
USPS shared customer postal addresses with Meta, LinkedIn and Snap

405 points | leotravis10 | 1 year ago | techcrunch.com | reply

206 comments

[+] vzaliva|1 year ago|reply
Clickbait title: USPS did not share anything intentionally. They negligently allowed tracking pixels from certain companies on their Informed Delivery page.

Of course, it's terrible from a privacy point of view, but let's be honest and call things as they are.

[+] Terr_|1 year ago|reply
> They negligently allowed tracking pixels from certain companies on their Informed Delivery page.

I had to work on a feature like that, where individual client-companies wanted to sprinkle arbitrary pixel-trackers across different steps in our website's workflow for their users... Even today, I still worry I wasn't paranoid enough.

_______

For the curious/critiquing: When conditions are met, the main page JS creates a temporary <iframe src="..." sandbox="allow-scripts allow-same-origin">, and the destination URL (signed, time-limited) instructs a different subdomain to host up the icky arbitrary markup.

Yes, I know about the srcdoc attribute, and that would have been much easier except it breaks some tracker-code. In particular, Google Tag Manager silently stopped working, and it was because it contained some logic looking for "real site" aspects. This affected both `srcdoc` and also confused things when testing with `file://` URLs.
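
An added illustration of the signed, time-limited frame URL scheme described in the comment above; this is not the commenter's code. The host name, path, parameter names, 60-second lifetime and the choice of HMAC-SHA256 are all assumptions.

```javascript
// Added example (not from the post): HMAC-signed, time-limited frame URL.
const nodeCrypto = require('node:crypto');

// Assumptions: host name, path, parameter names and the 60 s lifetime.
const SANDBOX_ORIGIN = 'https://trackers.sandbox.example';
const TTL_SECONDS = 60;

// Bind snippet id and expiry into one MAC so neither can be swapped alone.
function mac(key, snippetId, exp) {
  return nodeCrypto.createHmac('sha256', key)
    .update(`${snippetId}\n${exp}`)
    .digest('hex');
}

// Main site: mint the URL that the temporary iframe will load.
function signFrameUrl(key, snippetId, nowSec) {
  const exp = nowSec + TTL_SECONDS;
  const u = new URL('/frame', SANDBOX_ORIGIN);
  u.searchParams.set('snippet', snippetId);
  u.searchParams.set('exp', String(exp));
  u.searchParams.set('sig', mac(key, snippetId, exp));
  return u.toString();
}

// Sandbox subdomain: serve markup only for a valid, unexpired URL.
function verifyFrameUrl(key, url, nowSec) {
  const p = new URL(url).searchParams;
  const snippetId = p.get('snippet');
  const expRaw = p.get('exp') || '';
  const sig = p.get('sig') || '';
  if (!snippetId || !sig || !/^\d{1,12}$/.test(expRaw)) {
    return { ok: false, reason: 'malformed' };
  }
  const exp = Number(expRaw);
  const expected = Buffer.from(mac(key, snippetId, exp));
  const given = Buffer.from(sig);
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  if (given.length !== expected.length ||
      !nodeCrypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: 'bad-signature' };
  }
  if (nowSec > exp) return { ok: false, reason: 'expired' };
  return { ok: true, snippetId };
}
```

The sandbox value quoted in the comment combines `allow-scripts` with `allow-same-origin`, which isolates the markup only because it is served from a different origin than the main page; served same-origin, framed script could remove the sandbox attribute from its own frame.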

[+] segasaturn|1 year ago|reply
Why on earth is a government website linking anything from Facebook, Snapchat, etc? USPS isn't a trendy coffee shop or a designer brand, they're a federal agency of the United States government and should be held to a higher trust and privacy standard.
[+] gwerbret|1 year ago|reply
> Clickbait title: USPS did not share anything intentionally. They negligently allowed tracking pixels from certain companies on their Informed Delivery page.

You needed to read through to the end of the article. TechCrunch did its own testing and confirmed that the mentioned sites were scraping data from the USPS, including but not limited to the postal addresses. The negligence that allowed USPS to leak such information in the name of analytics or whatever it is they were gaining from Facebook et al. is unconscionable, and USPS are very much responsible, just as they would be for a trivial hack with the same effect.

[+] ysacfanboi|1 year ago|reply
If they allowed the tracking pixels, they intentionally shared the data. We all know what the tracking pixels do.
[+] dtgriscom|1 year ago|reply
I got an email from a co-worker today, and noticed at the bottom of his signature a "Create your own email signature" link, which led to wisestamp.com. Turns out they sell an email signature service to companies.

I pointed out to him that advertising an unrelated company in his corporate emails was tacky, but even worse there was a tracking pixel in the email, clearly specific to him. So, any time someone opened one of his emails, WiseStamp would know.

He removed it immediately.

[+] dreamcompiler|1 year ago|reply
> USPS did not share anything intentionally.

We don't actually know that. What we know is that they said they didn't share anything intentionally. But there is almost no penalty for lying about such things and the USPS is desperate for money, so I don't think it's impossible that some USPS person made an under-the-table deal with Meta or another company to add this stuff to its website in exchange for a kickback. Only a detailed audit would be able to find out the truth, and that seems unlikely to happen unless Congress gets upset about the issue.

[+] not_wyoming|1 year ago|reply
Post: Car strikes, kills pedestrian at crosswalk

Top post: Title is clickbait, driver didn't kill pedestrian on purpose.

Pedestrian: <is dead>

[+] DevKoala|1 year ago|reply
This is so naive. When you allow those tracking pixels you get paid to do it.
[+] 1vuio0pswjnm7|1 year ago|reply
Title could be misleading but only if the reader jumps to conclusions; it doesn't say anything about intent. It only says data was shared. That's 100% accurate.

USPS customers have no recourse so arguably intent is irrelevant anyway.

[+] rahimnathwani|1 year ago|reply
How can a tracking pixel cause a customer's postal address to be sent to Meta?
[+] g15jv2dp|1 year ago|reply
They intentionally shared data with "certain companies" that then shared it with meta etc. Let's be even more honest.
[+] YeBanKo|1 year ago|reply
You are right, it’s not sharing. It's leaking. It should be “USPS leaked customer postal addresses to Meta, LinkedIn and Snap”
[+] nkrisc|1 year ago|reply
Ok so they unintentionally shared customer postal addresses with Meta, LinkedIn and Snap.

Doesn’t really seem like clickbait to me.

[+] muteh|1 year ago|reply
So the data wasn’t shared? These companies do not have USPS PII?
[+] rkagerer|1 year ago|reply
I have trouble accepting that as mere negligence (vs. gross negligence). Anyone hosting a website should be familiar with the trackers and other cruft that comes from third parties they utilize. This is why I'm incredibly choosy about what libraries I use and which third parties I allow to put content on my site (directly or indirectly). If you don't have good insight on this you have no business including their assets/snippets. I use open-source analytics tools that run entirely on my infrastructure, not the junk from Meta etc.

"Everyone else does it" is not a palatable excuse.

These companies are known for having user-hostile, privacy-invasive reputations, so as developers we should by default be wary of them.

E.g. Including a Facebook "Like" snippet on your page lets them siphon all sorts of data from your visitors, particularly if the user hasn't logged out of their Facebook account. It's not how users expect the web to work, and it's an insidious technique (they're deliberately taking advantage of thousands of unwitting webmasters who don't understand the baggage that snippet comes with). More examples here: https://www.consumerreports.org/electronics-computers/privac...

Frankly, even if USPS was unaware, the data still ended up in those third party hands via their services so as far as I'm concerned, yes, they did facilitate the sharing of said data. At least they plugged the hole once it was pointed out to them.

[+] username135|1 year ago|reply
Yet another reason why ublock should be a default extension for everyone as it blocks those by default.
[+] AustinDizzy|1 year ago|reply
This just highlights the pervasive privacy issues in adtech. Many platforms today even support server-side events tracking which bypasses client-side detection & prevention like an adblocker would do to a tracking pixel. The true scope is alarming: way beyond clicks and views, they track events like "MakeAnAppointment", "AddPaymentInfo", "LoanApplication", etc.

This is the real reason why TikTok is a national security risk. Their ad platform, widely used by Shopify, Adobe, Segment, WooCommerce, etc., collects intimate data on non-TikTok users: prescriptions, medical appointments, loan applications, credit card details. Millions who'll never use TikTok, Facebook, etc. are still subject to this data collection in the name of "converting users to customers".

https://abs.codes/blog/2024/03/tiktoks-all-seeing-eye-survei...

At the policy level, we urgently need a national data privacy act to address these types of systemic issues. At the technology level, things like zero-knowledge advertising could mitigate a lot of the user privacy risk.

[+] alsetmusic|1 year ago|reply
> When reached for comment, Facebook spokesperson Emil Vazquez provided a statement: “We’ve been clear in our policies that advertisers should not send sensitive information about people through our Business Tools. Doing so is against our policies, and we educate advertisers on properly setting up Business Tools to prevent this from occurring. […]

Seems pretty convenient to blame the people using the tool.

> Our system is designed to filter out potentially sensitive data it is able to detect.”

And just how much attention is spent making that work well? Or is that really just an afterthought with no ongoing improvements so that they can say they tried?

[+] tqi|1 year ago|reply
Is it also Apple's fault when people send inappropriate messages via iMessage?
[+] zelphirkalt|1 year ago|reply
I mean, filtering messages that contain _addresses_ ... That must be an almost impossible task to do for machines of a multi billion dollar company!
[+] carom|1 year ago|reply
Tangentially related, the government publishing my address whatsoever really upsets me. Voter records, property records, the DMV, and the USPS all in some way publish or sell citizens' addresses to private companies. I do not know why this is legal. I do not want anyone outside of the government knowing my address.
[+] smcin|1 year ago|reply
Sure, but the USPS is not a government-owned corporation (like Amtrak), it was made an "independent agency" of the US executive branch back in July 1971, over half a century ago; under Nixon [0].

The head of the USPS (Postmaster General, currently Trump appointee Louis DeJoy) reports to the Board of Governors [1] (9 governors + PG + Deputy PG) who are nominated by the President; the PG can be removed by an absolute majority of the board. The USPS is overseen by the Office of Inspector General (USPS-OIG), current head Tammy Hull [2] and has a "hotline" (actually a web form) for reporting complaints [3] which fall under its focus areas, which includes fraud, computer crime and employee misconduct. Seems like one place to start.

For previous 2022 discussion of controversies involving Postmaster General DeJoy and what it would take to remove the PG, see [4].

The PG has no term limit but most recent PGs averaged ~5 years. Historically it wasn't seen as a partisan appointment and wasn't replaced when an incoming President changed to the other party.

[0]: https://en.wikipedia.org/wiki/United_States_Post_Office_Depa...

[1]: https://about.usps.com/who/leadership/board-governors/

[2]: https://www.uspsoig.gov/

[3]: https://www.uspsoig.gov/hotline

[4]: "Can Biden fire US Postmaster General Louis DeJoy?" https://www.federaltimes.com/federal-oversight/2022/08/24/ca...

[+] russianbandit|1 year ago|reply
TBH I don’t even want the government knowing my address.
[+] ysacfanboi|1 year ago|reply
This perhaps explains why I couldn't successfully submit the change of address forms while my ad and tracker blocker was on. Why is this legal?
[+] jondwillis|1 year ago|reply
Because we have failed to adapt our laws sufficiently to keep up with modern networked computing realities. And it is more profitable in the short term (the short term is ending, right about now, in my opinion) to continue to not update our laws.

We are going to start to see productivity drop at some point (now) from all of the corruption and inefficiencies that are stacking up to pay for said short-term profits.

[+] bredren|1 year ago|reply
Really, you don’t want to fill out a permanent change of address form with the USPS.

They sell that information. Or license it. Or whatever they call it when they are holding booths at advertising and marketing trade shows.

You want to fill out a temporary change of address, renew it the one allowable time and then ghost USPS.

By then you should have updated your personal and business contact info with any group you care about.

USPS is one of the largest distributors of spam in the United States.

[+] djbusby|1 year ago|reply
Lots of places have the ad/tracker code in paths that can't handle the error correctly. Like, they always think the object they need is there (window.google.tag or whatever).

We need to educate the Journeymen in the game to use try/catch and other methods so the hot-path doesn't die.

Not sure about the illegal part but, for sure a failure in test cases.

[+] nullc|1 year ago|reply
Government sites shouldn't load any third party content.
[+] digging|1 year ago|reply
Tracking pixels are just insane. I can't imagine a non-regulatory/legislative solution when the biggest companies on the planet will pay you money just to put a script on your page. How does that get outcompeted? Someone richer pays you to not sell out your users? Just ban this shit.
[+] falqun|1 year ago|reply
"oh sorry, the computer's at fault here, can't do nothing about it" - god I hate that line of reasoning. It's your system, so it's your responsibility.
[+] BobbyTables2|1 year ago|reply
I don’t get it. Thought tracking pixels were just for unsophisticated websites and those who wanted to track people across different sites.

USPS has an authenticated page where they know their customers. Why wouldn’t they just analyze THEIR OWN logs instead of relying on third-party advertising companies?

Was this really an accident?

[+] wlonkly|1 year ago|reply
Pixels aren't pixels, oddly enough, it's marketing jargon for cross-site tracking, which way back when was accomplished by pixels. So even relatively sophisticated analytics platforms are still "pixels". I don't like it either.

The USPS wants to know which of their ad campaigns is successful, and wants to be able to target advertising, so they embed their advertising platforms' JavaScript in their site. That part seems reasonable for a government agency that's required to self-fund. The problem is either that the tracking was on pages that shouldn't have had it, or that it wasn't restricted in what it could send to the analytics platforms.

[+] smolder|1 year ago|reply
This may sound hyperbolic but I think the US is a failed state. Humanity is facing a mess because the hegemony is falling apart in the hands of extremely incompetent leadership. Generations of nepo-babies have led to incompetency. In very simple terms: today's rich are stupid.
[+] XCSme|1 year ago|reply
I am happy that my building has this pick-up box system: https://www.my-pup.com

When you order, you enter their own address and name, so neither the delivery company, nor the web shop, have your details.

[+] grendelt|1 year ago|reply
Another reminder we still don't have an overarching, comprehensive data privacy law for US citizens à la GDPR.
[+] kvetching|1 year ago|reply
People would be horrified if they knew the extent to which basically every corporation shares data with everyone else for "business intelligence"
[+] troupo|1 year ago|reply
On top of all this people keep uncritically posting news like "Meta will not provide AI models to EU due to regulatory uncertainty"

Shit like this is the only "uncertainty"

[+] moomoo11|1 year ago|reply
I hate using USPS address change because they always leak my address.

I didn’t do it once when I had a short stint and that address isn’t leaked…

[+] Mountain_Skies|1 year ago|reply
When I moved a year ago, I didn't file an address change. I only gave it to my bank and a few others I needed to keep informed of my address. Almost none of the junk from my old address has followed me to my new address. One annoying exception has been the DMV in my new state informing the Secretary of State in my old state that I surrendered my old state's license for one in my new state. The SoS sent me a letter asking if the move was permanent or not because if so, they wanted to remove me from my old state's voting roll. I understand the desire to keep voting rolls clean but I'm not happy that this happened behind my back. Plus before I moved, I went to the SoS's site for my old state and informed them that I was moving and should be removed. I'm guessing they get a feed from other states and just mail everyone without checking if you've already been removed. Given the general incompetence of the SoS in my old state, it's probably just a matter of time before they leak out my new address to interested parties. I haven't registered to vote in my new state and unregistered in my old state so it's not like I'm trying to double vote or even vote at all.
[+] bobmcnamara|1 year ago|reply
Can I FOIA everyone's address?
[+] soygem|1 year ago|reply
TAD, Total Advertiser Death.
[+] KennyBlanken|1 year ago|reply
Wait until you hear that the USPS scans the front and back of every piece of mail that passes through its high-speed scanners, stores it for an unknown period of time, and makes those records available to law enforcement.

Those images are part of their 'informed delivery' service which you can sign up for.

I've noticed on a number of occasions that the contents of the envelope were noticeable without enhancement and legible with simple contrast/level adjustment.

[+] xyst|1 year ago|reply
Only need to sign up for informed delivery via website, then the service sends e-mail and/or texts. Have rarely needed to use their site directly.

Still it’s a major oversight on their part. I wonder if the tracking pixel is loaded as part of “social login” or “social media integration”.

Yet another reason I don’t use that shit, and heavily block them across all sites.

[+] ranger_danger|1 year ago|reply
Friendly reminder that FedEx (and probably others) use onboard Flock cameras, who sells the video feeds to law enforcement without probable cause.