U.S. Postal Service: Update on E-Commerce Activities and Privacy 
Protections (21-DEC-01, GAO-02-79).				 
								 
Management of the U.S. Postal Service's (USPS) e-commerce program
has been fragmented, and implementation of e-commerce initiatives
has varied at different business units. Overall, USPS'		 
performance in this area has fallen short of expectations. Last  
year, the Postmaster General announced a sweeping management	 
restructuring that changed both the reporting structure and	 
program managers. USPS also revised its procedures for approving 
and implementing new Internet initiatives, including e-commerce. 
However, concerns persist about whether USPS' e-commerce	 
initiatives are being cross-subsidized by other postal products  
and services. USPS managers contend that e-commerce products and 
services must cover their incremental costs. GAO found that this 
goal has not been met and it is unclear when it might be	 
achieved. Without accurate, complete, and consistent financial	 
information, USPS cannot assess its progress toward its financial
performance goals for e-commerce. USPS also lacks clear and	 
comprehensive policies and procedures for reporting direct and	 
indirect revenues and costs for e-commerce and other new products
and services. As a result, reporting inconsistencies are likely  
to continue. In contrast, USPS has reportedly developed privacy  
policies and practices for its e-commerce customers that exceed  
those required by federal law.					 
-------------------------Indexing Terms------------------------- 
REPORTNUM:   GAO-02-79						        
    ACCNO:   A02599						        
  TITLE:     U.S. Postal Service: Update on E-Commerce Activities and 
Privacy Protections						 
     DATE:   12/21/2001 
  SUBJECT:   Agency missions					 
	     Electronic commerce				 
	     Internet						 
	     Postal service					 
	     Privacy law					 
	     Private sector practices				 
	     Reporting requirements				 
	     Strategic planning 				 
	     USPS Delivery Confirmation Initiative		 
	     USPS E-commerce Program				 
	     USPS ePayments Initiative				 
	     USPS National Change of Address Program		 
	     USPS NetPost Certified Initiative			 
	     USPS NetPost Mailing Online/NetPost		 
	     Cardstore Initiative				 
								 
	     USPS PosteCS Initiative				 
	     USPS Secure Electronic Delivery			 
	     Services/Electronic Postmark Initiative		 
								 

******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO Testimony.                                               **
**                                                              **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced.  Tables are included, but    **
** may not resemble those in the printed version.               **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
******************************************************************
GAO-02-79
     
Report to the Ranking Member, Subcommittee on International Security,
Proliferation, and Federal Services, Committee on Governmental Affairs, U.
S. Senate

United States General Accounting Office

GAO

December 2001 U. S. POSTAL SERVICE

Update on E- Commerce Activities and Privacy Protections

GAO- 02- 79

Page i GAO- 02- 79 U. S. Postal Service Letter 1

Results in Brief 2 Background 4 USPS Has Made Limited Progress in Responding
to Our

Recommendations 6 Federal Laws, Regulations, and Policies and Self-
Regulatory

Practices Provide Privacy Protection for E- Commerce Customer Information 20
Conclusions 34 Recommendations for Executive Action 36 Matter for
Congressional Consideration 36 Agency Comments and Our Evaluation 37

Appendix I Objectives, Scope, and Methodology 41

Appendix II USPS E- Commerce Initiatives 44

Appendix III Comments From USPS 45

Appendix IV GAO Contacts and Staff Acknowledgments 47 GAO Contact 47
Acknowledgments 47

Related GAO Products 48

Tables

Table 1: Selected Federal Privacy Laws That May Apply to USPS and Some
Private- Sector E- Commerce Providers 26 Table 2: Privacy Business Practices
Used by USPS and Selected

Private- Sector E- Commerce Providers 31 Contents

Page ii GAO- 02- 79 U. S. Postal Service Abbreviations

ABA American Bankers Association CBD Corporate Business Development COPPA
Children?s Online Privacy Protection Act DMA Direct Marketing Association
ECPA Electronic Communications Privacy Act EPM Electronic Postmark FTC
Federal Trade Commission NCOA National Change of Address OIG Office of the
Inspector General OMB Office of Management and Budget PRC Postal Rate
Commission SOHO small office and home office UPS United Parcel Services USPS
U. S. Postal Service

Page 1 GAO- 02- 79 U. S. Postal Service

December 21, 2001 The Honorable Thad Cochran Ranking Member Subcommittee on
International Security,

Proliferation, and Federal Services Committee on Governmental Affairs United
States Senate

Dear Senator Cochran: This report responds to your request to provide
further information about the U. S. Postal Service?s (USPS) activities in
the e- commerce area. 1 In our September 2000 report, 2 we recommended that
the Postmaster General (1) take appropriate actions to help ensure that e-
commerce and other related initiatives are appropriately identified and
maintain accurate and complete information related to the status of these
initiatives, (2) follow processes and controls that have been established
for developing and approving ecommerce initiatives, and (3) provide complete
and accurate information on costs and revenues for e- commerce initiatives.
Specifically, for this review, our objectives were to (1) determine what
actions USPS has taken to respond to the recommendations in our September
2000 report relating to its e- commerce activities; (2) update the status
and performance of USPS? e- commerce initiatives; and (3) compare federal
privacy laws, regulations, and policies that apply to USPS in the e-
commerce area to those that apply to private- sector providers and discuss
voluntary privacy protections provided by USPS and selected private- sector
providers.

To address the objectives of this review, we reviewed USPS documents and the
information available on USPS? Internet Web site as well as information on
some of USPS? partners and affiliates. We held discussions with USPS
officials responsible for e- commerce activities. We reviewed the material
we obtained for internal consistency and completeness, but we did not verify
the information provided by USPS or other e- commerce providers. We obtained
legal information on selected federal laws, regulations, and policies that
apply to USPS? e- commerce activities,

1 Electronic commerce, or e- commerce, refers to conducting business (e. g.,
buying and selling products and services) on the Internet. 2 See U. S.
Postal Service: Postal Activities and Laws Related to Electronic Commerce

(GAO/ GGD- 00- 188, Sept. 7, 2000).

United States General Accounting Office Washington, DC 20548

Page 2 GAO- 02- 79 U. S. Postal Service

including the privacy area. We also held discussions with staff from the
Federal Trade Commission (FTC) and officials from the Office of Management
and Budget (OMB) and obtained information from selected private- sector
providers of e- commerce products and services concerning their privacy
policies and protections. We did not review actual privacy practices of USPS
or selected private- sector providers, including associations representing
such providers; therefore, we could not assess either their voluntary
privacy practices or whether they were complying with all applicable privacy
laws. A more detailed description of our scope and methodology is included
in appendix I.

We conducted our review at USPS headquarters in Washington, D. C., between
January 2001 and October 2001 in accordance with generally accepted
government auditing standards. We requested comments on a draft of this
report from USPS, and its comments are discussed near the end of this
letter. We also received technical comments from USPS, FTC, and UPS as well
as oral comments from PRC, which we incorporated into the report where
appropriate.

Although USPS has several actions under way to respond to the
recommendations made in our previous report, it has made only limited
progress during the past year in resolving the problems that our
recommendations were aimed at correcting. USPS continues to have difficulty
defining, identifying, and classifying its Internet- related initiatives,
including e- commerce initiatives. Additionally, inconsistency remains in
the implementation of its processes and controls for developing, approving,
and monitoring the performance of e- commerce initiatives. Also, financial
information related to its e- commerce and Internet- related activities is
not complete, accurate, and consistent. In our opinion, a major factor
contributing to USPS? limited progress in this area has been its management
approach. Overall, the management of USPS? ecommerce program has been
fragmented, and implementation of ecommerce initiatives has been
inconsistent across the various business units involved in these activities.

To date, USPS has not achieved its expected performance for the ecommerce
program. We discussed our concerns about the program?s fragmentation,
inconsistency, and poor performance with the Deputy Postmaster General. He
acknowledged the difficulties USPS has had with this program, including
difficulty among the various business units in reaching agreement on which
initiatives are e- commerce. He noted several planned actions that would be
taken to address these problems. In Results in Brief

Page 3 GAO- 02- 79 U. S. Postal Service

September 2001, the Postmaster General announced a sweeping management
restructuring, which changed both the reporting structure and managers
responsible for the e- commerce program. USPS is also currently revising its
procedures for approving and implementing ecommerce and other new Internet-
related products and services. The Deputy Postmaster said that he intends to
have complete financial reporting in place on the e- commerce initiatives by
the end of calendar year 2001. We believe that actions taken by USPS to
ensure strong leadership, transparency, and accountability for results, if
fully implemented, are central to the effective implementation of USPS?
ecommerce program.

Concerns continue to be raised as to whether USPS? e- commerce initiatives
in the aggregate are being cross- subsidized by other postal products and
services. In response to our previous report, USPS officials noted that
?eCommerce products and services in the aggregate are to cover their
incremental costs and thus not be cross- subsidized.? To date, based on
financial information provided to us, this goal has not been met, and it is
not clear when this goal will be realized. Without accurate, complete, and
consistent financial information, USPS will not be in a position to assess
its progress toward its financial performance goals for its e- commerce
program. In addition, USPS does not have clear and comprehensive policies
and procedures that would address how all of the direct and indirect
revenues and costs associated with its e- commerce and other new products
and services are to be reported. Without comprehensive policies and
procedures in this area, inconsistencies in reporting are likely to
continue.

In contrast to its fragmented approach to e- commerce programmatic
activities, USPS has created a focused privacy program headed by a Chief
Privacy Officer and reportedly has developed privacy policies and practices
for its e- commerce customers that exceed those required by federal law. In
comparing the privacy protections that USPS reports that it provides to its
e- commerce customers with those of private- sector providers, we noted that
different federal privacy laws apply to USPS than to private- sector
providers. For example, the Privacy Act and the Postal Reorganization Act of
1970 do not apply to the private sector, while other federal laws, such as
the FTC Act, may apply to the private sector but not to USPS. In addition to
the requirements in federal privacy laws and in response to privacy
concerns, both USPS and selected private- sector providers told us that they
were voluntarily engaging in additional business practices to safeguard the
privacy of customers? personal information. For example, USPS and all of the
selected e- commerce

Page 4 GAO- 02- 79 U. S. Postal Service

providers we contacted reported that they had posted privacy policies on
their Web sites that stated how customers? information would be collected
and used, even though it may not be required by law. Given the myriad
federal and state privacy laws applicable in this area as well as the
numerous private- sector providers with varying privacy practices, we did
not attempt to determine which privacy practices might afford customers
greater privacy protection.

To address the concerns we raised, we are recommending that the Postmaster
General take steps to provide better transparency and accountability for
USPS? financial information related to its new products and services. In
commenting on a draft of our report, USPS? Deputy Postmaster General
acknowledged that while USPS had made progress in responding to our earlier
recommendations, it had not made all of the progress we would have liked.
Regarding the recommendations in the draft report, USPS said that it agreed
with our first recommendation to provide a comprehensive set of policies and
procedures for capturing, attributing, and reporting revenues and expenses
associated with its new products and services. For the recommendation
concerning annual reporting, USPS intends to take a different approach than
that contained in our recommendations, but says it believes that it will
meet the requirements in our recommendation. If these steps do not prove
effective, Congress may want to consider requiring USPS to have an annual
review by the Postal Rate Commission (PRC) on the performance of its new
products and services and PRC to submit a report to Congress annually on the
results of this review.

