The U.S. Postal Service has a "U.S. Postal Inspection Service's Analytics and Cybercrime Program"—of course it does! Its tasks, according to a report issued last week from the Postal Service's Office of Inspector General (IG), include via its "Internet Covert Operations Program (iCOP)" subprogram, to "proactively gather intelligence using cryptocurrency analysis, open-source intelligence, and social media analysis."
In doing so, the IG concluded in that report (which was the result of a House of Representatives Committee on Oversight and Reform request to look into Post Office online snooping), the iCOP program "exceeded the Postal Inspection Service's law enforcement authority."
One rub is that iCOP's efforts by law "must have an identified connection to the mail, postal crimes, or the security of Postal Service facilities or personnel prior to commencing"—a "postal nexus" in their lingo.
A big "oops" the IG uncovered is that "the keywords used for iCOP in the proactive searches did not include any terms with a postal nexus." The iCOPpers also "did not retain information needed to ensure compliance with the Postal Inspection Service's legal authority."
The program was intended to "[e]ngage in proactive threat hunting…to Postal Service executives, employees, infrastructure, and facilities." From "October 2018 through March 2021, more than half of the 1,745 work assignments" of the program "fell into one of two program areas – Prohibited Mail-Narcotics and Mail Theft."
But that wasn't all the iCOP program did. Often it performed searches (on generally publicly available information) that "did not include any terms related to the mail, postal crimes, or security of postal facilities or personnel. Examples of the keywords include 'protest,' 'attack,' and 'destroy.'" The IG report found in some cases that "iCOP intentionally omitted terms that would indicate a postal nexus in an effort to broadly identify threats that could then be assessed for any postal nexus." In other words, they thought they'd snoop about, say, our protests first, try to find out why the post office should care later.
The IG reviewed 434 uses of "the online analytical support services" in a category they call "requests for assistance" and "could not corroborate that the work associated with 122 (28 percent) of these requests was authorized under the Postal Inspection Service's legal authority." Of those 122 cases, 14 of them involved the use of facial recognition analysis with no stated relevance to postal safety or operations.
A separate category of iCOP use they call "reports" were also reviewed by the IG, and it found "70 reports produced by iCOP that assessed threats unrelated to specific investigations and determined that 18 (26 percent) did not identify a postal nexus within the report. These reports were produced from September 2020 to April 2021 and almost all (17 of 18) were associated with protest activities."
The reports purposes "ranged from summarizing potential protest activities nationwide to identifying activities in a specific location, but none identified how the potential protest activities related to the mail, postal crimes, or security of postal facilities or employees."
Postal agents, the IG reports, "stored sensitive information on their work computers and did not document how they used the information to respond to requests for assistance or develop reports. This information frequently contained significant amounts of PII [personal identifiable information] obtained from public sources, such as social media, and from contracted investigative tools that provide detailed background information such as addresses, birthdates, and social security numbers."
The IG report contains postal management's response, which stated that even if the postal nexus was not clear by any documention the IG saw, in every case it did exist, as far as the postal cops are concerned. Indeed, the fact that each search corresponds to an official "case number" within their system should be proof it is of legitimate post office concern.
The post office even cleverly argues that if it did keep conveniently checkable records about the searches it is doing regarding American citizens, as the IG recommends, then that would impact citizens' First Amendment rights. In other words, their snooping doesn't consitutes the harm but allowing any outside inspector to know about the details of the snooping results would.
The IG responded that "Without information about why the keyword search profile was developed or a direct postal nexus in the keywords, there is no evidence to support management's claim that the Postal Inspection Service was within its law enforcement authority in carrying out these automated searches."
The U.S. government makes sure that keeping tabs on what we are doing and saying is a big part of all its activities, small and large. This is a problem that, alas, no amount of inspector general reports is apt to make a big dent in.