TIL if you track a package on ups.com, it will send your full tracking link including the tracking number to both Google and Facebook.

This is just "normal".

Use an ad-blocker, folks.

A cursory look later, your tracking number (along with the fact that you checked it on ups.com) is sent to at least:

* omtrdc.net (Adobe)
* company-target.com (Demandbase)
* doubleclick.net (Google advertising)
* google-analytics.com
* facebook.com
* qualtrics.com
* adsrvr.org (theTradeDesk ad network)
* techlab-cdn.com (Ericsson tracker)
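
The check described in the post above can be repeated against any capture of a page's network requests. This is an added example, not part of the original thread: the tracking number, URL shapes and request records are constructed, and only the host names come from the list above.

```javascript
// Added example. Sample data is constructed; only host names come from the thread.
const TRACKING = "1ZEXAMPLE000000000"; // constructed placeholder, not a real number
const PAGE = "https://www.ups.com/track?tracknum=" + TRACKING; // assumed URL shape

const sampleEntries = [ // HAR-like records: url, optional request headers and body
  { url: PAGE },
  { url: "https://www.google-analytics.com/collect?dl=" + encodeURIComponent(PAGE) },
  { url: "https://www.facebook.com/tr?ev=PageView", headers: { referer: PAGE } },
  { url: "https://sync.adsrvr.org/event",
    body: "p=" + Buffer.from(PAGE).toString("base64") },
  { url: "https://static.ups.com/app.js", headers: { referer: PAGE } },
  { url: "https://cdn.example.net/font.woff2",
    headers: { referer: "https://www.ups.com/" } },
];

// Naive "same site" test on the last two host labels (assumption: a real audit
// would use the Public Suffix List instead).
const site = (u) => new URL(u).hostname.split(".").slice(-2).join(".");

// Return the text plus its percent-decoded and base64-decoded forms, so an
// identifier nested inside an encoded page URL is still found.
function expand(text) {
  const forms = new Set([text]);
  let cur = text;
  for (let i = 0; i < 3; i++) {
    try { cur = decodeURIComponent(cur); } catch { break; }
    forms.add(cur);
  }
  for (const tok of cur.match(/[A-Za-z0-9+/_-]{16,}={0,2}/g) || []) {
    forms.add(Buffer.from(tok, "base64").toString("latin1"));
  }
  return [...forms];
}

function findLeaks(entries, pageUrl, secret) {
  const leaks = [];
  for (const e of entries) {
    if (site(e.url) === site(pageUrl)) continue; // first-party request
    const fields = { url: e.url, referer: e.headers?.referer || "", body: e.body || "" };
    for (const [where, text] of Object.entries(fields)) {
      if (expand(text).some((v) => v.includes(secret))) {
        leaks.push({ host: new URL(e.url).hostname, where });
      }
    }
  }
  return leaks;
}

console.log(findLeaks(sampleEntries, PAGE, TRACKING));
```

Site operators can run the same check in CI against a HAR export of any page whose URL carries a customer identifier.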

@ojensen
So my immediate reaction is what the actual fuck. I would feel a lot better if someone had a good explanation for this.... But I have a feeling they may not....
@RedOct @ojensen There isn't a good explanation but I doubt they track only UPS links (nor for the purpose of getting your tracking ID) you visited but rather for every single website with their trackers, so it's sort of like they have access to your browser history in full detail (which is very convenient for targeted advertising).
There is a non-negligible chance they don't even parse this link to wait for your mail together, it's useless data by itself.
@coffeeaddict @ojensen
At this point I'm just thankful I found out about privacy badger years ago and have had it turned on ever since. I've always blocked third party trackers through Firefox, but I recently got Ublock, and I've just added a pihole to my home network. Also have a VPN on my phone usually running (Android Auto of course isn't compatible with VPN)

It's infuriating that I need to go to such lengths to keep people from making money off of me without paying me for my data.

Sorry for the rant, and thank you for the comment.
@RedOct for what it's worth, uBlock Origin is not the same thing as Ublock. If this is news to you, it's worth making sure you have the former rather than the latter.
@ojensen
I appreciate the clarification! Luckily for me I was just being lazy and not typing the whole thing
😬

@ojensen

Ericsson has trackers embedded in their CDN? Fuck that. Now I have to start blacklisting CDNs? Dammit.

@WarmasterPalak I don't know this for a fact, I'm basing this assumption entirely on results I found when I threw that domain into a search engine.

@ojensen Considering that one of the most basic features of website visitor analytics is to tell you which pages & urls on your site are being visited... this isn't surprising.

But I do wish sites would encrypt URL parameters more often. It's awful when personal info like email address, mailing address etc, show up in the url.

But all that is old news. Many analytics also track what you type. So if you briefly mistype your password in the username field... 😳

@syntaxseed absolutely. I'm not trying to make the point here that UPS' behavior is "evil", rather that even giving them every benefit of the doubt, their failure at protecting data is staggering.

Like when the college board was found to be sending everyone's SAT scores to Facebook in a very similar manner, and wrongly denied it because they legit didn't know they were doing it. At some point I don't care if it's malice or just incompetence: the effect on others is the same.

@ojensen Omg 100%! The level of (willful) ignorance is such that I wonder if it's used as a shield/excuse.

But Google, FB & all, make it utterly idiot proof to add these incredibly powerful analytics tools to a site so the companies using them are never forced to really think about it.

It usually boils down to "marketing wants to track their ad campaign. Add this snippet." And no one thinks twice.

I keep tripping up my clients when I point out its impact on their privacy policy. 😵‍💫

@ojensen Imagine the embarrassment if Facebook decided to openly use this for advertising: "your friend ABC is expecting a parcel from XXXShop. Check out their latest special offers: …"

@ojensen @glennf

What if the tracking is done from a ups corporate client?

@ojensen they couldn’t be bothered to do it server-side?
@lorewanderer @ojensen Why pay for network when it can be offloaded to the user?!

@gr8ape @lorewanderer @ojensen The client is logged into Facebook, i.e., has cookies in the facebook.com domain that are transmitted to Facebook along with the tracking number. Having the js trigger the http request from the client’s browser is how Facebook connects the package to your other data. This can’t be done from the backend.

This is why web browsers are a privacy nightmare

@jamiemccarthy @gr8ape @lorewanderer @ojensen In Firefox, third-party cookies are stored per actually visited site. So, if you're visiting the UPS site, then it can't send cookies of your (normal) visit to Facebook, they are isolated from each other.
@mrotteveel @jamiemccarthy @gr8ape @lorewanderer @ojensen According to the 'user-agent' in the first screenshot, this is Firefox?
@ives @jamiemccarthy @gr8ape @lorewanderer @ojensen I was specifically addressing the point that facebook cookies are transmitted, and that is not the case in Firefox (or at least, if they exist, those cookies are specific to the UPS site visits, and not your normal Facebook visits)
@mrotteveel @jamiemccarthy @gr8ape @lorewanderer @ojensen Thx for clarifying. So the cookie won't have your FB login. But the page URL, with tracking nr, is sent to FB.
Somehow I suspect that even without the actual login, they'll still link that info with your account.

@ives given that it comes from your IP address, which is the same IP address you use to access Facebook, in many cases yes (though of course you share an IP address with everyone on your local network).

There are also other more convoluted methods of attempting identification with varying tradeoffs in terms of accuracy and complexity.

@ives @mrotteveel @jamiemccarthy @gr8ape @lorewanderer what Mark is saying is that Facebook can't simply use my Facebook cookie to determine my identity -- you'll notice there's no cookie header in the request. So they'll need to rely on less straightforward and possibly less accurate means (eg my IP address) to associate the data with me, Oliver Jensen.
Introducing Total Cookie Protection in Standard Mode | Firefox Help

Firefox users now have access to Total Cookie Protection by default. Find all you need to know about it in this article.

@lorewanderer @ojensen They're not *trying* to give the data to FB, etc. They're embedding social media and analytics widgets, and those widgets in turn embed malware from the companies providing them.

@lorewanderer @ojensen

Server-to-server tracking is a trend now -- sites and apps can send events over Facebook CAPI (which doesn't go through the client so your privacy tools don't see or filter it). Good example of why you need a full stack of privacy tools+laws+regulations, no one software install is total protection.

https://themarkup.org/pixel-hunt/2023/08/02/help-us-investigate-surveillance-marketing-using-facebook-data


@ojensen - which explains why you'll sometimes get phishing emails & text messages about packages at the exact time when you're expecting a package, making you extra-susceptible to get taken.

Not a hypothetical; this happened to a (very tech savvy but also very busy) friend of mine & the timing & correct (fake) sender was the only reason it worked on him.

Apparently, perpetrators of scams like that can simply buy the necessary information from Google or Facebook.

Great.

@jwcph @ojensen these companies deciding that scams are fine as long as the scammers pay them sure has been something. Anything to extract a tiny bit of additional wealth.

@ojensen

And I guess the tracking page contains your name and/or full address?

That would be totally illegal in Europe (UPS ships in European countries, as well).

@devnull It does not -- it only shows very limited information, assuming you're not logged in with a verified MyChoice account.

That being said, they do make additional information publicly accessible via their API. See https://hachyderm.io/@ojensen/111738042974115557


@ojensen I asked because some companies do show this info on their pages, even if you're not logged in. Chronopost has a "recipient name:" comment in the last step of delivery, with the name of the recipient in it.

And many companies, including DPD show the full details in the "modify the shipping address/date" page, which isn't necessarily accessible only to authenticated users. Often, tracking number and recipient zip code are enough to access such page.

@devnull I had a quick look at the responses UPS provides to anonymous requests.

Some senders may include who they are. Even if they do not, you get a "sender code" which is a few random chars uniquely identifying the sender.

It does not show the source address or destination address, but it does have some pretty interesting data. Here's a mildly redacted version of mine: https://0x3c.net/Eg2VQ/json

I'll post another one once it arrives to see if any additional data is available.

@devnull here's the updated version now that it has been delivered: http://0x3c.net/MLMRv/json

Not much new in there, other than a link to a photo of my front door.

@ojensen All of that is sent to google/facebook/adobe/whatever through their trackers, including the photo? 🤔

@devnull Not directly, but effectively yes: the tracking number is sent to those parties, and the UPS API will respond with all of that data to anyone with the tracking number. The data includes a link to the "proof of delivery" page which has the photo.

The photo itself is gated behind the most comically shitty "security" check I've seen in a while: they challenge you for the destination postal code, while displaying the destination city on the very. same. page.

@ojensen … 🙄🤦‍♂️

It's like changing the delivery address/date. If you have the tracking number, you can get the destination postal code from the tracking page… Then you can use the tracking number along with the destination postal code to change the shipping address.

On some companies' websites, the "proof" on delivery is just a signature, no matter whose signature. I'd suggest people not to use their real name as signature since it's often "protected" by the destination postal code… 😤

@ojensen Went to a bank website yesterday, was having issues with loading so I thought to check my tracker blocker in case it was blocking something vital ... there was a Facebook tracker there, too. This was AFTER logging in.

@Lironah oof - did you check what data it was sending?

[[for others stumbling across this thread: the reason that Joan's observation is awful -- REGARDLESS of the answer to my question above -- is because from a technical standpoint it puts the decision of what to send under Facebook's control. FB could easily push a silent update to say "also send me the name, account number, routing number, and bank balance", and then silently remove it again before anyone could see it happened]]

@ojensen I didn't look, no. Hopefully Privacy Badger squished it sufficiently that they didn't get anything.

This was Chase Bank, to name and shame properly.

@ojensen

"Your package delivery from Dildokiller2000 has been automatically shared with your friends."

@logorok So this raises an interesting question about what data can be accessed with a tracking number. If you go to ups.com, it will show you the origin, current location, arrival time, and optionally the sender, gating any other information behind a (verified) UPS MyChoice account.

BUT they make a lot more data available via their APIs. For example, if you throw your UPS tracking number into your favorite search engine, you get a lot of detail supposedly gated behind such a verified account.

@ojensen can these tracker apis be ddos'd? just curious, purely hypothetical
@mcjevans I doubt it. Pictured are literally Google and Facebook. A pretty significant fraction of the entire global population uses them regularly.
@ojensen I'm basically a tech potato, so what I'm going to say might be ridiculous. Sorry in advance. I live in the EU, so I usually have a lot of screens asking me consent on cookies, and I usually disable them all. Does this prevent this kind of behavior?

@CiaobyDany my understanding is that GDPR is designed to prevent this kind of behavior. So, "in theory, yes; in practice, maybe". American companies do tend to have... creative... ways of interpreting GDPR.

A far more reliable prevention is just to install Ublock Origin.

@ojensen This is why if you use Gmail and you get a tracking on an order you made you can click on the Track Package option within Gmail to take you to the tracking page. So you'd have to give up Gmail if you use it. Even if using AdBlocker while using Gmail it can still track it just from your inbox regardless.
@ojensen @faoluin fuck, they do all this and then they still 403 themselves on their API when I try to look up my tracking number while logged into the UPS account for the address it's being sent to, the account they literally emailed themselves.
@KayOhtie @faoluin they'll 403 you for a while if you try too many tracking numbers in short succession 😅

@ojensen Easy to accomplish through simple negligence/absence of forethought:

1. Add metric gathering bullshit to your website such that it gets rendered on every single page, because it's easier that way

2. Forget/disregard that this same website is used for sending shipment tracking info to customers

@ojensen To be clear, this is still bad. It's just not "swivel chair and white Persian cat in your volcano lair" bad (at least regarding the shipment company).
@ojensen Absolutely agree. It doesn't make it alright whatsoever. They have an even greater responsibility than a general web presence.
@ojensen do you know some privacy folk that can move this? https://codeberg.org/kyva/activismo-digital/src/branch/main/data-for-import.txt

It is a list of webpages that make you purchase a subscription to decline ad cookies.
@ojensen No VPN will block traffic sent from the UPS site to the Google site, the Facebook site, and six dozen other spy agencies. The VPN blocks interception of some information between your PC and the site you connect to, it does not secure the information that is already in the remote site.
@wpeckham this is why I recommended an ad blocker and not a VPN in my post.