Congress and other stakeholders have raised questions about USPS?
participation in the e- commerce area. Some stakeholders have expressed
concerns that USPS is establishing e- commerce products and services in
competition with those already existing in the private sector, a role they
regard as not appropriate for a government entity. For example, USPS has
established an electronic bill payment and presentment service when many
private- sector companies in the financial services industry, such as banks,
already provide such services. In August 2000, USPS stated that it had a
valid and appropriate role to play in the e- commerce area: ?our long
history as a trusted provider of universal communications services for the
American people and the unquestioned value of our presence in and service to
every community make it logical and, we think, imperative that we continue
to develop the e- commerce products and services that our customers will
need and demand both now and in the future for their business and personal
lives.? Background

Page 5 GAO- 02- 79 U. S. Postal Service

USPS has stated that the pace of the e- commerce revolution is highly
uncertain and that the evolution of market and customer requirements will
increase the need for a more flexible, innovative, and responsive Postal
Service. 3 According to USPS, many of its direct competitors have taken
their business online, and many new competitors are threatening other parts
of its business. Further, competition is evolving through electronic
diversion and alternatives in the areas of electronic bill payment and
presentment, and payment options; secure messaging services; and digital
security services, such as digital certificate authorities. Intense
competition from online shipping services exists from two major competitors-
FedEx and United Parcel Service (UPS). The key players each have unique
approaches to new electronic business opportunities. According to USPS, it
also faces competition from foreign postal administrations, many of which
have developed a formal strategy for ecommerce development, in some cases,
supported by a dedicated business unit.

USPS offers a variety of e- commerce and Internet- related products and
services that deal with the delivery of money, messages, and merchandise.
Over the past year, USPS has added specific goals and strategies for its
ecommerce program. In September 2000, USPS stated that the e- commerce goal
for fiscal year 2001 was to ?Use the Internet channel to offer new and
enhanced products and services that provide the U. S. Postal Service with
revenue such as license fees and user charges.? More specific e- commerce
fiscal year 2001 goals included (1) generating $104 million in revenue from
e- commerce initiatives, (2) increasing customer traffic to USPS? Web
channel (USPS. com), and (3) improving customer overall satisfaction with
USPS? channel/ service offerings. In February 2001, USPS? three primary
goals for USPS. com, from which many e- commerce and Internet- related
offerings are accessed, were to (1) increase USPS revenue, (2) maximize
customer satisfaction, and (3) reduce costs for USPS. In June 2001, USPS
said that its goals were to use the best available and emerging
technologies, including the Internet, to enhance the value, availability,
and affordability of postal products and services for all customers and to
expand universal access to the delivery of messages, merchandise, and money
by providing customers with choices when doing business with USPS. Recently,
USPS appears to be narrowing its focus in the ecommerce area. In September
2001, the Postmaster General stated that ?I

3 USPS 5- year strategic plan, FY 2001 to 2005.

Page 6 GAO- 02- 79 U. S. Postal Service

will take a close look at our e- commerce activities and we will retain
those that support growth of our core products and others that are
profitable.?

Significant changes have affected the marketplace in the past year,
particularly in the e- commerce sector, with many dot. com companies going
out of business. Due to this market volatility, some e- commerce providers,
such as USPS, have experienced slower rates of adoption and lower revenue
than anticipated. Yet e- commerce plays an ever- growing role in the
national economy. According to a recent report, the number of American
adults with Internet access grew by 16 million in the second half of 2000.
More than half of those surveyed for the report who had Internet access had
bought a product online at one time or another. The Census Bureau of the
Department of Commerce estimated that total e- commerce sales for 2000 were
$25.8 billion, about 0.8 percent of total retail sales, and for the second
quarter of 2001, about 0.9 percent.

Privacy concerns are widely regarded as one of the main issues delaying
greater use of the Internet and e- commerce. In particular, consumers appear
concerned about the extent to which some Web site operators collect personal
information and share that information with third parties without the
consumer?s knowledge. Surveys have also shown that some potential e-
commerce customers avoid using these products and services because of fear
that their personal information will be misused.

Since we issued our report in September 2000, USPS has taken actions to
respond to our recommendations, but it has only made limited progress in
resolving the problems that our recommendations were aimed to correct. Over
the past year, USPS has continued to struggle with the management and
performance of its e- commerce program. Implementation of USPS? ecommerce
initiatives has continued in a fragmented and inconsistent manner. We
recommended that the Postmaster General (1) take appropriate actions to help
ensure that e- commerce and related initiatives are appropriately identified
and maintain accurate and complete information related to the status of
these initiatives, (2) follow processes and controls that have been
established for developing and approving ecommerce initiatives, and (3)
provide complete and accurate information on costs and revenues for the
financial data on e- commerce initiatives. USPS continues to have difficulty
defining, identifying, and classifying its Internet- related initiatives,
including e- commerce initiatives; and inconsistency remains in the
implementation of its processes and controls for developing, approving, and
monitoring the performance of e- commerce initiatives. Finally, financial
information related to USPS? e- commerce and USPS Has Made

Limited Progress in Responding to Our Recommendations

Page 7 GAO- 02- 79 U. S. Postal Service

Internet- related activities is still not complete, accurate, and
consistent. We discussed USPS? difficulties with its e- commerce program
with the Deputy Postmaster General. He acknowledged the difficulties and
described USPS? planned actions for addressing the problems. He stated that
USPS intends to be able to provide complete financial reporting on all of
its e- commerce initiatives by the end of calendar year 2001.

USPS continues to have difficulty defining and determining which of its
Internet- related initiatives are e- commerce initiatives. In our previous
report, we recommended that USPS take actions to appropriately identify e-
commerce and related initiatives and maintain complete information on their
status. At the time we issued our previous report, USPS defined its
ecommerce activities as those products and services that required the
Internet to do business and generated revenue to USPS through user charges
or licensing fees. Throughout our review, USPS was in the process of
revising this definition. According to the Deputy Postmaster General, USPS
was refining the definition to deal with what it says were anomalies that
have surfaced that made this definition confusing and inappropriate. In
October 2001, he stated that USPS? difficulty in reaching agreement among
its various business units on which initiatives were e- commerce was faced
by many companies where there was an overlap between ecommerce and core
product activities and infrastructure development to reduce costs.

Differing internal views about the definition and classification of
Internetrelated initiatives, including e- commerce initiatives, made it
difficult for USPS to provide us with a complete list of e- commerce
initiatives. Over the past few months, USPS officials explained the
difficulties they had experienced due to differing opinions as to how e-
commerce initiatives should be defined and what initiatives should be
considered e- commerce versus those that support or enhance existing core
products and services. E- commerce initiatives are just one subset of USPS?
new products and services, which may include other Internet- related
initiatives as well as retail and advertising initiatives. How an initiative
is defined and classified also affects how its costs, particularly indirect
costs, and revenues are reported. Without a clear understanding of which
initiatives are ecommerce, USPS cannot provide complete, accurate, and
consistent information on its e- commerce program.

USPS? criteria for different categories of e- commerce and other
Internetrelated initiatives have changed several times over the past few
months. In a letter dated December 4, 2001, commenting on a draft of this
report, the USPS Has Difficulty

Determining What Initiatives Are E- Commerce

Page 8 GAO- 02- 79 U. S. Postal Service

Deputy Postmaster General stated that USPS now defines as e- commerce ?those
products or services that require the Internet for the customer to do
business with us and whose primary objective is to directly generate new
revenue.? Further, he stated that USPS also said that it recognized that
some of its new products and services might either use the Internet or
generate new revenue, but only those that met both tests would be defined as
e- commerce. However, USPS noted that initiatives defined as ?non-
ecommerce? would not receive any less management scrutiny. Applying this
definition, USPS stated that it currently has 5 e- commerce initiatives:
ePayments, PosteCS, NetPost Certified, NetPost Mailing Online/ NetPost
Cardstore, and Secure Electronic Delivery Services/ Electronic Postmark.

USPS officials explained that the difficulty they have encountered in
attempting to define and classify e- commerce and Internet- related
initiatives is due to differences in the purposes for various initiatives.
They further explained that these different purposes could be grouped into
three major categories of Internet- related initiatives. First, some
initiatives are intended to directly generate revenue as stand- alone
products. Second, other initiatives may indirectly generate revenue by
supporting existing core products and services. Third, still other
initiatives may or may not generate revenue, but are primarily intended to
provide customers with easier access to other products and services.
Examples of these different categories follow.

An example in the first category would include eBillPay. According to USPS,
eBillPay, part of USPS? ePayments initiative, was developed primarily for
the purpose of directly generating revenue from retail customers and has not
generated revenue toward any existing core postal product, such as stamps.
Thus, USPS considers ePayments a stand- alone e- commerce initiative. Other
examples of stand- alone initiatives include NetPost Certified and PosteCS
(see app. II for more details on the initiatives). An example of the second
category of initiatives is the Postal Store (an enhancement of its previous
initiative, Stamps Online), which was intended primarily to provide an
electronic alternative for customers desiring to purchase stamps via the
Internet. Thus, according to USPS officials, it indirectly generates revenue
toward an existing USPS core product, that is, postage stamps, and is not
considered an e- commerce initiative. The third category of initiatives
includes Delivery Confirmation, which is a special feature added to other
products and services that is intended to provide customer ease of use as
well as generate direct revenue. USPS also does not consider Delivery
Confirmation to be an ecommerce initiative.

Page 9 GAO- 02- 79 U. S. Postal Service

USPS officials have noted that it has become increasingly difficult to
separate e- commerce initiatives from core products because in the future
many new products and services will involve some form of Internet component.
Since our previous report was issued in September 2000, USPS has implemented
four e- commerce- related initiatives or enhancements to initiatives that
were mentioned in that report, with the exception of Net Post Cardstore:
NetPost Mailing Online was implemented in September 2000, NetPost Cardstore
in December 2000, and NetPost Certified in January 2001. In addition, USPS
implemented enhancements to its ePayments initiative in September 2001. Two
other e- commerce initiatives- the Postal Store and MoversNet (MoversGuide.
com)- also mentioned in our previous report were implemented, but as of
December 2001, USPS no longer considers these to be e- commerce initiatives.

Overall management of USPS? e- commerce program has been fragmented and
inconsistent across the nine business units involved in developing and
managing e- commerce and Internet- related initiatives. There has been no
clear accountability or consistency in the development, approval,
implementation, performance and day- to- day monitoring of initiatives.
Since our September 2000 report recommending that USPS follow its processes
and controls for developing and approving e- commerce initiatives, USPS has
made several revisions to its processes for approving and implementing e-
commerce and other new Internet- related products and services. However,
over the past year inconsistencies remain in the implementation of USPS?
processes for its e- commerce activities. In September 2001, the Postmaster
General announced a sweeping management restructuring, changing both the
reporting structure and managers responsible for its e- commerce program.

Management of USPS? e- commerce program has been fragmented because of
various factors. The internal processes and requirements for developing and
approving e- commerce initiatives have been revised twice in just over 1
year. As noted in our previous report, USPS recognized that its New Products
Development process for reviewing and approving new products that it
established in 1996 was not suited to e- commerce initiatives. Consequently,
in May 2000, it set up the eBusiness Opportunity Board (eBOB) review and
approval process. The eBOB process was intended to result in quicker
approval of initiatives than had occurred using its previous review and
approval process for new products and services. However, over the past year,
the eBOB process was not consistently followed for business development and
planning for e- commerce USPS Is Revising Its

Management Structure and Processes for Developing and Overseeing Its E-
Commerce Initiatives

Page 10 GAO- 02- 79 U. S. Postal Service

initiatives. Since we issued our previous report, some business plans for
the e- commerce initiatives were not regularly updated to reflect changing
market conditions and required approvals were not always obtained
consistently under the eBOB process. Implementation of initiatives has been
inconsistent, with some initiatives being implemented either before business
plans were prepared or without business plan approval, such as NetPost
Cardstore.

In July 2001, about a year after setting up the eBOB process, USPS revised
its review and approval process, creating both another process- BizDev- and
a new management group- Corporate Business Development (CBD). BizDev was
intended to be a process through which all new business development ideas
would be channeled. In July 2001, CBD officials told us that they intended
to update business plans every 6 months. They also told us that business
plans were not only to contain new elements but were to be prepared
following more strict guidelines. For example, a USPS official noted that a
tool kit would be used to specify how business plans were to be written.

In September 2001, USPS announced a reorganization and shifted
responsibility for e- commerce initiatives to new management and to a new
group called Product Development. Although it is not yet clear what
processes will be used for approving and reviewing e- commerce initiatives,
and it is too soon to determine whether the fragmentation and inconsistency
across units has been addressed, recent actions to clarify management
responsibility appear to be a step in the right direction.

