The U.S. Postal Service (USPS) has announced plans to provide its law enforcement branch with access to its vast trove of customer data, raising concerns among privacy activists about the organization’s expanding surveillance powers.
“USPIS will collect and aggregate eight data elements—Name, Address, 11-Digit Delivery Point ZIP Code (ZIP 11), Phone Number, Email Address, Tracking Number, IP Address, and Moniker,” the Postal Service stated.
According to the USPS, the influx of new data will allow postal inspectors to conduct “link analysis,” using data analytics to discover patterns and trends in criminal activity.
But privacy activists have brought up concerns.
“By demanding access to more postal data, the Postal Inspection Service is exposing USPS customers to wrongful surveillance and a greater threat of data breach,” EPIC stated. “The Postal Service and the Postal Inspection Service should separate their information collection procedures and ensure that USPS customers do not come under greater surveillance simply by using a government mail carrier.”
EPIC stated that the USPIS is in danger of mission creep—when an agency has access to more tools or information than it needs to complete its designed mission, leading it to expand into another role outside of the designated mission to utilize those tools.
“The Postal Inspection Service has a well-defined mission in protecting the mail, but the agency has often overstepped its bounds,” EPIC stated. “The Postal Inspection Service now claims a ‘wide jurisdiction’ to preserve the ’safety, security, and integrity of the nation’s mail system from criminal misuse.'”
EPIC also reiterated its criticism of the postal service’s Internet Covert Operations Program (iCOP), which was outed in 2021 by Yahoo News for surveilling protest movements.
“The availability of those tools facilitated monitoring protesters and organizers engaging in protected First Amendment activities,” EPIC stated regarding iCOP. “The Postal Inspection Service should be wary of onboarding new tools and new data sources given the agency’s troubled history with mission creep.”
EPIC’s comments to the USPS may be too little too late. The postal service’s Dec. 17, 2021, notification stated that its new data-sharing initiative was to begin on Jan. 18.
The USPS didn’t respond to questions about whether it has already begun transferring customer data to the USPIS or if it’s considering EPIC’s comment before moving forward.
EPIC is still pursuing its lawsuit against the USPIS for running iCOP without conducting a privacy impact assessment—a review of what information is collected, why it’s being collected, how the information is used, and how the data is stored.
The most recent filing from that case is Jan. 14, when the USPIS argued that EPIC’s case should be tossed out.
“EPIC lacks standing to bring this case, because it identifies no concrete interest belonging to it or its members that was harmed by Defendants’ alleged procedural failures,” the filing reads. “EPIC has no statutory right to the information it seeks, and it makes no allegation that the iCOP program harmed it or its members in any way, aside from its alleged failure to comply with the E-Government Act’s procedures.”
No hearings are scheduled in this case.