Identity protection remains the hardest nut to crack in cybersecurity. Much cybercrime involves using stolen identities to commit identity fraud or take over accounts, or stealing and selling identity information to enable these crimes. Market solutions have thus far failed because establishing identities is a public good that only governments are truly positioned to provide. Thus, the Better Identity Coalition and other leaders in the field have looked to the U.S. Postal Service (USPS) to provide in-person identity-proofing services for online accounts, as it does for passport applications. While the USPS role would be useful for the online identity ecosystem, identity-proofing services would be far from the core mission of the postal service today: delivering the mail. Yet with mail volumes down and revenues declining, the postal service needs to find a way to stay relevant in the digital age, or it risks privatization, as proposed by the Donald J. Trump administration. Instead of taking on a limited role in in-person identity proofing, USPS should make identity services the cornerstone of a suite of new service offerings. These offerings would provide the security and privacy protections afforded by physical mail in the digital realm and help manage the transition away from postal delivery as a necessary service for most purposes.
The Need for Trusted Identities in the Digital World
Annual losses from identity theft are estimated at $16 billion for U.S. consumers and over $200 billion globally. Combating these losses is big business. Consumers pay up to $30 a month for services, such as LifeLock, that monitor for identity fraud and provide post-incident support. Businesses spend more than $19 billion per year to detect identity fraud. Yet despite these costs, there is no effective way to validate identities online. As the Better Identity Coalition puts it, “The lack of an easy, secure, reliable way for entities to verify identities or attributes of people they are dealing with online creates friction in commerce, leads to increased fraud and theft, degrades privacy, and hinders the availability of many services online.”
Why Market Solutions Fail
Although technology companies have made significant progress in securing access to accounts with multifactor authentication and single sign-on, validating identities for online use has become more difficult. Repeated losses of personally identifiable information (PII) in breaches such as those at the credit reporting firm Equifax and the hotel chain Starwood have led most security professionals to conclude that the “knowledge-based” model of identity validation, in which PII is used to validate identity, no longer suffices. Thus the need for an in-person “identity-proofing” event, in which an individual presents to a trusted party credentials that are then associated with an online identity, has regained traction.
Why the Postal Service
The postal service already provides identity validation to the Department of State for U.S. passport applicants and reportedly [PDF] intends to extend this service to other organizations. Thus the postal service, with its 34,700 post offices, is better positioned than other federal agencies to provide the public good of identity validation. But instead of accepting a limited role in identity validation, the postal service should build a series of other value-added services around it.
With mail volumes and revenue at USPS continuing to decline, the postal service needs to find a way to stay relevant in the digital age. Mail volume dropped 2 percent in fiscal year 2018 and 3 percent in fiscal year 2017. In fiscal year 2018, the postal service posted a $3.9 billion net loss. It has exceeded its statutory debt limit and defaulted on retiree health-benefit obligations. Revenue from first-class mail, marketing mail, and periodicals continues to decline. Revenue from package delivery is the only bright spot, with growth in the last three fiscal years—but the announcement by Amazon of efforts to move logistics and shipping in-house means that a big chunk of future USPS earnings in this area could be endangered.
A Twenty-First-Century Vision for the U.S. Postal Service
Despite this dire state, the postal service’s 2017 strategic plan fails to provide an innovative path forward other than the already failed attempts at cost control. Although it recognizes that its mission needs to change in an increasingly digital economy, USPS does not envision a significant role for itself in that economy beyond its current role in delivering packages for e-commerce sites. Instead, it should make digital identity the platform for a suite of new services in the digital domain. Using a portion of its 34,700 post offices to provide in-person identity proofing, it should offer each verified individual a USPS email account tied to that identity. It should then use this newly gained knowledge of who its actual customers are to improve real-world delivery, with the goal of purposefully reducing mail volumes over time as it transitions to the digital economy.
Providing Identity Validation
In this scenario, an applicant would begin the process by filling out an online application that collects biographical information such as their name, date of birth, social security number, cell phone number, and address. The applicant would then schedule an appointment at a participating post office. During the appointment, a postal worker would validate the information provided online against identity documents such as a passport, driver’s license, birth certificate, and social security card, in turn validating those documents against government databases. The applicant would also supply an email address that would be linked to their identity.
After verification is complete, when the applicant needed to prove their identity online they would supply their basic biographical information and the email address tied to their USPS-validated identity. That data would then be forwarded to USPS to be validated against its records. Use of an email address in this way could also replace the use of postal mail as an out-of-band backup validation method.