In our previous report, we found deficiencies in the financial information
that USPS provided on its e- commerce initiatives and reported that the
steps USPS took in this area were important and needed to be effectively
implemented. We recommended that USPS provide complete and accurate
financial information on costs and revenues for its e- commerce initiatives.
Without reliable financial information, USPS will not be in a position to
assess its progress toward meeting its overall financial performance goals.
USPS? ability to report accurate and complete financial data for its
Internet- related initiatives, including e- commerce, is important to the
budget process, ratepayers, and congressional oversight. USPS agreed with
this recommendation, and at the beginning of fiscal year 2001 began
instituting a standard financial reporting procedure for the seven ecommerce
initiatives that were planned or implemented at that time, which USPS
continues to refine. The Deputy Postmaster General stated in USPS? comments
on our draft report dated December 2001 that USPS Efforts to Improve

Financial Reporting Are Continuing, but Information Is Not Yet Accurate,
Complete, and Consistent

Page 11 GAO- 02- 79 U. S. Postal Service

intends to be able to provide complete financial reporting on its five
current e- commerce initiatives by the end of calendar year 2001.

Although some improvements have been made to the financial statements
provided to us during this review, these statements, which have been
prepared on a quarterly basis, still are not complete, accurate, and
consistent. In September 2000, we reported that because of the data
deficiencies, we lacked confidence that the financial information was
sufficiently reliable. USPS officials have since told us that USPS has made
progress in tracking and reporting e- commerce financial data, including
creating a detailed statement of revenues and expenses for each ecommerce
initiative; providing a more complete set of costs, such as tracking direct
costs on an initiative- specific basis; and providing training to help
managers report costs on a consistent basis. We agree that the financial
statements provided to us for fiscal year 2001, quarters 1 through 3, were
improved. They included more detailed information on expenses, such as
developmental and operational expenses; planned revenue and net income; and
actual net income (loss); as well as program information, such as volume,
number of accounts; and identification of opportunities for improvement.
However, these financial statements do not currently capture all of the
revenues and costs associated with the e- commerce initiatives, and it is
not clear how USPS plans to report the necessary financial information that
is not included in the current financial statements.

Numerous deficiencies remain in USPS? financial information for its
ecommerce initiatives. USPS has not reported aggregate data on its ecommerce
activities as a whole, which would be necessary to track its progress toward
USPS? financial goals for its e- commerce activities. In July 2000, USPS
stated that ?. . . infrastructure and other costs associated with eCommerce
. . . will be calculated as part of our ongoing obligation to appropriately
report those incurred costs.? However, in August 2001, USPS officials told
us that USPS did not yet have a system to attribute costs for infrastructure
that supports e- commerce products and services (e. g., the ?Web site
infrastructure? initiative). Additionally, in order to compile aggregate
costs on USPS e- commerce activities as a whole, the following information
would also need to be included:

 Any common costs to the e- commerce area that could not be allocated to
specific e- commerce initiatives.  Operating costs and revenues for any e-
commerce products and services

discontinued during the fiscal year, or whose development is discontinued
Financial Data Continue to

Be Deficient

Page 12 GAO- 02- 79 U. S. Postal Service

during the fiscal year, for the fiscal year that aggregate costs are to be
reported.  Depreciation costs for capital assets acquired for discontinued
ecommerce products and services that have not been written off or fully

depreciated. USPS stated last year that it would ?require that complete and
accurate cost, revenue, and performance data be tracked and periodically
reported to senior management? for each e- commerce initiative. We are
concerned that USPS may only be preparing quarterly financial statements for
its current five e- commerce initiatives. 4 Other Internet- related
initiatives, that are not considered e- commerce, have generated revenues
and expenses in fiscal year 2001 but are not tracked through quarterly
financial statements. For example, USPS data for the Delivery Confirmation
initiative, which is not considered e- commerce, showed revenues of over
$278 million and expenses of over $35 million through the first 3 quarters
of fiscal year 2001. Given USPS? difficulties in determining e- commerce
versus other Internet- related initiatives and the probability that many, if
not most, future new products and services that generate revenues will have
some Internet- related component, it is not clear why quarterly financial
statements are required only for e- commerce initiatives at this time. The
Deputy Postmaster General stated in USPS comments on our draft report dated
December 4, 2001, that ?This does not mean, however, that initiatives
defined as ?non- e- commerce? will receive any less management scrutiny.?

We also found that USPS reported inaccurate and/ or inconsistent cost and
revenue data on some e- commerce initiatives. For example, although some
postage revenues for Mailing Online were reported as e- commerce revenue,
the corresponding processing and delivery costs associated with this mail
volume were not reported as e- commerce costs. Further, as the following
examples show, revenue and cost data were calculated and reported
inconsistently in the quarterly financial statements provided to us:

 Revenues were reported differently across e- commerce initiatives. For
Mailing Online, 38 percent of the postage revenues were estimated as ?new

4 Financial statements provided to us were for EPM; ePayments, including
eBillPay; MoversGuide. com; NetPost Certified; NetPost Mailing Online,
including NetPost Cardstore; PosteCS, and the Postal Store. As of December
4, 2001, USPS no longer considered MoversGuide. com or the Postal Store to
be e- commerce initiatives.

Page 13 GAO- 02- 79 U. S. Postal Service

postage? generated by this e- commerce initiative- that is, additional
postage generated because Mailing Online gave customers an additional way to
mail material to consumers. 5 In contrast, no revenues generated by the
Postal Store were reported as e- commerce revenues- that is, according to
the Postal Store financial statement, the revenues generated via the sale of
postal merchandise (e. g., Postal Service bicycling merchandise, stamps, and
philatelic products) through the Internet- based Postal Store initiative
were not considered e- commerce revenues. Although no revenues for the
Postal Store initiative were reported as ecommerce revenues, all costs for
this initiative were reported as ecommerce costs. Thus, the net income
reported for this initiative factored in only the costs, but not the
corresponding revenues.  Although most financial statements covered only
one e- commerce

initiative, others covered multiple initiatives. For example, a single
statement for the ePayments initiative covered both eBillPay and other
ePayment enhancements that had not yet been implemented. In this statement,
eBillPay costs were not reported separately from other ePayment initiatives
that were under development. Thus, the net income that was reported was the
consolidated net income for the eBillPay initiative as well as the ePayment
initiatives.  No Postal Store costs were reported in fiscal year 2001 for 8
of 10 cost

categories that generated direct costs in prior years, including supplies
and services, equipment rent and repair, communications, and travel. USPS
stated that costs reported for these eight categories prior to fiscal year
2001 were ?start- up costs.? However, according to the Postal Store
financial statement provided to us, the total direct costs for these eight
categories prior to fiscal year 2001 were $1.4 million, while the
?Developmental/ Start- up Expenses? were only $800,000. Further, USPS said
that to the extent that such costs were incurred in fiscal year 2001 for
these eight categories, they were included under ?Other Allocated Expenses?
or ?rolled into a separate administrative budget for a wider function that
includes the Postal Store.? However, for other initiatives after their
start- up periods, costs for these eight categories continued to be
itemized, rather than being included as other allocated expenses.

According to a USPS official, the e- commerce financial statements are
provided to top USPS officials, including the Board of Governors and the
Postmaster General, so that they can have summary information on the

5 The 38- percent figure used to allocate Mailing Online information was
based on data compiled by USPS before Mailing Online was implemented.

Page 14 GAO- 02- 79 U. S. Postal Service

performance of the e- commerce initiatives. Complete, accurate, and
consistent information would assist these top USPS officials in tracking,
evaluating, and making decisions about the e- commerce initiatives. In this
regard, we have additional concerns that the financial statements for USPS?
e- commerce products and services were not as useful as they could have
been. These concerns include the following:

 Although the financial statements included quarterly revenue goals and
planned costs for the e- commerce initiatives, based on what had been
approved during the budgeting process, the statements did not include
revised revenue and cost expectations- that is, goals that have changed
during the fiscal year from the original budget goals- to clearly indicate
what goals e- commerce program managers are working to achieve.
Specifically, the financial statements did not disclose substantial downward
revisions made during fiscal year 2001 to planned revenues and costs.  The
financial statements reported total planned revenues for each ecommerce
initiative for the full fiscal year, but did not report total planned

costs for the full year. For example, planned advertising and program staff
costs were not included in the planned full- year costs reported in the
financial statements. In certain cases (i. e., ePayments and NetPost
Certified) these expenses have made up a significant portion of total
expenses.

During this review, we identified several issues concerning the ecommerce
financial data that remain unresolved, which include (1) whether some or all
of the revenues and the corresponding costs of ecommerce products and
services are being included with other postal product revenues for budgeting
and reporting purposes, including reporting to the PRC; (2) how capital
outlays and related depreciation costs for each e- commerce initiative and
discontinued initiatives are to be reported; and (3) how costs for e-
commerce products and services that are under development (e. g., in a pilot
or testing phase) are to be reported. Currently, USPS does not have clear
and comprehensive policies and procedures that would address how all of the
direct and indirect revenues and costs, including those mentioned above,
associated with its ecommerce and other new products and services are to be
reported. Without comprehensive policies and procedures in this area,
inconsistencies in reporting are likely to continue.

USPS is attempting to resolve the problems we have identified. The Deputy
Postmaster General discussed with us the difficulties USPS has encountered
in trying to refine its financial reporting. He stated that USPS

Page 15 GAO- 02- 79 U. S. Postal Service

intends to be able to provide complete financial reporting on all ecommerce
initiatives by the end of calendar year 2001. We also discussed with the
Deputy Postmaster General the difficulties involved in developing a
consistent approach to attributing all of the appropriate costs, both direct
and indirect, to its e- commerce initiatives. According to USPS, its
ecommerce products have some particular characteristics that must be
addressed when attributing costs, such as when a new product makes use of
already existing infrastructure (e. g., computer system). Other challenges
include determining how research and development costs should be attributed.

Concerns continue to be raised as to whether USPS? e- commerce initiatives
in the aggregate are being cross- subsidized by other postal products and
services. Without complete, accurate, and consistent information, USPS will
not be in a position to assess progress toward meeting its overall financial
performance goal that e- commerce products and services in the aggregate are
to cover their incremental costs and thus not be cross- subsidized. Although
USPS intends to provide complete financial reporting on its e- commerce
activities by the end of calendar year 2001, we remain concerned that USPS
may not meet this goal because of recent changes under way in USPS?
management structure and uncertainty about when USPS? e- commerce program
will stabilize. Given the difficulties USPS has had in distinguishing
between e- commerce, Internetrelated, and its core products and services
and, according to USPS officials, the probability that most new products and
services are likely to have some Internet- related component, in our
opinion, the need for improved financial information extends not just to e-
commerce initiatives but to all of its new products and services. For
example, revenues and costs for some ongoing Internet- related activities
that have been implemented do not have a financial statement (such as
revenues and costs relating to Web affiliates with banner ads/ links on
USPS. com, and other new revenues and corresponding costs generated by USPS.
com). Thus, we believe that financial reporting requirements should apply to
all new products and services.

Many stakeholders are interested in the performance of USPS? new products
and services initiatives. Congress has also repeatedly expressed interest in
more information about USPS? activities aside from its traditional mail
products and services. In the Conference Report accompanying the Fiscal Year
1998 Treasury, Postal Service, and General Government Appropriations Act,
USPS was requested to report on its nonpostal activities, including an
estimate of the net revenue generated. In Information Needed to

Address CrossSubsidization Concerns

Page 16 GAO- 02- 79 U. S. Postal Service

the Senate Report accompanying the Fiscal Year 1999 Treasury, Postal
Service, and General Government Appropriations Act, USPS was requested to
report on its commercial activities, including their revenues and costs.
More recently, in the Conference Report accompanying the Fiscal Year 2002
Treasury, Postal Service, and General Government Appropriations Act, USPS
was requested to provide a report detailing and supporting USPS? position as
to the scope of its existing authority under current law to introduce and
provide new products and services. The report also requested information on
USPS? use of such authority to provide new products and services.

