Postal Service hacking into hundreds of seized mobile devices, tracking users' social media posts

U.S. Postal Inspection Service accused of violating Americans' privacy, civil liberties on large scale.
Image
U.S. Postal Inspection Service workers investigate mail related crimes
U.S. Postal Inspection Service workers investigate mail related crimes
Dominic Bracco Ii / The Washington Post via Getty Images

Watchdog groups are sounding the alarm on the law enforcement arm of the U.S. Postal Service, which they say is violating the privacy and civil liberties of the American people by using sophisticated tools to break into hundreds of citizens' cellphones and collect their social media posts.

Until now, it's gone largely unpublicized that the U.S. Postal Inspection Service (USPIS) admitted in its 2020 annual report that it not only employed top-of-the-line technology hundreds of times to hack into mobile phones but also planned to expand its use of the hacking tools in the future.

"The Cellebrite Premium and GrayKey tools acquired in [fiscal year] 2019 and 2018 allow the Digital Evidence Unit to extract previously unattainable information from seized mobile devices," the 2020 report states. "During FY 2020, 331 devices were processed, and 242 were unlocked and/or extracted by these services. The success of the program and ever-increasing demand for services required the purchase this year of a second GrayKey device for use on the East Coast."

The USPIS's figures indicate a surge in such hackings compared to 2019, when the agency disclosed it accessed 34 devices using Cellebrite and 143 with GrayKey.

Last week, the Epoch Times first reported on the agency's use of hacking tools to access encrypted mobile devices.

The new technology used by USPIS has found workarounds to break into phones, unscramble otherwise unreadable encrypted data, and copy it for law enforcement to go through.

This technology is dangerous and prone to abuse, according to Jake Wiener, a law fellow at the Electronic Privacy Information Center (EPIC), who argued these tools violate one's privacy and are often unnecessary.

"Cellphones contain multitudes of intimate information about all aspects of our lives, messages with family, private pictures, records of our movements, and much more," Wiener told Just the News. "Phone hacking tools are a direct threat to privacy because they can expose information that everyone wants to keep private, and would be irrelevant to a criminal investigation."

Forensic tools like Cellebrite and GrayKey "give investigators the ability to access and analyze far more information than ever before," said Jennifer Granick, surveillance and cybersecurity counsel for the American Civil Liberty Union's Speech, Privacy, and Technology Project. "This includes information people do not know is on their devices, such as deleted and temporarily stored data. Forensic tools can unlock and extract private information that is irrelevant to an investigation, and there are inadequate safeguards in place to make sure this information will not be misused."

Wiener, Granick, and other critics of the USPIS program note it's unclear for which crimes and investigations the agency uses hacking tools to access locked phones, raising concerns that the criteria are arbitrary and could lead to the government agency abusing its power.

The bar for using this hacking technology should be quite high, if it's used at all, and governed by strict oversight, privacy advocates say. Others counter that, in cases where national security and the lives of Americans are at risk, authorities should have greater ability to obtain potentially critical information quickly.

USPIS declined to comment on how it determines when to use Cellebrite Premium and GrayKey tools to extract data from seized mobile devices. However, the agency suggested it follows federal law in all cases, including by obtaining a warrant.

"Only a limited number of individuals have access to these tools, and they are used in accordance with legal requirements," a USPIS spokesperson told Just the News. "A search warrant, court order, or other constitutionally permissible situation must exist prior to any digital evidence examination of cell phones."

If a federal agency wants to use new technologies like Cellebrite's phone hacking tool, the E-Government Act of 2002 requires the agency to first go through a Privacy Impact Assessment (PIA), which should disclose the risks to individual privacy created when the agency uses the technology, ways to mitigate the risk, and ask whether using the technology is justified.

USPIS didn't answer an inquiry asking whether it produced a PIA.

"If the Postal Inspection Service hasn't done a PIA for Cellebrite and GrayKey, that suggests the agency is not considering the harmful effects of using this technology or putting sufficient safeguards in place to prevent abuse," said Wiener. "If they have, it is not published on their website."

Accessing cell phones hasn't been the only source of controversy for USPIS. Yahoo News revealed last year that the agency has been "quietly running a program that tracks and collects Americans' social media posts, including those about planned protests."

The surveillance effort, known as the Internet Covert Operations Program, iCOP, involves analysts going through social media sites to flag "inflammatory" posts and share that information across the federal government.

iCOP's official mandate is the "identification, disruption, and dismantling of individuals and organizations that use the mail or USPS online tools to facilitate black market trade or other illegal activities."

The program has used facial recognition technology and social media monitoring services to surveil individuals, including protesters demonstrating against everything from police brutality to COVID-19 lockdown measures.

"Government monitoring and retention of information about First Amendment-protected speech increases the likelihood that agencies will investigate or otherwise monitor people based on that speech," said Granick. "It also risks chilling expressive activity ... These risks and consequences are even more severe when the government uses powerful tools to compile digital dossiers and track online speech, networks, and associations."

Last year, EPIC filed a lawsuit under the E-Government Act of 2002 to stop USPIS from continuing the program, noting the agency has yet to publish a PIA.

Judicial Watch also sued the Postal Service last year, launching a Freedom of Information Act (FOIA) request for information about the surveillance effort.

"The questionable surveillance schemes appear to indicate that the government is weaponizing the nation's postal service to improperly spy on the citizens who fund it," said Judicial Watch. "Why would the government depend on the Postal Service to examine the internet for security reasons?"

The organization is also filing a FOIA request with the Postal Service for information on the devices used by the agency to hack cell phones.

Critics argue USPIS is pushing outside the scope of its mission and needs to be held accountable.

"In recent years, the Inspection Service has gone outside its mission to monitor protesters across the country using facial recognition and social media monitoring tools, without even implementing basic privacy protections required by federal law," according to Wiener. "The USPIS believes it's not subject to the baseline rules that govern other agencies."

The Postal Service is exempt from several rules that govern other agencies under the Postal Reorganization Act, leading some to question the proper role of USPIS.

"There's something very weird about having a law enforcement agency built into a postal service," Wiener told Just the News. "It's not a format you see anywhere else."

Several civil liberties experts expressed similar concerns to Yahoo News last year, questioning how the USPIS mandate can include some of its activities.

"If the individuals they're monitoring are carrying out or planning criminal activity, that should be the purview of the FBI," said Rachel Levinson-Waldman, deputy director of the Brennan Center for Justice's liberty and national security program. "If they're simply engaging in lawfully protected speech, even if it's odious or objectionable, then monitoring them on that basis raises serious constitutional concerns."

Just the News asked USPIS to respond to critics alleging the agency is violating Americans' privacy and civil liberties and going outside the scope of its mission. The agency declined to comment.