An Internet privacy watchdog organization filed a lawsuit recently in the United States District Court for the District of Columbia against the United States Postal Service. In Electronic Privacy Information Center (“EPIC”) v. United States Postal Service, et al., EPIC alleges that the USPS’s law enforcement unit (yes, that exists), has been tracking and collecting Americans’ social media posts for years.
Details regarding the surveillance effort known as the “Internet Covert Operations Program” or “iCOP” were made public when EPIC filed suit in August 2021. Postal Service analysts working for iCOP comb through social media sites to look for “inflammatory” postings, such as information about planned protests, and then share their findings with other government agencies. There are few public details, however, about the scope of iCOP’s operation, how it collects data, and where it stores the data that it collects. EPIC’s counsel told Law360 in August that EPIC filed its lawsuit, at least in part, to obtain more information about how the Postal Service uses the data that it collects.
In its complaint, EPIC alleges that by enacting iCOP, the Postal Service severely overstepped its mandate to ensure public safety within the U.S. mail system.
Primarily, EPIC alleges that the Postal Service failed to adhere to federally mandated privacy guidelines before initiating iCOP surveillance. The E-Government Act of 2002 requires federal agencies to conduct a privacy impact assessment before enacting regulations or programs that will affect privacy rights, and to advise the public before initiating a new collection of information or developing or procuring surveillance technology. The federal agency must identify in any privacy assessment the type of information it seeks to collect, how it will use the information, how it will notify or provide opportunities for consent, and how it will store data. Once the assessment is finished, the federal agency must use the assessment to narrowly tailor its surveillance, and must publish the results of the assessment.
The Postal Service filed a Motion to Dismiss on October 19, in which it argues that EPIC has no standing to standing to sue over iCOP because neither EPIC nor its members suffered a cognizable legal injury, because iCOP did not appropriate “personally identifiable information” such as Social Security Numbers or biometric identifiers such as fingerprints. The Postal Service also argued that, even if EPIC could establish standing, the Postal Service is not subject to the E-Government Act, and, therefore, did nothing wrong by failing to conduct a privacy assessment. Moreover, the Postal Service argued, the E-Government Act was not intended to provide a private right of action for the public, but instead, to improve internal agency decision-making in matters that involve privacy.
EPIC’s lawsuit appears to present a unique challenge to law enforcement surveillance, in that it does not challenge the constitutionality of the surveillance, but rather, raises only a procedural challenge. EPIC’s lawyer’s comments in the press suggest that the Postal Service could remedy the alleged injury to EPIC by simply conducting and publishing the results of the privacy assessment.
If the court determines that EPIC lacks standing because its members suffered no cognizable injury, the court would not have to delve into the viability of the Postal Service’s argument that iCOP is excepted from the E-Government Act. If EPIC clears the standing hurdle, however, the court may join a growing number of federal courts that have weighed in on the legality of law enforcement surveillance.