by Brooke Kaufman

A recent report from the Postal Service’s Office of Inspector General (“IG”) uncovered a program of “postal cops” within the U.S. Postal Service. The U.S. Postal Inspection Service’s Analytics and Cybercrime Program is used to “proactively gather intelligence using cryptocurrency analysis, open-source intelligence, and social media analysis.” The IG report (which was issued at the request of a House of Representatives Committee on Oversight and Reform to uncover Post Office “online snooping”) ultimately concluded that the iCOP program “exceeded the Postal Inspection Service’s law enforcement authority.”

By law, iCOP’s efforts must have an “identified connection to the mail, postal crimes, or the security of Postal Service facilities or personnel prior to commencing” — a “postal nexus” in their words. The IG report uncovered that keywords used for iCOP in proactive searches did not include terms with a postal nexus. The postal cops also did not retain information that related to the Postal Inspection Service’s legal authority.

The program was intended to “[e]ngage in proactive threat hunting” to Postal Service executives, employees, and affiliates. However, the iCOP program frequently performed searches on public information that “did not include any terms related to the mail, postal crimes, or security of postal facilities or personnel. Examples of the keywords include ‘protest,’ ‘attack,’ and ‘destroy.’” According to the IG report, iCOP “intentionally omitted terms that would indicate a postal nexus” in order to cast a wider net in searching for potential threats. Only later would a potential postal nexus be assessed.

The IG reviewed 434 “requests for assistance” and “could not corroborate that the work associated with 122 (28 percent) of these requests was authorized under the Postal Inspection Service’s legal authority.” Of the 122 cases, 14 involved facial recognition analysis unrelated to postal safety or operations.

A separate category called “reports” were also reviewed by the IG, which found 70 reports that “assessed threats unrelated to specific investigations” and 18 that did not contain a postal nexus. 17 of the 18 reports, produced from September 2020 to April 2021, were “associated with protest activities.”

According to the IG, postal agents stored sensitive information containing significant amounts of PII (personal identifiable information) on their work computers. The agents obtained the information from public sources, such as social media, and did not document how the information was used to fulfill requests or draft reports.

Postal management responded to the postal nexus claims in the IG report, saying that “even if the postal nexus was not clear by any documentation the IG saw,” it did exist, at least by their standards. The post office also argues that keeping “conveniently checkable records” about its searches on American citizens would constitute a First Amendment violation. In other words, the snooping itself isn’t a harm to people, but allowing outside inspectors to know about it would be.

The IG’s response was as follows: “Without information about why the keyword search profile was developed or a direct postal nexus in the keywords, there is no evidence to support management’s claim that the Postal Inspection Service was within its law enforcement authority in carrying out these automated searches.”

Subscribe today

Already a subscriber? Login