back to article Going lo-tech to avoid NSA snooping? Unlucky - they read snailmail too

Privacy-conscious US citizens looking to go retro in the wake of the ongoing controversy about PRISM-related snooping and the NSA harvesting metadata on an industrial scale will find little refuge in snail mail. The New York Times reports that the United States Postal Service photographs the exterior of every piece of mail …

COMMENTS

This topic is closed for new posts.
  1. John Sturdy
    Black Helicopters

    Time to start sending hand-written extracts of the Voynich Manuscript on postcards to any activists you know. It'll be decoded in no time! Likewise, Linear A and Rongorongo.

    1. Bumpy Cat

      I like the idea, but you might find yourself detained and beaten with a rubber hose until you provide the plaintext. I'd hate to have to make a breakthrough on Linear-A while being interrogated. They'd probably steal the credit too.

  2. Big_Boomer Silver badge

    Big Bubba (US movie remake of a classic UK novel)

    He's already here people. Big Bubba is soon gonna figure out how to read your mind so that he can protect you from your own thoughts. Prepare to become a Puppet of the State.

  3. EddieD

    Americans playing catchup...

    In "Spycatcher" Peter Wright details all the tricks they used for mail tracing in the 50s and 60s - and the various techniques used for extracting letters from sealed envelopes, using thing tweezers to roll the contents up, for example, and solutions they could use that would render the envelopes transparent/lucent.

    Apparently one Trade Union leader (a card carrying commie) used to preface all official letters with a salutation along the lines of "Hello MI5 you prying bastards"

  4. i like crisps
    Big Brother

    Photograph THAT !!!

    I'm going to start drawing little pictures of Obama sucking off George W Bush on my

    envelopes in future.

    1. Cliff

      Re: Photograph THAT !!!

      Ever wondered what's encoded in that barcode on your delivered envelopes?

      1. Annihilator
        Boffin

        Re: Photograph THAT !!!

        You mean RM4SCC? Hardly a state secret and easily decoded. First thing Royal Mail do when processing mail is to OCR the postcode (and throw out anomalies to a human) and stamp it on as a more easily readable delivery address – all subsequent routing uses that instead of OCR. Stamping it on in red ink makes for an interesting time around valentines day though.

        The bores of a day trip to a royal mail sorting office during school years :-|

    2. John Smith 19 Gold badge
      Happy

      Re: Photograph THAT !!!

      "I'm going to start drawing little pictures of Obama sucking off George W Bush on my

      envelopes in future."

      I think you'll find the other way around should cause much more offense.

      1. Anonymous Coward
        Anonymous Coward

        Re: Photograph THAT !!!

        At least put them in 69 for some non-partisan equality.

        1. imanidiot Silver badge
          Joke

          Re: Photograph THAT !!!

          Send a whole load of envelopes and draw a single frame of an animation on each. That should get them entertained :-P

  5. Anonymous Coward
    Anonymous Coward

    hmm ...

    ... so does the Royal Mail do this too?

    1. Anonymous Coward
      Anonymous Coward

      Re: hmm ...

      Hope so, maybe then I can find all my stolen, sorry, missing mail.

      1. Don Jefe

        Re: hmm ...

        Lost and undeliverable parcels with no return address are auctioned off by the pallet load in Atlanta a few times a year. Check it out.

    2. VinceH

      Re: hmm ...

      I believe OCR is used for sorting the mail - so the answer is "probably, yes."

      1. Anonymous Coward
        Anonymous Coward

        Re: I believe OCR is used for sorting the mail

        ok, but stamping the envelope with a coded version of number&postcode and throwing the image away is not the same thing as keeping a database of all/interesting images for later processing by the spyderati

        1. VinceH

          Re: I believe OCR is used for sorting the mail

          But how do you know they throw the image away and don't keep it in a database?

        2. Mr Booth

          Re: I believe OCR is used for sorting the mail

          Actually, of more interest to marketers. I used to work for a postal company, and the OCR machines we had were Siemens (yes) integrated mail processors (IMP). They could pretty much do everything. OCR readability was pretty good, I think the target was about 96-97% of all addresses.

          The most interesting thing was that the machines took a photograph of the letter, not just the address and could store it. The main purpose of this was that if there was an address that could not be read, the image was then flashed to a VDU where a human could then input the address and send it back to the IMP, which would then route the letter to the correct sorting bin.

