The U.S. Postal Service (USPS) has announced plans to provide its law enforcement branch with access to its vast trove of customer data, raising concerns among privacy activists about the organization’s expanding surveillance powers.
The USPS came under scrutiny in 2021 when it was revealed that its law enforcement arm, the U.S. Postal Inspection Service (USPIS), was monitoring both left- and right-wing protest groups on social media. Multiple nonprofit organizations sued the USPS, seeking internal records about its surveillance program and questioning the legality of such activities.
Those lawsuits haven’t stopped the Postal Service from seeking additional surveillance powers. On Dec. 17, 2021, the USPS announced that it intended to provide customer data to USPIS investigators.
“USPIS will collect and aggregate eight data elements—Name, Address, 11-Digit Delivery Point ZIP Code (ZIP 11), Phone Number, Email Address, Tracking Number, IP Address, and Moniker,” the Postal Service stated.
According to the USPS, the influx of new data will allow postal inspectors to conduct “link analysis,” using data analytics to discover patterns and trends in criminal activity.
But privacy activists have brought up concerns.
The Electronic Information Privacy Center (EPIC) filed comments with the USPS on Jan. 18, urging the Postal Service to put the brakes on its plans.
“By demanding access to more postal data, the Postal Inspection Service is exposing USPS customers to wrongful surveillance and a greater threat of data breach,” EPIC stated. “The Postal Service and the Postal Inspection Service should separate their information collection procedures and ensure that USPS customers do not come under greater surveillance simply by using a government mail carrier.”
EPIC stated that the USPIS is in danger of mission creep—when an agency has access to more tools or information than it needs to complete its designed mission, leading it to expand into another role outside of the designated mission to utilize those tools.
“The Postal Inspection Service has a well-defined mission in protecting the mail, but the agency has often overstepped its bounds,” EPIC stated. “The Postal Inspection Service now claims a ‘wide jurisdiction’ to preserve the ‘safety, security, and integrity of the nation’s mail system from criminal misuse.’”
Such mission creep has occurred before, according to EPIC, which cited the postal service’s surveillance of the LGBTQ community in the 1950s and ’60s—when the USPIS investigated the delivery of homosexual publications under laws that were intended to restrict the mailing of obscene materials.
EPIC also reiterated its criticism of the postal service’s Internet Covert Operations Program (iCOP), which was outed in 2021 by Yahoo News for surveilling protest movements.
“The availability of those tools facilitated monitoring protesters and organizers engaging in protected First Amendment activities,” EPIC stated regarding iCOP. “The Postal Inspection Service should be wary of onboarding new tools and new data sources given the agency’s troubled history with mission creep.”
EPIC’s comments to the USPS may be too little too late. The postal service’s Dec. 17, 2021, notification stated that its new data-sharing initiative was to begin on Jan. 18.
The USPS didn’t respond to questions about whether it has already begun transferring customer data to the USPIS or if it’s considering EPIC’s comment before moving forward.
EPIC is still pursuing its lawsuit against the USPIS for running iCOP without conducting a privacy impact assessment—a review of what information is collected, why it’s being collected, how the information is used, and how the data is stored.
The most recent filing from that case is Jan. 14, when the USPIS argued that EPIC’s case should be tossed out.
“EPIC lacks standing to bring this case, because it identifies no concrete interest belonging to it or its members that was harmed by Defendants’ alleged procedural failures,” the filing reads. “EPIC has no statutory right to the information it seeks, and it makes no allegation that the iCOP program harmed it or its members in any way, aside from its alleged failure to comply with the E-Government Act’s procedures.”
No hearings are scheduled in this case.