In view of USPS? problems in distinguishing between e- commerce, Internet-
related, and its core products and services, and USPS? difficulty in
providing complete, accurate, and consistent financial information in this
area, Congress could take further action to help ensure better transparency
and more reliable information on all of USPS? new products and services. As
we mentioned previously, to develop complete and consistent financial
information, USPS needs to have clear and comprehensive policies and
procedures for reporting. We also believe that a regular review of USPS?
financial reports in this area is needed to ensure that the information is
reliable and complete. The review could include annual USPS information on
volume, revenue, and cost information related to its new products and
services. Such a review could be conducted by an independent entity, such as
an independent auditor or the PRC, in a manner similar to that required for
international mail. 6 The results of the review could be reported on an
annual basis to Congress. USPS officials told us that they would prefer a
review by an independent auditor. We would agree that such a review could
ensure that USPS is adhering to its policies and procedures and that
information was reported in accordance with generally accepted accounting
principles. If an audit by an independent auditor does not result in
acceptable financial information on USPS? new products and services, then
PRC may be another alternative for reviewing USPS? financial information in
this area.

6 In 1998, Congress required PRC to review and report to Congress on USPS?
international mail products and services. The new requirement (39 U. S. C. sect.
3663) directs PRC to submit to Congress a comprehensive report on the costs,
volumes, and revenues of USPS? international mail services by July 1 of each
year. USPS is directed to provide to PRC, by March 15 of each year, the data
that it needs to prepare its report.

Page 17 GAO- 02- 79 U. S. Postal Service

To date, performance of the e- commerce initiatives has reportedly fallen
short of USPS? expectations. USPS officials said that this was because the
initiatives were relatively new, with most being less than a year old, and
that the business plans were overly aggressive. In September 2000 we
reported that, in some cases, business plans had been presented for approval
after e- commerce initiatives had been implemented. In addition, we found
that business plans had not been updated regularly to reflect changing
market conditions, thereby resulting in unrealistic performance
expectations. Without more timely and complete business planning, USPS
management will not be able to create a more realistic baseline against
which to measure and monitor the performance of each e- commerce initiative
and thus be able to determine whether a specific initiative should be
modified or discontinued. USPS has recognized that it needs to improve in
this area. USPS has begun updating and revising business plans and
developing mechanisms to more regularly monitor and report on the
performance of e- commerce initiatives. Further, in September 2001, the
Postmaster General said that he would be taking a close look at USPS?
ecommerce activities and that USPS will retain those that support growth of
its core products, as well as others that are profitable. Although USPS does
not yet have complete revenue and cost information on its original ecommerce
initiatives, none of the e- commerce initiatives for which financial
information was provided to us in seven financial statements for the 3rd
quarter of fiscal year 2001 were profitable. 7

In developing its fiscal year 2001 performance expectation for the overall
e- commerce program, USPS management used available business plans,
including one that had been prepared in 1996. According to USPS officials,
the goal for expected e- commerce revenue in fiscal year 2001 was $104
million. At the end of the first three- quarters of the fiscal year,
according to the financial statements provided to us, e- commerce
initiatives had generated less than 1 percent in actual revenues toward the
planned annual revenue goal of $104 million.

During our review, we noted that information in USPS? e- commerce business
plans had not been regularly updated to reflect changing market conditions.
For example, although acknowledging in the 1996 business plan that NetPost
Mailing Online?s use of new technology made it difficult to estimate its
market share and size, USPS did not update that plan until March 2001, after
it was implemented in September 2000, over 5 years

7 See footnote 4. Reported Performance for

E- Commerce Initiatives Has Not Met Expectations

Page 18 GAO- 02- 79 U. S. Postal Service

later. Expected performance in the updated plan had been revised to reflect
anticipated changes in the adoption rates and revised implementation dates
for this initiative, information that should have been provided in a more
timely manner to USPS management so that decisions could have been based on
more meaningful data. Some of the updated business plans provided to us
included revised forecasts of expected performance, based in part on USPS?
actual experience with its ecommerce initiatives. Business planning is very
important because, as we recently testified, 8 electronic government
initiatives should be supported by a well- developed business case that
evaluates the expected returns against the costs. The business case provides
the forum for the evaluation of the project?s costs, benefits, and
integration with the agency performance and results strategy.

Conditions affecting performance goals can change significantly during the
course of a year. For example, the March 2000 ePayments business plan, which
includes eBillPay, was updated a year later in February 2001. The February
business plan reflected substantially revised performance expectations based
on lowered forecasts by market analysts of consumer adoption of electronic
bill payment as well as USPS? actual experience in offering this initiative.
Revenue, cost, and operating contribution expectations for fiscal year 2001
had been decreased by about 96 percent, 66 percent, and 33 percent,
respectively, when compared to the expectations in the March 2000 business
plan. Without more regular updating, management may not be able to gauge an
initiative?s progress toward performance goals and thus determine whether
set goals are realistic.

USPS officials also told us that they recognize the need to more regularly
monitor the performance of e- commerce and Internet- related initiatives. In
addition to updating business plans every 6 months, USPS officials told us
in July 2001 that USPS was developing a performance report to track all new
products and services, including e- commerce initiatives, which it
reportedly implemented in September 2001. 9 The performance indicators

8 Electronic Government: Challenges Must Be Addressed With Effective
Leadership and Management (GAO- 01- 959T, July 11, 2001). 9 The performance
report is to contain up to 12 key performance indicators and is to display
the performance of the product or service- actual versus planned- for each
of the indicators. Key performance indicators used are to depend upon the
particular e- commerce initiative, but could include revenue, expenses, net
income; volume, operations, and marketing indicators; as well as trend
analyses.

Page 19 GAO- 02- 79 U. S. Postal Service

in the performance report are to be taken from the business plans for each
initiative, according to USPS officials. USPS management would then be able
to use these reports, or scorecards, to assess a particular product?s
viability or as a factor in their decisionmaking. In addition to monitoring
an initiative?s performance, it may be necessary to discontinue an
initiative should it continue to perform below expectations. USPS also
reportedly implemented a reporting tool in September 2001 that includes
information on its new revenue- generating business activities. Among other
things, the report is to identify those initiatives whose contribution,
after a specified implementation period, falls below their expected
contribution. After being given a certain amount of time for corrective
actions, such initiatives may be discontinued. 10

In May 2000, after the initiatives had been in place about a year, a USPS
official noted that the ?bubble burst and there was a market downturn?
referring to the recent economic slowdown. Business plans prepared in fiscal
years 2000 and 2001 that were provided to us projected that the Postal Store
and NetPost Cardstore would be profitable by the end of fiscal year 2001,
while the remainder of the initiatives would become profitable between
fiscal year 2002 and fiscal year 2005. In our 1998 report on new products
and services, we acknowledged that it might not be reasonable to expect all
new products to become profitable in their early years because new products
generally take several years to become established and recover their start-
up costs. 11 However, throughout this time, management needs to be provided
with timely and accurate information on each initiative?s performance so
that decisions can be made concerning whether the initiative is progressing
as planned or needs to be either modified or discontinued.

10 After a 6- month implementation period, USPS plans to actively monitor
products and place them on a critical list if their contribution falls below
plan for six consecutive accounting periods, after which time they may be
discontinued.

11 U. S. Postal Service: Development and Inventory of New Products (GAO/
GGD- 99- 15, Nov. 24, 1998).

Page 20 GAO- 02- 79 U. S. Postal Service

With respect to privacy protections provided to customers of e- commerce and
other Internet- related activities, USPS has stated that its customers are
afforded greater protection than those of private- sector providers, chiefly
because of the requirements in the combination of three laws- the Privacy
Act of 1974, the Electronic Communications Privacy Act (ECPA), and the
Postal Reorganization Act. Also, USPS recently stated that its voluntary
compliance with other federal privacy laws and guidance to which USPS is not
subject provides additional protection. Selected private- sector e- commerce
providers we contacted generally disagreed with USPS? contention that its
customers are afforded greater privacy protection, stating that private-
sector e- commerce providers, while not subject to the Privacy Act and the
Postal Reorganization Act, are subject to ECPA and several other federal
privacy- related laws and regulations, as well as applicable state laws that
do not apply to USPS.

In comparing the privacy protections USPS reports to offer its customers
with those privacy protections private- sector providers report to offer to
their customers of e- commerce products and services, we noted that
different federal privacy laws apply to USPS than apply to private- sector
providers. For example, the Privacy Act and the Postal Reorganization Act do
not apply to the private sector, but other federal laws, such as the FTC
Act, may apply to the private sector but not to USPS. In addition to the
requirements in federal privacy laws, and in response to privacy concerns,
both USPS and private- sector providers told us that they were voluntarily
engaging in additional self- regulatory privacy practices to safeguard
customers? personal information. We did not review actual privacy practices
of USPS or selected private- sector providers; therefore, we could not
assess either their voluntary privacy practices or whether they were
complying with all applicable privacy laws.

In comparing the privacy protections that USPS reports that it provides to
its e- commerce customers with those that private- sector providers report
that they provide to their customers, we noted that different federal
privacy laws apply to USPS than to private- sector providers. Although the
Privacy Act and the Postal Reorganization Act do not apply to privatesector
providers, the ECPA and other applicable federal privacy laws do.

The Privacy Act is a comprehensive privacy statute that provides certain
safeguards to protect individuals? personal privacy. The Privacy Act limits
Federal Laws,

Regulations, and Policies and SelfRegulatory Practices Provide Privacy
Protection for ECommerce Customer Information

Federal Laws and Regulations Apply to USPS and Private- Sector Providers of
E- Commerce Products and Services

Page 21 GAO- 02- 79 U. S. Postal Service

the collection, maintenance, use, and dissemination of personal information
by federal agencies, including USPS, and grants individuals access to
information about themselves. 12 Under the Privacy Act, USPS, its
contractors, 13 and other federal agencies are generally prohibited from
disclosing to third parties personal information maintained on individuals
(not businesses) without their consent. In addition, while under the Privacy
Act, USPS may be authorized to disclose personal information to other
government agencies under certain circumstances, the ECPA further restricts
any such disclosure. Under the ECPA, USPS may only disclose stored
electronic communications to a governmental entity possessing a search
warrant, or certain subpoenas. In addition, while the Privacy Act generally
prohibits the sale or rental of an individual?s name and address by a
federal agency, 14 the Postal Reorganization Act restriction on USPS goes
further. It provides that no officer or employee of USPS shall make
available to the public by any means or for any purpose any mailing or other
list of names or addresses of postal patrons or other persons, except for
census purposes or as otherwise specifically provided by law. 15

The Privacy Act allows individuals the right to sue federal agencies for
violations of the statute and provides for damages. In addition, the Privacy
Act provides criminal penalties and fines for willful, wrongful disclosure
of information and willful failure to meet the notice requirements of the
act. Depending upon the particular e- commerce initiative, information
collected by USPS from customers may include the following: name and
address, fax and telephone numbers, e- mail address, social security number,
and credit card information.

12 Under the Privacy Act, when agencies collect personal information about
an individual, they are to provide a notice to the individual that includes
the following: (1) the authority that allows the request of the information
and a statement on whether providing the information is mandatory or
voluntary; (2) the principal purpose or purposes for which the information
is to be used; (3) the routine uses that may be made of the information; and
(4) the effects on the individual, if any, of not providing all or any part
of the requested information. See 5 U. S. C. sect. 552a( e).

13 The Privacy Act requires USPS to apply Privacy Act requirements to its
contractors and makes a contractor and any of its employees liable for the
same criminal penalties to which federal employees are subject. Therefore,
the Privacy Act applies to Postal Service contractors in the same way that
it applies to USPS. See 5 U. S. C. sect. 552a( m).

14 See 5 U. S. C. sect. 552a( n). 15 See 39 U. S. C. sect. 412.

Page 22 GAO- 02- 79 U. S. Postal Service

On September 26, 2001, USPS implemented MoversGuide. com, an ecommerce
initiative that allows electronic change of address for postal patrons via
the Internet. Customer change- of- address information provided through
MoversGuide. com will be incorporated into USPS? National Change of Address
Program (NCOA). Through NCOA, USPS collects and disseminates change- of-
address information reported by postal customers to qualified private firms
licensed by USPS to provide address correction services. In July 1999 we
reported 16 that, in our view, the use of NCOA- linked data to create or
maintain new movers lists by USPS licensees, who are viewed under the
Privacy Act as if they were USPS employees, would not be consistent with
limitations imposed by the Privacy Act. USPS disagreed and told us that the
Privacy Act does not restrict USPS licensees or their customers? use of
NCOA- linked data to create or maintain new movers lists. We also reported
that USPS restricts its licensees from using NCOA- linked data to create or
maintain new movers lists through its licensing agreements as a ?good
business practice? not because USPS considers it to be required by law.