          One of the crazier ideas was to create a database of every delivery point in the country, called NAD.. yes... National Address Database and assign an individual identifier for it and store the images for the letters going to each address. As company logos, etc, are often printed (and could be read by the OCR), it would eventually have built up a database on every household that a marketer would give their right testicle/ovary for. We would have known who you banked with, had insurance with, what loyalty programs you were a part of, who supplied your telecoms, power etc...

          Fortunately it didn't go ahead back then as storing and sorting that data on a daily basis was going to be very expensive....now, I don't know, the concept would be even easier and cheaper to implement.

          It's the not the spymasters, it is the marketers I fear.

          1. LateNightLarry
            Pint

            Re: I believe OCR is used for sorting the mail

            I remember hearing one time before I retired from USPS that just the financial transactions at all post offices nationwide totalled in excess of one BILLION lines of data ... EVERY DAY.

            I need a glass of Cabernet Sauvignon to be able to wrap my brain around that... but alas, El Reg won't let me have one...

      2. Don Jefe

        Re: hmm ...

        OCR is used where it is possible, but the system sucks and a huge percentage of stuff is hand sorted.

        1. VinceH
          Black Helicopters

          Re: hmm ...

          Hand sorted... because the optical character recognition sucks.

          The optical character recognition (or non-recognition, as the case may be) presumably happens after the address is scanned, otherwise it would suck 100%*. That scan, right there, that's the image for the database - regardless of whether the OCR worked.

          * It would be incredibly impressive if it could read the characters before it's been given the scanned image.

          Shit my effing brains sideways, I'm starting to sound like a conspiracy theorist.

    3. Intractable Potsherd

      Re: hmm ...

      Doesn't the effectiveness of this require the (extremely odd, in my opinion) addition of the sender's address on the envelope, as in many mainland-European countries? It isn't common in the UK to do it, and so the information to be gleaned is limited.

      1. Rampant Spaniel

        Re: hmm ...

        The senders address is very frequently on the front of American mail, just a cultural difference :-)

        As for the marketers mentioned above, I found stuffing the return paid envelopes they send full of free newspapers or taping them to a shoebox with a rock or two in it benefits the post office and your sanity greatly. Our postie loves it, she says the shoeboxes make usps about 40 bucks each in postage that the junk mailers have to pay. Not sure if this is legal in the UK though.

        1. Mike Moyle

          Re: hmm ...

          "The senders address is very frequently on the front of American mail, just a cultural difference :-)"

          I tend to put the return address on the flap in back so, unless they're routinely photographing both sides...

  6. Don Jefe

    Addressing

    The USPS has to deliver mail based on the physical address, not the addressee, so you can put anything you want on the envelope. I used to send letters with the return name Donald Rumsfeld addressed to George W. Bush. I'm hoping one day all the images they've archived will be used for historical research and it really confuses historians and grad students.

    1. Anonymous Coward
      Anonymous Coward

      Re: Addressing

      I would imagine that all postboxes collected from are bagged separately as in the UK. This way, you've got a pretty good idea of one of the endpoints and you know time to within the frequency of the collection period and you know exactly where the other endpoint is.

      All you need to do is find your "someone of interest" and look at the metadata revealing where communications have started. You'd have to be immensely skilled to be able to choose postboxes and times which seem random, while at the same time not being around any form of CCTV etc. etc.

      1. Jtom

        Re: Addressing

        Don't know about the UK, but residential mailboxes in the US are on the street. If you have outgoing mail, you raise a little flag on them to alert the mail deliverer. If you want to safely post something anonomously, just wait until you see a mail carrier, get ahead of him a bit, pop your letter in someone else's mailbox, and raise the flag. The homeowner won't have time to notice; chances of being on camera is small; when the letter was put in the box would be questionable back to theprevious delivery.

  7. yossarianuk

    Pidgeons

    So looks like the carrier pigeon is the way to go..

    1. Justicesays
      Joke

      Re: Pidgeons

      No good,

      I've heard there is an organization called "vulture squadron" whose job it is to intercept any passing pigeons, NSA whistle-blowers or Bolivian Presidents travelling by air.

      1. Anonymous C0ward
        Joke

        Re: Pidgeons

        I've heard that they're incompetent, and couldn't hit a pigeon on his perch if he was nailed there.

