USPS Provided Customer Mailing Details to Meta, LinkedIn, and Snap

TechCrunch discovered that the USPS had been inadvertently disclosing the postal addresses of its digital patrons to large tech and advertising entities such as Meta, LinkedIn, and Snap.

The USPS acknowledged the problem on Wednesday, affirming that it has ceased such activities and was previously “unaware” of them occurring.

The investigation revealed that the USPS implemented stealthy, data-gathering scripts on their website, a common practice among tech and advertising firms to amass user data, including page visits, through hidden tracking pixels whenever a user loaded a page on their site.

For users subscribed to the USPS Informed Delivery service, which offers previews of upcoming mail, these covert codes captured and shared their actual postal addresses with the aforementioned companies.

The extent of the data collection or the number of affected individuals remains unspecified. However, as of March 2024, the Informed Delivery service boasted over 62 million users.

USPS representative Jim McKean clarified that the Postal Service utilizes analytics tools for internal review to gauge product and service engagement but does not sell or willingly share customer data with third parties. They were caught off guard by the platform configuration that led to the unintended data sharing.

Immediate corrective actions were taken by the USPS, although specifics of these measures were not disclosed, with further comments on the matter being declined.

Facebook’s Emil Vazquez responded, emphasizing the company’s policy against advertisers sharing sensitive user data through their Business Tools and the measures in place to prevent such breaches.

Likewise, LinkedIn’s Brionna Ruff reiterated their advertising tools and contracts strictly forbid the acquisition of sensitive data from partners.

Snap had not given a response to inquiries from TechCrunch at that moment.

Further examination by TechCrunch confirmed that upon login, the USPS website did indeed transmit user postal information directly to Meta, LinkedIn, and Snap, deduced through analyzing network traffic with standard browser tools.

The investigation also showed that the tracking code was not only scraping addresses from the Informed Delivery landing page post-login but was collecting diverse data, like computer and browser specifications, albeit in a somewhat anonymized manner. Despite this, experts caution that such pseudonymized data might still be traceable back to individuals.

Furthermore, it was noted that tracking numbers input on the USPS site were shared with several advertisers and tech firms, including Bing, Google, LinkedIn, Pinterest, and Snap, revealing certain package-tracking details regardless of user login status.

The USPS spokesperson refrained from commenting on whether they would request the deletion of the collected data from these tech companies.

A commencement of a statement from the USPS Inspector General’s office, tasked with oversight responsibilities, was pending at the time of reporting.

This revelation positions the USPS amongst other organizations retracting from web tracking practices in recent history.

In 2023, entities like the telehealth startup Cerebral, alongside recovery platforms Tempest and Monument, admitted to sharing sensitive user information with tech and ad companies, subsequently eliminating such tracking scripts.

That same year witnessed the Federal Trade Commission taking decisive actions against GoodRx for disclosing health information for advertisement purposes, resulting in a $1.5 million settlement, and against the online therapy platform BetterHelp, which was mandated to reimburse patients $7.8 million for similar privacy infringements.

Updated with responses from Meta and LinkedIn.