While the Privacy Act places restrictions on the collection, maintenance,
use, and dissemination of personal information collected by federal
agencies, it does have its limitations. For example, the Privacy Act only
applies to personal information maintained in an agency?s ?system of
records.? 17 The Privacy Act defines a system of records as any group of
records under the control of an agency from which information is retrieved
by (not collected or maintained by) the name of an individual or by some
identifying number, symbol, or other identifying particular assigned to the
individual. In addition, the Privacy Act only applies to information about
individuals, not businesses. Furthermore, the act contains 12 exceptions to
its general prohibition on the disclosure of personal information. For
example, the act authorizes an agency to disclose a record for a routine
use, 18 for law enforcement purposes, pursuant to an order of a court of
competent jurisdiction, or to either House of Congress.

16 U. S. Postal Service: Status of Efforts to Protect Privacy of Address
Changes

(GAO/ GGD- 99- 102, July 30, 1999). 17 The Privacy Act requires USPS to
publish, in the Federal Register, a notice of all systems of records. 18
Routine uses are defined as those that are compatible with the purpose for
which the information was collected.

Page 23 GAO- 02- 79 U. S. Postal Service

Under the Postal Reorganization Act, as previously stated, USPS employees
and officers are prohibited from disclosing to the public lists of names or
addresses of postal patrons or other persons. In addition, the Postal
Reorganization Act exempts USPS from mandatory Freedom of Information Act
(FOIA) 19 disclosure for the name or address, past and present, of any
postal patron and for information of a commercial nature that would not be
disclosed under good business practice. 20 USPS told us that although it is
subject to FOIA requests for information, USPS would not release information
collected from e- commerce customers. USPS said that FOIA does not compel
disclosure that is otherwise prohibited by law. In this regard, USPS told us
that ?in our opinion, it would not be good business practice to disclose
private information obtained in the provision of electronic services.?

No comprehensive law comparable to the Privacy Act regulates the private
sector?s collection, maintenance, and dissemination of personal information.
Rather, the federal government?s policy, from the onset of the Internet, has
been to allow the private sector to regulate itself to the greatest extent
possible. However, Congress has regulated the private sector?s collection
and dissemination of personal information on a sectorby- sector basis when
it has found it necessary to do so. In addition, some private- sector e-
commerce providers may also be subject to the enforcement provisions of the
FTC Act, which prohibits unfair and deceptive practices in and affecting
commerce. 21 FTC has successfully used the FTC Act against private- sector
e- commerce providers who misrepresented, in a privacy notice, how they were
using personal information collected over the Internet. However, the FTC Act
can only be used in this manner if a private- sector company actually posts
a privacy notice- which is not always required by law.

Private- sector providers could be subject to the FTC Act and a variety of
federal laws that protect the privacy of personal information on a sectorby-
sector basis, such as the Gramm- Leach- Bliley Act, the Children?s Online
Privacy Protection Act (COPPA), and the ECPA, which prohibits

19 See 39 U. S. C. sect. 410( b)( 1), making USPS subject to FOIA, 5 U. S. C. sect.
552. FOIA provides persons with the right of access to a broad range of
records and materials related to the performance of agency activities, other
than those specifically excluded by law.

20 See 39 U. S. C. sect. 410( c)( 1) and sect. 410 (c)( 2). 21 Under the FTC Act,
FTC?s enforcement powers may not extend to financial institutions, common
carriers, and airlines, among others.

Page 24 GAO- 02- 79 U. S. Postal Service

disclosure of stored electronic communications to a governmental entity
without a search warrant or certain subpoenas. However, it does not appear
that USPS is subject to the FTC Act, the Gramm- Leach- Bliley Act, 22 or
COPPA. 23 (See table 1 for a description of these laws.) According to UPS,
one of the selected private- sector e- commerce providers we contacted,
private- sector providers, while not subject to the Privacy Act, are subject
to several other federal privacy- related laws as well as state laws and
regulations, in addition to ECPA, that do not apply to USPS. According to
UPS, these legal requirements may impose economic consequences for
noncompliance, while the Privacy Act and ECPA do not impose such
consequences upon USPS, in the absence of intentional violations of these
statutes.

Financial institutions, some of which provide electronic bill payment and
presentment services in competition with USPS, would be subject to the
privacy provisions of the Gramm- Leach- Bliley Act. 24 Among other things,
the Gramm- Leach- Bliley Act, enacted in November 1999, generally prohibits
financial institutions from disclosing nonpublic personal information to
nonaffiliated third parties without providing customers the opportunity to
decline such disclosures. 25 It also generally prohibits financial
institutions from disclosing account numbers to nonaffiliated third parties
for use in marketing, and requires financial institutions to give notice to
their customers of their privacy policies, including their policies
regarding the sharing of information with affiliates and nonaffiliated third
parties. Regulations implementing these privacy protections were promulgated
and became effective on November 12, 2000. Authority to enforce these
privacy protections is provided to a number of federal financial regulators,
state insurance authorities, and FTC, based on already existing jurisdiction
over the covered financial institutions. According to the American Bankers
Association (ABA), which

22 According to USPS, some of its eBillPay partners (including CheckFree and
Bank of America) are subject to the Gramm- Leach- Bliley Act. 23 Because
USPS is an independent establishment of the executive branch of the U. S.
government, it does not appear that USPS is subject to these acts. However,
the applicability of these acts to USPS has never been tested in court, and
FTC, which has responsibility for enforcing these acts, has not taken a
formal position on this matter.

24 15 U. S. C. sect.sect. 6801- 6809. 25 The Gramm- Leach- Bliley Act does not
prevent a financial institution from providing personal information to a
nonaffiliated third party that is to perform services for or on behalf of
the financial institution.

Page 25 GAO- 02- 79 U. S. Postal Service

represents financial institutions, the financial services industry, based on
Gramm- Leach- Bliley and other applicable statutes, provides vastly more
privacy protection than any other industry or government agency. ABA noted
that ?the volume of statutes, the examination of compliance with those laws
by the banking agencies, and the clear commitment by the industry to assist
customers in understanding these standards makes this evident.?

In addition, private- sector providers of e- commerce products and services
directed at children are subject to the provisions of COPPA. 26 COPPA
requires the operator of a commercial Web site or online service targeted at
children under the age of 13 to provide clear notice of information
collection and use practices; to obtain verifiable parental consent prior to
collecting, using, and disseminating personal information from and about
children under age 13; and to provide parents access to their children?s
personal information and the option to prevent its further use. On October
20, 1999, FTC issued a final rule to implement COPPA. 27 COPPA authorizes
FTC to bring enforcement actions and impose civil penalties for violations
of the rule in the same manner as for its other rules.

Table 1 focuses on how selected federal privacy laws may apply to USPS and
some private- sector providers of e- commerce products and services. In some
cases, USPS business partners may also be subject to these laws. In other
cases, the laws may apply to some, but not necessarily all, privatesector e-
commerce providers.

26 15 U. S. C. sect.sect. 6501- 6506. 27 16 C. F. R. Part 312.

Page 26 GAO- 02- 79 U. S. Postal Service

Table 1: Selected Federal Privacy Laws That May Apply to USPS and Some
Private- Sector E- Commerce Providers Citation Description Applies to

USPS a Applies to

some privatesector ecommerce

providers

Privacy Act of 1974 5 U. S. C. sect. 552a

Limits the collection, use, and dissemination of personal information about
individuals maintained by federal agencies in a system of records. Grants
individuals access to information about themselves. Requires federal
agencies to provide a notice informing individuals of the authority under
which the federal agency may ask for the information sought, the purpose for
which the information is intended to be used, the routine uses that may be
made of the information, and the effects of not supplying the information.
Provides for a private right to sue for violations of the act and criminal
penalties for willful violations. Requires federal agencies to apply
requirements of the act to its contractors.

Yes No Electronic Communications Privacy Act 18 U. S. C. sect. 2701 et seq.

Prohibits the disclosure by providers of an electronic communications
service or remote computing service of stored electronic communications to a
governmental entity without a search warrant or certain subpoenas.

Yes Yes Postal Reorganization Act of 1970 39 U. S. C. sect. 412 39 U. S. C. sect.
410 (c)( 1) and (c)( 2)

Provides that no officer or employee of USPS shall make available to the
public by any means or for any purpose any mailing or other list of names or
addresses of postal patrons or other persons, except for census purposes or
as otherwise specifically provided by law. Exempts from mandatory FOIA
disclosure the name or address, past or present, of any postal patron.
Exempts from mandatory FOIA disclosure information of a commercial nature
that would not be disclosed under good business practice.

Yes No Gramm- Leach- Bliley Act 15 U. S. C. sect.sect. 6801- 6809

Prohibits financial institutions from disclosing nonpublic personal
information to nonaffiliated third parties without providing customers the
opportunity to decline (? opt out? of) such disclosures. Limits financial
institutions from disclosing account numbers to nonaffiliated third parties
for use in marketing. Requires financial institutions to disclose their
privacy policies, including their policies regarding the sharing of
information with affiliates and nonaffiliated third parties.

No Yes Children?s Online Privacy Protection Act of 1998 15 U. S. C. sect.sect. 6501-
6506

Prohibits unfair and deceptive acts and practices in connection with the
collection and use of personal information from and about children under the
age of 13 on the Internet.

No Yes Federal Trade Commission Act 15 U. S. C. sect. 41 et seq.

Prohibits unfair and deceptive practices in and affecting commerce.
Authorizes FTC to seek injunctive and other relief for unfair and deceptive
practices. FTC?s enforcement powers may not extend to financial
institutions, common carriers, and airlines, among others. Has been used by
FTC against companies who have misrepresented, in a privacy notice, how they
were using personal information collected by them.

No Yes

Page 27 GAO- 02- 79 U. S. Postal Service

a Because USPS is an independent establishment of the executive branch of
the U. S. government, it does not appear that USPS is subject to the FTC
Act, the Gramm- Leach- Bliley Act, or COPPA. However, the applicability of
these acts to USPS has never been tested in court, and FTC, which has
responsibility for enforcing these acts, has not taken a formal position on
this matter. According to USPS, some of its partners (including CheckFree
and Bank of America) are subject to the GrammLeach- Bliley Act.

Source: GAO analysis of selected federal privacy laws.

When comparing the privacy protections offered by USPS and private sector
providers of e- commerce products and services, we found that the legal
requirements may vary depending upon the particular type of ecommerce
provider, product, or service. 28 These differences are of particular
interest with regard to the potential disclosure of personal information to
third parties. For example:

 Regarding personal information collected in connection with eBillPay and
competing electronic bill payment programs, both USPS and financial
institutions in the private sector are generally required by federal law to
provide notice to their customers of the uses to which personal information
may be put. The requirements to provide such notice are included in the
Privacy Act for USPS, and the Gramm- Leach- Bliley Act for the private-
sector providers. In addition, both USPS and private- sector providers of
electronic bill payment services are generally required under the Privacy
Act and the Gramm- Leach- Bliley Act, respectively, to provide their
customers with a choice 29 as to whether personal information will be
disclosed to third parties. The laws provide for disclosure under certain
circumstances. Exceptions to this general rule concerning the provision of
choice exist for both USPS and private sector providers. For example, with
respect to USPS, the combined effect of the ECPA and the Privacy Act would
authorize disclosure of personal information to third parties without
obtaining the prior consent of the individual for (1) a ?routine use? of the
information, (2) for law enforcement purposes pursuant to a search warrant,
(3) pursuant to certain court subpoenas, and (4) to either House of
Congress. In addition, under the Postal Reorganization Act, USPS is
generally prohibited from disclosing lists of names or addresses to the
public. Currently, under the routine uses for its eBillPay service, USPS

28 We only looked at selected federal privacy laws (see table 1). 29 USPS is
required to obtain customers? consent before disclosing information to a
third party (opt in), whereas financial institutions are prohibited from
disclosing nonpublic personal information to nonaffiliated third parties
without providing customers the opportunity to decline such disclosures (opt
out).

