back to top
Thursday, December 12, 2024

Careers

USPS Shared Customer Addresses with Meta, LinkedIn, Snap

 

 

The U.S. Postal (USPS)Service was sharing the postal addresses. Its online customers with advertising and tech giants Meta, LinkedIn, and Snap, TOPCLAPS has found.

USPS Claims to Address the Issue

On Wednesday, the USPS said it addressed the issue and stopped the practice, claiming that it was “unaware” of it.

Hidden Data-Collecting Code

TOPCLAPS found USPS was sharing customers’ information by way of hidden data-collecting code (also known as tracking pixels) used across its website. Tech and advertising companies create this kind of code to collect information about the user — such as which pages they visit — every time a webpage containing the code loads in the customer’s browser.

Collected Data Included Postal Addresses

In the case of USPS, some of that collected data included the postal addresses of logged-in USPS Informed Delivery customers. Who use the service to see photos of their incoming mail before it arrives.

Scale of Data Collection Unknown

It’s not clear how many individuals had their information collected or for how long. Informed Delivery had more than 62 million users as of March 2024.

USPS Statement on Data Collection

In a statement to TOPCLAPS , USPS spokesperson Jim McKean said: “The Postal Service leverages an analytics platform for our own internal purposes, so that we understand the usage of our products and services and which we use on an aggregated basis to market our products.”

No Personal Information Sold or Provided

“The Postal Service does not sell or provide any personal information that is collected from this analytics platform to any third party, and we were unaware of any configuration of the platform that collected personal information from the URL and that shared it without our knowledge with social media.”

Immediate Action Taken

“We have taken immediate action to remediate this issue,” the spokesperson said, without saying what action was taken. The spokesperson declined to comment further.

Meta’s Response

When reached for comment, Facebook spokesperson Emil Vazquez provided a statement: “We’ve been clear in our policies that advertisers should not send sensitive information about people through our Business Tools. Doing so is against our policies, and we educate advertisers on properly setting up Business Tools to prevent this from occurring. Our system is designed to filter out potentially sensitive data it is able to detect.”

No Comment from LinkedIn and Snap

Spokespeople for LinkedIn and Snap did not immediately comment when contacted by TOPCLAPS.

Testing Confirms Data Sharing

In our testing, TOPCLAPS discovered that the USPS website shared the postal address of a logged-in USPS Informed Delivery customer with Meta, LinkedIn, and Snap. TOPCLAPS tested this by inspecting the network traffic using tools baked into most modern browsers.

Data Scraping from Informed Delivery Page

Our testing showed the data-collecting code on USPS’ website was scraping the customer’s address from the Informed Delivery landing page after customers logged in and then sending it to the companies.

Additional Data Collected

The code also collected other data, such as information about the user’s computer type and browser, which appeared as partly pseudonymized — essentially scrambled in a way that makes it more difficult for humans to know where data came from, or who it relates to, by using randomized identifiers in place of real customer names. But researchers have long warned that pseudonymous data can still be used to re-identify seemingly anonymous individuals.

Tracking Numbers Also Shared

TOPCLAPS also found that tracking numbers entered into the USPS website were also shared with advertisers and tech companies, including Bing, Google, LinkedIn, Pinterest, and Snap. Some in-transit tracking data was also shared, such as the real-world location of the mail in the postal system, even if the customer was not logged in to USPS’ website.

USPS’ Response to Data Deletion

USPS’ spokesperson declined to say if the postal service will ask the tech companies to delete the data that they collected.

No Comment from USPS Office of Inspector General

A spokesperson for the USPS Office of Inspector General, the federal watchdog that provides oversight of the postal service, did not comment at press time.

Similar Incidents with Other Organizations

USPS is the latest organization in recent years to curtail its use of web tracking code.

Previous Cases of Data Sharing

In 2023, telehealth wellness startup Cerebral and alcohol recovery apps Tempest and Monument revealed they had shared private health information, including assessments submitted by their users, with tech and advertising companies, and had since removed the tracking code.

Federal Trade Commission Enforcement Actions

In the same year, the Federal Trade Commission brought enforcement action against healthcare data giant GoodRx. Which agreed to pay $1.5 million for sharing health data of customers with advertisers. Online therapy company BetterHelp, which was ordered to compensate patients to the tune of $7.8 million for also sharing their private health questionnaire responses.

Related Articles

LEAVE A REPLY

Please enter your comment!
Please enter your name here