        1. xperroni
          Trollface

          Re: Pidgeons

          I've heard that they're incompetent, and couldn't hit a pigeon on his perch if he was nailed there.

          As for Bolivian presidents...

        2. Anonymous Coward
          Anonymous Coward

          Re: Pidgeons

          I don't buy the incompetence accusation, one of the squadron gets decorated with medals on an almost weekly basis.

  8. Anonymous Coward
    Anonymous Coward

    Encrypted email

    I've been trying to get my email encrypted and this certificate stuff is a joke. For example 'startcom.org' is a trusted certificate authority for all the major browsers. Yet its DNS shows only a PO box number:

    P. O. Box 1630, Eilat, Israel ,IL

    You can get a free email certificate from them,

    https://cert.startcom.org/

    But they insist on a proper address and lots of personal details. So presumably no PO box address is acceptable.

    I don't see why we would use a certificate authority, a first time public key exchange system used in OTR systems and SSH would get rid of this and encrypt email again.

    And the NSA won't object because they only collect 'metadata', and not content. Since they're not lying at all, they would have no reason to object if we all switched to SSH style key exchanged email.

    1. NomNomNom

      Re: Encrypted email

      out of interest how does SSH work. Presumably you need the public key of whoever you are communicating with, but how do you know it's their public key and someone in the middle hasn't sent you theirs?

      1. Barely registers

        Re: Encrypted email

        Because their public key is in the certificate which is digitally signed by a higher certificate authority that you _do_ trust.

        It all comes down to trust, and right now, I've precious little of it.

      2. Anonymous Coward
        Anonymous Coward

        SSH

        Basically, to have a trusted channel, you have to communicate the SSH keys over some other trusted channel - a face-to-face meeting, for example.

      3. Anonymous Coward
        Anonymous Coward

        Re: how do you know it's their public key and someone in the middle hasn't sent you theirs

        Well, I guess you could get some trusted authority to certify that the key does indeed belong to who it claims to belong to...

        Say, isn't this where we came in?

        1. Rukario
          Black Helicopters

          Re: how do you know it's their public key and someone in the middle hasn't sent you theirs

          "trusted authority"

          an oxymoron

      4. Anonymous Coward
        Anonymous Coward

        Re: Encrypted email

        SSH is a first time public key exchange system. MOST SSH server has a key which is self signed. A public part of it is given to the client on the first connect, and each subsequent connect the fingerprint of the key is checked to make sure it hasn't changed.

        For a man in the middle attack to work, they have to intercept each and every SSH connection, starting from the very first intercept.

        If they miss the first intercept then they can't intercept subsequent connects. If they intercept later ones, the key is wrong and the client flags a fake key that doesn't match the original.

        It's secure even without a certificate authority, because of time. Time moves forward, by the time you realize you want to intercept a connection, it's already too late the key has been exchanged. You can even make it totally secure by installing the key by a trusted route, making even the first intercept impossible.

        However for a certificate authority the new key can be changed at any time, and a certificate authority confirms the new key. So man-in-the-middle attacks on that system are viable if you can create a new certificate. Even after the first key exchange.

        So really the only thing stopping an intercept is a company who give only a PO box in Israel as an address.

    2. Anonymous Coward
      Anonymous Coward

      Re: Encrypted email

      I suppose if Mossad reading your mail makes you feel more secure...

      1. Destroy All Monsters Silver badge
        Devil

        Re: Encrypted email

        Aren't they in your Ericsson Switch?

    3. brooxta

      Re: Encrypted email

      Re StartCom certificates: I guess it's a case of you pay your money and you make your choice, or you don't and you can't.

      I've been on a similar path these last few weeks with encrypted email and certificates etc. Seems to me that if you really want encrypted email you need to go down the PGP/GnuPG route and exchange public keys with trusted individuals and anything else is the icing on the cake.

      You can set up Postfix (not sure about the alternatives I'm afraid) to remember details about other SMTP server's certificate fingerprints, which should mitigate against StartCom attempting to MITM your communications (remember the certificate authority doesn't see your private key at any point, they just sign your CSR). And if you are using DHE or ECDH ciphers then you have "forward secrecy" protecting past SMTP traffic at least...

      But it appears that most active SMTP servers are not set up to handle SSL or TLS protected traffic, so PGP/GnuPG remains the best bet. FWIW I have set up my own server to handle encrypted SMTP, on principle!