Page 28 GAO- 02- 79 U. S. Postal Service

provides personal information to its business partner, CheckFree, 30 and to
the Credit Reporting Agency in the provision of its eBillPay service. Under
the Gramm- Leach- Bliley Act, financial institutions in the private sector,
some of which provide bill payment and presentment services, are generally
prohibited from disclosing account numbers to nonaffiliated third parties
for use in marketing. However, financial institutions are authorized to
disclose personal information, without providing its customers the
opportunity to decline, or ?opt out? of the disclosure, to third parties
that perform services for or on behalf of the financial institution if
confidentiality of the information is provided for by contract.  Regarding
personal information collected in connection with the sale of

merchandise through an e- commerce program, USPS would still generally be
required under the Privacy Act to provide notice to its customers of the
uses to which personal information may be put and to provide a choice before
it is disclosed. The same exceptions, mentioned in the above example, to
this general rule would apply. On the other hand, a privatesector company
selling merchandise through an e- commerce program would generally not be
required by federal law to provide notice to its customers of the uses to
which personal information may be put or to provide a choice before it has
disclosed such information. However, if the e- commerce program targeted
children under the age of 13, the provider would be subject to the
provisions of COPPA. In addition, if certain private- sector companies
voluntarily provided notice that disclosure of personal information to third
parties would be restricted, FTC could bring an enforcement action against
the company for failure to follow those restrictions. 31

In response to concerns that have been raised by advocacy groups and others
about the privacy of customer information collected on the Internet, various
providers of e- commerce services in the public and private sectors began to
develop and adopt various business practices to protect the privacy of
customer information. In particular, consumers appear concerned about the
extent to which some Web site operators collect consumer information and
share that information with third parties without the consumer?s knowledge.
Surveys have shown that some potential e- commerce customers avoid using
these products and services because of fear that their personal information
will be misused. Both USPS and selected private- sector providers, including
associations that

30 See footnote 22. 31 See exceptions listed in footnote 21. The Use of
Self- Regulatory

Business Practices by USPS and Private- Sector Providers Can Also Protect E-
Commerce Customers? Personal Information

Page 29 GAO- 02- 79 U. S. Postal Service

represent such providers, have reported that they use many of these
voluntary privacy business practices.

A variety of tools and methods have been developed by both the public and
private sectors to develop, assess, and monitor their privacy practices. For
example, privacy policy generators, offered by such groups as the Direct
Marketing Association (DMA), Microsoft, and TRUSTe, have been used to create
draft privacy policies for private- sector providers. In addition, privacy
risk assessment tools, such as the Internal Revenue Service?s privacy impact
assessment, have been used to evaluate the privacy of customer information.
Finally, some private- sector providers have used privacy seal programs and
independent audits to develop, assess, and monitor their privacy practices.
Privacy seal programs, such as those administered by TRUSTe, BBBOnline, and
CPA Webtrust are independent, third- party enforcement programs that provide
a way to monitor company practices and enforce privacy policies. A number of
private- sector providers have also had independent entities, such as
accounting firms, conduct independent audits to determine whether they are
following their stated privacy policies. USPS notes it is also subject to
independent audits by us and the USPS? Office of Inspector General (OIG).

After discussions with key stakeholders, such as FTC staff and OMB officials
and selected private- sector providers, we compiled a list of voluntary
privacy business practices that the private and public sectors have
developed to protect customers? information. While we recognize that there
are numerous private- sector e- commerce providers, we contacted the
providers included in table 2 because they offered ecommerce products and
services similar to those offered by USPS. These providers include ABA,
whose members include community, regional and money- centered banks and
holding companies as well as savings associations, trust companies, and
savings banks; DMA, whose members include users and suppliers in the direct,
database, and interactive marketing field; and UPS, a leading delivery and
logistics company. We recognize that this list is not complete as self-
regulatory practices are continually being developed. We sent this list to
USPS and the selected private- sector providers and asked whether they used
these practices. We did not verify whether USPS or the selected private-
sector providers we contacted actually adhered to their privacy policies or
followed the privacy practices they said they used. We did not assess these
practices to

Page 30 GAO- 02- 79 U. S. Postal Service

determine their effectiveness, or address the security aspects of the
protection of customers? data. 32

Table 2 describes some of the privacy business practices that USPS and the
selected private- sector providers of e- commerce products and services
reported that they used. 33

32 USPS? OIG has previously conducted work in the security area and
according to an OIG official is currently working on a report dealing with
security, privacy, and access language issues related to USPS? e- commerce
initiatives.

33 The items checked do not necessarily represent business practices used by
all association members and may be considered a response based on a sampling
of members.

Page 31 GAO- 02- 79 U. S. Postal Service

Table 2: Privacy Business Practices Used by USPS and Selected Private-
Sector E- Commerce Providers Type of practice Description of practice USPS
ABA DMA UPS

Chief privacy officer Key officer position, which, may among other things,
establish and oversee company privacy policies and monitor privacy laws and
regulations and company compliance.

X XXX Privacy policy Privacy policy posted on organization?s Web site that

1. states what information is collected; X X X X 2. states how information
is collected; X X X X 3. states how information will be used; X X X X 4.
states whether information is used or shared with other partners,
affiliates, or third parties; X XXX 5. states whether and for what purpose
cookies are used; X X X X 6. states how information from and about children
will be handled; X X X X 7. provides consumer choice (opt in/ opt out of
information sharing); X X X X 8. states how information will be safeguarded
(security); X X X X 9. provides access to information for correction/
deletion; X X X 10. states how long information will be retained; X X 11.
provides adequate contact information for complaints; and X X X X 12.
provides a general statement that agents and vendors maintain
confidentiality and provide the same privacy protections as does the
organization.

X X X

Privacy guidelines

FTC has summarized four principles regarding the collection, use, and
dissemination of personal information, which it believes, should be
addressed in an organization?s privacy policy a 1. Notice (Data collectors
must disclose their information practices before collecting personal
information from consumers),

X XX 2. Choice (Consumers must be given options with respect to whether and
how personal information collected from them may be used for purposes beyond
those for which the information was provided).

X X 3. Access (Consumers should be able to view and contest the accuracy and
completeness of data collected about them). X X FTC?s fair information

principles 4. Security (Data collectors must take reasonable steps to ensure
that information collected from consumers is accurate and secure from
unauthorized use).

X XX OMB?s guidance and model language for developing federal Web site
privacy policies; and X Selected federal guidelines FTC?s regulations on
compliance with the Children?s Online Privacy Protection Act and the Gramm-
Leach- Bliley Act. X XX Industry association guidelines Guidelines provided
by industry associations to assist their

members in formulating self- regulatory privacy policies and/ or complying
with federal privacy laws/ regulations.

X XX

Page 32 GAO- 02- 79 U. S. Postal Service

Type of practice Description of practice USPS ABA DMA UPS Privacy tools

Privacy policy generators Privacy policy generators are designed to help
businesses develop their own privacy policies. In some cases, users complete
questionnaires that detail the site?s information policies. The information
is then used to create a draft privacy policy that the privacy policy
generator Web site sends back to the user. The policy can be amended or
supplemented by the user before it is posted on the user?s Web site. Privacy
policy generators include those offered by, among others, DMA, Microsoft,
and TRUSTe.

X X Privacy risk assessment processes Privacy risk assessment tools are
processes used to evaluate the

privacy of customer information in online information systems. For example,
the Internal Revenue Service?s privacy impact assessment is a guide to
provide system owners and developers of online information systems in
assessing privacy through privacy training, project data gathering to
address privacy issues, and identifying and resolving privacy risks, among
other things.

X XX

Third- party compliance audits

Privacy seal programs A seal program is an independent, third- party
enforcement program that provides a way to monitor company practices and
enforce privacy policies. They are designed to provide protection to
consumers by allowing Web companies to standardize privacy policies. Privacy
seal programs include, among others, TRUSTe, BBBOnline, and CPA Webtrust.

X Independent audits Independent audits by an independent entity, such as an

accounting firm, determine whether an organization is following its stated
privacy policy.

X XX

Technology solutions

Control of personal data by individuals Some technological solutions are
becoming available that enable

individuals to control their personal information and make decisions based
on their individual privacy needs, such as the Platform for Privacy
Preferences (P3P). When implemented, P3P- enabled Web sites will be able to
communicate automatically their stated privacy policies to users? browsers,
and compare these policies to users? preferences. Users can then decide
whether to release personal identifiable information to the Web site.

X

Other privacy efforts

Standard contract language Standard privacy clauses in contracts with e-
commerce providers? suppliers, contractors, and affiliates that ensure
consistency of privacy policies for customers.

X XXX Employee training Training provided to employees regarding the
protection of

customer?s personal information and the organization?s privacy policies and
practices.

X XX a See FTC reports, Privacy Online: A Report to Congress, June 1998;
Privacy Online: Fair Information Practices in the Electronic Marketplace,
May 2000. Source: USPS, FTC, OMB, and selected private- sector providers.

As shown in table 2, USPS and all of the selected private- sector providers
we contacted reported that they have privacy policies posted on their Web
sites that state how customers? information will be collected, safeguarded,
and used. They also reported that they incorporate standard privacy

Page 33 GAO- 02- 79 U. S. Postal Service

clauses in contracts with e- commerce suppliers, contractors, and
affiliates. USPS has reported that its contractors, such as its business
partner in offering USPS eBillPay, are bound by contract to the same
disclosure requirements that apply to USPS. USPS and the selected private-
sector providers stated that they either have a chief privacy officer or an
officer who performs the functions of a chief privacy officer. USPS stated
that it adhered to all, and some of the selected providers reported that
they adhere to most, of the FTC?s fair information principles (notice,
choice, access, and security). The selected private- sector providers
reported that they provide training to employees regarding the protection of
customers? personal information and the organizations? privacy policies and
practices. USPS officials stated that they plan to implement P3P (a
technological solution that is intended to enable individuals to control
their personal information and make decisions based on their individual
privacy needs) this fiscal year, and initiate a training program in the
future. Regarding processes, USPS? Chief Privacy Officer stated that USPS
has established, among other things, an internal cross- functional advisory
board, and a privacy assessment tool to ensure privacy compliance and set
security requirements in product development.

Regarding voluntary adherence to federal laws and regulations, USPS? Chief
Privacy Officer told us that USPS generally voluntarily follows the
requirements of the Gramm- Leach- Bliley Act, COPPA, FTC guidance related to
privacy issues, and OMB?s privacy memorandums. Further, the Deputy
Postmaster General stated in February 2001 that although USPS does not
consider itself subject to OMB guidance, it has decided to voluntarily
comply with the following two OMB Memorandums related to privacy matters.
First, OMB Memorandum M- 99- 18, issued in June 1999, requires federal
agencies to post clear privacy policies on their principal Web sites; to any
other known, major entry points to their Web sites; and to any other entry
points to their Web sites where the agency collects substantial personal
information from the public. The memorandum also requires such policies to
inform Web site visitors what information the agency collects about
individuals, why it is collected, and how it is used, and requires the
policies to be clearly labeled and easily accessed when someone visits the
site.

Page 34 GAO- 02- 79 U. S. Postal Service

Second, OMB Memorandum M- 00- 13, issued on June 22, 2000, details OMB?s
requirements related to cookies. 34 It established a new policy concerning
cookies by stating that cookies should not be used at federal Web sites, or
by contractors when operating Web sites on behalf of agencies, unless clear
and conspicuous notice is given and the following conditions are met: (1)
there is a compelling need to gather the data on the site, (2) the agency
takes appropriate and publicly disclosed privacy safeguards for handling
information derived from cookies, and (3) the head of the agency has
personally approved the use of cookies. In addition, the memorandum states
that it is federal policy that all federal Web sites and contractors when
operating on behalf of agencies shall comply with the standards set forth in
COPPA with respect to the collection of personal information on- line at Web
sites directed at children. In October 2000, we found that USPS used
persistent cookies, 35 which USPS fully disclosed in its privacy policy. 36
With respect to privatesector e- commerce providers, some may disclose the
extent and purpose of their use of cookies while others may not.

