Private Address Forwarding

Legal action last update 2014-01-04

I have a proposal for something I call "Private Address Forwarding" (PAF).

tl;dr proposal: Google Voice for postal mail. The USPS assigns you a unique ID, you tell them where to forward that ID, and they can't disclose who it belongs to or where it goes without court process or your permission. You could get mail that's just addressed to "PAF 13JS-00EG-C, United States", and it'd automagically get routed to you. You can also choose to give UPS, FedEx, etc permission to access the forwarding info if you want.

tl;dr benefits: Getting mail while preserving your privacy; never having to update your address w/ everyone when you move (just w/ the USPS); cheaper & easier than PO boxes.

Using an obscure, technical, never-before-used 2006 law, I've gotten the Postal Regulatory Commission (PRC) and USPS to start formally considering this proposal. (Obligatory: first! \o/.)

You can view all the relevant documents (including all public comments filed so far) on the PRC website here, or go to here and enter MC2013-60 as the docket number.

Coverage: Bruce Schneier, Association for Postal Commerce

Updates (RSS)

To stay updated: subscribe to the RSS feed of above updates; get emails from me (major developments only), and/or add an official PRC document filing alert for docket MC2013-60.

NOTE: The original schedule was contested by the Public Representative and by me (plus an addendum because of the government shutdown).

The USPS opposed us on all of that, and I revised my request given the post-shutdown mootness of some of the issues and addressing the USPS' concerns. The PRC found that "taking the circumstances into account, including the nature of the Request, the revised procedural periods suggested by Petitioner are reasonable", completely siding with my revised scheduling request (though delaying whether it'd extend the schedule if the USPS produces the documents I've requested).

2013-12-20: Response comments due (originally 2013-11-13).

2013-11-18: Initial public comments due (originally 2013-10-16).

2013-10-16: USPS response due.

2013-09-18: Filed.

Have comments?

If you have any comments on this proposal, I strongly encourage you to send them in formally, after first discussing them informally.

Would you use PAF (and why)? How do you think my proposal could be improved? Do you think it's a bad idea? Unless you tell the PRC formally, they won't know, and your perspective won't be taken into account.

Of course, please do also share this widely, discuss it on the redfacegooghackblr, etc. (Please email me links to such discussions so I can post 'em here.)

To comment on the record:

File a formal comment through the PRC (preferred)

1. Prepare your comments as a PDF document. Name the file "paf-com-[your-name].pdf", < 40 characters, no spaces or special chars. Address it to the Postal Regulatory Commission, refer to docket number MC2013-60, and be polite, clear, and concise. Use 12 pt Arial w/ 1.5 line spacing for body text, a 1 inch margin, and a header w/ docket # & page #. You can copy the format of e.g. the PR's motion (pdf, docx) or use my gdoc template. If you're referring to someone else's comment, mention its title and date.

2. Go here and register for a temporary online filing account.

3. Check your email and click the verification link.

4. When logged in, go here, select MC2013-60 as the docket number, title your document "Comment on MC2013-60 by [your name]" (if before Nov. 18) or "Reply comment by [your name] to USPS comments on MC2013-60", upload the PDF, and submit it. It'll probably take a day or so to get posted and visible.

File a formal comment through regulations.gov

The Federal Register notice has a form that lets you submit comments. (I don't know how this interfaces with the PRC's own official filing system.) You can also call Stephen L. Sharfman, General Counsel, at 202-789-6820 if you can't submit comments electronically.

Send your comments to the Public Representative

The PRC appoints a staffer for each case as a sort of independent ombudsman, to represent the interest of the "general public", called the Public Representative (PR). The PR for this case is James Waclawski (james.waclawski@prc.gov; phone (202) 789-6826; fax (202) 789-6861). You can contact Jim with any questions about this case. You can also contact him to tell him your thoughts, but note that he does not represent you, but rather his own independent view of the "general public"'s interests. So if you want your opinions represented, you should file a formal comment in your own name. To quote him: "The Public Representative can answer procedural questions. However, the Public Representative does not represent individual members of the public and will not offer legal advice. Typically, a Public Representative does not act as a conduit for the positions of individual members of the public. It is best for individual members of the public to file comments directly with the Commission."

To participate in informal collaboration on the document:

Post a link to this page on your favorite blog / social network / bookmarking site / etc and discuss it there. (I'd appreciate it if you email me a link.)

Use the google doc. Highlight text -> 'insert' menu -> 'comment'. Please note that the PRC won't look at this though, and I can't edit it because it's already been filed. This is just for informal discussion; be sure to file your thoughts resulting from that discussion formally, as above.

Email me directly or leave me an anonymous comment. I take constructive comments seriously and will try to integrate your ideas in any amendments I make — but you should still file your perspective formally so that the PRC sees it directly.

USPS' position on this proposal

On October 16th, the USPS filed a formal reply to my PAF proposal, an opposition to schedule extension, and a motion for late acceptance of the same.

I also had a phone call on the October 18th with the USPS lawyer on this case, which was helpful in better understanding their position and my response.

I of course encourage you to read their views yourself, but here's my attempt at a fair summary of them, as well as my tentative thoughts in response so far (in italics).

The USPS believes the PRC should deny my requests, have no further proceedings on this, and not ask the USPS to do anything about it, except if the USPS independently chooses to propose something similar at some point in the (unlikely to be near) future, because:

Privacy

They need to think through compliance with NIST security standards, the Privacy Act, how to make "mail processing equipment image recognition software" process PAF IDs, etc.

I fully agree these things need to be thought through, and indeed I said exactly that in my original proposal. Having to think about privacy issues isn't an argument against doing so.

The Privacy Act authorizes more disclosures than my proposal does, e.g. "to the Bureau of the Census for purposes related to census and survey activities, to other domestic government agencies for a civil or criminal law enforcement activity if the activity is authorized by law, and to a person upon a showing of compelling circumstances affecting an individual’s health or safety" and to "agencies and entities such as credit bureaus that perform identity verification and credit risk assessment services, or to government agencies when necessary in connection with decisions by the requesting agency to issue licenses, grants, or other benefits". I don't believe that the Census has a need to know anything about PAF IDs; they have other info on where people live. My proposal already includes standards for law enforcement disclosure. "Compelling circumstances" disclosure may be a reasonable addition. Credit bureaus should not have access without very explicit, optional user consent, because they're some of the biggest brokers of data mining that violate individuals' privacy. And presumably a user would consent to disclosure to a government agency when it's to their own benefit.

The USPS already has some privacy protections via its "system of records for address change, mail forwarding, [etc]", "protective court order[s]"; exceptions for "domestic violence shelters"; and because "permanent change-of-address [information]" is only given "to mailers … already in possession of [customer information]".

These protections are completely inadequate for the privacy of normal mail users, and nowhere near the level of privacy that would be given by my proposal. Any spammer, stalker, or PI can easily get change of address information (since they already have previous address information), and protective court orders are hard to obtain (let alone without proof of some specific risk, e.g. for someone who simply values their privacy). And PO boxes are not adequate either. Plus, these give no protection whatsoever for someone's continuing need to receive mail. Even if your new address isn't disclosed to people who have your old one, the moment you use it to order anything, it'll get cross-linked by data-mining brokers — and poof goes privacy. (And why shouldn't you have privacy from the people you buy things from, too?) I believe that everyone has rights to both privacy and to mail service, and that it should not be difficult to exercise those rights.

Operations / pragmatics

They've thought of similar ideas before:

Patent #7,295,997, in which merchants generate "[l]abel information [e.g.] a random number … to identify the customer [without] includ[ing] the customer's name or address information" and "the shipper may read … the label to determine the customer's name and address, apply [a] new label that has the customer's name and address to the package, and ship the package to the customer … [so that] the customer's information remains anonymous from the merchant."

Patent application 20120011068 ("Mail My Way"), in which "a 'virtual address' or 'vanity address' is arbitrary character data defined by a mail recipient that is other than a physical address or mailing address of the customer … for use in lieu of their … physical address"

Trademark application 8600747 ("Digital License Plate"), which concept includes "providing authentication of personal identification, secure storage of personal information, and encoding of identification information on valuable documents and products"

Looks like they have indeed thought of similar things before, and I wasn't aware of them. This isn't an argument against my proposal, though. (If anything, it's an argument in favor.)

"no system for storing records of coded customer identities and addresses for purposes of a product like [this] exists"

… really? The USPS already maintains something virtually identical for storing records of PO Box holders' information, validating their ID, etc.

"the feasibility of applying the concept to all types and shapes of mail (letters/card vs. flats vs. parcels)"

It doesn't have to work for everything at once. E.g., PAF could be rolled out for letters/cards only at first. Iterative development is a good thing. Plus, letters only would enhance privacy.

Allowing user-authorized access to PAF information to third parties only under a non-disclosure agreement "would raise legal and liability risks for the Postal Service".

Again, it's OK if the first rollout doesn't include third party access. I'm not the USPS' lawyer so can't comment on liability for them, but I do believe that if PAF information is disclosed to third parties, an NDA is a non-negotiable requirement to adequately preserve user privacy.

"refus[ing] PAF service to customers who are documented to have abused PAF or who have been convicted of mail fraud, identity theft, or abuse of legal process" would "[require] disclosure of a PAF customer’s name and actual physical location to third parties in order to confirm convictions or other necessary information. Alternatively, the Postal Service may have to collect such information from those third parties."

That could be a potential plus (if handled with adequate privacy protections), but it certainly isn't a requirement. USPS regulations (DMM 508 §§4.4.5, 4.4.6, 4.9.1 & 4.9.2) already say that people can't have a PO box if they've abused it, etc etc. This is enforced simply by requiring the customer to make a sworn statement that they haven't, and lying on that (if discovered) has serious penalties. Again, as an initial step, the same approach would be adequate for my proposed restrictions on PAF users.

Authority

The USPS says that it has "limited investigative and/or developmental resources", "postal management determines if and when to devote resources to examining such issues", the "responsibilities and prerogatives to allocate its scarce capital, technological and human resources within the context of overall financial, operational, and service objectives, as determined by postal management", and "the duty to evaluate the feasibility, direction and prioritization of diverse pre-decisional product development investigations" especially if "the present unavailability of the product in question [doesn't] violate[] any policy of Title 39 U.S.C.". The USPS also says that the PRC shouldn't "interfere with the process of determining new product concepts", "compel postal management to justify its current priorities", "schedule or require negotiations or dialogue between the Postal Service and a requester under section 3642(a)", or even "direct[] the Postal Service to expend resources to analyze or develop any form of the proposed product concept beyond any the Postal Service may independently choose".

Based on my phone call, my understanding is that the USPS believes the PRC should legitimately be involved in changes under dispute (e.g. how GameFly is currently upset at preferential treatment given to Netflix on DVD mailers) — but that it's the USPS' sole authority (based on 39 USC §403(a) and "title 39 as a whole") to determine its priorities. They also believe that the PRC shouldn't ask them to do something new without their first having determined it to be feasible to do, that 403(a) etc gives them sole authority to choose what to investigate for feasibility in the first place, and that they shouldn't have to disclose any information about that. Essentially, they don't believe that the PRC has the authority to make them do something new, nor to investigate doing so — only to make changes to existing services.

Certainly, the USPS has to determine feasibility etc., and its resources are limited; it probably can't do or even investigate everything that is proposed. And I don't claim that the lack of PAF IDs violates the law. However, the USPS goes too far in claiming (or implying) that it has the sole authority to make such determinations. 39 USC §3642 (a, b) clearly says that product list changes and criteria-fitting determinations are made "by the Postal Regulatory Commission", not by the USPS, and that changes may be proposed by "users of the mails, or [the PRC]". While the USPS may well have primary control over its operations, the USPS' argument that the PRC shouldn't "interfere with the process of determining new product concepts" or "compel postal management to justify its current priorities" directly contradicts Congress' intent with the 2006 Postal Accountability and Enhancement Act (PAEA). The PRC has clearly been given a mandate to oversee and decide exactly those things. Letting the USPS unilaterally refuse to allow PRC oversight would completely gut that mandate. Likewise, the USPS' argument that the PRC shouldn't "require negotiations" with a requester — or even direct them to "expend resources" for "any … proposed product" that the USPS doesn't "independently choose" — would completely gut the power given by the PAEA to individuals (like me) to propose changes in postal services. Their position is basically a "Catch-22 argument": that they shouldn't do something new unless they think it's feasible, but they also shouldn't even be asked to determine whether it's feasible. I would strongly prefer to work cooperatively with the USPS, and I believe that they do have a primary role in determining practical issues of feasibility and the like. However, this kind of blanket "not invented here" rejection doesn't demonstrate good faith in having a cooperative discussion of products proposed by ordinary citizens.

Scheduling

The USPS disagrees with the schedule extensions proposed by the PRC's Public Representative and by me, because:

Our proposal would "be flawed by the absence of any opportunity for [the USPS] to reply to initial comments".

I have no opposition whatsoever to the USPS having opportunity to reply to initial comments; indeed, I encourage it. So far no initial comments have been filed at all anyway.

Our proposal would "delay the Commission’s ability to even begin the process of sorting through the merits of the PAF proposal", "strain the Commission’s resources in a way that the current schedule seeks to avoid", and "delay the resolution of this docket well beyond the length of time applicable to concurrent proceedings of greater significance and complexity".

True, it would be a longer process. However, the Commission doesn't particularly need to do anything for most of it (merely accepting comments), and the USPS can choose how much it wants to reply. The additional "strain" is minimal and delaying resolution would not impede other proceedings. By contrast, it would allow for true public comment and discussion — which I think justifies a delay of a couple months.

"proceedings should not be delayed solely for the purpose [of] permitting … [someone] to mount a publicity campaign or to recruit allies in support of its position. [Decisions should be made based on] the various relevant policies of title 39, not by the numbers of parties who subscribe to various views regarding the merits of a particular product proposal."

I've intentionally delayed disseminating this proposal until after the USPS' reply was in, because I believe the public should comment on an informed basis. I agree that a view isn't more justified merely by the number of people holding it. However, widespread desire for PAF would certainly be a merit in itself, which gets to the question of prioritization. Calling my desire for true public participation in what are supposed to be public comment periods a "publicity campaign" is rather unfair and dismissive of the value of public participation in policy-making.

"On the other hand, the Postal Service understands that the Commission may need to adjust the scheduled November 13th date for the filing of reply comments based on when it is able to resume full operations and declare that parties are on notice of pleadings filed today."

At least we agree on that one. :-)



Modifications I intend to propose

Since reading others' comments on my original PAF proposal, I believe the following modifications would be beneficial:

Have PAF IDs generated using some kind of pseudo-random permutation generator (like this), rather than a general pseudo-random number generator, to avoid the birthday paradox effect (otherwise it'd take increasingly long to generate PAF IDs). Credit: Ryan Castellucci

Allow users to configure their PAF IDs to refuse certain kinds of mail — primarily, bulk mail (aka spam) and any package large enough to contain a GPS device. Users could either grant an exemption to specific senders, or have a separate (more closely held) PAF ID without that restriction.

Add some teeth to the recommendation that third parties not refuse to accept PAF IDs unless they have a legitimate need to know your actual address. The PAF ID alone should suffice for any shipment method (once the major shippers adopt my proposed user-authorization API). (Credit: Ryan Castellucci.) However, I don't know how to do this. I don't know how to adequately define "legitimate need". Nor do I know whether this legal context (i.e. USPS regulations) even has the power to impose such a PAF ID acceptance requirement on third parties or how it could be enforced. Similarly, it'd be nice if mailing a GPS tracker to a PAF ID in order to breach the user's privacy were illegal, but I don't know if that's possible to do in this context.

Make the 1st PAF ID free (for humans). However, there are some pragmatic issues with that.

Have a public API to tell whether a given PAF ID is valid for delivery. If there are possible mail-type restrictions, it would also say what kinds of mail that PAF ID accepts. With user opt-in consent, the API would also disclose the user's legal name. Credit: Chris Phoenix, cphoenix at gmail

Have an audit log of all PAF ID accesses (whether by postal employees or third party API requests), to help deter / prosecute insider abuse. Credit: Matt Mastracci

Permit transfer of PAF IDs to another party (though see below re secondary market abuse deterrence).

Permit "vanity" PAF IDs (possibly at some reasonable cost), much like vanity license plates, in addition to purely random PAF IDs. This would be primarily for people for whom disclosing their name is not a problem. (They may also not per se care about protecting the privacy of their location — though that would be preserved — but still want the convenience of a PAF ID.) Registration of a vanity address would require an extra annual fee (in addition to the general annual PAF maintenance fee). For individuals, the first 3 or so would be at a reasonable cost (~$30?). For corporations, the cost should be somehow proportional to the corporation's size and non-profit status. E.g. it'd be perfectly reasonable to charge Google or Microsoft on the order of $10k for the vanity PAF ID of their name, and probably reasonable to charge Goodwill on the order of $1k, but a small non-profit should probably get the same rates as individuals. Credit (for this and following parts): Yonatan Zunger

To prevent collisions, vanity IDs would be case-insensitive and ignore any non-alphanumeric characters (just like random PAF IDs' hyphens are optional). Also, there would need to be some procedures (similar to those for vanity license plates, trademarks, and name changes) to ensure that vanity names are not obscene; are not so ambiguous as to probably confuse someone about who owns it; and that names that clearly reference a specific entity can only be registered by that entity. Also, there would need to be some combination of administrative burden and legal prohibition / enforcement ability to prevent secondary market abuse (like domain squatters), so that vanity names are only registered by people who actually want to use the name themselves. One vanity PAF ID in particular — "Santa Claus" and variants thereof — has already been registered by the USPS itself since 1912.

The rules would be enforceable both by the USPS (with the usual administrative appeals ability) and third parties (like a trademark owner or someone having the same name, claiming an equal or superior right to a given name), either to nullify the PAF ID and prohibit its use entirely (e.g. if it is too ambiguous or confusable, like someone trying to register "John Smith"), or to take it over entirely (e.g. if someone other than Google tries to register "Google").

Permit multi-address PAF IDs (for additional cost), primarily for corporate clients. For these, a single PAF ID would actually be delivered to the nearest / cheapest-to-send address on a list of addresses. For instance, if Goodwill has a PAF ID for donations, it would likely want such packages delivered to its nearest donation-processing center, of which there are hundreds. This would save money for the USPS and be more convenient for PAF users who have multiple locations. Credit: Yonatan Zunger
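As an added illustration of the first modification above (permutation-based ID generation) and of the normalisation rule for vanity IDs, here is example code of my own, not part of the filed proposal or of any USPS system: a keyed pseudo-random permutation (a Feistel network) turns a sequential counter into random-looking IDs that cannot collide, while the random-draw alternative has to redraw more and more often as the ID space fills. The ID layout (eight symbols from a 32-symbol alphabet plus one check symbol, written like the page's sample "13JS-00EG-C"), the check-symbol rule and the HMAC-based round function are all assumptions made for the example.

```python
"""Added example (not the proposal's or the USPS's code): issue PAF IDs from
a keyed pseudo-random permutation (a Feistel network) instead of drawing
random numbers and checking for collisions, and normalise IDs for comparison.
Assumed layout: 8 body symbols from a 32-symbol alphabet + 1 check symbol."""
import hashlib
import hmac
import random

# Assumed alphabet: digits and letters without I, L, O, U (Crockford base32),
# which matches the look of the page's sample ID "13JS-00EG-C".
ALPHABET = "0123456789ABCDEFGHJKMNPQRSTVWXYZ"
BODY_SYMBOLS = 8                    # 8 symbols * 5 bits = 40-bit ID space
HALF_BITS = 20                      # Feistel halves of 20 bits each
HALF_MASK = (1 << HALF_BITS) - 1
ROUNDS = 4


def _round_function(key: bytes, rnd: int, half: int) -> int:
    """Keyed round function: HMAC-SHA256 of (round, half) cut to HALF_BITS."""
    msg = bytes([rnd]) + half.to_bytes(4, "big")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & HALF_MASK


def permute(key: bytes, x: int) -> int:
    """Bijection on [0, 2**40): balanced Feistel network with ROUNDS rounds."""
    left, right = x >> HALF_BITS, x & HALF_MASK
    for rnd in range(ROUNDS):
        left, right = right, left ^ _round_function(key, rnd, right)
    return (left << HALF_BITS) | right


def unpermute(key: bytes, y: int) -> int:
    """Inverse of permute(): apply the same rounds in reverse order."""
    left, right = y >> HALF_BITS, y & HALF_MASK
    for rnd in reversed(range(ROUNDS)):
        left, right = right ^ _round_function(key, rnd, left), left
    return (left << HALF_BITS) | right


def _check_symbol(body: str) -> str:
    """Assumed check symbol: position-weighted sum of symbol values mod 32,
    so most single-symbol typos are caught before a lookup is attempted."""
    total = sum((i + 1) * ALPHABET.index(c) for i, c in enumerate(body))
    return ALPHABET[total % len(ALPHABET)]


def encode_id(value: int) -> str:
    """Render a 40-bit value as 'XXXX-XXXX-C' (body plus check symbol)."""
    body = ""
    for _ in range(BODY_SYMBOLS):
        body = ALPHABET[value & 31] + body
        value >>= 5
    return f"{body[:4]}-{body[4:]}-{_check_symbol(body)}"


def normalize_id(text: str) -> str:
    """Comparison form: case-insensitive, non-alphanumerics ignored (the rule
    the page gives for vanity IDs and for optional hyphens in random IDs)."""
    return "".join(c for c in text.upper() if c.isalnum())


def parse_id(text: str):
    """Return the 40-bit value behind an ID, or None if it is malformed or
    its check symbol does not match."""
    s = normalize_id(text)
    if len(s) != BODY_SYMBOLS + 1 or any(c not in ALPHABET for c in s):
        return None
    body, check = s[:-1], s[-1]
    if _check_symbol(body) != check:
        return None
    value = 0
    for c in body:
        value = (value << 5) | ALPHABET.index(c)
    return value


def issue_ids(key: bytes, start: int, count: int) -> list:
    """Issue `count` IDs from the counters start..start+count-1.  Because
    permute() is a bijection, distinct counters give distinct IDs: no
    collision check, and no slowdown as the space fills."""
    return [encode_id(permute(key, n)) for n in range(start, start + count)]


def counter_for_id(key: bytes, text: str):
    """Map an ID back to its issuing counter (e.g. a customer record number)."""
    value = parse_id(text)
    return None if value is None else unpermute(key, value)


def random_issue_redraws(space_bits: int, count: int, seed: int = 1) -> int:
    """Contrast: issue `count` IDs by drawing random values from a
    2**space_bits space and redrawing on collision.  Returns how many redraws
    were needed; that number grows as the space fills (the birthday effect)."""
    rng = random.Random(seed)
    used, redraws = set(), 0
    while len(used) < count:
        candidate = rng.getrandbits(space_bits)
        if candidate in used:
            redraws += 1
        else:
            used.add(candidate)
    return redraws
```

Run it with e.g. `issue_ids(b"constructed-example-key", 0, 5)` to get five distinct random-looking IDs, and `counter_for_id(key, some_id.lower())` to map one back; `random_issue_redraws(8, 200)` shows how many redraws the random-draw approach needs to fill most of a 256-value space.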

FAQ / issues

Again: I welcome comments, especially constructive ones. I'd appreciate being contacted directly so I can integrate your ideas into mine, but of course, you should definitely comment on the record if you have something you want to propose directly.

These are my responses to questions I've seen come up in discussions so far.

Privacy

Couldn't this be defeated by mailing a GPS tracker?

Yes. However, that's a lot more work than most people would do, and definitely more than it requires now. Don't dismiss imperfect privacy solutions; raising the difficulty level of an attack does reduce its likelihood. All security is about risk reduction; risk elimination is impossible. If a PAF ID is e.g. restricted against delivery of packages (letters only), a GPS attack would be harder. (Though again, yes, not impossible, if you have a device that can fit in and survive processing of a regular letter envelope.) Of course, other public records (e.g. house ownership) still can lead to you. All this does is provide you a way to give others a mailable address that doesn't itself disclose your physical address. If they already have enough other info on you, it's too late to try to protect your privacy from them. This is meant to incrementally improve your privacy and make things more convenient, not be a panacea. That doesn't exist. Sorry.

Aren't there more securely private methods?

The only one I can think of is to have your mail go through a lawyer who represents you, refuses to disclose your identity without a warrant, will fight any such warrant, and has excellent operational security. It's not the same kind of protection as a 4th amendment subpoena/warrant requirement, but it's still pretty good, and of course your lawyer could be behind a PAF ID themselves to get that added layer. Depending on how privacy-conscious and helpful your lawyer is, you could get your mail emailed to you as an encrypted scan and then immediately shredded. In fact, this is basically what many companies routinely do already by only disclosing the address of an "agent for service of process" rather than their physical location. Of course, the downside is that it's way more expensive than a PAF ID would be, and also has the time delay if you want to get a physical delivery.

Wouldn't this help spammers?

They already have your info. It might help them a little by reducing costs of sending duplicate mail, but then that reduces how many pieces of spam you get, so on that score at least it's win/win. If they have your real address or even PO box, they can (and do) cross-reference it with a lot more info (and know your location). This would at least give you some chance at establishing a new, non-datamined address. I'd like to have PAF users be able to preemptively refuse all bulk mail, which would cut down on spam significantly (though not completely, and not from companies you do business with). Unfortunately, I'm not sure the USPS would be willing to allow that. Bulk mailers are a major source of their revenue, and would be certain to vigorously oppose such an option. I intend to propose it anyway, but if you want to see it happen, please submit a formal comment in support.

Government

Couldn't the government seize / redirect a PAF ID?

Yes. They can do that already with the current system. And yes, the NSA probably will get a full dump anyway. These aren't changes. If the government goes through due process successfully, or if they choose to violate the Constitution, they can already do all that and more. Plus, the USPS already scans your mail.

Could I use this for my driver's license or the like?

I see no reason why not. (I've personally had a PO box listed on my driver's license before.) Of course, cops will need access to your real address so they can confirm a claim that you live where you say you do, arrest you if there's a warrant, etc. But there's no need for cashiers, bouncers, Amazon.com, etc to know that.

Shouldn't this be free / cheaper?

Preferably, yes. I'm hoping the USPS would agree to let everyone have at least 1 free PAF ID. Ideally, I'd prefer that it cost only a nominal amount for you to give a different PAF ID to every separate entity you deal with, so you can detect when they sell your info and cut them off. That would be like the "virtual account numbers" that some credit cards & banks offer or Google's application-specific passwords. However, the USPS is currently operating at a loss, and this will cost money to implement. They're going to want this to be profitable for them in order to OK it, and they have to be on board or it won't happen. Also, the price should be high enough to deter abuse by spammers and the like.

Doesn't a private mailbox or PO box already do this?

No.

If it's not government run, you have zero 4th amendment rights; they can legally hand over your stuff without even a subpoena, even if you have a private agreement with them that says they won't. You can sue them for breaking the agreement, but you wouldn't be able to stop the disclosure or its use against you in court. Note that this also means you should be careful if you give e.g. FedEx/UPS access to your PAF ID, because though my proposal calls for them to have a mandatory non-disclosure and non-retention policy, they could still violate it. This is one of the reasons why I also think you should have multiple IDs.

If it's run by the USPS, you have 4th amendment due process rights on disclosure. Yes, they can still get a warrant, and you could lose a John Doe motion to suppress a subpoena, but it's more than nothing.

Mailing twice (sender → intermediary → you) is more expensive and time consuming. In that sense, PAF IDs are very similar to the military's use of APO/FPO mailing addresses (though those provide no due process protection against the government, and PAF IDs would).

You're only allowed to have a PO box where you live. If you move, you have to get a new one (which is a hassle) and update your address with all third parties who send you mail. With a PAF ID, you only have to make one update, with the USPS, and it doesn't matter where you live (as long as the USPS delivers there).

You're not allowed to have multiple PO boxes. You can have multiple PAF IDs — and e.g. segregate addresses you use for work, personal mail, private purchases, etc. (You would however need to tell your bank about it, have multiple credit cards, or the like, so that payment address verification still works. It's necessary to reduce credit card fraud.)

Are you some sort of shill?

Um, no. Take a look at my projects and presentations. You'll see I have a long history of strongly supporting civil liberties and privacy in particular. I'm a whitehat hacker.

Shameless plugs

If you're interested in this, you might also be interested in two other things I'm doing: