I just came across an interesting feature in the Posten Sporing app of Posten Norge AS.
This app does the following (translated from the product description on Google Play):
Record tracking makes it easy to monitor packages on their way to you with the Post Office.
When you register with your mobile number and email, we automatically find packages on their way to you. To achieve this, we rely on the sender having registered your mobile number or email. We therefore constantly check whether there are packages on the way to you and alert you via push notification when there is a new package. We will notify you when you can collect it at the post office, or possibly when it will be delivered to your home.
All well and good, of course. It also lets you enter a package tracking number manually. Handy, of course, should you have a package coming your way that didn’t make it into the system automatically.
But… here you can also enter some totally random number like… 12345
And then it suddenly gets interesting! I see a long list of packages, none of them mine (see screenshot, which I mutilated a bit on purpose). I can track their whereabouts, and it wouldn’t surprise me if I’d get a hentekode (pickup code) in the app when the package I selected makes it to the post office and is ready for pickup.
I wonder how long it will take before less honest people will start abusing this ‘feature’…
Their website at http://sporing.posten.no/ is even worse: there I can also search by phone number. This makes it very easy for anyone to track exactly where their neighbours, colleagues and family shop, and quite often it also gives a fair idea of what’s been purchased…
Posten responded pretty quickly via Facebook:
posten | me
---|---
Hello. In regards to the amount of hits showing when you search using 12345, this is due to the fact that the app also uses "sender reference" to find packages, which in turn generates many hits as many senders will use similar references. Regards, Ø. |
| But should I be able to see all these other packages? What if I add one as 'mine' in the app? Do I also get a 'hentekode' when the package is ready for pickup?
Yes, as the app uses Sender Reference as a "search parameter", you will and should be able to see these. You will not be able to collect the package as it is not in your name, and will not receive a "hentekode". If you add it as "mine" in the app, you will simply be tracking someone else's package. Regards, Ø. |
| Hmm, still not quite convinced about the privacy of end-users/recipients here, but ok...
Hi Evert. If you don't find our routines satisfying, you can leave a complaint using this form. Regards, H. |
| As long as Datatilsynet (the Norwegian Data Protection Authority) is happy with the routines, so am I 😉
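To make the lookup behaviour concrete, here is an added example (my own sketch on constructed data, not Posten’s code): a search that matches on any field, as Posten describes for sender references, next to one that only lets non-unique keys such as a sender reference or phone number match among the packages addressed to the caller’s own verified contact details. All names, numbers and addresses are made up.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Package:
    tracking_number: str   # unique per shipment; known to sender and recipient
    sender_reference: str  # free text chosen by the sender, e.g. an order number
    recipient_phone: str
    recipient_email: str


# Constructed sample data (not real shipments); two senders reuse "12345".
PACKAGES = [
    Package("RR000000001NO", "12345", "+4790000001", "anna@example.com"),
    Package("RR000000002NO", "12345", "+4790000002", "bob@example.com"),
    Package("RR000000003NO", "ORDER-77", "+4790000001", "anna@example.com"),
]


def lookup_unscoped(query: str) -> list[Package]:
    """The behaviour described above: any field may match and nothing ties the
    result to who is asking, so a common reference returns strangers' packages."""
    return [p for p in PACKAGES
            if query in (p.tracking_number, p.sender_reference, p.recipient_phone)]


def lookup_scoped(query: str, user_phone: str, user_email: str) -> list[Package]:
    """Hardened lookup. A full tracking number still works (the legitimate
    manual-entry case), but non-unique keys such as a sender reference or a
    phone number only match among packages addressed to the caller's own
    verified phone number or email."""
    exact = [p for p in PACKAGES if p.tracking_number == query]
    if exact:
        return exact
    mine = [p for p in PACKAGES
            if p.recipient_phone == user_phone or p.recipient_email == user_email]
    return [p for p in mine if query in (p.sender_reference, p.recipient_phone)]


if __name__ == "__main__":
    print([p.tracking_number for p in lookup_unscoped("12345")])
    print([p.tracking_number
           for p in lookup_scoped("12345", "+4790000001", "anna@example.com")])
```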
Digipost has a similar privacy issue too. The extensive use of predictive help while fulfilling schemes reveals the name, address and part of the mobile number of other users. Even if parts of a mobile number are hidden, it’s quite easy to find out what the rest is, especially when the address follows. Series of mobile numbers have often been allocated to a specific dealer in a specific part of Norway. Therefore, if you want to keep your mobile number quite private but not secret, you may not use Digipost.
I usually have to show ID when I pick up my packages?
This is pretty bad. Whenever I pick up packages, I just give the number to the guy in the post office, and he asks me “Are you …?” “Yes, I am.” And then he gives me the package.