USPS Tracking Queries to Its Package Tracking Website

A man was arrested for drug dealing based on the IP address he used while querying the USPS package tracking website.

Posted on May 22, 2015 at 12:33 PM • 27 Comments

Comments

Jayson • May 22, 2015 1:02 PM

In October 2013, U.S. Postal Service (USPS) investigators opened a package in Hollywood, Florida that contained 500 grams of a "white crystal-like substance" that turned out to be the synthetic stimulant methylone.

That's how the background starts? What incredibly good luck the investigators had in opening packages that day...

Some Dude • May 22, 2015 2:58 PM

During the days of the original silk road, I heard people were warned not to track their packages using TOR. Apparently that increased the likelihood of the package being intercepted substantially.

Not sure if it was/is true, but it shows that there have been allegations of this sort of behavior for a long time.

Spaceman Spiff • May 22, 2015 3:02 PM

So he sends drugs via the postal service, who has drug sniffing dogs or whatever. They get a hit, and then the feds (sending contraband via the USPS is a federal crime) monitor for hits on that package... Bingo! Brain dead drug dealer is busted! Of course, it may not have been dogs, but the sender may have been a known dealer... Same result.

Another Justin • May 22, 2015 3:14 PM

I don't see anything surprising about this. So they keep server logs and maybe even filter out requests for package tracking info for later possible use, e.g. someone claims a package never arrived but an IP address frequently associated with them (especially if they have a free USPS signin/account such as to buy postage, order supplies etc) made frequent tracking requests implying that they were aware of the USPS-supplied expected delivery time and delivery status. Seems like good business sense. Mail fraud is an actual problem. I would be disappointed if UPS, Fedex etc did not do something similar.

On the other hand, Google allows you to search the tracking number and will automatically figure out the carrier (USPS, Fedex, UPS at the least), send the request to the carrier and return the results to you as the search result. So unless you want your tracking search saved by Google it's best to go to the carrier website.

moo • May 22, 2015 3:35 PM

I'm surprised that anybody would be surprised by this. They would need to keep logs for various business-related reasons (lost/damaged package claims, mail fraud, customer service patterns, etc). Of course they would comply when law-enforcement asks them for IP addresses after they've identified something fishy about a package.

It probably works the other way around too, where law enforcement knows the IP address(es) and demands info about any package(s) shipped or queried from those IP addresses.

rgaff • May 22, 2015 5:11 PM

Hello government shills, howrya doin... of course YOU wouldn't be surprised by anything.

Harry Johnston • May 22, 2015 6:44 PM

Heck, I'm fairly sure our web site (departmental website in a University) tracks IP numbers and requests. I don't think we've ever needed it, but Apache logs everything by default.

Also, if I remember correctly, our information security standards document (based on industry standards) mandates such logging - if you discover that your servers have been hacked, how are you going to investigate without logs?

The original Justin • May 22, 2015 6:48 PM

I love it. "FUD ... planted by law enforcement to dissuade people from buying drugs online" and "delusional ravings of tweaked out users."

Godel • May 22, 2015 8:29 PM

I confess I might not have thought of this if I was importing drugs, but if you're doing something that requires a physical delivery then you can never be safe anyway.

The use of sniffer dogs or x-ray machines means the buyer is always at risk.

TorIsNotACrime • May 23, 2015 6:56 AM

> I heard people were warned not to track their packages using TOR.
> Apparently that increased the likelihood of the package being intercepted substantially.

Oh my...
Using Tor is not a crime; people have a right to protect privacy.

I will never use a package tracking website again.
I will use VPN if I really want to track my package then...

rgaff • May 23, 2015 8:26 AM

@ TorIsNotACrime

"I will use VPN if I really want to track my package then"

You missed the point. Tor didn't flag you as "only suspicious people use tor," it flagged the package you tracked with it as "only suspicious packages get tracked with tor." So then in principle, using VPN would do the same if they chose to make it the same.

In today's fascist state, if you really want to send packages anonymously (and track them anonymously too) you need a different kind of mail system, not one with your real name and address literally written on the package!

This is all just logic.

Chuck Fitzgerald • May 23, 2015 6:43 PM

You have it backwards - the package is identified by Postal Inspectors first. A federal search warrant is obtained and the package is opened. Inspectors notify the USPS admins over the tracking database to capture IP data for inquiries. Either the mailer or the recipient will query for a given parcel.

Associating a physical package with a tracking number can be done at two places - at the origin or the delivery point. In transit the parcel loses its individuality in a container as large as a 53 foot trailer.

There are only about 1,200 total Postal Inspectors, including management in the US and they cover external crimes, physical security of Post Offices, child exploitation, revenue fraud and mail fraud in addition to drugs in the mail.

How many drug parcels could maybe 400 Inspectors nationwide identify by having a computer spit out a parcel ID at one of 30,000 delivery units and they: respond to the delivery unit, locate the package, obtain a search warrant, open the parcel, put together a search warrant for the receiving address, assemble a team to serve the warrant, and execute the warrant in such a time that the addressee doesn't suspect something is awry? None.

The parcels have to be identified on the originating end. Getting an IP address is just icing on the cake. It shows guilty knowledge and lessens the credibility of "I don't know a thing about that parcel you delivered, I'm just receiving it for a friend".

rgaff • May 23, 2015 9:25 PM

@Chuck Fitzgerald

Perhaps you didn't notice the whole "silk road... people were warned not to track their packages using TOR... that increased the likelihood of the package being intercepted substantially" part? You're saying direct experience with this kind of thing is simply wrong? Totally convincing! Eyeroll.

Coyne Tibbets • May 24, 2015 1:08 AM

Government records everything. USPS: under Congress' thumb, close enough for government work.

Justin • May 24, 2015 1:13 AM

@Chuck Fitzgerald

Notwithstanding the Constitution, I don't think it takes a warrant for postal inspectors to open mail, and I know it doesn't take probable cause. Given a tracking number that has raised suspicion, that package could be flagged for further attention anywhere it's sorted, processed, or scanned. There are more points than just origin and delivery, especially for packages that come overseas, and then have to cross the continental U.S. Not just customs, but sorting and processing at various intermediate cities, etc.

If the package is flagged, and then it is scanned at some waypoint, there is no reason that that scan necessarily has to show up on the tracking website. It's still en route, as far as the customer is concerned. They can put a yellow sticker on it and divert it to one of those 400 inspectors just like that. Open it up, look at it, and if it passes inspection, peel the yellow sticker off, tape it up and drop it back in the mail. Program the tracking website not to show the diversion. Any warrants needed are obtained by parallel construction.

I often get packages (books etc.) that have been delayed, sliced open and taped back together after I have tracked them online with no effort to hide myself. Tell me they don't have enough inspectors to intercept drugs in the mail, when they sure enough intercept my books.

steven • May 24, 2015 1:15 PM

Oh wow, that's bad. I never realised couriers are in a position to match up physical addresses to IP addresses in this way. Imagine the potential abuses of that data, if they sell it to online marketers, social networks, debt collectors, private investigators, government. Of course the retailers are in such a position too.

Even if you routed all your web browsing through a privacy VPN, if you have a single fixed IP address, the courier can associate that with your name and postal address this way. On the other hand if you use Tor, you'd only flag yourself and home address as a Tor user.

At least usps.com does support HTTPS. Without it, intelligence agencies probably harvested the tracking codes to maintain such a database themselves.

@Harry Johnston: "but Apache logs everything by default." - most webservers will log the visiting IP and the URI visited; that would include parameters of a GET request but not a POST request. The USPS website does use a POST request on the Track Your Package search form. So I think this data collection was set up very much intentionally (probably in response to their HTTPS deployment leaving the intelligence agencies shut out).
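Added example, not part of the original thread: what the logging behaviour discussed in the two comments above looks like from the server operator's side. It parses Apache combined-format access log lines and shows that a tracking number sent in a GET query string is recorded next to the client IP, while a POST leaves only the IP and path. The log lines, the `/track` path, the `tracking` parameter name and the tracking numbers are all constructed for illustration; the IPs are documentation ranges.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Apache "combined" LogFormat:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
# %r is the request line only; the request body is never part of it.
COMBINED = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines (hypothetical path, parameter name and numbers).
SAMPLE_LOG = """\
192.0.2.10 - - [22/May/2015:12:40:01 -0400] "GET /track?tracking=EXAMPLE0001 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [22/May/2015:18:02:44 -0400] "GET /track?tracking=EXAMPLE0001 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [22/May/2015:13:05:19 -0400] "POST /track HTTP/1.1" 200 5093 "-" "Mozilla/5.0"
203.0.113.5 - - [22/May/2015:13:09:30 -0400] "GET /track?tracking=EXAMPLE0002 HTTP/1.1" 200 5077 "-" "Mozilla/5.0"
"""


def lookups_visible_in_log(log_text, param="tracking"):
    """Return (tracking number -> set of client IPs, IPs whose lookup is opaque).

    A lookup is "opaque" when the access log shows a POST to the endpoint
    but not which tracking number was submitted.
    """
    seen = defaultdict(set)
    opaque = []
    for line in log_text.splitlines():
        m = COMBINED.match(line)
        if not m:
            continue  # not a combined-format line
        values = parse_qs(urlsplit(m["target"]).query).get(param, [])
        if values:
            for number in values:
                seen[number].add(m["ip"])
        elif m["method"] == "POST":
            opaque.append(m["ip"])
    return dict(seen), opaque


if __name__ == "__main__":
    by_number, opaque = lookups_visible_in_log(SAMPLE_LOG)
    for number, ips in sorted(by_number.items()):
        print(number, "queried from", sorted(ips))
    print("POST lookups with no number in the access log:", opaque)
```

The access log is only one place a lookup can be recorded: the application that handles the POST receives the tracking number and the client address together and can write both to its own logs.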

rgaff • May 24, 2015 2:43 PM

"I never realised couriers are in a position to match up physical addresses to IP addresses in this way."

I don't understand the disconnect. If I write my real name and physical address on a clearly visible piece of paper (like an envelope or exterior of a package) and then "track" it by looking at where it is on a web site..... in what universe am I NOT associating that IP address with my physical address? How could anyone possibly not see this? Viewing anything having to do with your real name or address from an IP address associates that IP address and name/physical address together. It's so logical and obvious.

Likewise, if you use Tor to look at something that has anything to do with your real name or physical address, you've de-anonymized your Tor session too by so doing. Same as when you purchase something online using your credit card using Tor, or log into your normal email account that's ever been associated with your real identity using Tor.

The same applies to any VPN. If you use Tor or VPN to do things that are associated with you, then you're associating EVERYTHING ELSE you use that VPN account or Tor session with you too. It's all so basic, why aren't people getting it?

Now we can bitch and whine and say "well the post office and all other carriers should keep such interactions separate" but as we've proven over and over... unless there's a SPECIFIC LAW FORBIDDING THIS... YOU CAN BE CERTAIN THEY ARE DOING IT..... and.... when it comes to "Intelligence Agencies" even if there IS such a law, you can STILL be certain THEY are doing it, and sharing it with everyone else too, because they are totally and completely above all laws in today's society. Parallel reconstruction which is systematic lying to all courts and every legal system top to bottom is an obvious prominent example of this "above the law" principle.

Laws forbid our post office from "opening" letters, for example.... BUT THERE IS NO LAW FORBIDDING USING EVERY RAY AND BEAM KNOWN TO MAN TO SCAN EVERY LETTER (short of frying them all to ashes) and read every single word of every letter that way, without technically physically opening them.... right? So therefore, we MUST assume they are doing this! We must assume all our mail is read by authorities regardless of any law that "seems" to forbid that by merely forbidding "opening".... Of course they don't have the manpower to do it with physical eyes, so they use computers to scan for key words and flag them for review by people, and then in any public explanation they'll torture words like "collect" to mean something other than what it means to pretend they are not outright lying.... sigh.

fajensen • May 25, 2015 6:19 AM

It is always wise to at least use someone else's IP address (and physical address too) for this kind of thing. It's an added bonus when a random innocent person is raided by the militarised police force.

I read a while back that some drug dealers were using a timing attack on the FedEx tracking service - if a package was delayed, then they assumed that it had been intercepted, a warrant obtained, the goods replaced with baking soda and a large team of police waiting at the drop-point, so they just abandoned it. Now a days, "they" don't bother with any of that tedious legal crap - the evidence chain is simply created after the fact.

Justin • May 25, 2015 5:27 PM

'Now a days, "they" don't bother with any of that tedious legal crap - the evidence chain is simply created after the fact.'

That is the worrisome trend. In fact crime rates have been dropping in the U.S. for the past five years. No doubt there is a lot of pressure to keep those private prisons full, but let's have some real honest evidence and respect for Constitutional rights before we lock people up.

Anon5 • May 27, 2015 3:05 PM

"The MSP watched as Bates placed two large white plastic garbage bags in a dumpster behind his building. Once Bates and the woman drove away, the MSP retrieved the bags.

Inside the bags was a host of evidence suggesting that Bates was involved in some sort of business from China."


Doesn't this guy own a shredder?

I know from the article he was being watched, but couldn't he have placed the garbage bags in a dumpster besides the one behind his own apartment building?

Or, used a shredder that created small enough bits of paper that he could have flushed them down the toilet?

DuffBeer • May 27, 2015 10:03 PM

@Justin if you frequently receive books via media mail, they are frequently inspected because they have a lower (money losing) mailing cost. The following classes of mail are subject to inspection:

Periodicals items.
Standard Mail items.
Package Services (including Media Mail, Library Mail and Bound Printed Matter) items.
Standard Post
Parcel Select®
Incidental First-Class Mail attachments or enclosures mailed under DMM 703.9.
GXG items that contain non-documents.
Priority Mail International items except the Flat Rate envelope and small Flat Rate box.
M-bags.
Items sent via “Free Matter for the Blind or Other Physically Handicapped Person” under 39 U.S.C. §§ 3403–06 and IMM 270.
All other Domestic / International mail not specifically stated below.

If you are worried about inspection, the following classes of mail cannot be opened for inspection:

First-Class Mail® items.
Priority Mail® items.
Priority Mail Express™ items.
Global Express Guaranteed® (GXG®) items that contain only documents.
Priority Mail Express International™ items.
Priority Mail International™ Flat Rate envelope and small Flat Rate box.
First-Class Package International Service items
First-Class Mail International items.
International Priority Airmail™ (IPA®) items, excluding IPA M-bags.
International Surface Air Lift® (ISAL®) items, excluding ISAL M-bags.
Certain Global Direct™ (GD) mail.
International transit mail.

If you are worried about integrity of sensitive or valuable mail, registered mail creates an audit trail of every human touching your letter.

Justin • May 28, 2015 1:00 AM

@DuffBeer

Thank you for the clarification. Of my books, the ones that seem inspected the most frequently are the ones I receive from overseas or from smaller, lesser known bookstores.

Also this brief blurb in the FAQ.

4. Can Postal Inspectors open mail if they feel it may contain something illegal? First-Class letters and parcels are protected against search and seizure under the Fourth Amendment to the Constitution, and, as such, cannot be opened without a search warrant. If there is probable cause to believe the contents of a First-Class letter or parcel violate federal law, Postal Inspectors can obtain a search warrant to open the mailpiece. Other classes of mail do not contain private correspondence, and therefore may be opened without a warrant.

I feel that registered mail is very slow, very expensive, and makes a very big deal out of the fact that you have Something To Hide.

AlexS • May 28, 2015 11:27 PM

So...the USPS can do this...but LOST 3 CERTIFIED envelopes on me last year, each containing substantial settlement checks, which I was able to prove were stolen by USPS employees? Interesting how that works....

Re: webserver logs, my company does this ALL the time. Part of my company's business is financial forensics. It's amazing how many perps do some research on the investigators. Our website even had Bernie Madoff stopping by weekly for a period of time, which I assume was to see if he was next.

Anthony Barreto-Neto • December 28, 2015 11:03 AM

My wife was selling an item on Craig's list in Florida. A man contacted her thru the List and "bought" it. To make a long story short I'll just put the pertinent details: He sent her a Cashier's check for more money than the item cost as he wanted her to cash the 'Cashier's' check and send the money left from the purchase to shippers to ship the item.
I'm retired law enforcement and thought that sounded a bit weird so I tracked the package (btw, package was about 2-3 weeks late). During tracking on USPS I got the below back from the USPS Tracking web site:

Shipment Tracking
FL
December 24, 2015 10:08 am - Departed USPS Facility - JACKSONVILLE FL
December 24, 2015 9:14 am - Arrived at USPS Destination Facility - JACKSONVILLE FL
December 23, 2015 11:27 pm - Departed USPS Facility - NTX P&DC
December 23, 2015 4:34 pm - Arrived at USPS Origin Facility - NTX P&DC
- Seized by Law Enforcement
December 2, 2015 - Pre-Shipment Info Sent to USPS

Obviously the line that caught my eye was "Seized by Law Enforcement"; however, if that were the case why would it then be delivered? When I saw the check, which didn't have a bank telephone number, I started to do some checking and that's how I am now writing here. Just wondered if anyone has seen this before and if so what was the result?
I'm pretty sure that the check is counterfeit and have no intentions of cashing it. I also do not like anyone interfering with USPS; even though I'm a retired LEO, I have never believed I was above the law or participated in what I now see happening in law enforcement.
Thanks very much for any/all info provided.
This ny