Making USPS an Email Provider
Instead of associating the applicant with an existing email account, the USPS could offer the option to establish a separate USPS email account. In 2011 the U.S. Postal Service’s inspector general recommended this step, concluding that a USPS “emailbox” could provide valued, trusted services to USPS customers. This new email address would serve as a unique identifier, like a social security number. However, unlike a social security number, the email address would not need to be kept secret. While many individuals might choose to use an existing commercial provider, having a separate account for handling sensitive financial matters is widely considered a good cybersecurity practice. Having one for this purpose that comes with the same legal protections as physical mail today would be even better.
These email accounts would be required to be protected by multifactor authentication to ensure that criminals could not easily compromise them, as they could if only a username and password were required. Beyond technical security measures, the accounts would come with legal protections that exceed minimum protections for other email accounts. Such protections could include legal prohibitions on the sale of account information, targeted advertising, and interception.
The account could be paid for in a number of ways. Many Americans have realized that free online services are not truly free but are monetized through targeted advertising. Thus, many consumers are likely to pay for an email account that would not be mined for advertising and would provide value-added services such as identity verification. Banks, insurance companies, and other businesses that need to validate identities are also likely willing to pay the postal service on a per-transaction basis, and advertisers could be charged for the delivery of email messages to these accounts.
Tying Digital Identity to Real-World Delivery
USPS could use its new knowledge of the actual identity of its customers to bring mail delivery into the twenty-first century. At present, USPS delivers all mail to the provided address regardless of whether the addressee is associated with the address. Current efforts such as Informed Delivery add little value and are wide open to exploitation, but a program tied to actual identity could both preserve privacy and enhance revenue.
With consumers’ validated identity tied to an email address, USPS could offer truly valuable services. Anyone who has moved recently has dealt with the hassle caused by a twentieth-century mail system in a twenty-first-century mobile economy. The average American moves more than eleven times during their life. Yet people are still asked to list their permanent address on forms. USPS could, on a voluntary basis, track changes in address and automate the process of mail forwarding and address changes.
Addressing mail to an individual’s email address—or a barcode derived from it—could both increase efficiency and protect privacy while delivering mail to a physical address. Getting a package delivered would require disclosing just the zip code, not a full address, to a company in order to calculate shipping costs; moreover, the long tail of mail that needs to be forwarded (or does not get forwarded) when people move would be eliminated simply by changing the physical address in the USPS account.
Managing the Transition Away From Physical Mail
A USPS email account could also be used to eliminate duplicate and unwanted mail, even though USPS might not consider doing so to be in its business interest. An estimated 44 percent of junk mail is never opened, and 40 percent of the total is never recycled. The carbon emissions from junk mail are equivalent to those of nine million cars. Giving customers the equivalent of an “unsubscribe” option to physical mail could eliminate the hassle of sorting through junk mail and achieve significant emissions reductions. The postal service has set a goal to “be a sustainability leader,” and yet roughly 10 percent of its revenue is derived from delivering a product that its customers do not want. While motivated consumers can take steps to reduce junk mail, the USPS should manage this process, block delivery, and impose penalties for violations.
The Need for Congress to Act
USPS leadership has long pressed Congress for a series of changes to law that would allow the postal service to increase revenue. These changes have included allowing the postal service to increase rates on mail, eliminating Saturday delivery, and ending the ban on providing non-postal services. Congress has resisted making these changes because they would increase prices and reduce service. The objections are understandable if the postal service retains only its traditional service model of physical delivery. Congress should therefore only make those changes if it also mandates others that would move the service into a digital future. In short, mail volumes need to be actively reduced while digital services are created that can replace the need to physically deliver postal items other than packages. In exchange for these actions, Congress should do the following.
- Direct the postal service to offer digital identity services. Congress should require the postal service to develop and aggressively market a voluntary service for identity verification to its customer base. Such a service would include in-person identity proofing, as well as ongoing digital identity management coupled with a USPS email service.
- Require the Internal Revenue Service and other federal agencies to accept these validated identities. Individuals enrolled in the program should automatically have their validated identities made available to other federal agencies, and account access and enrollment in government services should be blocked unless done through a validated postal service identity.
Mandate a junk mail removal program. To manage the transition to the digital economy, mail volumes will need to be reduced so that daily delivery to every address is no longer required. A combination of trusted email accounts that can be used for business purposes and the ability to opt out of junk mail can significantly reduce mail volumes and provide related environmental benefits.
Critics will argue that market forces should determine whether the postal service continues to operate in the digital future. But allowing a long, slow decline and eventual privatization could leave taxpayers responsible for retirement and health-plan obligations to the five hundred thousand postal workers employed today. It would also be a missed opportunity to solve long-standing problems with validating identities in the digital realm and to make email a true substitute for physical mail. U.S. law gives the postal service the mission to “bind the Nation together through the personal, educational, literary, and business correspondence of the people.” At a time when many see the United States unraveling due to untrustworthy media, fake social media accounts, and active manipulation, the postal service is well positioned to once again bind the nation together by serving as the foundation for a new set of trusted services in the digital realm.