USPS shared customer postal addresses with Meta, LinkedIn and Snap

The U.S. Postal Service was sharing the postal addresses of its online customers with advertising and tech giants Meta, LinkedIn and Snap, TechCrunch has found.

On Wednesday, the USPS said it addressed the issue and stopped the practice, claiming that it was “unaware” of it.

TechCrunch found USPS was sharing customers’ information by way of hidden data-collecting code (also known as tracking pixels) used across its website. Tech and advertising companies create this kind of code to collect information about the user — such as which pages they visit — every time a webpage containing the code loads in the customer’s browser.

In the case of USPS, some of that collected data included the postal addresses of logged-in USPS Informed Delivery customers, who use the service to see photos of their incoming mail before it arrives.

It’s not clear how many individuals had their information collected or for how long. Informed Delivery had more than 62 million users as of March 2024. 

In a statement to TechCrunch, USPS spokesperson Jim McKean said: “The Postal Service leverages an analytics platform for our own internal purposes, so that we understand the usage of our products and services and which we use on an aggregated basis to market our products.”

“The Postal Service does not sell or provide any personal information that is collected from this analytics platform to any third party, and we were unaware of any configuration of the platform that collected personal information from the URL and that shared it without our knowledge with social media.” 

“We have taken immediate action to remediate this issue,” the spokesperson said, without saying what action was taken. The spokesperson declined to comment further. 

When reached for comment, Facebook spokesperson Emil Vazquez provided a statement: “We’ve been clear in our policies that advertisers should not send sensitive information about people through our Business Tools. Doing so is against our policies, and we educate advertisers on properly setting up Business Tools to prevent this from occurring. Our system is designed to filter out potentially sensitive data it is able to detect.”

LinkedIn spokesperson Brionna Ruff said much to the same effect, noting that “customer ad tools and agreements are clear and prohibit them from sharing sensitive data with us.”

Snap did not respond to a request for comment when contacted by TechCrunch.

In our testing, TechCrunch discovered that the USPS website shared the postal address of a logged-in USPS Informed Delivery customer with Meta, LinkedIn and Snap. TechCrunch tested this by inspecting the network traffic using tools baked into most modern browsers. 

Our testing showed the data-collecting code on USPS’ website was scraping the customer’s address from the Informed Delivery landing page after customers logged in, and then sending it to the companies.
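The check described above, looking in captured network traffic for a known address, can be automated by a site owner against a HAR file exported from the browser's developer tools. This is an added example, not code from TechCrunch or USPS; the hostnames, the address and the sample capture are constructed, and `normalise` and `findLeaks` are hypothetical names.

```javascript
// Added example: audit a browser HAR export for seeded personal data that
// leaves the first-party site. Hostnames, the address and the HAR are constructed.

// Decode nested percent-encoding (a page URL is often embedded as a parameter),
// then reduce to lowercase alphanumeric tokens so encodings and case compare equal.
function normalise(text) {
  let s = String(text || "");
  for (let i = 0; i < 3; i++) {
    try {
      const decoded = decodeURIComponent(s);
      if (decoded === s) break;
      s = decoded;
    } catch (_) { break; } // malformed escape: keep what we have
  }
  return s.toLowerCase().replace(/[^a-z0-9]+/g, " ").trim();
}

// One finding per third-party request and location that carries a seeded value.
function findLeaks(har, firstPartyDomain, seededValues) {
  const findings = [];
  for (const { request } of har.log.entries) {
    const host = new URL(request.url).hostname;
    if (host === firstPartyDomain || host.endsWith("." + firstPartyDomain)) continue;
    const referer = (request.headers || []).find((h) => h.name.toLowerCase() === "referer");
    const places = {
      url: request.url,
      referer: referer ? referer.value : "",
      body: request.postData ? request.postData.text || "" : "",
    };
    for (const [where, text] of Object.entries(places)) {
      const haystack = " " + normalise(text) + " "; // pad so matches fall on token boundaries
      for (const value of seededValues) {
        const needle = normalise(value);
        if (needle && haystack.includes(" " + needle + " ")) findings.push({ host, where, value });
      }
    }
  }
  return findings;
}

// Constructed capture: a first-party page, two third-party beacons, one clean asset.
const sampleHar = { log: { entries: [
  { request: { url: "https://www.shop.example/account?addr=42%20Elm%20Rd", headers: [] } },
  { request: { url: "https://px.tracker.example/tr?dl=https%3A%2F%2Fwww.shop.example%2Faccount%3Faddr%3D42%2520Elm%2520Rd", headers: [] } },
  { request: { url: "https://ads.other.example/collect", headers: [{ name: "Referer", value: "https://www.shop.example/account" }],
               postData: { text: '{"title":"Welcome","street":"42 ELM RD"}' } } },
  { request: { url: "https://cdn.fonts.example/a.woff2", headers: [] } },
] } };

console.log(findLeaks(sampleHar, "shop.example", ["42 Elm Rd"]));
```

Seeding a test account with a distinctive address and failing a release build on any finding turns this into a regression check for newly added tags.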

The code also collected other data, such as information about the user’s computer type and browser, which appeared as partly pseudonymized — essentially scrambled in a way that makes it more difficult for humans to know where data came from, or who it relates to, by using randomized identifiers in place of real customer names. But researchers have long warned that pseudonymous data can still be used to re-identify seemingly anonymous individuals. 

TechCrunch also found that tracking numbers entered into the USPS website were shared with advertisers and tech companies, including Bing, Google, LinkedIn, Pinterest and Snap. Some in-transit tracking data was also shared, such as the real-world location of the mail in the postal system, even if the customer was not logged in to USPS’ website.

USPS’ spokesperson declined to say if the postal service will ask the tech companies to delete the data that they collected. 

A spokesperson for the USPS Office of Inspector General, the federal watchdog that provides oversight of the postal service, did not comment at press time.

USPS is the latest organization in recent years to curtail its use of web tracking code.

In 2023, telehealth wellness startup Cerebral and alcohol recovery apps Tempest and Monument revealed they had shared private health information, including assessments submitted by their users, with tech and advertising companies, and had since removed the tracking code.

In the same year, the Federal Trade Commission brought enforcement action against healthcare data giant GoodRx, which agreed to pay $1.5 million for sharing health data of customers with advertisers, and online therapy company BetterHelp, which was ordered to compensate patients to the tune of $7.8 million for also sharing their private health questionnaire responses.

Updated with comment from Meta and LinkedIn.