U.S. The U.S. Postal Service maintains a “U.S. Postal Inspection Service’s Analytics and Cybercrime Program”—of course it does! According to a last week report from the Office of Inspector General (Postal Service), its tasks include, via its “Internet Covert Operations Program” (iCOP) subprogram, “proactively gather intelligence through cryptocurrency analysis, open source intelligence and social media analysis.”
The IG concluded that the iCOP program exceeded the authority of the Postal Inspection Service in law enforcement.
One rub is that iCOP’s efforts by law “must have an identified connection to the mail, postal crimes, or the security of Postal Service facilities or personnel prior to commencing”—a “postal nexus” in their lingo.
One big mistake the IG found was that keywords used in proactive searches for iCOP did not contain any terms related to a postal nexus. The iCOPpers “didn’t retain any information necessary to comply with the legal authority of the Postal Inspection Service.”
This program was designed to help “[e]ngage in proactive threat hunting…to Postal Service executives, employees, infrastructure, and facilities.” From “October 2018 through March 2021, more than half of the 1,745 work assignments” of the program “fell into one of two program areas – Prohibited Mail-Narcotics and Mail Theft.”
However, that was just one of the many things the iCOP software did. It often performed searches on publicly accessible information that did not contain any keywords related to mail, postal crime, security of post facilities, personnel, etc. The keywords included ‘protest’, ‘attack’, and ‘destroy’. In order to identify potential threats, the IG report discovered that “iCOP” intentionally omitted certain terms in cases where they could indicate a postal nexus. The IG report found that in some cases, “iCOP intentionally omitted terms that would indicate a postal nexus” to broaden their identification of threats that could then be assessed for any postal nexus.
434 online analyses support services were used by the IG in a group they called “requests to assistance”. The IG “couldn’t confirm that work related to 122 (28%) of these requests was authorized pursuant the Postal Inspection Service legal authority.” Fourteen cases of the 122 involved the use facial recognition analysis without any stated relevance to operations or postal safety.
The IG also looked at a separate category of iCOP usage called “reports”. It found that “70” reports were produced by iCOP and assessed threats that weren’t related to any specific investigations. 18 (26%) didn’t identify a postal nexus in the reports. They were all produced between September 2020 and April 2021. Nearly all of them (17 out 18) had been associated with protest activities.
Although the reports’ purposes were to summarise potential protest activity nationwide, they also identified activities in one specific area. However, none of the reported activities indicated how these potential protest activities could be related to postal security, crimes or the safety of employees or facilities.
The IG reported that postal agents “stored sensitive data on their computers but did not record how the information was used to reply to inquiries or create reports. These documents often contained large amounts of PII. [personal identifiable information]Obtained from both public and contracted sources such as social media and investigative tools which provide extensive background information like addresses, birthdates and social security numbers.
This IG report includes the response of postal management. It stated that, even though the postal nexus could not be clearly seen in any document, the IG did see it in each case. The fact that every search matches an “official case number” in their system is a strong indicator of legitimacy.
Even the post office cleverly suggests that it would be a good idea to ask for a refund if they were to accept. Did Keep easily accessible records of searches that it makes regarding American citizens. The IG suggests this. That This would affect citizens’ First Amendment rights. Their snooping does not cause harm, but it would allow any inspector outside to see the results.
“Without any information regarding why the keyword profile was created or a direct postal nexus within the keywords, there’s no evidence supporting management’s assertion that the Postal Inspection Service had the lawful authority to conduct these automated searches.”
U.S. government ensures that all of its small and big activities are monitored closely. Unfortunately, this is not a solution that can be solved by a lot of inspection general reports.