense.<\/p>\n\n

Previously:<\/p>\n