    4. Anonymous Coward
      Anonymous Coward

      Re: Encrypted email

      I was going to say use PGP but now it looks like it is owned by Symantec.

      Anybody know if it any good?

      1. Anonymous Coward
        Anonymous Coward

        Re: Encrypted email

        I strongly suspect that "The Man" isn't the issue with encryption being any good, I always work on the principle that if "The Man" wants to know something about me, they'll know and I won't know anything about it. They'll know before it's encrypted, is more along the lines of what I'm getting at. So I work on a balance that I don't do anything particularly wrong, nothing to arouse suspicion and even the things which I do aren't going to elicit the kind of money being spent that would be required as it would be totally disproportionate.

        For me, encryption is about preventing scrotes getting my personal emails or my bank details, even then the bank details are the more important. If someone got my emails, they'd know what I've bought over the last few years and find some truly tedious waffle. I don't encrypt my files at home as a rule, because the consequences of losing the keys would be very annoying indeed.

        In the same way that the bank I used to work for didn't encrypt data to tapes, because loss of keys would be an impossible situation. What they did instead was not allow tapes to leave a datacentre, ever, except in shredded form.

  9. rcorrect
    Big Brother

    When I find myself agreeing with all these international neanderthals that means my government is beginning to concern me.

    In Soviet Russia United States of America...

  10. Destroy All Monsters Silver badge
    Facepalm

    Quality improvement etc.

    And they STILL manage to lose mail, have mail not delivered, bounced, addressed wrongly, disappear up the arse of the Postal Service and whatnot.

    Working on the important things, are we?

  11. Werner McGoole

    Eh?

    I'm not quite sure I follow this. If you post something scurrilous and the police get involved, they have access to the package you posted. Why do they need a picture of it when they can take their own?

    Obviously, if they can trace the original picture, they can find where it was posted (but if it was a bomb, the pattern-matching software might not have have much to go on). But a postmark does this and more simply too.

  12. John Smith 19 Gold badge
    Meh

    physical systems are the *only* thing that can overwhelm the NSA's processing ability

    Because there just aren't enough snoops to process every physical item in the way every digital item can be stored.

  13. Phredd

    Another Possibility is

    Revert to RFC 1149

  14. BornToWin

    People are really stupid

    Is any of this information about goverments in countries all around the world including Europe and the U.S. monitoring electronic communications and in some instances snail mail when there is legitimate reason to do so, some revelation for the populace? If so you've been living under a rock for the past 30+ years.

  15. Winkypop Silver badge
    Coat

    100% certified safe method

    Don't have any friends or acquaintances!

  16. Anonymous Coward
    Anonymous Coward

    Jesus Christ, am I the only person that's been paying attention to this?

    They've been opening the snailmail for decades and have never hidden the fact. It even says in the story that this was being reviewed in '76, and that wasn't a secret meeting either. Why is this news to anyone?

    I mean, I'm glad people are finally getting angry about it but it's very odd that it took so long.

    John Smith 19: "Because there just aren't enough snoops to process every physical item in the way every digital item can be stored"

    Actually, there are. The NSA employs tens of thousands of people to open the physical mail and, again, has done so for decades.

    It's like watching people come out of those sleep machines in Alien.

  17. Beauchamp

    To and from?

    I would say that it seems unlikely that they would collect meta-information from the letter contents.

    Most likely is that they are collecting only the To: and From: fields for their database. The connections between people are the richest source of information that is likely to be easily derivable from such communication since anything that was hidden in the message could not be routinely looked for.

    After all is said and done there are a very, very large number of ways to hide information in what seems to be plaintext.

    I'm particularly interested in how they could conceal that a letter has been opened.

    1. Anonymous Coward
      Anonymous Coward

      Re: To and from?

      "I'm particularly interested in how they could conceal that a letter has been opened."

      What makes you think they tried? I had post opened on the way to me from the US and it came with big stamp on it saying "this mail has been opened and inspected by" whatever department it was. That was in 1983.

  18. Anonymous Coward
    Anonymous Coward

    Where there's a will, there's a way

    So, you just make an arrangement in advance where it is agreed that all mail going to to a given address is sent without a return address and inside said mail is another envelope and in that envelope another one with postage on it and the address where that letter is going. Your buddy drops that one into the mail. It also has no return address. And it too, could be going to another forwarder. Kind of a snail mail version of TOR.

This topic is closed for new posts.

Other stories you might like