Apple Data Detectors Reroute Parcel Tracking Through an Apple Web Service ⇥ lapcatsoftware.com

Jeff Johnson:

Today I received a shipment notification via text message to my phone number from a company unrelated to Apple. The shipped product was not ordered with my iPhone, and in fact the product manufacturer doesn’t even know that I own any Apple devices. The message included a US Postal Service tracking number. Messages app on my iPhone transformed the tracking number into a link. When I pressed down on the link to reveal the URL, I was surprised by it:

https://trackingshipment.apple.com/ ?Company=USPS&Locale=&TrackingNumber=

[…]

[…] Apple has inserted itself where it doesn’t belong with this Messages “feature,” or misfeature. Why does Apple want to send itself our tracking numbers? Apple tracking is the opposite of privacy!

Apps throughout Apple’s operating systems can support different data detectors to automatically identify things like phone numbers, flight numbers, and shipment numbers. The latter are, indeed, rerouted through that trackingshipment.apple.com website; I have found this to be the case in first-party apps like Messages and Notes, as well as third-party apps, like MarsEdit, with support for data detectors.

A curl request to that endpoint on a sample parcel number reveals no explicit tracking scripts or methods are used:

curl "https://trackingshipment.apple.com/?
Company=Ontrac&Locale=
&TrackingNumber=ANUMBERIFOUNDONTHEWEB"

<HTML><HEAD><TITLE>Found</TITLE></HEAD><BODY>
<H1>Found</H1>This document has moved 
<a href="https://www.ontrac.com/tracking/?
number=ANUMBERIFOUNDONTHEWEB">here</a>. 
</BODY></HTML>%         

What is interesting to me is that the trackingshipment URL already contains the shipping company when it is created by the data detector. That is, Apple’s web-side service is not used to determine which courier this number corresponds to. It is only performing a straight redirect. My guess about why it is set up like this is so Apple can push minor changes to the web service if a courier changes their parcel tracking URL format instead of shipping it in the next operating system update.

It is, however, entirely possible Apple is retaining server logs with identifying parcel tracking information. As Johnson writes, this is not a claim that Apple is misusing this data, only that it is possible.

Michael Tsai:

As he says, “Apple considers itself implicitly trustworthy,” so there are all these specific examples of violations that it just doesn’t count. But when it comes to others, Apple will assume the worst intentions and make the least charitable reading. […]

This is one of the glaring problems with leaving privacy governance up to self-interested corporations. I have no reason to believe Apple is doing anything wrong with this information. If I were designing this data detector, I would probably do it in a similar way. But because everything you do within Apple’s platforms could be governed by the company’s broad privacy policy, it has wider latitude than any individual developer.

Update: Johnson in a reply on Mastodon posits a smarter and more privacy-sensitive approach. (And goes to show why I am not designing data detectors; see above.)