Schneier on Security
A blog covering security and security technology.
February 21, 2008
U.S. Post Office to Enable Wholesale Surveillance of Mail
The post office is launching a new barcode on first class mail that will enable the sender to track mail through the system:
With the new bar code, companies will be able to track mail delivery and know when their customers got a bill, solicitation or product, and the Postal Service will have another way of checking that mail is being delivered on time.
Companies also will be given a chance to buy data collected by the post office that will give them insights into how customers respond to advertising and marketing. A company, for instance, can buy a television or newspaper ad to tout a new product, follow up with an announcement in the mail and get a sense of how well the ad is connecting with customers.
So now the government will have a database of who sends mail to whom. Of course, there's no discussion of this in the news article.
ETA: The plan only applies to commercial mail, like ad mailers and magazines, not to letters that individual people send each other.
Posted on February 21, 2008 at 6:26 AM
• 49 Comments
This appears to be just a way of automating the guaranteed delivery service the PO already offers at extra cost. It does not seem able to tell whether the customer has sent a check, as Barr says.
Not only is this movie-plot surveillance, it strikes me as being completely impractical ... not unlike the Total Information Awareness baloney that was being pitched.
If a subject then does a bulk mailing, which one of the recipients is the hidden terrorist?
Even if you have the ability to jump from paper mail to phone calls (Tom sends mail to Dick who phones Harry who e-mails Mary who then drops it in Sue's purse via a brush-pass ...), it sounds more like the hit-and-miss of a phony psychic (I'm getting a name ... it begins with B, or maybe D, P, T, C, G, E ...) than sensible intelligence gathering.
If you read the article, the tracking data is only for bulk mailers, not individuals. While the new barcodes will be mandatory for bulk mailers, they will not even be an option for individual mail (you can use a delivery notification / return receipt if you want that).
The privacy implications of this are far less than those of the cookies present on most any website.
It's for *business customers*. It's not going to help keep tabs on individuals' mail. About the only way they could do that would be to stop sending anonymously posted mail from mailboxes, no?
Or am I missing something? They can already do traffic analysis based on ZIP codes, or maybe even machine read addresses, and there is no way to stop that because it is necessary for the postal service to work.
The bar code and business mass mailing use look new, but the US Postal Service has offered a Delivery Confirmation service for years. It's an extra-fee service for certain types of postal mail such as Priority Mail.
Info at http://www.usps.com/send/waystosendmail/...
The term "intelligent mail" related to the US postal system has shown up before. In 2003, the President's Commission on the US Postal Service (not affiliated with the USPS) issued a report with recommendations for improving the US postal system and improving security. Keep in mind that this was shortly after the anthrax postal contamination incidents.
The report included suggestions for what it called "intelligent mail". The intelligent mail would have tracking features, and one of the proposals was identity-linked postage stamps. The tracking and ID-linked postage stamps caused a stir.
The report, Embracing the Future, can be accessed via http://www.treas.gov/offices/domestic-finance/...
Some articles about the privacy concerns:
This just seems to be a tracking number that took way too long for the USPS to catch up to fedex and UPS. Snail mail is just too small a part of the communications infrastructure to get a really good view on what is going on.
The only way I could see this being an issue is that it might plug the holes that wouldn't allow big brother to see any billing not easily viewable due to e-billing.
Of course the real interest in it (security wise) is corporate espionage. Getting a copy of this (and wouldn't it fit on one SATA drive?) would be the mother of all customer lists.
What qualifies as a business customer, and how does that protect privacy?
Also, given the current administration's penchant for ham-handed surveillance, why should we accept bland assurances that it's NOT targeting individuals, or that the capabilities are only as stated? After all, we were told phone companies weren't monitoring anyone but terrorists.
The wholesale tracking of packages from UPS and Fedex doesn't prevent them from losing packages. They do it quite often.
Besides - who the heck still uses snail mail anymore?
I don't see a new privacy issue. If I send bulk mail, the PO already knows who sent it (by the Permit Number), and where it's addressed.
If I drop a letter in a mailbox, I won't be using the bar code, so the PO learns nothing they don't already.
I'm not really sure I get how this allows them to confirm receipt like the story suggests.
If that were the case, wouldn't UPS, FedEx, DHL all have 100% delivery rates, since it's all tracked?
Heck I've even seen "delivered" a day before a package arrived with those guys on more than one occasion. So what does this really prove?
Unless there's a signature on receipt, it doesn't do anything.
I'm curious how such tracking records would hold up in court for someone like a credit card company trying to prove a customer received a bill on a certain date. I'd suspect due notices would still need to be sent by certified mail.
At least in Germany, all mail is sorted by automatic address readers; only a tiny bit has to be read by humans, who then type the address into the automated system.
Just read the sender as well and store into which mail box the letter was dropped...
Voilà, same effect.
And just by the way, guess which country forces the German post to collect such data for every mail that goes to this country?
I don't really see how this is different from the current state of affairs. Especially if the new system is as bad at tracking as their delivery confirmation/tracking is. I can have my package and three days later it'll finally show up in their system as shipped. Unless they improve it vastly, I don't see how it will be useful. Also, how is the post office going to know if the advertisements really "connected" with someone? Are they going to look through my junk mail bin? All they're going to be able to do is say that it was received at a house, about what they do now.
@Nick: The post office has, in the past, offered at least two common classes of mail: First Class Mail (which is what most people are familiar with when they think of sending a letter) and Standard Mail (which is what most businesses use when they can).
Standard mail seems to be what is being discussed here. Standard mail has limited uses: no personal correspondence, no handwritten or typewritten letters, no bills, no statements of account. Circulars, newsletters, flyers, advertising, etc, are all OK, as are small parcels. There must be at least 200 pieces of essentially identical items, or at least 50 pounds. The sender must do some of the work normally done by the post office: sorting it by zip code, carrier route, or even by delivery point on the carrier route; bundling it up; taking it to the post office in prelabeled trays, bags, or boxes, etc. The more work the sender does preparing the mail, the less per piece the sender pays.
If you are a small office sending out routine correspondence except for monthly bills to your 100 clients, you probably won't be affected by this at all.
As given by several posters, this is something that bulk mailers will do. The individual will not learn to write barcode as a native language, so let's do some exploratory conjecture: "With the new thumb-print, Cash Cow Enterprises will be able to track mail response to idiot marketing and know when their customers are thinking. Profit Services will have another way of checking that personal responsibility is being eliminated."
Most people leave a print on the stamp when sticking it, media would not put it on a live mike if the system tried to scan the print if no barcode - which could run as a lower priority thread: I get ten times as much commercial mail as I do from people. My fear here is what I have seen to be an insistence on belief systems to govern vis-a-vis thinking.
FEMA illustrates the textbook example.
"get a sense of how well the ad is connecting with customers"? Feh. If they mailed me some piece of junkmail crap, this'll tell them the post office actually delivered it ... big deal. It won't tell them whether I actually read it, tossed it in the recycling bin unread, lit my fire with it, or used it to line my catbox. Saying this will give marketers a sense of "how well they're connecting with customers" is like saying you can drive through town counting driveways, then use that data to infer how many cars Cadillac is selling.
I want a barcode reader on my trash can, so that the advertisers know not to spam me again.
This is more than just automated delivery confirmation of the outgoing mail, it also seems to apply to the return envelope — a credit card bill comes with an envelope that has a bar-code on it, allowing the credit card company to tell whether I've put that envelope in the mail or not. Of course such a system is open to messing with by not using their envelope, obscuring the bar-code, or by using an old one (or even someone else's) instead, but if the bar-code acts as the stamp as well maybe people would be less likely to do that kind of thing.
Kinda seems like computers end up keeping track of things doesn't it?
Bruce, I don't think this can be used by the Post Office to track who sends mail to whom. The sender's identity is known to USPS, but the recipient's identity is not.
mailpieces today. The mailer may use these codes to identify an individual address or a group of addresses. Under Intelligent Mail services, mailers will have the opportunity to assign certain parts of the Intelligent Mail code to their own mailpieces. Consistent with our practices for all mail, the Postal Service will not have access to the information in the mailer-assigned portion of the code, except if mutually agreed upon by the mailer and Postal Service (such as for an added service benefit), or if requested by the Postal Service for security purposes. In those instances, these privacy policies will apply.
Now, the exceptions listed here are a little vague, but I suspect the USPS is not building an infrastructure for wholesale mail monitoring. (I could be wrong though. It's happened before.)
Is anyone else getting the impression lately that Bruce is having difficulty separating the serious threats to privacy from the trivial ones? It's well and good that the powers that be are having their feet held to the fire over the seemingly constant attempts at expanded surveillance of citizens, but this blog is really getting to have a whiff of Chicken Little.
A few years back, I noticed that some junk mail came with a bar coded number on the return envelope and a statement about contents being protected by law with punishments for misuse.
I think the bar code identifies who it was sent to so when the envelope comes back they know who returned it. The marketer must pay the return postage, and if the envelope is empty, or contains only the non-identifiable paper that was sent out, this costs a lot. Thus, with the bar code, they now can identify who is sending back the equivalent of returned junk mail, and you might be subject to prosecution or being billed for that "misuse".
I speak only for myself here, these comments are not sanctioned or approved by USPS.
As has been stated, this is for bulk mailers. The big customers for USPS (i.e. one customer who generates lots of revenue) are obviously those that have the most mail to send. In other words, businesses that send out lots of coupon packets, catalogs, etc.
You can read about the Intelligent Mail service here:
There's no conspiracy going on here, it's just bulk mailers being able to see that mail has been delivered, and maybe in some cases that a customer did indeed send in a response (i.e. filled out the magazine subscription card that they received).
USPS, unlike any other Federal agency, is supported entirely by postage. No tax money is ever used. USPS is not run as most Federal agencies are and has a significantly more corporate approach to its operations. Privacy and security are taken very seriously at USPS.
Like other Federal agencies, the United States Postal Service has an oversight arm, the Office of the Inspector General:
which audits USPS to look for internal fraud. In addition, USPS has its own law enforcement branch, the Postal Inspectors:
Postal Inspectors investigate claims of fraud and abuse of the postal system, help find missing and exploited children, promote identity theft awareness and yes even arrest postal employees if they are found to have abused the US Mail.
I do not think that FedEx, UPS or other delivery agencies can claim the level of oversight and security that USPS has for their delivery systems.
This assumes the postal worker delivers your mail to your house to count it as "delivered." Mine delivers my neighbor's mail to me on a regular basis (and I have to assume it works the other way around).
If it stops the carriers from stealing people's Netflix, I'm down with it.
" So now the government will have a database of who sends mail to whom..."
Federal snoops have long used their monopoly postal system to monitor the citizenry.
FBI "mail covers" have been routine for many decades. A mail cover is a covert, warrantless procedure whereby local post offices specially log all mail going to/from people or organizations of interest to the FBI (or other government agencies). Everything externally observable on individual mail items is recorded and handed to the FBI, especially all To/From addresses. The Feds consider such snooping to be perfectly legal, since Americans have a reasonable expectation of privacy from their U.S. Post Office ONLY for the 'contents of sealed mail' -- everything else is fair game to collect, disseminate, and even sell privately (...like standard change-of-address card data).
Of course, the 1976 Congressional 'Church Committee' discovered a very, very cooperative U.S. Post Office routinely permitted the FBI/CIA large-scale covert, warrantless access to the sealed-contents of private U.S. mail:
"... Between 1940 and 1973+, two agencies of the federal government -- the CIA and the FBI -- covertly and illegally opened and photographed first class letter mail within the United States. These agencies conducted a total of twelve mail opening programs for lengths of time varying from three weeks to twenty-six years. In a single program alone, more than 215,000 communications were intercepted, opened, and photographed; the photographic copies of these letters, some dated as early as 1955, were indexed, filed, and are retained even today. Information from this and other mail opening programs -- "sanitized" to disguise its true source -- was disseminated within the federal establishment...
This was long before FISA and the Patriot Act... when that kind of stuff was really, really, illegal. But no one was even prosecuted then. Today, how totally carefree do ya think current federal operatives are about amassing a nationwide mail intelligence database.
It's reasonable to assume such database already exists... barcodes would just improve its efficiency.
Should I assume that each piece of bar-coded mail will need to be scanned at the point of delivery? My snail mail is already slow enough, often arriving at my home (office) as late as 6 pm. Not to mention the regular flow of mail that mistakenly gets delivered to my neighbor's house (and vice versa). How much slower will it get if every piece of junk mail needs to be scanned by hand by the carrier?
The government owns your soul anyway. Hell, I wasn't even thinking about the privacy aspects because I was too busy thinking "damn, the UK really needs this, this is awesome"
@Mark in CA
Want to stop all that junk mail? Go here: http://www.proquo.com/
These guys have stopped ALL my junk mail, except offers from companies that I asked not be stopped.
The only one I can't seem to stop is local supermarket circulars; it looks like these aren't even "mailed"; there is no To nor From address anywhere on the circulars.
But seriously, proquo has been great. Very pleased with them.
@"I do not think that FedEx, UPS or other delivery agencies can claim the level of oversight and security that USPS has for their delivery systems."
Then how come I spent $8+ with Brown to deliver a brown envelope yesterday? I was returning software to a legal firm. I could have spent 85 cents to have the post office do it, but I would have difficulty separating the serious threats from the trivial ones. I know if I had some program to deliver, I would hire a private carrier, but the PO is assimilating a style and methodology developed by private carriers so they are competitive for my business there.
If, as a result, it became possible to use the tracking (in reverse) as a way to tell the scumbag bulkmailers to stop sending me crap, I'm all for it. Of course, this wouldn't do any good unless there was some economic penalty for disregarding my request.
@Matt The USPS has to know the recipient's address…or the post can't go through. Whether they link it to the sender is the question, and once the system is in place it would be trivial to do so.
The relevant point of the argument seems to be that the USPS is an "independent establishment of the executive branch of the Government of the United States" and said branch hasn't been too keen on maintaining individual rights and freedoms to (purportedly) improve aggregate security.
How is this surprising? You write a letter, address it, and put it in the mail box. Who thinks that this is a secure transaction?
This doesnt add anything the USPS doesn't already do, from a "privacy loss" perspective.
If they don't already photograph every automatically sorted letter, I would be very surprised.
For letters that the OCR systems can't read, they already video record those, because often the humans who are reading the envelope to keypunch the barcode are working remotely from the sorter.
The true "end to end, link sender and receiver" database would come from the electronic indicia system that is available for Priority Mail and Express Mail, since the sender account and the recipient address are coded into the 2D barcode, which gets read and checked for every such package.
By the way, the real threat from the USPS is not this (correctly pointed out by plenty of other posters). It's that the USPS actively sells its database of recipient names and addresses, and even offers to "clean" (their word) advertisers' mailing lists for them. Let's just say this is a bizarrely overlooked hole since most US addresses receive mail. It is _extremely_ difficult to get yourself out of this database, and even when you do, well-meaning carriers (who of course walk right past the address that "doesn't exist") often try to add it back.
I expect inferences to be drawn in some individual cases, and in the unanonymized aggregate commonly, as to what constitutes willful conduct by mail recipients; the inferences may be drawn by companies and by government agencies with access to the information, and may mostly be automated. Anything addressed to you may be used against you, as may any response you mail (perhaps regardless of its content) in a pre-coded envelope. The contact trees that may be easily assembled would have been troubling enough.
The evidentiary/marketing/surveillance chains cannot be complete without code scanning on the receiving end, which is not being proposed—not that a critical information gap is likely to preclude use of the collected personal data and inferences.
So are they going to scan my recycle bin? Cos that's where I put 80% of the stuff that it sounds like this will be on. If they're not putting it on mail I send back out (or if it's on return mailers when I can just use my own envelopes), I don't see how it's going to track "the check in the mail".
So now the government will have a database of who sends mail to whom. Of course, there's no discussion of this in the news article.
I think our friends at Snopes would file this allegation under "important if true." Especially given the number of commenters who've taken issue with what you had to say, can you provide some support for this assertion, either textual (an article that DOES discuss this in detail) or logical (because of issue A discussed in the article I linked, therefore B)?
The intelligent mail bar code has space for 31 digits. Only 9 digits are available for the entity sending the mail (i.e., the business customer), which the post office says are to be used for the mailing event and the customer. It would be possible to mine this data and create correlations of the types of mail that a customer receives. Having such a database would allow the government an opportunity to create profiles of mail recipients at particular addresses. However, mining this data would require merging recipient ID numbers from business databases.
A description of the 31-digit bar code is here: http://www.usps.com/mailpro/2007/mayjune/...
Given today's capability to generate two-dimensional bar codes, this system seems to be outdated even before it is deployed. The information-carrying capacity of the 31-digit bar code is too low for the government to exploit it on a large scale. However, it could be done for particular addresses, and it would facilitate the monitoring described in other comments. One of the aspects that is presented by profiling the mail is the ability of the government to build clusters of mail recipients. Having created such profiles, there could be sufficient information for probable cause to issue search warrants, entry into the terrorist surveillance database, or targeting specific addresses for certain types of illegal activity.
The mass mailers are not the issue. What is at issue is the government having information that you receive mail from certain financial institutions, certain magazines, and other businesses, which taken together give you a unique profile. I think a larger danger is that an unscrupulous individual working from within the post office could generate these same profiles and specific residences or individuals could be targeted for robbery or fraud.
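The 31-digit layout discussed in the comment above, as an added example that is not code from the thread, from Schneier, or from USPS: a parser for the Intelligent Mail barcode digit string following the public USPS field layout (2-digit barcode identifier whose second digit is 0-4, 3-digit service type identifier, mailer ID of 6 digits when its first digit is 0-8 or 9 digits when it is 9, serial number filling the rest of the 20-digit tracking code, then a routing code of 0, 5, 9 or 11 digits). The second function shows the privacy point the thread argues over: the mailer ID names the sender, the routing code names the recipient only to the granularity the mailer chose, and the serial number is opaque without the mailer's own database. Function names, the service type ID 700 and all sample digit strings are constructed for this example, not real mail.

```python
# Added example: parse the digit string of a USPS Intelligent Mail barcode
# (IMb) into its fields, following the public USPS layout. Not code from the
# thread or from USPS. Sample inputs below are constructed, not real mail.
from dataclasses import dataclass


@dataclass(frozen=True)
class IMbFields:
    barcode_id: str        # 2 digits; second digit must be 0-4
    service_type_id: str   # 3 digits; selects the service (tracking etc.)
    mailer_id: str         # 6 digits (first digit 0-8) or 9 digits (first digit 9)
    serial_number: str     # 9 or 6 digits, assigned by the mailer, opaque to others
    routing_code: str      # "", 5-digit ZIP, 9-digit ZIP+4, or 11-digit delivery point


VALID_LENGTHS = (20, 25, 29, 31)


def parse_imb(digits: str) -> IMbFields:
    """Split an IMb digit string into its fields, validating the fixed rules."""
    if not digits.isdigit():
        raise ValueError("IMb must contain only decimal digits")
    if len(digits) not in VALID_LENGTHS:
        raise ValueError(f"IMb length must be one of {VALID_LENGTHS}, got {len(digits)}")
    barcode_id = digits[0:2]
    if barcode_id[1] not in "01234":
        raise ValueError("second digit of barcode identifier must be 0-4")
    service_type_id = digits[2:5]
    # The mailer ID's own first digit tells you how long it is; the serial
    # number takes whatever is left of the 20-digit tracking code.
    if digits[5] == "9":
        mailer_id, serial_number = digits[5:14], digits[14:20]
    else:
        mailer_id, serial_number = digits[5:11], digits[11:20]
    routing_code = digits[20:]
    return IMbFields(barcode_id, service_type_id, mailer_id, serial_number, routing_code)


def format_imb(f: IMbFields) -> str:
    """Inverse of parse_imb; re-validates so inconsistent fields are rejected."""
    s = f.barcode_id + f.service_type_id + f.mailer_id + f.serial_number + f.routing_code
    parse_imb(s)
    return s


def observable_link(digits: str) -> dict:
    """What a third party holding only the scanned barcode can read off it."""
    f = parse_imb(digits)
    r = f.routing_code
    if len(r) == 11:
        recipient = {"zip": r[:5], "plus4": r[5:9], "delivery_point": r[9:11]}
    elif len(r) == 9:
        recipient = {"zip": r[:5], "plus4": r[5:9]}
    elif len(r) == 5:
        recipient = {"zip": r}
    else:
        recipient = {}
    return {
        "sender_mailer_id": f.mailer_id,
        "recipient": recipient,
        # Sender-to-household linkage from the barcode alone needs all 11 digits.
        "links_sender_to_delivery_point": len(r) == 11,
        # Meaningful only to whoever holds the mailer's serial-number database.
        "opaque_serial": f.serial_number,
    }


# Constructed samples (not real mailer IDs, serials or addresses).
SAMPLE_6DIGIT_MID = "00" + "700" + "123456" + "789012345" + "12345678901"  # 31 digits
SAMPLE_9DIGIT_MID = "00" + "700" + "912345678" + "000123" + "12345"        # 25 digits

if __name__ == "__main__":
    for s in (SAMPLE_6DIGIT_MID, SAMPLE_9DIGIT_MID):
        print(parse_imb(s))
        print(observable_link(s))
```

The parser covers only the digit string, not the 4-state bar encoding or its CRC; that is enough to show which parts of the code are readable by anyone who scans it versus meaningful only to the mailer.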
I wish we could have such a service here in the UK. I have long suspected that "First Class mail" gets the same priority as ordinary mail. We would be able to see at a glance where that important letter is. Royal Mail would never allow it though! They would have to employ thousands of workers to field the complaints!
One thing this might do is enable return-only mailings. Say I'm a business and I want to make it free for you to mail me an order, I can put a prepaid envelope in my catalog and send it to you.
You, being miserly, can paste a new address on the envelope and send a letter to Aunt Martha for free.
But if the return postage is paid by a barcode, and the barcode belongs to me, and I agree with the post office that it's only to be honored when sending the mail to me....
My cost goes down, as I only pay for orders and "stop spamming me" requests, and USPS collects another fee for your letter to Aunt Martha. I can see why they like it.
Seems as though they ought to put a barcode on my mailbox as well, since my $@!%ing moron of a mail carrier can't seem to accurately ascertain which of the three mailboxes in my complex (each complete with full name and address) *my mail needs to go into.
Maybe even a handheld scanner complete with big, flashing red lights that go off when the less-than-vigilant carriers 'accidentally' scan the wrong destination box for any given piece of mail.
I know I'd be all for this, since I'm kind of tired of being forced to have a neighborhood committee meeting every weekday to get all of my mail.
For surveillance purposes, it will only work if "anonymous" email (e.g. mail drop-boxes) are removed and one has to present identification before sending mail. I wouldn't rule it out.
Mailing a package already requires ID and has since roughly 9/11.
I work in the direct mail industry (not speaking for my employer here). As far as I can see, this is just a fancy version of delivery confirmation. All that "connecting with the consumers" means is that you'll know the Postal Service didn't lose the mail before it got to its destination.
If the Postal Service is compiling their own database from this information -- and I don't have much faith in their technological ability to do so -- neither the mailers nor the consumers will get any benefit out of it.
Wow? Arabic blogspam? I've never seen that before---guess I don't read enough blogs.
Do you really think they don't have this information already?
@Do you really think they don't have this information already?
Well, yes - they had a Federal Agent deliver it.
Seems pretty obvious.
Not able to get any newspaper which is produced in NJ. They sent it; I just do not receive it. They are not in English.
may God be with u
When I wrote my birth date I made a mistake in the year: I wrote 2007.
Now what can I do?
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.