// Field guide · read first
Most people focus on the package — the carrier, the contents, the address. What they ignore, almost universally, is the tracking page. And the tracking page is where people actually get caught. This guide covers the legal distinctions between U.S. carriers, the specific mechanisms that expose you when you check a tracking number, the documented failure modes of common privacy tools, and the exact procedure for checking shipment status with minimal exposure. No filler. Every claim is sourced.
The carrier decision happens before you ship
The privacy implications of carrier choice are settled in law, not opinion. The controlling distinction is simple: is the carrier a private corporation, or a federal agency?
FedEx & UPS
Their terms of service — which you agree to the moment you hand over a package — reserve the right to open, inspect, and X-ray shipments without notice. UPS Terms of Carriage §3.7 reserves the right to open and inspect or scan by x-ray any shipment at any time. Because they are private, the Fourth Amendment warrant requirement does not apply. The door is opened by contract, before law enforcement ever shows up.
USPS
Sealed First-Class Mail is constitutionally protected. In Ex parte Jackson (1878), the Supreme Court ruled unanimously that sealed mail is as fully guarded from examination as if retained by the parties in their own homes. A Postal Inspector must get a judge-signed warrant on sworn probable cause before opening anything.
The volume math
Finding one specific package without a tip-off is a statistical non-starter. The system doesn’t catch packages by being smart — it catches them when you flag yourself.
The tracking page is the actual threat vector
Every time you load a carrier tracking page from a standard browser, four categories of data are transmitted to and logged by the carrier’s servers:
- IP — Your IP address maps to your ISP account, billing address, and often your specific household.
- Fingerprint — Screen resolution, fonts, GPU, timezone and dozens more attributes that identify you with 90–99% accuracy, even without cookies.
- Timing — Behavioral timestamps: when you checked, how many times, and the interval pattern between checks.
- Linkage — Session correlation: cookies tying this visit to any other activity on the carrier’s domain.
The fingerprinting point is routinely underestimated. The EFF found 83.6% of browsers have a unique fingerprint; research from Lehigh and Washington University put identification at 99.24%. Crucially, Brave’s engineering team showed that combining just 5–6 attributes already creates a 90%+ unique fingerprint. You don’t need fifty data points. Five is enough. Now add behavior: checking tracking 30 times over 48 hours — a normal anxiety response — fuses with that fingerprint into a signature that exists nowhere else online. The carrier’s logs read: this fingerprint checked this number this many times from this IP. You created that correlation.
Why “Tor over VPN” fails here
Tor Browser routes Tor Browser traffic through Tor. That is its entire scope. It does not touch anything running outside the browser process — and on a typical machine, a lot is running. An adversary doing traffic correlation doesn’t need to break Tor’s encryption; they watch two streams at once (anonymized Tor traffic and real-IP telemetry from the same machine) and match them by timing. Expand each leak below.
Cloud sync — OneDrive & iCloud
OneDrive syncs files continuously, and iCloud pushes notifications and photo backups — all over your real IP, the entire time Tor Browser is open. Neither knows or cares that Tor is running. Both are broadcasting a heartbeat tied directly to your account.
OS telemetry — Windows & macOS
Windows Diagnostic Data and Connected User Experiences phone home to Microsoft; macOS maintains push connections to Apple’s APNs servers. This is baseline operating-system behavior that runs whether or not you opened a browser, and it carries your real IP and a stable device identifier.
The IPv6 leak most guides ignore
A 2025 advisory found Linux VPN clients leaking IPv6 traffic in a way that exposed real IPs even for users who believed they were protected. If IPv6 is enabled and your VPN or OS isn’t explicitly blocking it at the firewall level, you may be broadcasting a globally routable address right alongside your Tor traffic.
Your ISP sees the Tor connection itself
Entry node IPs are publicly listed in the Tor consensus, so your ISP can see that you connected to Tor — just not what you did inside. If Tor usage itself is a concern, pluggable transports (obfs4, Snowflake) can disguise the traffic as ordinary HTTPS, but that requires deliberate configuration, not just launching the browser.
The 17Track method, step by step
17track.net aggregates 3,300+ carriers across 230+ countries. When you enter a number, their servers query the carrier API — so the carrier logs a request from 17Track’s IP, not yours. Run it through Tor Browser and 17Track sees only a Tor exit node. Here is the full procedure.
