Clickbait title: USPS did not share anything intentionally. They negligently allowed tracking pixels from certain companies on their Informed Delivery page.
Of course, it's terrible from a privacy point of view, but let's be honest and call things as they are.
Why on earth is a government website linking anything from Facebook, Snapchat, etc? USPS isn't a trendy coffee shop or a designer brand, they're a federal agency of the United States government and should be held to a higher trust and privacy standard.
As the parent comment has explained, all USPS is doing -- at least from their perspective -- is to use some third-party analytics tools, without intentionally or specifically linking to Facebook or Snapchat.
Or put it this way -- is there a data analytics platform that is suitable & easy to use for any US government agency? Not that I am aware of (but please let me know). Without such infrastructure, these government organizations understandably are looking for those commercial options.
While I find it questionable that a government agency should be collecting analytics on its visitors in the first place, there are self-hosted analytics tools that they can use. One Google search turns up plausible.io which, even if it's less convenient than Google, would help with trust. It seems we've completely normalized the State conducting mass surveillance, tracking and metadata collection on citizens with the aid of corporate tech giants like Google.
I don't think basic analytics is objectionable for a government org web service. I'd hope they'd be tracking "Do people use this? What kind of devices do people consume this site on? Is the page even loading properly for most people?"
This is analytics data.
Or maybe you'd call that "mass surveillance".
Sure, basic analytics is not objectionable. The issue comes from the analytics not being limited to basic things, as this post shows.
I don't agree with them using known abusers of personal data for the tooling, but this is what I was talking about.
I don't like them using Facebook for analytics, I don't know what they were getting from it. But the basic premise of analytics, I think they should do.
Sure, but the answer they gave to this reporter was the same usual corporate garbage response that included "we need analytics to market our products" (???)
I think it's fucked up that any agency is "marketing products" at all, but inasmuch as this is necessary in some way, surely they don't need the kind of surveillance marketing that's questionably even worth it for corporate advertisers to use. It literally reads like a google or facebook lawyer wrote it
The problem is that the USPS isn't really a "government agency". It's a weird hybrid where in some ways the USPS is more or less forced to act as a private company would. I agree that it's bonkers that a national postal service would need to "market its products", but the USPS is constantly facing funding issues (in no small part due to its weird setup), so they have to do something to... well, drum up business.
I agree that they shouldn't be using tracking code from Facebook etc. for their analytics, but they do need analytics of at least some sort. I think that should hopefully be uncontroversial.
That wasn't always true, and changes in that direction were made to a lot of government agencies, doing things like making them pretend their budget is a business and that they need revenue streams is nonsensical and doesn't work, and I can say that with confidence because every time such changes are implemented the value of the department goes downhill fast, to the point where some people speculate that the intention of such policies is to kill those agencies. I sometimes buy that, but I also think we should acknowledge that while neoliberal political projects are often cynical and greedy, they are also often the result of incompetence. I see a certain naivete in people whose core competency has been gaining power through social influence not knowing how to actually build systems that work
i mean the entire last few decades or so people have been banging the drum that parts of government, like the USPS, should "operate like a business" or even be privatized. so this being an end result of that is not that shocking, unfortunately.
What's even sadder is that this is said in an economic and regulatory environment that has gradually winnowed away all the examples of businesses that made the argument even the slightest bit compelling if you squinted
Some of us do in fact believe that the only way to avoid common issues with mishandling information is not to gather it in the first place. I see sides of the same coin.
The US government does run its own self-hosted analytics platform (https://analytics.usa.gov), which the USPS does in fact use. Which makes it all the more questionable that they were additionally using third-party analytics.
Well…
Offtopic, I chuckled that the top* city visitors come from is Ashburn.
That's definitely just a GeoIP database picking up AWS traffic.
* (in the last 30 minutes, as of now)
Is Matomo not suitable?
I believe at least one French government website uses Matomo, based on the fact that I once used their React snippet to make it work.
Matomo is pretty solid. And you can always use it just to ingest the data, then analyze it with something other than the default dashboards.
Still, I'd expect the government's bean counters to ensure that any usage of third party analytics involves some ironclad agreement to the effect of, "If you fail to meet <Herculean privacy desiderata>, then we f---ing own you", so at least the government gets something when said third party inevitably violates the agreement.
Except it was the government agency that violated their agreements by providing this data. At least Facebook, based on their response, specifically put in the agreement that this sort of data should never be provided. It seems like the proposal of consequences flows the wrong way here.
Security and similar audits are a big deal in government. Or, at least, they were...
Imagine believing this wasn't the product of corruption and nobody got kickbacks for letting this "mistake" happen.
And now you see why the GDPR requires a site to list the third parties involved.
https://www.royalmail.com/privacy-notice and the cookie policy, 3.4.
Defund the USPS. They absolutely suck. 60% of their volume is junk mail. Let's save the planet.
60% is junk mail because they’re not funded properly. Junk mail provides postage fees that fund them.
This isn't exactly true. Even with junk mail they aren't profitable. But being profitable is a non-goal; they exist to serve the people, not to allow 3rd parties to harass them endlessly.
That's not really the point. If they didn't push junk mail so hard, they'd be insolvent and fail. Profitability is not the issue.
Agree, but someone should probably tell Congress that.
The situation is trash (literally; 95% of my mail goes directly to the recycling bin), but conservatives want the USPS to behave more like a business, and its funding -- and need to do crappy things -- reflects that.
I never said they should be profitable, just that junk mail funds them.
Sounds like they exist to serve big business pumping out tons and tons of land fill routed trash, subsidized by the federal government/taxpayers. Given they're unionized, they can just lobby whomever to keep this unicorn status. Federal agencies should not be allowed to unionize.
If properly funded, do you really want the USPS filtering your mail to only deliver what they think you want delivered?
Their job isn't to stop junk mail. Their job is to reliably deliver whatever mail has my address on it to my mailbox.
They don't have to provide bulk-mailing services to non-government entities. This is where someone says "Mail one of these advertisement packages to every person in this district", and it's not actually addressed to you. This would raise the cost of mailing spam to the same cost as mailing real letters.
Not filtering, no, but I would like them to set bulk mail prices high enough to actually reflect the cost of the externalities of sending (and trashing) that mail. Fewer companies would send so much junk if they had to pay for its true cost.
The United States Constitution requires the United States Government to run a postal service. This means that the USPS must exist and it must be properly funded.
To be pedantic, the US Constitution simply grants Congress the exclusive power to establish post offices and post roads. Nowhere does it make any requirements about how Congress uses that power.
So much of the constitution is like that. Take the second amendment for example. "Arms" aren't clearly defined, affordability isn't guaranteed, taxation of such arms/ammo isn't restricted, and other amendment(s) can alter the provision of the amendment (ie, the fifth is why felons can lose their 2nd amendment rights)
The Constitution was never intended to spell out all laws of the country. It's a framework for how our government should work and a list of fundamental rights that should be protected at all costs.
The second amendment doesn't define "arms" because (a) at the time there wasn't much ambiguity there and (b) "arms" isn't actually the most important concept there. The second amendment enshrines the right for citizens to be able to stand up militias and defend themselves. The US didn't have a standing army until WW2, despite Alexander Hamilton's opinions on the matter. The second amendment was put in place because colonists lived under the thumb of a monarch and at the end of an army's barrel with nothing guaranteeing the people a right to defend themselves, their neighbors, or their fellow colonists (eventually countrymen).
The Constitution is a legal document and the foundation of all American law. It turns out a specific definition of "arms" would actually be very useful to the modern legal doctrines of the post-industrial society in which we actually live, as opposed to the pre-industrial agrarian society for which the British re-establishing their colonies, slave revolts and uprisings from Native Americans were problems worth worrying about.
The second amendment was a reaction to having lived under the oppression of British rule, not concerns over slave revolts or native uprisings.
That aside, the concept of amendments exists for a reason. It's totally reasonable for Congress today to amend the Constitution if a definition of "arms" is now needed. It wouldn't be the first time a new amendment modified or entirely voided an earlier amendment.
What we don't need is court rulings, executive actions, or even new legislation short of an amendment trying to modify or redefine an existing amendment. If an amendment needs to be changed or clarified that needs to happen at the level of another amendment, anything less is short cutting the system and, in my opinion, not democratic.
How? The US government doesn’t fund the USPS.
There’s been some back and forth about the sudden mandate for USPS the pre funding retiree healthcare out 65 years, which nominally created a great deal of debt to the government as they failed to meet that sudden obligation. However, by removing the obligation that ‘debt’ disappeared as the government hadn’t actually spent any money on USPS retirees healthcare.
I wholeheartedly agree with where you're coming from, but don't try to login to your IRS account these days without first taking some Xanax (tm).
I am pretty sure they said they’d reevaluate that ID login change but instead rammed it through.
I think about it every time I have to use it.
The worst part is that it had been working just fine for me before. I already had a login that I think had been verified via postal mail. My IRS account obviously isn't going anywhere. Why do I have to create a completely new login, just to use less secure surveillance based authentication? It smells of corruption where someone gets a kickback based on how many people they can herd into the surveillance industry slaughterhouse. There are probably several layers of indirection (grift) because "government can't do anything", but that's still the underlying dynamic.
If I had to guess, the kickback isn’t from the auth provider.
Maintaining a system takes people & resources. For 40+ years, there’s a push to not allow the government to actually hire and manage those itself, but use commercial entities, because “big government is bad”.
So it is easier to get the approval to pay x2 as much for a 3rd party than do it for half the budget internally. And as things need to be done, you end up saying f*k it and help ruin public service because it was mandated you’ll do so.
And then you end up with shitty services, which was the intent all along: it’s not about big government, it’s about outsourcing government contracts to you and yours.
You are all over the place.
The person that you’re replying to already called it negligent. It’s clear that it’s negligent.
That’s different from USPS not having some “legitimate” reason to use a Facebook tracking pixel somewhere.
I’m not even American, but I just spent 30 seconds on the USPS site and came across an online store where you can buy gifts, etc. This reasonably puts them well within the ballpark of an organisation that’d seek to use this sort of tech. As anyone that’s worked with anyone in ecommerce marketing will tell you, there’s always organisational pressure to shove these ‘tracking pixels’ onto your site.
Again, it’s negligent that they did it, from a privacy POV. But let’s not conflate that with ‘old man grumbling about social networks’.
Not the GP, but:
I don't think the USPS has any legitimate reason to be hosting tracking pixels from any entity outside the US government. USPS should have analytics on their website, but the USG has a hosted analytics package[0], and that's what they should be using -- which they are[1], so they should already be getting the data they need.
[0] https://digital.gov/guides/dap/
[1] https://analytics.usa.gov/postal-service
The USG solution is just Google Analytics though, so…
because that's how the guberment collects data
frankly I prefer when it's the government rather than companies selling it to foreign countries or scammers
How can a tracking pixel cause a customer's postal address to be sent to Meta?
1. customer enters their address in form fields
2. those form field values are templated into a GET request to the Meta tracking pixel (or POST request to the /events endpoint, or ...)
3. profit
they've made it very easy https://developers.facebook.com/docs/meta-pixel/implementati...
OK, based on your link the answer to my question seems to be: it's not a tracking pixel, but the "Meta Pixel", which the documentation describes as "a snippet of JavaScript code".
Welcome to the wonderful world of affiliate marketing, adtech, and tag management.
In that world, third party ‘tags’ that are included in a page are generally referred to as ‘pixels’. Sometimes they are single pixel img tags. Frequently they are scripts. But the industry calls them ‘pixels’ anyway.
It is, surprisingly, not a terribly honest industry.
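Added example (not part of any comment in this thread, and not code from USPS or any vendor): a site owner's audit for the leak path in the numbered steps above, checking whether values typed into a form turn up in requests to third-party hosts. The hostnames, field names, request records and the set of encodings checked are all constructed assumptions.

```javascript
const crypto = require('crypto');

const sha256 = s => crypto.createHash('sha256').update(s).digest('hex');

// Forms in which a typed value may appear inside a tag's request.
// Assumed set: plain text, SHA-256 of the lowercased value, and base64.
function encodings(value) {
  const v = value.trim();
  return [
    { name: 'plain', needle: v.toLowerCase(), fold: true },
    { name: 'sha256', needle: sha256(v.toLowerCase()), fold: true },
    // Case-sensitive; only matches a value that was base64-encoded on its own.
    { name: 'base64', needle: Buffer.from(v).toString('base64').replace(/=+$/, ''), fold: false },
  ];
}

// A request is third-party when its host is neither the site nor a subdomain of it.
function isThirdParty(url, firstParty) {
  const host = new URL(url).hostname.toLowerCase();
  return !(host === firstParty || host.endsWith('.' + firstParty));
}

// Search both the raw and the URL-decoded form of the URL and body.
function haystacks(req) {
  const raw = req.url + '\n' + (req.body || '');
  let decoded = raw;
  try {
    decoded = decodeURIComponent(raw.replace(/\+/g, ' '));
  } catch (e) { /* malformed escapes: fall back to the raw text */ }
  return [raw, decoded];
}

// Returns one record per (third-party host, form field, encoding) match.
function findLeaks(requests, formValues, firstParty) {
  const leaks = [];
  for (const req of requests) {
    if (!isThirdParty(req.url, firstParty)) continue;
    const host = new URL(req.url).hostname;
    const stacks = haystacks(req);
    for (const [field, value] of Object.entries(formValues)) {
      if (value.trim().length < 4) continue; // too short to match reliably
      for (const enc of encodings(value)) {
        const hit = stacks.some(h => (enc.fold ? h.toLowerCase() : h).includes(enc.needle));
        if (hit) leaks.push({ host, field, encoding: enc.name });
      }
    }
  }
  return leaks;
}

// Constructed sample: what a test user typed, and requests captured from the browser.
const SAMPLE_FORM = { street: '12 Elm Street', zip: '99999-0001', email: 'Jane.Doe@mail.example' };
const SAMPLE_REQUESTS = [
  { method: 'GET', url: 'https://tracker.example/tr?id=PIXEL_ID_PLACEHOLDER&ev=PageView&dl=https%3A%2F%2Fmail.example%2Fsignup' },
  { method: 'GET', url: 'https://tracker.example/tr?id=PIXEL_ID_PLACEHOLDER&ev=Lead&street=12+Elm+Street&zip=99999-0001' },
  { method: 'POST', url: 'https://events.othertracker.example/events',
    body: JSON.stringify({ em: sha256('jane.doe@mail.example') }) },
  { method: 'POST', url: 'https://www.mail.example/api/address',
    body: JSON.stringify({ street: '12 Elm Street' }) }, // first-party, not flagged
];

function auditSample() {
  return findLeaks(SAMPLE_REQUESTS, SAMPLE_FORM, 'mail.example');
}

console.log(auditSample());
```

Run against a real capture by filling a form with unique marker values and passing the recorded requests in place of `SAMPLE_REQUESTS`.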
Yeah semantic drift haha...
https://chatgpt.com/share/3331fdec-c69c-46b0-9ffe-c48848fb29...
I don't know why you're being downvoted, calling full access javascript embedded into a page a 'tracking pixel' is a total lie. Then again 'serverless' is where you use a server, so the track record isn't great.
I guess most people reading this already knew that the term 'tracking pixel' has evolved beyond its original meaning, and is now commonly understood to include all sorts of tracking code.
I did not, but now I know :)
(And although serverless doesn't mean 'no server', we know what the word means and it doesn't cause confusion.)
I also didn't know and I definitely don't like how it underplays the capabilities of the tracking.
Doesn't the term confuse anyone hearing it for the first time? It sure did me.
it could have been much worse, I have seen passwords leaked this way
("seen" meaning "I worked at a company where this happened and read the code with my own eyes" not just "I read it in the newspaper")
I had to work on a feature like that, where individual client-companies wanted to sprinkle arbitrary pixel-trackers across different steps in our website's workflow for their users... Even today, I still worry I wasn't paranoid enough.
_______
For the curious/critiquing: When conditions are met, the main page JS creates a temporary <iframe src="..." sandbox="allow-scripts allow-same-origin">, and the destination URL (signed, time-limited) instructs a different subdomain to host up the icky arbitrary markup.
Yes, I know about the srcdoc attribute, and that would have been much easier except it breaks some tracker-code. In particular, Google Tag Manager silently stopped working, and it was because it contained some logic looking for "real site" aspects. This affected both `srcdoc` and also confused things when testing with `file://` URLs.
I spend a fair amount of time fending off requests from our marketing team to add every tracker they can think of into our site. It's as if they don't even think about the possibility that our customers might not like that.
There are layers to the problem.
The platforms do an incredible job of selling their ad tech across a business. No matter what business you're in the expectation is that Google or Meta etc. SHOULD work, and if they don't your marketing team isn't doing it right.
So then the pressure comes from execs to do whatever is needed to make these platforms work well. The execs aren't close to the details of what that means, but they want results.
Marketing then gets told they need to push more data to the platforms to make things work. This lines up with what the execs have been told as well, more data is a good thing right?
Since marketers are non-technical the platforms want to make passing data to the platforms AS SIMPLE AS POSSIBLE. Which leads to these all encompassing data trackers (which conveniently is good for the platforms as well). Marketers don't really understand the tradeoffs, they just know more data is a good thing, and they HAVE to get this platform working well or else they're out of a job.
Then the question of should we trust Google or Meta is just hand waved away. They're huge companies 'of course we should trust them, they're the best in the world' – is a pretty easy pitch for a personable account rep to make over an expensive lunch. Even if you don't trust them, what are you going to do, not work with them while your competitors make money???
IMO it's clear market failure and govt intervention is the solution. Complaining about marketing departments not doing the right thing is never going to solve the problem.
It’s not even about the customers.
We used to worry about trackers duplicating and profiling our player base back when we were running multi-billion dollar mobile games. F2P monetization being the long-tail beast it is, you really worry about ad platforms understanding your revenue dynamics. It was actually the managers who were worrying about trackers rather than the other way around.
I don’t know if you can find a similar argument in your industry, but losing the long tail to customer profiling can be a good string to pull.
I've been flat out blocking google tags manager for years and never noticed any breakage because of this.
I got an email from a co-worker today, and noticed at the bottom of his signature a "Create your own email signature" link, which led to wisestamp.com. Turns out they sell an email signature service to companies.
I pointed out to him that advertising an unrelated company in his corporate emails was tacky, but even worse there was a tracking pixel in the email, clearly specific to him. So, any time someone opened one of his emails, WiseStamp would know.
He removed it immediately.
I was critiqued on here the other day for saying I thought HTML was inappropriate for emails and that I use a plain text email client. This is one of the reasons. Reading an email should not expose you to “tracking pixels” and for me it doesn’t.
People want to be able to include images in their emails, or bold text. HTML is fine for email, just turn images off by default
This is so naive. When you allow those tracking pixels you get paid to do it.
Not directly. They’re used to track people’s behavior on your website after seeing an ad for your company, like knowing that people who see a Facebook ad for stamps are 12% more likely to buy them or whatever.
Not at all. Tracking pixels are installed by advertisers so they can understand if advertising on platform A, B, C actually drives business outcomes X, Y, Z. In other words, they're primarily a tool to see whether you're getting value for the ad dollars you're spending.
(Their secondary purpose is to let you show ads to people who already came to your website, i.e.: focusing your ad dollars on people who might actually care about your products and services in the first place)
If they allowed the tracking pixels, they intentionally shared the data. We all know what the tracking pixels do.
It's right there in the name.
Ok so they unintentionally shared customer postal addresses with Meta, LinkedIn and Snap.
Doesn’t really seem like clickbait to me.
The title is clickbait. If they did this intentionally, it is much more scandalous and will cause more outrage than just a stupid mistake.
You needed to read through to the end of the article. TechCrunch did its own testing and confirmed that the mentioned sites were scraping data from the USPS, including but not limited to the postal addresses. The negligence that allowed USPS to leak such information in the name of analytics or whatever it is they were gaining from Facebook et al. is unconscionable, and USPS are very much responsible, just as they would be for a trivial hack with the same effect.
When a researcher notices they can show source, or tweak an id in a URL and see data they shouldn't, and report it, they're threatened with jail time.
How come Meta can secretly scrape my web session, steal information, and that's not considered a massive violation of these same laws? These companies act like they're entitled to everything. Some CEOs and senior managers jailed for plotting these data theft tactics would be a welcome change... But it's never going to happen, and they know it.
We don't actually know that. What we know is that they said they didn't share anything intentionally. But there is almost no penalty for lying about such things and the USPS is desperate for money, so I don't think it's impossible that some USPS person made an under-the-table deal with Meta or another company to add this stuff to its website in exchange for a kickback. Only a detailed audit would be able to find out the truth, and that seems unlikely to happen unless Congress gets upset about the issue.
Hanlon's razor: "Never attribute to malice that which is adequately explained by stupidity."
I have trouble accepting that as mere negligence (vs. gross negligence). Anyone hosting a website should be familiar with the trackers and other cruft that comes from third parties they utilize. This is why I'm incredibly choosy about what libraries I use and which third parties I allow to put content on my site (directly or indirectly). If you don't have good insight on this you have no business including their assets/snippets. I use open-source analytics tools that run entirely on my infrastructure, not the junk from Meta etc.
"Everyone else does it" is not a palatable excuse.
These companies are known for having user-hostile, privacy-invasive reputations, so as developers we should by default be wary of them.
E.g. Including a Facebook "Like" snippet on your page lets them siphon all sorts of data from your visitors, particularly if the user hasn't logged out of their Facebook account. It's not how users expect the web to work, and it's an insidious technique (they're deliberately taking advantage of thousands of unwitting webmasters who don't understand the baggage that snippet comes with). More examples here: https://www.consumerreports.org/electronics-computers/privac...
Frankly, even if USPS was unaware, the data still ended up in those third party hands via their services so as far as I'm concerned, yes, they did facilitate the sharing of said data. At least they plugged the hole once it was pointed out to them.
Post: Car strikes, kills pedestrian at crosswalk
Top post: Title is clickbait, driver didn't kill pedestrian on purpose.
Pedestrian: <is dead>
So the data wasn’t shared? These companies do not have USPS PII?
They intentionally shared data with "certain companies" that then shared it with meta etc. Let's be even more honest.
Title could be misleading but only if the reader jumps to conclusions; it doesn't say anything about intent. It only says data was shared. That's 100% accurate.
USPS customers have no recourse so arguably intent is irrelevant anyway.