Clickbait title: USPS did not share anything intentionally. They negligently allowed tracking pixels from certain companies on their Informed Delivery page.
Of course, it's terrible from a privacy point of view, but let's be honest and call things as they are.
> They negligently allowed tracking pixels from certain companies on their Informed Delivery page.
I had to work on a feature like that, where individual client-companies wanted to sprinkle arbitrary pixel-trackers across different steps in our website's workflow for their users... Even today, I still worry I wasn't paranoid enough.
_______
For the curious/critiquing: When conditions are met, the main page JS creates a temporary <iframe src="..." sandbox="allow-scripts allow-same-origin">, and the destination URL (signed, time-limited) instructs a different subdomain to host up the icky arbitrary markup.
Yes, I know about the srcdoc attribute, and that would have been much easier except it breaks some tracker-code. In particular, Google Tag Manager silently stopped working, and it was because it contained some logic looking for "real site" aspects. This affected both `srcdoc` and also confused things when testing with `file://` URLs.
I spend a fair amount of time fending off requests from our marketing team to add every tracker they can think of into our site. It's as if they don't even think about the possibility that our customers might not like that.
The platforms do an incredible job of selling their ad tech across a business. No matter what business you're in the expectation is that Google or Meta etc. SHOULD work, and if they don't your marketing team isn't doing it right.
So then the pressure comes from execs to do whatever is needed to make these platforms work well. The execs aren't close to the details of what that means, but they want results.
Marketing then gets told they need to push more data to the platforms to make things work. This lines up with what the execs have been told as well; more data is a good thing, right?
Since marketers are non-technical the platforms want to make passing data to the platforms AS SIMPLE AS POSSIBLE. Which leads to these all encompassing data trackers (which conveniently is good for the platforms as well). Marketers don't really understand the tradeoffs, they just know more data is a good thing, and they HAVE to get this platform working well or else they're out of a job.
Then the question of should we trust Google or Meta is just hand waved away. They're huge companies 'of course we should trust them, they're the best in the world' – is a pretty easy pitch for a personable account rep to make over an expensive lunch. Even if you don't trust them, what are you going to do, not work with them while your competitors make money???
IMO it's clear market failure and govt intervention is the solution. Complaining about marketing departments not doing the right thing is never going to solve the problem.
It's been largely a problem of the marketing team not knowing how to use the tools they had. Rather than figuring out how to extract the desired data from Google Analytics, they wanted to add more trackers just because those trackers promised to make some datum more easily accessible to these non-technical users.
So we dodged some of those bullets just by a combination of training the marketing folks on how to use their own tools, and by just taking the bull by the horns and extracting the data for them.
We used to worry about trackers duplicating and profiling our player base back when we were running multi-billion dollar mobile games. F2P monetization being the long-tail beast it is, you really worry about ad platforms understanding your revenue dynamics. It was actually the managers who were worrying about trackers rather than the other way around.
I don’t know if you can find a similar argument in your industry, but losing the long tail to customer profiling can be a good string to pull.
Why on earth is a government website linking anything from Facebook, Snapchat, etc? USPS isn't a trendy coffee shop or a designer brand, they're a federal agency of the United States government and should be held to a higher trust and privacy standard.
As the parent comment has explained, all USPS is doing -- at least from their perspective -- is to use some third-party analytics tools, without intentionally or specifically linking to Facebook or Snapchat.
Or put it this way -- is there a data analytics platform that is suitable & easy to use for any US government agency? Not that I am aware of (but please let me know). Without such infrastructure, these government organizations understandably are looking for those commercial options.
While I find it questionable that a government agency should be collecting analytics on its visitors in the first place, there are self-hosted analytics tools that they can use. One Google search turns up plausible.io which, even if it's less convenient than Google, would help with trust. It seems we've completely normalized the State conducting mass surveillance, tracking and metadata collection on citizens with the aid of corporate tech giants like Google.
The US government does run its own self-hosted analytics platform (https://analytics.usa.gov), which the USPS does in fact use. Which makes it all the more questionable that they were additionally using third-party analytics.
I don't think basic analytics is objectionable for a government org web service. I'd hope they'd be tracking "Do people use this? What kind of devices do people consume this site on? Is the page even loading properly for most people?"
> I find it questionable that a government agency should be collecting analytics on its visitors in the first place
I don't agree with them using known abusers of personal data for the tooling, but this is what I was talking about.
I don't like them using Facebook for analytics, I don't know what they were getting from it. But the basic premise of analytics, I think they should do.
Sure, but the answer they gave to this reporter was the same usual corporate garbage response that included "we need analytics to market our products" (???)
I think it's fucked up that any agency is "marketing products" at all, but inasmuch as this is necessary in some way, surely they don't need the kind of surveillance marketing that's questionably even worth it for corporate advertisers to use. It literally reads like a google or facebook lawyer wrote it
The problem is that the USPS isn't really a "government agency". It's a weird hybrid where in some ways the USPS is more or less forced to act as a private company would. I agree that it's bonkers that a national postal service would need to "market its products", but the USPS is constantly facing funding issues (in no small part due to its weird setup), so they have to do something to... well, drum up business.
I agree that they shouldn't be using tracking code from Facebook etc. for their analytics, but they do need analytics of at least some sort. I think that should hopefully be uncontroversial.
That wasn't always true, and changes in that direction were made to a lot of government agencies. Doing things like making them pretend their budget is a business and that they need revenue streams is nonsensical and doesn't work, and I can say that with confidence because every time such changes are implemented the value of the department goes downhill fast, to the point where some people speculate that the intention of such policies is to kill those agencies. I sometimes buy that, but I also think we should acknowledge that while neoliberal political projects are often cynical and greedy, they are also often the result of incompetence. I see a certain naivete in people whose core competency has been gaining power through social influence not knowing how to actually build systems that work.
I mean, the entire last few decades or so people have been banging the drum that parts of government, like the USPS, should "operate like a business" or even be privatized. So this being an end result of that is not that shocking, unfortunately.
What's even sadder is that this is said in an economic and regulatory environment that has gradually winnowed away all the examples of businesses that made the argument even the slightest bit compelling if you squinted.
Some of us do in fact believe that the only way to avoid common issues with mishandling information is not to gather it in the first place. I see sides of the same coin.
Still, I'd expect the government's bean counters to ensure that any usage of third party analytics involves some ironclad agreement to the effect of, "If you fail to meet <Herculean privacy desiderata>, then we f---ing own you", so at least the government gets something when said third party inevitably violates the agreement.
Except it was the government agency that violated their agreements by providing this data. At least Facebook, based on their response, specifically put in the agreement that this sort of data should never be provided. It seems like the proposal of consequences flows the wrong way here.
I must be missing something. Their list of who they share data with is vague, such as "other organisations if this is necessary as part of providing services to you or them."
I suppose it is nice that they tell you that they may send your name, contact information and purchase information to market research companies?
The worst part is that it had been working just fine for me before. I already had a login that I think had been verified via postal mail. My IRS account obviously isn't going anywhere. Why do I have to create a completely new login, just to use less secure surveillance based authentication? It smells of corruption where someone gets a kickback based on how many people they can herd into the surveillance industry slaughterhouse. There are probably several layers of indirection (grift) because "government can't do anything", but that's still the underlying dynamic.
If I had to guess, the kickback isn’t from the auth provider.
Maintaining a system takes people & resources. For 40+ years, there’s a push to not allow the government to actually hire and manage those itself, but use commercial entities, because “big government is bad”.
So it is easier to get the approval to pay x2 as much for a 3rd party than do it for half the budget internally. And as things need to be done, you end up saying f*k it and help ruin public service because it was mandated you’ll do so.
And then you end up with shitty services, which was the intent all along: it’s not about big government, it’s about outsourcing government contracts to you and yours.
The person that you’re replying to already called it negligent. It’s clear that it’s negligent.
That’s different from USPS not having some “legitimate” reason to use a Facebook tracking pixel somewhere.
I’m not even American, but I just spent 30 seconds on the USPS site and came across an online store where you can buy gifts, etc. This reasonably puts them well within the ballpark of an organisation that’d seek to use this sort of tech. As anyone that’s worked with anyone in ecommerce marketing will tell you, there’s always organisational pressure to shove these ‘tracking pixels’ onto your site.
Again, it’s negligent that they did it, from a privacy POV. But let’s not conflate that with ‘old man grumbling about social networks’.
> That’s different from USPS not having some “legitimate” reason to use a Facebook tracking pixel somewhere.
I don't think the USPS has any legitimate reason to be hosting tracking pixels from any entity outside the US government. USPS should have analytics on their website, but the USG has a hosted analytics package[0], and that's what they should be using -- which they are[1], so they should already be getting the data they need.
This isn't exactly true. Even with junk mail they aren't profitable. But being profitable is a non-goal; they exist to serve the people, not to allow 3rd parties to harass them endlessly.
That's not really the point. If they didn't push junk mail so hard, they'd be insolvent and fail. Profitability is not the issue.
> But being profitable is a non-goal; they exist to serve the people
Agree, but someone should probably tell Congress that.
The situation is trash (literally; 95% of my mail goes directly to the recycling bin), but conservatives want the USPS to behave more like a business, and its funding -- and need to do crappy things -- reflects that.
Sounds like they exist to serve big business pumping out tons and tons of landfill-routed trash, subsidized by the federal government/taxpayers. Given they're unionized, they can just lobby whomever to keep this unicorn status. Federal agencies should not be allowed to unionize.
Not filtering, no, but I would like them to set bulk mail prices high enough to actually reflect the cost of the externalities of sending (and trashing) that mail. Fewer companies would send so much junk if they had to pay for its true cost.
They don't have to provide bulk-mailing services to non-government entities. This is where someone says "Mail one of these advertisement packages to every person in this district", and it's not actually addressed to you. This would raise the cost of mailing spam to the same cost as mailing real letters.
There’s been some back and forth about the sudden mandate for USPS to pre-fund retiree healthcare out 65 years, which nominally created a great deal of debt to the government as they failed to meet that sudden obligation. However, by removing the obligation that ‘debt’ disappeared, as the government hadn’t actually spent any money on USPS retirees' healthcare.
The United States Constitution requires the United States Government to run a postal service. This means that the USPS must exist and it must be properly funded.
To be pedantic, the US Constitution simply grants Congress the exclusive power to establish post offices and post roads. Nowhere does it make any requirements about how Congress uses that power.
So much of the constitution is like that. Take the second amendment for example. "Arms" aren't clearly defined, affordability isn't guaranteed, taxation of such arms/ammo isn't restricted, and other amendment(s) can alter the provision of the amendment (i.e., the fifth is why felons can lose their 2nd amendment rights).
The Constitution was never intended to spell out all laws of the country. It's a framework for how our government should work and a list of fundamental rights that should be protected at all costs.
The second amendment doesn't define "arms" because (a) at the time there wasn't much ambiguity there and (b) "arms" isn't actually the most important concept there. The second amendment enshrines the right for citizens to be able to stand up militias and defend themselves. The US didn't have a standing army until WW2, despite Alexander Hamilton's opinions on the matter. The second amendment was put in place because colonists lived under the thumb of a monarch and at the end of an army's barrel with nothing guaranteeing the people a right to defend themselves, their neighbors, or their fellow colonists (eventually countrymen).
The Constitution is a legal document and the foundation of all American law. It turns out a specific definition of "arms" would actually be very useful to the modern legal doctrines of the post-industrial society in which we actually live, as opposed to the pre-industrial agrarian society for which the British re-establishing their colonies, slave revolts and uprisings from Native Americans were problems worth worrying about.
The second amendment was a reaction to having lived under the oppression of British rule, not concerns over slave revolts or native uprisings.
That aside, the concept of amendments exists for a reason. It's totally reasonable for Congress today to amend the Constitution if a definition of "arms" is now needed. It wouldn't be the first time a new amendment modified or entirely voided an earlier amendment.
What we don't need is court rulings, executive actions, or even new legislation short of an amendment trying to modify or redefine an existing amendment. If an amendment needs to be changed or clarified that needs to happen at the level of another amendment, anything less is short cutting the system and, in my opinion, not democratic.
> Clickbait title: USPS did not share anything intentionally. They negligently allowed tracking pixels from certain companies on their Informed Delivery page.
You needed to read through to the end of the article. TechCrunch did its own testing and confirmed that the mentioned sites were scraping data from the USPS, including but not limited to the postal addresses. The negligence that allowed USPS to leak such information in the name of analytics or whatever it is they were gaining from Facebook et al. is unconscionable, and USPS are very much responsible, just as they would be for a trivial hack with the same effect.
When a researcher notices they can show source, or tweak an id in a URL and see data they shouldn't, and report it, they're threatened with jail time.
How come Meta can secretly scrape my web session, steal information, and that's not considered a massive violation of these same laws? These companies act like they're entitled to everything. Some CEOs and senior managers jailed for plotting these data theft tactics would be a welcome change... But it's never going to happen, and they know it.
I got an email from a co-worker today, and noticed at the bottom of his signature a "Create your own email signature" link, which led to wisestamp.com. Turns out they sell an email signature service to companies.
I pointed out to him that advertising an unrelated company in his corporate emails was tacky, but even worse there was a tracking pixel in the email, clearly specific to him. So, any time someone opened one of his emails, WiseStamp would know.
I was critiqued on here the other day for saying I thought HTML was inappropriate for emails and that I use a plain text email client. This is one of the reasons. Reading an email should not expose you to “tracking pixels” and for me it doesn’t.
We don't actually know that. What we know is that they said they didn't share anything intentionally. But there is almost no penalty for lying about such things and the USPS is desperate for money, so I don't think it's impossible that some USPS person made an under-the-table deal with Meta or another company to add this stuff to its website in exchange for a kickback. Only a detailed audit would be able to find out the truth, and that seems unlikely to happen unless Congress gets upset about the issue.
Not directly. They’re used to track people’s behavior on your website after seeing an ad for your company, like knowing that people who see a Facebook ad for stamps are 12% more likely to buy them or whatever.
Not at all. Tracking pixels are installed by advertisers so they can understand if advertising on platform A, B, C actually drives business outcomes X, Y, Z. In other words, they're primarily a tool to see whether you're getting value for the ad dollars you're spending.
(Their secondary purpose is to let you show ads to people who already came to your website, i.e.: focusing your ad dollars on people who might actually care about your products and services in the first place)
Title could be misleading but only if the reader jumps to conclusions; it doesn't say anything about intent. It only says data was shared. That's 100% accurate.
USPS customers have no recourse so arguably intent is irrelevant anyway.
OK, based on your link the answer to my question seems to be: it's not a tracking pixel, but the "Meta Pixel", which the documentation describes as "a snippet of JavaScript code".
Welcome to the wonderful world of affiliate marketing, adtech, and tag management.
In that world, third party ‘tags’ that are included in a page are generally referred to as ‘pixels’. Sometimes they are single pixel img tags. Frequently they are scripts. But the industry calls them ‘pixels’ anyway.
It is, surprisingly, not a terribly honest industry.
I don't know why you're being downvoted, calling full access javascript embedded into a page a 'tracking pixel' is a total lie. Then again 'serverless' is where you use a server, so the track record isn't great.
I guess most people reading this already knew that the term 'tracking pixel' has evolved beyond its original meaning, and is now commonly understood to include all sorts of tracking code.
I did not, but now I know :)
(And although serverless doesn't mean 'no server', we know what the word means and it doesn't cause confusion.)
I have trouble accepting that as mere negligence (vs. gross negligence). Anyone hosting a website should be familiar with the trackers and other cruft that comes from third parties they utilize. This is why I'm incredibly choosy about what libraries I use and which third parties I allow to put content on my site (directly or indirectly). If you don't have good insight on this you have no business including their assets/snippets. I use open-source analytics tools that run entirely on my infrastructure, not the junk from Meta etc.
"Everyone else does it" is not a palatable excuse.
These companies are known for having user-hostile, privacy-invasive reputations, so as developers we should by default be wary of them.
E.g. Including a Facebook "Like" snippet on your page lets them siphon all sorts of data from your visitors, particularly if the user hasn't logged out of their Facebook account. It's not how users expect the web to work, and it's an insidious technique (they're deliberately taking advantage of thousands of unwitting webmasters who don't understand the baggage that snippet comes with).
More examples here: https://www.consumerreports.org/electronics-computers/privac...
Frankly, even if USPS was unaware, the data still ended up in those third party hands via their services so as far as I'm concerned, yes, they did facilitate the sharing of said data. At least they plugged the hole once it was pointed out to them.
This just highlights the pervasive privacy issues in adtech. Many platforms today even support server-side events tracking which bypasses client-side detection & prevention like an adblocker would do to a tracking pixel. The true scope is alarming: way beyond clicks and views, they track events like "MakeAnAppointment", "AddPaymentInfo", "LoanApplication", etc.
This is the real reason why TikTok is a national security risk. Their ad platform, widely used by Shopify, Adobe, Segment, WooCommerce, etc., collects intimate data on non-TikTok users: prescriptions, medical appointments, loan applications, credit card details. Millions who'll never use TikTok, Facebook, etc. are still subject to this data collection in the name of "converting users to customers".
At the policy level, we urgently need a national data privacy act to address these types of systemic issues. At the technology level, things like zero-knowledge advertising could mitigate a lot of the user privacy risk.
> When reached for comment, Facebook spokesperson Emil Vazquez provided a statement: “We’ve been clear in our policies that advertisers should not send sensitive information about people through our Business Tools. Doing so is against our policies, and we educate advertisers on properly setting up Business Tools to prevent this from occurring. […]
Seems pretty convenient to blame the people using the tool.
> Our system is designed to filter out potentially sensitive data it is able to detect.”
And just how much attention is spent making that work well? Or is that really just an afterthought with no ongoing improvements so that they can say they tried?
Tangentially related, the government publishing my address whatsoever really upsets me. Voter records, property records, the DMV, and the USPS all in some way publish or sell citizens' addresses to private companies. I do not know why this is legal. I do not want anyone outside of the government knowing my address.
Sure, but the USPS is not a government-owned corporation (like Amtrak), it was made an "independent agency" of the US executive branch back in July 1971, over half a century ago; under Nixon [0].
The head of the USPS (Postmaster General, currently Trump appointee Louis DeJoy) reports to the Board of Governors [1] (9 governors + PG + Deputy PG) who are nominated by the President; the PG can be removed by an absolute majority of the board. The USPS is overseen by the Office of Inspector General (USPS-OIG), current head Tammy Hull [2] and has a "hotline" (actually a web form) for reporting complaints [3] which fall under its focus areas, which includes fraud, computer crime and employee misconduct. Seems like one place to start.
For previous 2022 discussion of controversies involving Postmaster General DeJoy and what it would take to remove the PG, see [4].
The PG has no term limit but most recent PGs averaged ~5 years. Historically it wasn't seen as a partisan appointment and wasn't replaced when an incoming President changed to the other party.
Because we have failed to adapt our laws sufficiently to keep up with modern networked computing realities. And it is more profitable in the short term (the short term is ending, right about now, in my opinion) to continue to not update our laws.
We are going to start to see productivity drop at some point (now) from all of the corruption and inefficiencies that are stacking up to pay for said short-term profits.
Lots of places have the ad/tracker code in paths that can't handle the error correctly. Like, they always think the object they need is there (window.google.tag or whatever).
We need to educate the journeymen in the game to use try/catch and other methods so the hot path doesn't die.
Not sure about the illegal part, but for sure a failure in test cases.
Government sites shouldn't load any third party content.
For a work project, I recently had to visit about 200 government web sites from countries all over the world.
It's surprising how many of them not only load third-party content, but actually have banner and pop-over advertising on them, especially in Asia and Africa.
By comparison, even America's worst government web site¹ is better.
Seeing a page like that is refreshing these days. Loaded in a fraction of a second on my cellphone. Healthcare.gov on the other hand shows a blank screen on Firefox mobile for iOS.
For a long time, .gov was for the federal government only.
In the days before search engines, people knew that their state's home page was state.xx.us. Lots of people memorized URLs back then, the way it was ordinary to know dozens of phone numbers off the top of your head.
I planned many a road trip by typing in travel.state.xx.us for the various states I planned to visit.
I think the .us registry regulates the state name abbreviation subdomains, and school districts and county levels. I agree, not as good as the .gov TLD, but still, a layman like me can't get an example.ca.us without some kind of proof showing an actual connection with the California government. (Not that California uses .ca.us, it uses .ca.gov)
I couldn't buy I-bonds from the US Treasury website because they are using a third party identity verification. WTF? Third parties can't verify me, I've infiltrated private companies with nonsense to protect my privacy. Ask the IRS, DMV, DHS, or USCIS instead to verify me, damnit.
U.S. Savings bonds are something you "set and forget" and don't check up on for decades. I had a HELL of a time accessing my online account (had to get someone from my congressman's office to get a Treasury Department manager on my case) to check my bonds that I bought in 2003 and, yes, I had my username, password, and the second factor stored in my safe deposit box, and access to the email I used to sign up for it.
The problem was the Treasury obsoleted the second factor they issued in 2003 (a physical lookup card with numbers on it) and I had to reverify myself. They couldn't log me in with the information I used to log into Treasury Direct two decades ago.
Reverification required entering information like the Driver's Licence number I had in 2003 and the DL expiration date of my 2003 licence (I don't know! It was in another state and I no longer have it) and some other security questions I apparently answered when signing up and short-sightedly didn't write down ("Favorite Vacation Destination").
Good luck logging in to check your iBonds 30 years from now! They don't issue paper bonds anymore to anyone. Maybe they're hoping for "breakage" -- people will simply forget they own them!
Uselessly tied up budget and so many strings attached is functionally identical to broke.
I have a friend who works at USGS in California, the folks who track (among other things) volcanic and tectonic activity on the west side of the US (that includes Yellowstone).
For their field trips, they have a daily stipend for food & lodging of ~$100 IIRC. If you know the cost of lodging, you can understand how that's a ridiculously small amount.
Per diem rates can be looked up at https://www.gsa.gov/travel/plan-a-trip/per-diem-rates. The standard combined rate is $166: $107 for lodging and $59 for meals and incidentals. This is adjusted for high COL locations. Many hotels have a deal with the government where rates are subsidized. Government employees should pay no taxes on their stays.
So yeah, they’re not staying at the Ritz on government business (and they shouldn’t be!) but it’s not like they’re living in a tent.
Don’t take this the wrong way but I don’t think that the average HN poster’s view on lodging/expenses is the correct gauge for what’s an appropriate per diem for your average government worker on a business trip.
And if the government worker wants to travel for work like a consultant or a FAANG employee then they can of course pay out of pocket.
Maybe. Unless I'm being wined and dined by a client, my expenses have been pretty middle-brow business lodging and restaurants in general. I'm not sure I'd expect a government employee to be going the Motel 6 and McDonald's route just because they work for the government.
How do you figure? Establishing Post Offices is a Constitutionally enumerated power of Congress, and the USPS exists as a Federal Agency since the Postal Reorganization Act of 1970 [1]:
> The United States Postal Service shall be operated as a basic and fundamental service provided to the people by the Government of the United States, authorized by the Constitution, created by Act of Congress, and supported by the people.
While I don't necessarily agree, the argument is that the 1970 postal reorganization act required the postal office to be self funded, and that since they are not funded with any federal dollars they are somewhere between a government service and a private service. Some argue that because of this we have seen a significant degradation in the quality of mail, because the USPS explicitly and intentionally delivers the equivalent of spam mail to every address in the country. They do this as a form of generating revenue that wouldn't be required of a proper government service. This ties into the current post as it seems plausible the reason USPS shares customer data with Meta is due to their requirement of self funding.
> since they are not funded with any federal dollars they are somewhere between a government service and a private service.
This argument makes no sense at all to me (I did catch the part where you don't necessarily agree either btw).
There's no law which says that everything a government does has to be run at a pure loss on tax revenue. Many local utilities are owned by their respective governments, and are not infrequently run at a modest profit. That doesn't make them private, it makes them profitable.
> Some argue that because of this we have seen a significant degradation in the quality of mail, because the USPS explicitly and intentionally delivers the equivalent of spam mail to every address in the country.
This is quite possibly the case, but has no bearing on whether or not USPS is a government entity, which, it is.
> This ties into the current post as it seems plausible the reason USPS shares customer data with Meta is due to their requirement of self funding.
This, I do not consider plausible at all. I'm 99% sure that some youngster working on the digital side of USPS added some tracking pixels because it's all they knew how to do.
What do they "govern"? They distribute junk for advertisers. That's the majority of their existence. Can you imagine their carbon footprint? Driving to almost every US address 6 days a week to leave junk mail, 99% of which goes straight to the trash. But I'm supposed to drive an EV or take the bus???
Tracking pixels are just insane. I can't imagine a non-regulatory/legislative solution when the biggest companies on the planet will pay you money just to put a script on your page. How does that get outcompeted? Someone richer pays you to not sell out your users? Just ban this shit.
Make possession of PII highly risky so the value of collecting this data becomes negative. Then you don't have to come up with cat-and-mouse regulations trying to chase down the latest workaround of the law as companies won't want the liability that comes with possession of the data in the first place.
> when the biggest companies on the planet will pay you money just to put a script on your page
AdTech companies don't pay you to install these on your websites. Their customers install them to help understand if the ads they're already paying for are leading to the outcomes they, the customers, care about. I posted a related comment here: https://news.ycombinator.com/item?id=41007679
<Customer> I want people to sign-up for my F2P game
<Google> We can show ads to people who may be interested in your F2P game
<Customer> How do I know if the ads I paid for actually led to installations?
<Google> Install this script on your "thanks for signing-up" page
<Customer> Cool thanks
How does the law differentiate that from jQuery on a CDN? The CDN is also doing some amount of tracking, and some of it is simply technically necessary. Google is actually using the Google Fonts service to track traffic.
Ah, well, if it's written in a FAQ, then the most naive interpretation of the sentence must be true. No way they'd just lie or pull off a "trickster genie" interpretation of that sentence.
A CDN delivering something like jQuery will not receive cookies nor query parameters and will return a very generous max-age, allowing the browser to reuse the resource for any number of pages or sites without contacting the CDN again.
The value of CDNs like this has diminished greatly with the advent of HTTP/2 and HTTP/3.
This is true, but there is a mitigation available: The site can require the resource to match a specified cryptographic hash before running. This did not work with polyfill.io because that CDN would dynamically return different resources based on the user agent.
Technically CDNs are not needed, we could just fully drop CDNs as well and cache files by content hash in the browser across multiple sites (<script hash="AAAAAAAAA" fallback="https://cdn..."></script>, instead of by path).
It would make the web faster and reduce tracking.
Now, is that really what Google Fonts or Cloudflare CDN wants?
Maybe, but it will reduce the amount of data shared to the intelligence groups.
Caching across sites is a privacy risk in itself, because scripts can measure the time required to load a resource and therefore detect if a visitor has visited another site with the same resource before. That's why modern browsers no longer cache across sites.
Because the point of cache is to save time, not waste it. Like most naïve delays in response to timing attacks, that also doesn’t solve the tracking problem – if there’s any detectable difference (consider a cross-site tracking server that serves the content with a controllable delay) under any circumstances (consider network and disk load and availability), the mitigation is defeated.
Sites don’t share that many resources byte-for-byte anyway. The current solution is fine.
Random delays don’t stop timing attacks. You just need to gather more data before your estimate of the “unrandomized timing” is good enough for you to make your conclusions.
It’s hilarious that your off-the-cuff solution to “stopping data being shared to the intelligence groups” is itself reintroducing a known and now-mitigated security vulnerability.
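The exchange above (a shared cross-site cache leaks history through load timing, and random delays only raise the sample count an attacker needs) is easy to show numerically. As an added example that is not part of the thread, the following Node script simulates a cache-hit/miss timing probe with constructed timings and a deterministic PRNG, then measures how often the attacker guesses right with one sample versus a few hundred once a random delay of up to 100 ms is added. The 2 ms/40 ms base timings, the jitter and the delay distribution are assumptions chosen for illustration, not measurements of any browser.

```javascript
// Added example, not code from the thread: a simulated cross-site cache timing
// probe, and why random delays only raise the number of samples an attacker needs.

// Small deterministic PRNG so the simulation is reproducible.
function makeRng(seed) {
  let s = seed >>> 0;
  return () => {
    s = (Math.imul(s, 1664525) + 1013904223) >>> 0; // classic 32-bit LCG step
    return s / 4294967296;
  };
}

// Constructed timings (assumptions, not measurements): a cache hit costs ~2 ms,
// a network fetch ~40 ms, each with up to 3 ms of natural jitter, plus an
// optional uniformly random "mitigation" delay of up to mitigationMs.
function loadTime(rng, cached, mitigationMs) {
  const base = cached ? 2 : 40;
  return base + rng() * 3 + rng() * mitigationMs;
}

function meanLoadTime(rng, cached, mitigationMs, samples) {
  let total = 0;
  for (let i = 0; i < samples; i++) total += loadTime(rng, cached, mitigationMs);
  return total / samples;
}

// The attacker loads the target resource and a reference resource that is
// guaranteed uncached (e.g. a cache-busted URL) the same number of times each.
// Both see the same random delay distribution, so its mean cancels out in the
// difference and only the cache state remains. The threshold is half of the
// expected hit/miss gap (40 ms - 2 ms = 38 ms).
const THRESHOLD_MS = 19;
function guessCached(rng, targetIsCached, mitigationMs, samples) {
  const target = meanLoadTime(rng, targetIsCached, mitigationMs, samples);
  const reference = meanLoadTime(rng, false, mitigationMs, samples);
  return reference - target > THRESHOLD_MS;
}

// Fraction of trials in which the attacker's guess matches the true cache state;
// the target alternates between cached and uncached across trials.
function successRate(seed, mitigationMs, samples, trials = 1000) {
  const rng = makeRng(seed);
  let correct = 0;
  for (let t = 0; t < trials; t++) {
    const actual = t % 2 === 0;
    if (guessCached(rng, actual, mitigationMs, samples) === actual) correct++;
  }
  return correct / trials;
}

// Without a delay one sample is enough; a 100 ms random delay makes a single
// sample unreliable, but a few hundred samples restore near-certainty.
console.log('no delay, 1 sample       :', successRate(1, 0, 1));
console.log('100 ms delay, 1 sample   :', successRate(2, 100, 1));
console.log('100 ms delay, 400 samples:', successRate(3, 100, 400));
```

The only real defence is to remove the shared state, which is what cache partitioning by top-level site does: with a per-site cache there is no cross-site hit to time in the first place.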
I mean I'm not writing a literal law, but that would be roughly illegal and punishable in my fantasy world where a right to digital privacy existed. Laws, as a rule, don't physically stop anyone from doing anything they want. Plenty of illicit things happen on the internet already.
> How does the law differentiate that from jQuery on a CDN? The CDN is also doing some amount of tracking, and some of it is simply technically necessary.
I don't know, it might be an intractable problem. It sucks how there's no way to tell the difference between the payloads of two different 3rd party scripts when they're executed in the browser, huh?
I don’t get it. Thought tracking pixels were just for unsophisticated websites and those who wanted to track people across different sites.
USPS has an authenticated page where they know their customers. Why wouldn’t they just analyze THEIR OWN logs instead of relying on third-party advertising companies?
Pixels aren't pixels, oddly enough, it's marketing jargon for cross-site tracking, which way back when was accomplished by pixels. So even relatively sophisticated analytics platforms are still "pixels". I don't like it either.
The USPS wants to know which of their ad campaigns is successful, and want to be able to target advertising, so they embed their advertising platforms' Javascript in their site. That part seems reasonable for a government agency that's required to self-fund. The problem is either that the tracking was on pages that shouldn't have had it, or that it wasn't restricted in what it could send to the analytics platforms.
This may sound hyperbolic but I think the US is a failed state. Humanity is facing a mess because the hegemony is falling apart in the hands of extremely incompetent leadership. Generations of nepo-babies have led to incompetency. In very simple terms: today's rich are stupid.
Your address is basically public information in a number of different ways (e.g. voter registration rolls and real estate transactions) unless you take a lot of steps, including using legal entities, to obfuscate it. I'm not going to specifically defend USPS practices but your address isn't really private in the US and many other places.
Very true and this is why I’m not surprised by TechCrunch’s discoveries here. I just assumed they were tracking and selling the data as they always have been. I assume they’re selling the images of everyone’s mail as well.
The USPS is treated differently by Congress and is required to fund itself, unlike basically any other government service. It's unfortunate that something that was historically trustworthy has been essentially turned into some kind of weird government profit-making mashup.
I don't think USPS is a net-bad though. I can only imagine how bad Fedex and UPS would become if they didn't have to compete with the USPS. And they're already pretty bad.
I tend to agree, it is a net negative for me too. My weekly tour of the mail room is to discard junk mail that I ceaselessly try to opt out of. When I asked for them to stop delivering the magazine subscriptions of a previous tenant addressed to "or Current Resident", they told me they are not allowed to do so.
Once I chose to send a package through them, and I watched the tracking as the package rerouted to their lost mail center in Atlanta ("Mail Recovery Center", a misnomer if there ever was one). How could it be lost if they were still updating the tracking information? (Naturally, it was never "found".)
I briefly forwarded my mail to a relative's address while I was out of the country for an extended period, and they sold that to numerous institutions without my permission, creating a headache to unwind. To this day knowledge-based authentication systems quiz me about an address I never lived at.
I don't get a warm and fuzzy patriotic feeling from having a national postal service. If anything it feels like an anachronism. Paper mail has been virtually irrelevant to me my entire life.
When I moved a year ago, I didn't file an address change. I only gave it to my bank and a few others I needed to keep informed of my address. Almost none of the junk from my old address has followed me to my new address. One annoying exception has been the DMV in my new state informing the Secretary of State in my old state that I surrendered my old state's license for one in my new state. The SoS sent me a letter asking if the move was permanent or not because if so, they wanted to remove me from my old state's voting roll. I understand the desire to keep voting rolls clean but I'm not happy that this happened behind my back. Plus before I moved, I went to the SoS's site for my old state and informed them that I was moving and should be removed. I'm guessing they get a feed from other states and just mail everyone without checking if you've already been removed. Given the general incompetence of the SoS in my old state, it's probably just a matter of time before they leak out my new address to interested parties. I haven't registered to vote in my new state and unregistered in my old state so it's not like I'm trying to double vote or even vote at all.
Another option is to use the temporary address change form instead of the permanent one. You can have your mail temporarily forwarded for up to a year. Permanent forwarding also only lasts for a year. The only difference is that the USPS notifies everyone of your new address for permanent forwarding, but not for temporary. Just keep an eye out for any forwarded mail and notify the sender yourself if it’s something you want to keep receiving.
Probably also voter registration information in your state. And I'm sure there are real estate databases. And while much less applicable with the decline of landlines, most people's addresses used to be published annually in the white pages delivered to everyone. Your address just wasn't considered to be sensitive information for the most part historically.
To be pedantic, I pay federal taxes which are then loaned to the USPS with no expectation of being paid back, as well as P.O. box fees because the nearest no-fee pickup is at the county seat, as well as subsidizing the USPS exemption through local property taxes that have to absorb that overhead.
Wait until you hear that the USPS scans the front and back of every piece of mail that passes through its high-speed scanners, stores it for an unknown period of time, and makes those records available to law enforcement.
Those images are part of their 'informed delivery' service which you can sign up for.
I've noticed on a number of occasions that the contents of the envelope were noticeable without enhancement and legible with simple contrast/level adjustment.
There are whole discussions on various forums and subreddits about the image background, the font of the address, and the sending addresses of USCIS letters to immigrant applicants, used to know or guess the content of the letter, out of anxiety and the curiosity of not being able to wait until you actually open it: whether this letter is a routine acknowledgement, an interview request, a request for proof, an approval, or something else. Most of the time, if the address section shows part of the green Statue of Liberty, it's good news.
Or they scan using UV or other frequencies so that even if the envelope is visibly opaque it's not opaque to their scanner. Sometimes their post-processing slips up and reveals that their scanner can see through the envelope.
USPS Informed Delivery emails have tracking pixels. But all the mail scans are just attachments to the emails. You can configure your email client not to load any remote content and they will still get rendered pretty nicely. I was pretty surprised to see those attachments in the first place, because some of the scans were quite large (a few hundred KB).
That which takes place in public has never been, and will never be, subject to 4th Amendment protections. Otherwise the police would need probable cause, and therefore a warrant, to look at you while walking down the street.
Clearly it is a contested issue even within the court system: there have been verdicts that go both ways on the same issue, and many lawyers are noticing that your position is not shared by everyone in charge. I do not think any of us are in a position to make such unfalsifiable claims.
>the court determined that no “search” had occurred prior to the entry in Tuggle’s home, so the Fourth Amendment did not apply. To reach this conclusion, the court had to set aside the dictionary and replace the normal meaning of “search” with a fuzzy definition that different courts interpret in different ways at different times.
Both of these cases were decided against the defendant, and more to the point, both of these cases concern the police setting up a camera specifically pointed at the front of someone's home.
That is quite literally on the dividing line between public and private space. I can easily imagine later courts ruling that the combination of specific intention on the part of the police, and the limitless nature of this surveillance, makes it different in kind from the classic stakeout (which does not require a warrant, and never has), and that therefore that in particular requires a warrant to be obtained. I don't think that will happen, but it's imaginable.
You're talking about a truck driving around with a camera, and sharing that data on request with law enforcement. That's a completely different thing, and it isn't an edge case at all. That is, and will be, not subject to 4th Amendment protection. On the contrary, Fields v. City of Philadelphia supports a 1st Amendment right to film in public, in that case, the conduct of the police. But the principle generalizes.
Furthermore, as an example, let's say that a repairman enters a home, and sees what he or she reasonably believes to be a brick of heroin on a desk. Later, the police, having staked out this home, ask that repairman if they happened to see something suspicious. The repairman tells the police about the brick, they get a warrant, and enter the home. All of this is completely legal.
So there's just no world in which a FedEx truck, or any truck, filming the public space in the ordinary course of doing what it does (delivering packages in this case), where the police later ask for and obtain that record, is going to be subject to 4th Amendment restrictions. It is simply, on many levels, not how things work.
And FedEx delivers on private property 90% of the time, all day every day. This includes car license plates which they actively scan for, meaning your physical location is now being tracked and sold. Cameras always running.
> We’ve been clear in our policies that advertisers should not send sensitive information about people through our Business Tools. Doing so is against our policies, and we educate advertisers on properly setting up Business Tools to prevent this from occurring. Our system is designed to filter out potentially sensitive data it is able to detect.
Please stop denying the fact that you could have disabled USPS when they sent the sensitive data. But why would Facebook/Meta do it when they need so much data?