Cell phone with USPS logo and several computer codes in the background

TechCrunch has uncovered that the U.S. Postal Service (USPS) was sharing the postal addresses of its online customers with significant advertising and tech companies such as Meta, LinkedIn, and Snap.

On Wednesday, USPS announced that it had addressed the issue and stopped the practice. USPS stated that it was unaware of the data sharing. Read this article to learn more about the USPS data-sharing issue and its prospects.

Data Collection Mechanism

TechCrunch found that USPS was using hidden data-collecting code, known as tracking pixels, on its website. These codes are typically used by tech and advertising companies to collect user information, such as page visits, whenever a webpage loads.

The data collected included postal addresses of users logged into USPS Informed Delivery, a service that allows customers to see photos of their incoming mail. It remains unclear how many individuals were affected or for how long this data collection occurred. Informed Delivery had over 62 million users as of March 2024.

Statements From USPS And Tech Companies

Jim McKean, a USPS spokesperson, explained that the agency uses an analytics platform to understand and market its products and services.

He also claimed that USPS does not sell or provide personal information from this platform to third parties and that USPS was unaware of any platform configuration that shared personal information without its knowledge.

USPS took immediate steps to address the issue but did not specify the actions taken, and McKean declined to provide further comments.

Emil Vazquez represented Meta (Facebook) and stated that their policies prohibit sending sensitive information through their Business Tools and that they educate advertisers to prevent such occurrences.

Brionna Ruff from LinkedIn noted that LinkedIn's ad tools and agreements prohibit sharing sensitive data. Snap did not respond to a request for comment.

Test Findings

Testing revealed that the USPS website was sharing postal addresses of logged-in Informed Delivery customers with Meta, LinkedIn, and Snap. This test was done by inspecting network traffic using tools available in most modern browsers.

USPS's website was scraping customer addresses from the Informed Delivery landing page and sending them to these companies. Other data collected included information about the user's computer type and browser, which was pseudonymized but still potentially identifiable.

Tracking numbers entered into the USPS website were shared with advertisers and tech companies like Bing, Google, LinkedIn, Pinterest, and Snap. Some in-transit tracking data, including the real-world location of mail, was shared even if the customer was not logged into the USPS website.

Lack Of Further Action

USPS did not confirm if it would request tech companies to delete the collected data. The USPS Office of Inspector General did not comment at press time. USPS is the latest organization to limit the use of web tracking codes. Here are some recent examples of similar incidents:

  • Cerebral, Tempest, and Monument shared private health information with tech and advertising companies and later removed the tracking code.
  • GoodRx was fined $1.5 million for sharing health data with advertisers.
  • BetterHelp was ordered to compensate patients $7.8 million for sharing private health questionnaire responses.
 

The USPS data-sharing incident highlights ongoing concerns about privacy and data security in the digital age. Organizations are increasingly scrutinized for their data practices, emphasizing the need for transparency and robust data protection measures.