- Download Tor Browser. Get it from torproject.org/download — the official source only. Some third-party builds have been compromised.
- Connect, change nothing. Launch and click Connect. Don’t install extensions; they alter your fingerprint and make you stand out from the Tor Browser baseline pool.
- Type 17track.net directly. Enter the address by hand — don’t search for it. Do not sign in and do not create an account. Guest use only.
- Paste the tracking number. Search. The carrier logs a request from 17Track’s IP via a Tor exit node — not your real address, fingerprint, or location.
- Fully close the browser. Close Tor Browser completely when done — don’t minimize. For each later check, repeat from step 2 so you get a fresh circuit.
OPSEC layers most guides skip
Delivery address hygiene
A private mailbox service (iPostal1, Anytime Mailbox, PostScan Mail) gives you a real street address that isn’t your home and accepts from all carriers — unlike a PO box. Set it up with a payment method not tied to your home address.
Vary your timing
Checking from your home network at 11 PM every night creates a pattern even if each session is anonymous. Consistent timing across anonymous sessions is a known de-anonymization vector. Stagger when you check.
Never cross the streams
Check email in the same Tor session and you’ve linked your Tor fingerprint to your email identity. The five-attribute threshold means that correlation is trivial database matching, not sophisticated analysis.
Test your own fingerprint
Run EFF’s Cover Your Tracks (coveryourtracks.eff.org) from your normal browser, then from Tor Browser. The delta shows you exactly how exposed you are right now versus the Tor baseline.
Carrier legal comparison
| Factor | FedEx / UPS | USPS |
|---|---|---|
| Legal type | Private corporation | Federal agency |
| Warrant to inspect | Not required | Required (First-Class) |
| X-ray authority | Written into TOS §3.7 | Needs suspicion + warrant |
| LE cooperation | Voluntary, no paperwork | Requires court authorization |
| Daily volume (2024) | ~50M/day combined | ~20M/day |
Tracking method comparison
| Method | Hides from carrier | Hides OS telemetry | ISP sees Tor |
|---|---|---|---|
| Chrome / Safari (home) | No | No | No |
| VPN only | Partial | No | No |
| Tor Browser alone | Yes (exit node) | No | Yes |
| Tor Browser + 17Track | Yes (17Track IP) | No | Yes |
| Zero Trace Pen | Yes | Yes | Mitigated |
Every method above is a workaround for the same root problem: your operating system never stops talking. The only real fix is an OS that routes every process through Tor and runs entirely from RAM, leaving nothing behind when you unplug it. That’s exactly what the Zero Trace Pen was built to do — turn any computer into a private, leave-no-trace machine in seconds. No setup, no telemetry, no recoverable history. If you’ve read this far, you already understand why the browser alone was never going to be enough.
// The architectural limit
Everything above is mitigation at the application level — a browser trying to be anonymous while sitting on top of an OS that is not. The limitation is architectural: Tor Browser cannot control what the operating system does. The complete solution is an OS that routes every process through Tor and runs from RAM without writing to the host drive. When you pull it out, the session ends and leaves nothing recoverable. On such a system there is no path for OneDrive or iCloud to reach the internet except through Tor — and the host machine learns nothing, because nothing is written to it.
[ get the zero trace pen → ]Sources
Legal sources
- Ex parte Jackson, 96 U.S. 727 (1878) — unanimous
- United States v. Van Leeuwen, 397 U.S. 249 (1970)
- United States v. David, 943 F. Supp. 1403 (E.D. Va. 1996)
- UPS Terms and Conditions of Carriage §3.7; FedEx Terms and Conditions
Data & research sources
- USPS Postal Facts, FY2024 volume figures
- Porritt et al., Applied Animal Behaviour Science (2015) — detection-dog vigilance decrement
- EFF Cover Your Tracks; Lehigh & Washington University fingerprinting studies; Brave fingerprinting analysis
- RECTor: Robust and Efficient Correlation Attack on Tor, Wu et al. (2024)
- Forbes — FedEx / Flock Safety surveillance reporting (2024)
- Electronic Frontier Foundation — privacy and surveillance research
Leave a Reply