Tech

USPS Caught Sharing Customer Information with Meta, LinkedIn, and Snap

Published

on

The U.S. Postal Service (USPS) has been exposed for sharing the personal information of millions of Americans, including customer addresses, with major tech companies Meta, LinkedIn, and Snap. This alarming revelation, uncovered by TechCrunch, has sparked significant concern over privacy violations and the potential doxxing of USPS customers.

TechCrunch’s investigation revealed that USPS was sharing customer information through hidden data-collecting code, commonly known as tracking pixels, embedded across its website. These pixels are designed to collect user data, such as pages visited, each time a webpage loads in the customer’s browser. Shockingly, the data collected included the postal addresses of logged-in USPS Informed Delivery customers, who use the service to preview images of their incoming mail.

It remains unclear how many individuals were affected or the duration of this unauthorized data sharing. As of March 2024, the Informed Delivery service had over 62 million users, indicating the potential scale of this breach.

In response to TechCrunch’s findings, USPS spokesperson Jim McKean stated, “The Postal Service leverages an analytics platform for our own internal purposes, so that we understand the usage of our products and services and which we use on an aggregated basis to market our products. The Postal Service does not sell or provide any personal information that is collected from this analytics platform to any third party, and we were unaware of any configuration of the platform that collected personal information from the URL and that shared it without our knowledge with social media.”

McKean added that USPS has taken “immediate action to remediate this issue,” but did not specify the measures taken. Further comments were declined.

When approached for comment, Facebook spokesperson Emil Vazquez emphasized that their policies prohibit advertisers from sending sensitive information via their Business Tools. Vazquez noted, “Doing so is against our policies, and we educate advertisers on properly setting up Business Tools to prevent this from occurring. Our system is designed to filter out potentially sensitive data it is able to detect.”

Spokespeople for LinkedIn and Snap did not immediately respond to TechCrunch’s requests for comment.

TechCrunch’s testing confirmed that the USPS website shared postal addresses of logged-in customers with Meta, LinkedIn, and Snap. This was verified by inspecting network traffic using tools available in most modern browsers. The data-collecting code was found to scrape customer addresses from the Informed Delivery landing page after login and transmit this information to the aforementioned companies.

In addition to addresses, other data, such as information about the user’s computer and browser, was collected. Although this data appeared pseudonymized, researchers have long cautioned that pseudonymous data can still be used to re-identify individuals.

Tracking numbers entered into the USPS website were also shared with various advertisers and tech companies, including Bing, Google, LinkedIn, Pinterest, and Snap. This included some in-transit tracking data, such as the real-world location of mail in the postal system, even when customers were not logged in.

USPS has not disclosed whether it will request the tech companies to delete the collected data. Additionally, the USPS Office of Inspector General, the federal watchdog overseeing the postal service, has not commented on the situation.

USPS is the latest organization to face scrutiny for using web tracking code. In 2023, telehealth startup Cerebral and alcohol recovery apps Tempest and Monument admitted to sharing private health information with tech and advertising companies, prompting removal of the tracking code.

The Federal Trade Commission (FTC) has also taken enforcement action against healthcare data giant GoodRx and online therapy company BetterHelp for sharing sensitive customer data. GoodRx paid $1.5 million in fines, while BetterHelp was ordered to compensate patients $7.8 million.

This unfolding situation underscores the critical need for stringent oversight and transparency in data sharing practices to protect consumer privacy.

SOURCE: TECH CRUNCH

#M904721ScriptRootC1506001 { min-height: 300px; }

You must be logged in to post a comment Login

Leave a Reply

Cancel reply

Trending

Exit mobile version