Mail surveillance is widespread

Martin Shelton

Principal Researcher

It’s the Digital Security Training team at Freedom of the Press Foundation (FPF), with security news that keeps you, your sources, and your devices safe. If someone has shared this newsletter with you, please subscribe here.

Freedom of the Press Foundation (CC BY 4.0)

In the news

The Washington Post reports that law enforcement agencies are sending surveillance requests to the U.S. Postal Service to monitor the physical mail of thousands of Americans. According to data unearthed in a congressional probe, more than 60,000 requests by federal investigators and police captured data on 312,000 letters and packages between 2015 and 2023. Requests under the “mail covers” program are nearly always approved — as much as 97% of the time — and don’t require a court order that would ordinarily be required for email. These records pertain to only the outside of the mail, and law enforcement is still required to get a warrant for the content inside of the mail. Read more here.

What you can do

Physical mail is one of the most common ways large U.S. media organizations accept tips from the public. That’s why we think media organizations should advise sources that the exterior of their physical mail may not be private, and therefore they may prefer not to put their return address on the exterior of the envelope. (Of course, they can always still place the return address inside the envelope, if needed!) Read our guide to security considerations for confidential tip pages.

Get Notified. Take Action.

Updates from our team

This week we welcome our newest Digital Security Training intern, Kevin Pham! Raised by working-class immigrants, Kevin has long been at the forefront of digital organizing. From fact-checking disinformation campaigns with Viet Fact Check to assisting domestic violence survivors at Cornell Tech’s Clinic to End Tech Abuse, he hopes to bring new perspectives to the team!

Our team is always ready to assist journalists with digital security concerns. Reach out here, and stay safe and secure out there.

Best,

Martin

Donate to support press freedom

Your support is more important than ever.

Read more about Digital Security Digest

Beware fraudulent CrowdStrike emails

Last Friday, computer systems worldwide were taken down by a defective update from enterprise cybersecurity vendor CrowdStrike. In the wake of the outage, the U.S. Cybersecurity and Infrastructure Agency is warning of phishing emails, with attackers posing as CrowdStrike customer support.

What to do about AT&T breach

Around 110 million AT&T subscribers were affected by a data breach from May 1 to Oct. 31, 2022, TechCrunch reported.

Massive Authy leak, plus Proton Docs

The parent company for Authy, an application for two-factor authentication, has issued a critical security update to its Android and iOS users. According to BleepingComputer, hackers utilized leaked phone numbers from past data breaches to identify up to 33 million Authy users.