Although USPS has actions under way to respond to the recommendations in our
previous report, it has not yet fully addressed them. Over the past year,
USPS has continued to struggle with the management and performance of its e-
commerce program. Implementation of USPS? ecommerce initiatives has
continued in a fragmented and inconsistent manner. USPS has had difficulty
both identifying and classifying its Internet- related initiatives, which
include e- commerce initiatives. Further, it does not have reliable
financial information for all of its e- commerce and Internet- related
initiatives. USPS is attempting to resolve the deficiencies we identified
and has recently reorganized its management structure for its e- commerce
program. We believe that efforts to establish better transparency and
accountability for performance results are steps in the right direction.

34 A cookie is a short string of text- not a program- that is sent from a
Web server to a Web browser when the browser accesses a Web page. The use of
cookies allows the server to recognize returning users, track on- line
purchases, or maintain customized Web pages.

35 Persistent cookies specify expiration dates, remain stored on the
client?s computer until the expiration date, and can be used to track users?
browsing behavior by identifying their Internet addresses whenever they
return to a site.

36 See Internet Privacy: Federal Agencies? Use of Cookies, GAO- 01- 147R,
Oct. 20, 2000). Conclusions

Page 35 GAO- 02- 79 U. S. Postal Service

USPS has aggressively taken a number of steps to implement a privacy
program. Although the selected private- sector providers we contacted and
USPS are subject to different privacy- related laws, both have reportedly
developed privacy policies and practices that exceed those required by
federal law. Given the myriad federal and state privacy laws applicable in
this area as well as the numerous private- sector providers with varying
privacy practices, we did not attempt to determine which privacy practices
might afford customers greater privacy protection.

Concerns continue to be raised in Congress about whether USPS? ecommerce
initiatives in the aggregate are being cross- subsidized by other postal
products and services. In responding to our previous report, USPS told us
that in providing e- commerce products and services, it would ensure that in
the aggregate, the revenues generated by such products and services would
cover their direct and indirect costs as well as make a contribution to
overhead. To date, although USPS does not yet have complete revenue and cost
information on its original e- commerce initiatives, based on the financial
information that was provided to us, none of the e- commerce initiatives
were profitable. Without complete and reliable financial information on its
e- commerce initiatives, USPS is hindered when assessing its progress toward
meeting its e- commerce performance goals or determining whether and when
those initiatives that are not meeting their goals should be modified or
discontinued.

Although USPS intends to provide complete financial reporting on its
ecommerce activities by the end of calendar year 2001, we remain concerned
about its ability to meet this goal because of recent changes under way in
USPS? management structure and uncertainty about when USPS? e- commerce
program will stabilize. Given the difficulties USPS has had in
distinguishing between e- commerce, Internet- related, and its core products
and services and, according to USPS officials, the probability that most new
products and services are likely to have some Internetrelated component, we
believe that the need for improved financial information extends not just to
e- commerce initiatives but to all new products and services. Further, we
are concerned that currently USPS does not have clear and comprehensive
policies and procedures that would address how all of the direct and
indirect costs associated with its e- commerce and other new products and
services are to be reported. Without comprehensive policies and procedures
in this area, inconsistencies in reporting are likely to continue.

Accordingly, we believe that the Postmaster General should take steps to
develop reliable and consistent financial information for all of its new

Page 36 GAO- 02- 79 U. S. Postal Service

products and services. If these steps do not result in better transparency
of and accountability for USPS? new products and services, Congress may want
to consider requiring USPS to have an annual review by the PRC on the
performance of its new products and services, including its ecommerce
activities, and PRC to submit a report to Congress annually on the results
of this review.

To ensure that USPS develops reliable and consistent financial information
for all of its new products and services, we recommend that the Postmaster
General

 develop a comprehensive set of policies and procedures for capturing,
attributing, and reporting revenues and expenses associated with its new
products and services and that are consistent with PRC?s cost attribution
policies;  provide an annual report to the Senate Committee on Governmental

Affairs, House Committee on Government Reform, and PRC showing its revenues
and expenses for new products and services individually and in aggregate
that has been audited by an independent entity for the purpose of
determining that the report was prepared in accordance with the Service?s
policies and procedures and generally accepted accounting principles; and 
provide the audited report for fiscal year 2001 by May 1, 2002, and by May

1 for each subsequent year. In view of congressional interest in USPS? new
products and services and the difficulty USPS has had in providing reliable
information on its Internet- related activities, if the steps taken by USPS
do not prove effective, Congress may wish to consider

 requiring USPS to report annually to PRC on the performance of its new
products and services, including its e- commerce activities, and  having
PRC evaluate the quality of the data and submit a report annually to

Congress on the results of this review. The information provided by USPS
could correspond to that currently provided to PRC and Congress for the
volumes, revenues, and costs of its international mail products and
services. Recommendations for

Executive Action Matter for Congressional Consideration

Page 37 GAO- 02- 79 U. S. Postal Service

USPS provided comments on a draft of this report in a letter from the Deputy
Postmaster General dated December 4, 2001. These comments are summarized
below and included as appendix III. We also incorporated technical comments
provided by USPS, FTC, and UPS officials into the report where appropriate
as well as oral comments provided by PRC?s Director of Rates, Analysis and
Planning on the Matter for Congressional Consideration.

USPS said that the draft report pointed out some areas in which it had done
a good job and other areas that it said we believed it had considerable work
to do. USPS acknowledged that it while it had made progress in responding to
our earlier recommendations, 37 it had not made all of the progress we would
have liked. With respect to its privacy protections, USPS said that it
appreciated our evaluation. It said that in this area of evolving law,
regulation, and good business practice, it was confident that it was an
industry leader. Through the protections it provides, USPS said, that its
customers have strong assurance that their privacy is respected and
protected. As we noted in our report, in contrast to its fragmented approach
to e- commerce programmatic activities, USPS has created a focused privacy
program headed by a Chief Privacy Officer. USPS reportedly has developed
privacy policies and practices for its ecommerce customers that exceed those
required by federal law, and is also voluntarily engaging in additional
self- regulatory privacy practices to safeguard customers? personal
information.

USPS said that it was continuing to implement several organizational and
process changes that would result in a better and more sharply focused
approach to developing and launching not only e- commerce initiatives but
also other new products and services. Further, USPS said that in the
restructuring of a number of headquarters functions by the Postmaster
General in early September, marketing was one of the areas in which
significant changes had been made. All units responsible for developing and
rolling out new products and services, including e- commerce, have now been
combined into one department to increase management oversight, program
discipline, and financial control over the initiatives.

We believe that such steps, if properly implemented, should assist USPS
management in resolving the fragmented approach to management that we
observed during our review. It appears to us that this fragmented

37 See GAO/ GGD- 00- 188. Agency Comments

and Our Evaluation

Page 38 GAO- 02- 79 U. S. Postal Service

approach was due, in part, to many business units having responsibility for
e- commerce initiatives. However, since USPS is still in the process of
implementing organizational changes, it may take some time before the
results of this reorganization are apparent.

USPS said that it was no longer struggling with a definition for ecommerce.
It now defines its e- commerce initiatives as ?those products or services
that require the use of the Internet for the customer to do business with us
and whose primary objective is to generate new revenue.? USPS said that the
reason for the emphasis on new revenue was that by expanding its product
base, it could develop additional revenue streams to help its ?bottom line.?
USPS also said that it recognized that some of its new products and services
might either use the Internet or generate new revenue, but only those that
met both tests would be defined as e- commerce. However, USPS noted that
initiatives defined as ?non- ecommerce? would not receive any less
management scrutiny. Applying this definition, USPS stated that it currently
has 5 e- commerce initiatives: ePayments, PosteCS, NetPost Certified,
NetPost Mailing Online/ NetPost Cardstore, and Secure Electronic Delivery
Services/ Electronic Postmark.

While we believe that it is important for USPS to have a good definition for
e- commerce, it appears to us that USPS faces considerable challenges in
consistently applying its revised definition and in categorizing its new
products and services that involve use of the Internet in a manner in which
its various stakeholders would concur. For example, USPS? revised list of e-
commerce products and services did not include revenue- generating
advertisements and links to advertisers placed on USPS? Web site. It is
unclear to us why these advertisements would not fit USPS? definition since
they require use of the Internet and are likely there primarily to raise
revenue. Our recommendations that USPS develop policies and procedures for
reporting revenues and expenses and provide financial reports on all of its
new products and services are aimed in part at addressing the challenge that
USPS has faced, and continues to face, in consistently applying an e-
commerce definition.

With respect to the recommendations contained in the draft report, USPS
agreed with our first recommendation that it provide a comprehensive set of
policies and procedures for capturing, attributing, and reporting revenues
and expenses associated with its new products and services. It noted that
these would be consistent with cost attribution policies as required in the
Postal Reorganization Act and sound business practices for new product
introduction and costing. We believe that providing such policies and
procedures would be a step in the right direction if properly

Page 39 GAO- 02- 79 U. S. Postal Service

implemented. It is important that such polices and procedures ensure that
USPS tracks and reports consistent information on all of its new products
and services and that they are consistent with PRC cost attribution
policies.

In response to our recommendations concerning annual reporting, USPS said
that it would continue its practice of program- specific profit and loss
statements, and that these reports would be available to appropriate Senate
and House Committees, GAO, and the PRC. USPS noted that these reports would
cover those products and services not subject to PRC jurisdiction for
pricing, for which a process is already in place to examine their costs and
revenues. USPS said that since its financial statements are audited on an
annual basis by an independent certified public accounting firm, it planned
to have the profit and loss statements reviewed by the accounting firm at
the same time for adherence with its reporting policies and generally
accepted accounting principles. USPS said that the statements would be
submitted by May 1 of each year to the Senate Committee on Governmental
Affairs, the House Committee on Government Reform, and to the PRC. In
preparing these statements, it is important that USPS be able to track
revenues and expenses of all of its new products and services individually
as well as in the aggregate so that it can develop complete and consistent
program information and ensure that there is no cross- subsidization.
Without an aggregate report, USPS and others will have difficulty
determining whether USPS is recovering its overall costs. We plan to discuss
our views on reporting new products and services financial data with USPS
officials as they develop their approach to implementing our recommendations
over the next few months.

USPS offered no comments on the Matter for Congressional Consideration in
this report. In oral comments, the PRC Director of Rates, Analysis and
Planning said that if Congress elects to require USPS to report annually to
PRC on the performance of all of its new products and services, then certain
aspects of USPS reporting on international products and services would be a
good model to follow. He noted that PRC had a formal proceeding with the
input of interested parties to establish reporting policies and procedures
in the international area. He also said that PRC?s review provides assurance
that the data in this area conform to its reporting policies and procedures.
PRC has made recommendations for improving the quality of USPS financial
data in the international area. In its most recent report, PRC noted that
USPS had made improvements that enhanced the reliability of PRC conclusions
regarding the potential for cross- subsidization of international mail.

Page 40 GAO- 02- 79 U. S. Postal Service

We are sending copies of this report to the Chairman, Subcommittee on
International Security, Proliferation, and Federal Services, Senate
Committee on Governmental Affairs; the Chairman and Ranking Minority Member,
Senate Committee on Governmental Affairs; the Chairman and Ranking Minority
Member, House Committee on Government Reform; Mr. John E. Potter, Postmaster
General/ Chief Executive Officer; Mr. George Omas, Chairman, Postal Rate
Commission; and other interested parties. We will also make copies available
to others on request. Staff acknowledgments are included in appendix IV. If
you have any questions about this report, please contact me on (202) 512-
8387 or at ungarb@ gao. gov.

Sincerely yours, Bernard L. Ungar Director, Physical Infrastructure Issues

Appendix I: Objectives, Scope, and Methodology

Page 41 GAO- 02- 79 U. S. Postal Service

For this report, our objectives were to (1) determine what actions USPS has
taken to respond to the recommendations in our September report relating to
its e- commerce activities; (2) update the status and performance of USPS?
e- commerce initiatives; and (3) compare federal privacy laws, regulations,
and policies that apply to USPS in the ecommerce area to those that apply to
private- sector providers and discuss voluntary privacy protections provided
by USPS and selected privatesector providers.

