The Daily WTF posted an entry today that featured a picture of some mail that a bank sent out with some text on the envelope promoting saving paper. The joke was that someone received three pieces of it in two days.
In the picture, the recipient’s last name and address were blurred out but the barcode was left intact. One commenter pointed this out and another erroneously said that all it encoded was the Zip+4 and some check digits. I replied, indicating that the latter comment was confusing Zip+4 with POSTNET. The 11-digit POSTNET barcode, as shown, encodes the Delivery Point as well as the Zip+4. This is supposed to be unique for every deliverable address and is often the last two digits of the numeric part of the street address.
Using this page, I was able to decode the barcode and with simple Google and county property tax record searches, I was able to find out the recipient’s last name, address, phone number and pictures of his house (in a real estate listing). All this without resorting to any paid “private eye” searches or “hacking”.
Privacy is an illusion, especially when you’re not aware of all the ways it can be violated. While The Daily WTF is usually very good about anonymizing the stuff they post, this shows that it’s always a good idea to make your privacy your own responsibility.
Already in use is a new system called Intelligent Mail. It will become mandatory in 2011 in order to qualify for automation postage rates. The new barcode uses four symbols instead of the two used by POSTNET, for a much greater data capacity. In addition to Zip Code information, senders can encode such things as sender ID, item serial number and tracking numbers. The Postal Service has a privacy page especially for Intelligent Mail.
UPDATE 5/12/2009: They’ve done it again. This time The Daily WTF has published a letter with an Intelligent Mail bar code, which exposes the recipient’s full address, plus the sender ID and a serial number.