By C.J. Lovelace – November 25, 2017
The holiday season means a significant increase in mail as millions upon millions of letters and packages move through the U.S. Postal Service system en route to their destinations.
For years, the postal service has taken digital photographs of mail as it moves through sorting facilities, helping make the process operate smoothly.
But with the independent federal agency rolling out a new service nationally earlier this year that uses those photographs to let the public get a peek at what could be waiting in their mailboxes, some security experts have questioned the program’s safety and the safeguards in place to protect user privacy.
The new free service, called “Informed Delivery,” provides daily email updates with scanned images of a user’s mail expected to arrive that day.
“With Informed Delivery, you can see your mail before it’s delivered to your door,” said Freda Sauter, a USPS spokeswoman with the Maryland field office. “This adds a layer of transparency to the mail delivery process.”
The postal service has reported favorable reviews among the nearly 7 million people who have signed up so far, but does it give hackers another way to dig up and potentially use your personal information?
“The short and easy is, yeah,” said Diana Bartlett, an assistant professor in cybersecurity at Hagerstown Community College.
After researching the topic, Bartlett said her biggest concern with Informed Delivery is how USPS authenticates users when they sign up for the service.
To sign up, users create a username and password, then enter their home address, email address and other personal information.
The service uses a “knowledge-based authentication” system that asks several multiple choice questions, such as a town in which a user previously lived or a school they attended.
Bartlett said most of the answers to the personal questions are things that hackers could easily find through social media or other websites.
“Basically, you can find those answers,” she said, adding that user feedback has shown that the system is difficult to unsubscribe from once enrolled, also a questionable issue from a security standpoint.
“(Hackers) basically have yet another way of getting your information,” Bartlett said.
Once in the system, a would-be hacker could gather further personal information about a user by reviewing their incoming mail, such as where the person banks or shops, as well as spot potential targets for theft from unsecured mailboxes, she said.
Asked about security concerns, Sauter said the postal service takes privacy “very seriously” and protects the personal information of its customers.
“The scanned images are of the external markings, showing only the exterior, address side of letter-sized mail,” she said. “Informed Delivery is in full compliance with federal privacy laws. The mail is protected by the U.S. Postal Inspection Service, whose sole mandate is to safeguard the entire Postal Service system, including the employees who deliver and process the mail and millions of customers who use it.”
The service, which the USPS has called “an innovative experience in today’s highly digital environment,” was first rolled out in Northern Virginia in 2014 then expanded to New York City in 2015. It was launched nationally in April.
Registered users receive an email with up to 10 black-and-white images of the outside of their mail each morning. Images can be can be viewed as email notifications or accessed through the USPS online dashboard.
The postal service has been scanning all mail as standard protocol since the deadly anthrax attacks in 2001, so the digital service does not cost anything extra for customers.
The system allows only one user account per mailing address, which makes enrolling in the service the easiest way to safeguard yourself from possible nefarious activities regarding your mail, Bartlett said.
“I think it’s something that personally, even looking at the research … I wouldn’t say, ‘Oh, well OK, this is really bad,'” she said. “But this raises a lot of questions.”