Schneier on Security
A blog covering security and security technology.
October 9, 2013
A New Postal Privacy Product
The idea is basically to use indirection to hide physical addresses. You would get a random number to give to your correspondents, and the post office would use that number to determine your real address. No security against government surveillance, but potentially valuable nonetheless.
Here are a bunch of documents.
I honestly have no idea what's going on. It seems to be something the US government is considering, but it was not proposed by the US Postal Service. This guy is proposing the service.
EDITED TO ADD (10/11): Sai has contacted me and asked that people refrain from linking to or writing about this for now, until he posts some more/better information. I'll update this post with a new link when he sends it to me.
EDITED TO ADD (10/17): Sai has again contacted me, saying that he has posted the more/better information, and that the one true link for the proposal is here.
Posted on October 9, 2013 at 1:08 PM
Interesting. I wonder how it will affect their ongoing surveillance and tracking of mail. Maybe it's a honeypot of some sort?
See here for details on the tracking of mail by the USPS:
A PO Box # with home delivery service? Didn't see how this would differ or get past the "no PO Box" restriction that people have today.
I had an idea for a service a year or so ago called SnailMix. It worked like this:
You would sign up on a Tor Hidden Service and supply a GPG public key, a forwarder email address, and a bitcoin wallet internal to the service.
You would send bitcoins to the service providers if you needed to send mail out (to cover postage).
You would be able to generate a nonce (RFC 4648 base32-encoded pseudorandom string) which would go in the address line 2 for an address that doesn't already have one.
101 First Street
New York, NY 10101
(A more subtle implementation could use QR codes beneath the stamps)
These mixing stations would scan, GPG-encrypt, shred, and burn all remaining documents.
The problem is, I couldn't think of any use cases for such a service outside of helping credit card fraudsters dump documents in locations separated from their identity, so I never pursued it enough to flesh out the details, write a full specification, and produce PoC software.
I've wanted this service ever since I was a college student moving apartments every 6 months... This would be incredibly useful on several fronts.
Unless it's offered free of charge, how is this different from a PO box?
www.prc.gov ? People's Republic of China?
Just get a 3rd party PO BOX. I've been doing this for years. Places may not like USPS boxes but 3rd party PO boxes like The UPS Store and others usually format their addresses similar to
327 N 8th St #37
Philadelphia PA, 19123
I use that address for everything, bank accounts, driver license, anything ordered online etc... Doesn't do much for gov surveillance but it does prevent wackos from figuring out where I live (or at least makes it a tad bit harder).
Doesn't help with utilities, things like Gas, Electric, and FiOS still come to the home address. I could change the delivery address of utilities to the mail box store but that would link both addresses in their databases.
Added advantage if you live in a city and FedEx etc won't leave packages on your door step these guys will sign for and hold packages for you. Also helps with changing addresses if you change apartments a lot.
I've been using private mailboxes for nearly 2 decades now; they are superior to home delivery and USPS PO boxes in nearly every respect.
(For utilities that are tied to my physical address I don't use my real name)
One thing I would like to see is the ability to give different shippers different pseudo-addresses to stymie cross-correlation. For example, if I buy sex toys from one place and crucifixes from another place and they both sell their sales info to a company like BlueKai, I don't want BlueKai to associate those two purchases to me.
I realize this would also break the current "only ship to authorized address" security model for credit card purchases. BUT, I already use 'disposable' credit card numbers which require an extra layer of security (my username/password) to create.
@Alex W - One obvious difference is that there would (could) be a one-stop way of changing your address, to anywhere in the country.
The system that E-bay and PayPal are pushing for shipments from the US to Canada shows some of the needed infrastructure. If I buy one of the items that use this the seller is instructed to send it to my name at an address in Kentucky. Pitney Bowes runs that address and they (1) do bulk clearance for the taxes and duty and (2) stick an address label with my real address and (3) truck it to Mississauga where it is mailed bulk rate. The various costs for all this are added to the PayPal transaction for the initial purchase.
Some trusted third party could do this as an anonymiser service where anything received at their address is remailed with your real address. (perhaps on a weekly basis with aggregation to reduce postage charges)
This is a godsend to direct mailing companies (aka dead tree spammers). Now instead of filtering inefficiently for different writing versions of your name to prevent duplicates being mailed to you they just have to check the very machine-readable random number.
I am with Bruce on this... No idea what problem this is supposed to solve. Sounds like an idea straight from an address broker's Christmas wishlist.
Weak security! Just develop a GPS tracking Android app and post an old smart phone (e.g. with broken screen) with the app running to the address. Wouldn't cost much more than $50 to break the "privacy". You could probably even just use an existing "Track my run" app.
My Dad, who worked in management at the USPS for > 20 years assured me in the early 90s that electronic mail would never take off. The Postal Service had tried it, and the key problem was getting the printouts into the envelopes at the receiving end without anyone reading the contents.
Not. A. Joke.
This would certainly make the NSA's compilation of snailmail metadata a *lot* less computationally intensive. I mean one simple, numeric field in their database would replace several current fields that have to deal with all kinds of data. And really, the current address fields have always been a major pitfall for any database admin.
Yeah, I gotta think the NSA and all the other letter agencies are lovin' this.
The guy you link to, who is supposedly pushing for this service, certainly looks like a real revolutionary; don't he? He's so perfect. I wonder if he actually exists...
Wow, I had assumed that the Posties were using their sophisticated scanning and sorting equipment to supply the other feds with everything they could want. Fellow govt emps and all that. I would assume that anything going through anything the US govt can touch is slurped. But maybe this is another dodge to get more suckers to incriminate themselves.
The scumbag was wrong, it should have been: verify, verify, verify, verify, then trust - skeptically and only when you have to.
Australia Post are setting up a "digital mailbox" service, which looks like a mix of ordinary webmail combined with a PayPal-like payment service for bills.
It also gives the government easier access to the inside of our envelopes as well as the outside. ;-)
Meh. Random numbers are not a good test case for supporting an external address database. If shipping companies really wanted to get with the times they'd start by supporting whois database lookups. I'd love to be able to use the same @ addresses I use online to move things around in real life.
I've thought about either setting up some sort of discreet delivery business, focused purely on anonymous delivery of maybe OTPs/crypto keys/simple love letters...but most importantly hardware components and maybe a liveCD burned on a "trusted" computer somewhere... In a city-atmosphere it would be a bunch of bicyclists and could be cheaper to run.
Customers have to sign some agreement stating they're shipping legal content so some dumb fed wouldn't just mail drugs or porn and shut it down.
Would rather someone else provide the service until the feds get done sniffing my backside.
Anything delivered by the USPS...lol. Thanks for delivering my textbooks a week later than others I ordered before, and not even sealing up the package right. Fed-ex or UPS for sure.
It's a neat idea, but it's been tried before.
Before about 1990 you could subscribe to a private mailbox service anonymously, and many of them let you disguise your address there as "Suite 123" or the like. Today, postal service regulations forbid both practices, and USPS will cut off delivery to anyone who tries to do them.
Now, if the government were to provide such a service, I wouldn't mind at all. While we'd still be vulnerable to their own snooping (or need to consider other defenses against it), there are other sorts of bad guys out there, and anything that makes it harder for them to find out where you live is a good thing. Of course, I'd want to be able to have the obfuscated address on my driver's license.
From a technological and logistical standpoint this would be extremely easy to realise. Already letters and packages are scanned and "resolved" to actually existing addresses, then encoded onto the package or letter. The routing is via the encoding, not what is written on the envelope. So you just need to add entries to the resolution database so the delivery person knows where to take it.
Of course, you could do away with human readable labels altogether. Just devise a "cryptographic" barcode that only authorised readers can decipher.
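The post's indirection idea and the "cryptographic barcode" suggested in the comment above can be combined: instead of a central lookup table that maps a random number to an address (a table that, as another comment notes, brokers would race to copy), the real address is encrypted and authenticated under a key that only the carrier holds, and the ciphertext itself is the label. The Go program below is an added example written for this page; it is not code from the original post, from any commenter, or from any postal proposal. The Carrier type, the label format (a 12-byte AES-GCM nonce followed by the ciphertext, encoded with the RFC 4648 base32 alphabet an earlier comment mentions) and the sample address are all assumptions of the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base32"
	"errors"
	"fmt"
	"io"
)

// labelEnc is RFC 4648 base32 without padding: A-Z and 2-7 only, so the
// digits most often confused with letters never appear on an address line.
var labelEnc = base32.StdEncoding.WithPadding(base32.NoPadding)

// labelContext is bound into every label as associated data, so a ciphertext
// produced for some other purpose under the same key cannot be replayed as a
// routing label.
const labelContext = "postal-label-v1"

// Carrier models the delivery organisation. Only it holds the key; senders,
// data brokers and anyone photographing the envelope see the opaque label.
type Carrier struct {
	aead cipher.AEAD
}

// NewCarrier wraps an AES-GCM key (16, 24 or 32 bytes).
func NewCarrier(key []byte) (*Carrier, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Carrier{aead: aead}, nil
}

// IssueLabel turns a real street address into an opaque routing label.
// A fresh random nonce is drawn on every call, so the same address yields a
// different label for each correspondent: two merchants comparing their
// customer files cannot tell that they shipped to the same household.
func (c *Carrier) IssueLabel(realAddress string) (string, error) {
	nonce := make([]byte, c.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	sealed := c.aead.Seal(nil, nonce, []byte(realAddress), []byte(labelContext))
	return labelEnc.EncodeToString(append(nonce, sealed...)), nil
}

// ResolveLabel is the sorting-centre step: decode, authenticate, decrypt.
// A label altered in transit, or one minted under a different key, fails the
// GCM tag check and is rejected rather than routed to an attacker-chosen
// address.
func (c *Carrier) ResolveLabel(label string) (string, error) {
	raw, err := labelEnc.DecodeString(label)
	if err != nil {
		return "", fmt.Errorf("malformed label: %w", err)
	}
	ns := c.aead.NonceSize()
	if len(raw) < ns+c.aead.Overhead() {
		return "", errors.New("label too short")
	}
	plain, err := c.aead.Open(nil, raw[:ns], raw[ns:], []byte(labelContext))
	if err != nil {
		return "", errors.New("label failed authentication")
	}
	return string(plain), nil
}

func main() {
	// Constructed demo key; a deployment would keep this in an HSM.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	carrier, err := NewCarrier(key)
	if err != nil {
		panic(err)
	}
	home := "101 First Street, New York, NY 10101" // constructed sample address
	forShopA, _ := carrier.IssueLabel(home)
	forShopB, _ := carrier.IssueLabel(home)
	fmt.Println("label given to shop A:", forShopA)
	fmt.Println("label given to shop B:", forShopB)
	fmt.Println("labels match:", forShopA == forShopB) // false: unlinkable
	resolved, err := carrier.ResolveLabel(forShopA)
	fmt.Println("carrier resolves to:", resolved, err)
}
```

Two practical caveats. With random 96-bit GCM nonces the number of labels issued under one key must stay far below 2^32, so a national-scale deployment would rotate keys or pick a nonce-misuse-resistant AEAD; and the label is roughly 100 characters for a 36-character address, long for a printed address line but fine as a barcode. The scheme hides the address from correspondents and brokers only: whoever holds the carrier's key, or can compel its use, still resolves every label, which is the limitation the post itself states.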
It may help, but don't forget, all of the printer manufacturers place almost-invisible identifying marks on every page printed, which encode the printer serial number, the time of printing, etc.
I am sure that the NSA, FBI, etc, have access to the information necessary to decode this information. Perhaps they even caused this functionality to exist in the first place.
So the front of every piece of posted mail is photographed, AND every printed piece of paper can be traced back and tied to the printer which printed it and the time of printing.
Once implemented, start-ups would quickly fill the need to provide address look-ups for any given private address code. There would be competition in this area. The credit bureaus would quickly be able to build a master database containing both the private code and physical address.
For several years I traveled a lot and used https://www.earthclassmail.com. Your mail (including packages) is delivered to their street address with an ID #, they scan the outside and notify you of receipt. You use their web interface to view the scan and tell them whether to shred it or ship it to an address of your choice. I found it quite convenient, if a bit spendy.
Clarification: I used the service I described for convenience, not security. As other commenters have indicated, records certainly would not be safe from three-letter agencies. I don't know if EarthClassMail sells info to Big Data.
@Godel - Canada Post has had a service like this for years, with the imaginative name "e-post." We were forced to use it for a while, when my wife's employer decided to send her pay stubs that way.
The list of problems goes on and on, and the benefits hard to identify.
What I found most amusing were the "terms of service." They claimed to provide all sorts of benefits - security, long term storage, etc. However, the ToS made it clear that they took no responsibility for anything, if anything went wrong they could not be held liable, etc., etc. And, if anyone ever figured out any way to hold them responsible for anything, they could change the ToS without notice at any time to eliminate the problem.
People may be interested in a proposal of mine from many years ago I called Addrescrow
I feel it's more likely to try to get it in the private shipping market and then move it to the USPS. Though the USPS is needed if you want to easily have a soft-forwardable and private address that would be accepted by those who insist on getting an address. Of course many of them refuse PO boxes already.
There are also services already that will give you a POBox and they just scan and email all that is mailed to it. And I use a service that does that for bills, it even arranges payment of the bills if they meet criteria.
The military has similarly been using APO and FPO addresses to hide the physical destination for a long time.
I see only two valid usage scenarios:
1) Dead tree spamming
2) Government hijacking of a PAF id. to have someone's correspondence conveniently sent directly to a TLA or front-end thereof, pretty much like seizing a domain name.
shame the public's not being informed of the USPS identity management stuff (& wearable computing too), the contracts, going through the exec, all in financial crisis, the private players involved...I hv no problem w/ people choosing a 666, but a done deal that's de facto imposed is the part I don't like
How do we avoid the fact that one's address is public record if you own a house? And most of those databases are online?
Currently, when registering a business, many US Counties require a physical address and prohibit POB's and PMB's.
This exposes the address of home-based businesses.
I wonder if this would be allowed.
--Funnily enough, my neighbor apparently went to the trouble of getting his house blurred from google earth. Pretty worthless considering google still has that data which now becomes more valuable if an enemy contacts google and satellites could read the dates off nickels in the 1970...
You would not believe the leakage of personal information in gov't available to the lowest of the low employees...
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.