To determine actions taken by USPS to respond to our recommendations, we
attempted to obtain an updated definition of what USPS considered to be an
e- commerce initiative and a listing of e- commerce initiatives, which were
also to correspond to USPS? updated definition. We asked for a description
of each initiative, along with available supporting documentation. During
our review, USPS was in the process of defining, identifying, and
classifying its Internet- related initiatives, which include ecommerce
initiatives, as well as updating its definition of e- commerce. Ecommerce
initiatives are just one subset of USPS? new products and services, which
may include other Internet- related initiatives as well as retail and
advertising initiatives. USPS provided us with information on initiatives
that were implemented, piloted, or planned as of September 2001, but did not
finalize its definition of e- commerce initiatives or its listing of
Internet- related initiatives, which were to include e- commerce
initiatives, until December 2001. We obtained additional information on USPS
e- commerce initiatives from the Postal Rate Commission (PRC) and other
public sources, such as the USPS Internet site.

To update the status and performance of USPS e- commerce initiatives, we
obtained documentation from USPS on its goals and strategies, expected
performance, and results through the third quarter of fiscal year 2001,
relating to its e- commerce initiatives. The documentation included, for
example, available performance measures, targets, and expected performance
and results; documentation of processes applicable to USPS e- commerce
initiatives and the approval of specific initiatives under those processes;
e- commerce business plans, minutes of the eBusiness Opportunity Board and
relevant meetings of the Board of Governors; and available financial data.

We interviewed USPS officials responsible for USPS e- commerce initiatives,
including the Deputy Postmaster General, the Vice President for e- Commerce,
the Vice President for Corporate Business Development, and other e- commerce
program officials. We also interviewed officials Appendix I: Objectives,
Scope, and

Methodology

Appendix I: Objectives, Scope, and Methodology

Page 42 GAO- 02- 79 U. S. Postal Service

responsible for compiling financial data. In all cases, we obtained, when
possible, documentation to corroborate oral statements.

To obtain information on financial results for the e- commerce program, we
obtained information from USPS on revenues and expenses generated by its e-
commerce initiatives through the third quarter of fiscal year 2001, although
some did not have reported revenues because they had not been implemented by
that time. 1 However, these data were not provided for all of the e-
commerce and other Internet- related initiatives included on lists that USPS
provided to us in August 2001. We did not review or independently audit the
overall integrity of USPS? data, but we examined it for consistency,
clarity, and completeness.

To compare federal privacy laws, regulations, and policies that apply to
USPS in the e- commerce area to those that apply to private- sector
providers, we built on information already compiled in our previous report
on USPS e- commerce activities as well as in other GAO reports on Internet
privacy. We interviewed USPS officials, including USPS? Chief Privacy
Officer, as well as OMB officials and FTC staff. We reviewed documents and
other information obtained from USPS and selected private- sector providers.
We reviewed the material obtained for internal consistency and completeness,
but we did not verify the information provided by USPS or the selected
private- sector providers. We also reviewed USPS information as well as
information on some of its partners and affiliates that was available on
their respective Internet sites. We also reviewed reports and studies on
Internet privacy prepared by FTC and the Congressional Research Service,
among others. We researched and analyzed selected federal privacy laws
including the Privacy Act, the Postal Reorganization Act of 1970, the
Electronic Communications Privacy Act, the GrammLeach- Bliley Act, and the
Children?s Online Privacy Protection Act.

To provide information on voluntary privacy policies and protections
provided by USPS and private- sector providers of e- commerce products and
services, we obtained written information from USPS and selected private-
sector providers. While we recognize that there are numerous private- sector
e- commerce providers, we selected the United Parcel

1 The financial statements were for EPM; ePayments, including eBillPay;
MoversGuide. com; NetPost Certified; NetPost Mailing Online, including
Cardstore; PosteCS, and the Postal Store. As of December 4, 2001, based on
USPS? comments on our draft report, USPS no longer considered MoversGuide.
com or the Postal Store as e- commerce initiatives

Appendix I: Objectives, Scope, and Methodology

Page 43 GAO- 02- 79 U. S. Postal Service

Service (UPS), the Direct Marketing Association (DMA), and the American
Bankers Association (ABA) because they, or their members, offered ecommerce
products and services similar to those offered by USPS. For example, they or
their members offered or used e- commerce services such as electronic bill
payment and presentment services, online shipping services, and direct mail
marketing. ABA members include community, regional, and money- center banks
and holding companies as well as savings associations, trust companies, and
savings banks. According to ABA, most community banks are members and
substantially all large banks are members of ABA. The DMA?s members, users
and suppliers in the direct, database, and interactive marketing field, may
provide similar services to those of USPS or be customers of USPS? e-
commerce services. DMA has more than 4,700 member organizations, commercial
as well as not- for- profit, from the United States and over 53 nations on 6
continents. UPS is a leading delivery and logistics company.

We did not review actual privacy practices of USPS or selected privatesector
providers; therefore, we did not assess either their voluntary privacy
practices or whether they were complying with all applicable privacy laws.
Given the myriad federal and state privacy laws applicable in this area, as
well as the numerous private- sector providers with varying privacy
practices, we did not attempt to determine which privacy practices might
afford customers greater privacy protection.

We conducted our review at USPS headquarters in Washington, D. C., between
January 2001 and October 2001 in accordance with generally accepted
government auditing standards.

Appendix II: USPS E- Commerce Initiatives Page 44 GAO- 02- 79 U. S. Postal
Service

Initiative a Description of initiative Intended customers Status

Electronic Postmark (EPM)

Creates a secure electronic time and date stamp for electronic
communications and provides evidence of any tampering. EPM has been
incorporated with other initiatives, such as PosteCS.

Financial, legal, medical, government, and educational organizations

Implemented 4/ 2000.

ePayments (e- BillPay)

Provides integrated ePayment solutions: eBillPay allows consumers to pay
bills, businesses to send bills, consumers to pay each other, and consumers
to receive financial statements.

Consumers and businesses

eBillPay was implemented 4/ 2000, and the other enhancements were
implemented 9/ 2001. Internet Change of Address and Move Related Products
and Services (MoversNet. com) (MoversGuide. com)

MoversNet includes three products and services: the hard copy publications-
Movers Guide and Welcome Kit- and the Internet application called MoversNet.
com. Currently MoversNet. com allows downloading a form for customers to
submit changes of physical addresses and is accessible via the USPS Web site
and via direct link. It is offered through a strategic alliance with a
private company. MoversGuide. com, an enhanced version of MoversNet, allows
change of address orders to be accepted electronically and securely via the
Internet, with proper identity validation.

All postal customers

MoversNet was implemented summer 1996. MoversGuide. com was implemented 9/
2001.

NetPost Cardstore Allows customers to send greeting cards via a Web
interface. Customers can choose from a menu of existing cards for multiple
business and personal occasions.

All postal customers

Implemented 12/ 2000.

NetPost Certified Allows secure electronic exchange of data and documents.
The program is supported by digital certificates and electronic postmarks
issued by USPS. The service is currently in use with government agencies.

Government agencies Implemented

1/ 2001. NetPost Mailing Online

Allows mailers to electronically transmit their documents, correspondence,
newsletters, and other First- Class Mail and Standard- A mail (primarily
advertising mail), along with mailing lists, to USPS. Electronic files would
then be securely distributed to printing contractors who print documents,
insert them into addressed envelopes, sort the mail pieces, and transport
the mailing to post offices for processing and delivery.

Small Office and Home Office (SOHO) customers

Implemented 9/ 2000.

PosteCS An electronic courier service, it provides a secure, private,
Internet based document delivery system. USPS has joined with Canada Post
and LaPoste of France to provide this service globally.

Large to medium size businesses and SOHOs

Implemented 5/ 2000.

Postal Store The Postal Store, formerly StampsOnline, allows postal
customers to purchase stamps, philatelic products, phone cards, and other
USPS merchandise via the Internet.

All postal customers Postal Store

replaced Stamps Online in 11/ 2000. a These e- commerce initiatives, with
the exception of NetPost Cardstore, were included in our

September 2000 report. As of December 4, 2001, USPS no longer considered
MoversGuide. com or the Postal Store as e- commerce initiatives.

Source: USPS data, fiscal years 2000 and 2001.

Appendix II: USPS E- Commerce Initiatives

Appendix III: Comments From USPS Page 45 GAO- 02- 79 U. S. Postal Service

Appendix III: Comments From USPS

Appendix III: Comments From USPS Page 46 GAO- 02- 79 U. S. Postal Service

Appendix IV: GAO Contacts and Staff Acknowledgments

Page 47 GAO- 02- 79 U. S. Postal Service

Bernard L. Ungar (202) 512- 8387 Teresa Anderson, Hazel J. Bailey, Joshua
Bartzen, Kenneth E. John, Jill Sayre, and Albert Schmidt made key
contributions to this report. Appendix IV: GAO Contacts and Staff

Acknowledgments GAO Contact Acknowledgments

Related GAO Products Page 48 GAO- 02- 79 U. S. Postal Service

Electronic Government: Challenges Must Be Addressed With Effective
Leadership and Management (GAO- 01- 959T, July 11, 2001)

Internet Privacy: Implementation of Federal Guidance for Agency Use of
?Cookies? (GAO- 01- 424, Apr. 27, 2001)

Bank Regulators? Evaluation of Electronic Signature Systems (GAO- 01- 129R,
Nov. 8, 2000)

Internet Privacy: Federal Agencies Use of Cookies (GAO- 01- 147R, Oct. 20,
2000)

Internet Privacy: Comparison of Federal Agency Practices With FTC?s Fair
Information Principles (GAO- 01- 113T, Oct. 11, 2000)

Internet Privacy: Comparison of Federal Agency Practices With FTC?s Fair
Information Principles (GAO/ AIMD- 00- 296R, Sept. 11, 2000)

Internet Privacy: Agencies? Efforts to Implement OMB?s Privacy Policy

(GAO/ GGD- 00- 191, Sept. 5, 2000)

U. S. Postal Service: Postal Activities and Laws Related to Electronic
Commerce (GAO/ GGD- 00- 188, Sept. 7, 2000)

U. S. Postal Service: Electronic Commerce Activities and Legal Matters

(GAO/ T- GGD- 00- 195, Sept. 7, 2000)

U. S. Postal Service: Status of Efforts to Protect Privacy of Address
Changes (GAO/ GGD- 99- 102, July 30, 1999)

U. S. Postal Service: Development and Inventory of New Products (GGD99- 15,
Nov. 24, 1998)

U. S. Postal Service: Unresolved Issues in the International Mail Market

(GAO/ GGD- 96- 51, Mar. 11, 1996). Related GAO Products

(393008)

The General Accounting Office, the investigative arm of Congress, exists to
support Congress in meeting its constitutional responsibilities and to help
improve the performance and accountability of the federal government for the
American people. GAO examines the use of public funds; evaluates federal
programs and policies; and provides analyses, recommendations, and other
assistance to help Congress make informed oversight, policy, and funding
decisions. GAO?s commitment to good government is reflected in its core
values of accountability, integrity, and reliability.

The fastest and easiest way to obtain copies of GAO documents is through the
Internet. GAO?s Web site (www. gao. gov) contains abstracts and full- text
files of current reports and testimony and an expanding archive of older
products. The Web site features a search engine to help you locate documents
using key words and phrases. You can print these documents in their
entirety, including charts and other graphics.

Each day, GAO issues a list of newly released reports, testimony, and
correspondence. GAO posts this list, known as ?Today?s Reports,? on its Web
site daily. The list contains links to the full- text document files. To
have GAO e- mail this list to you every afternoon, go to www. gao. gov and
select "Subscribe to daily e- mail alert for newly released products" under
the GAO Reports heading.

The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent of
Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more
copies mailed to a single address are discounted 25 percent. Orders should
be sent to:

U. S. General Accounting Office P. O. Box 37050 Washington, D. C. 20013

To order by Phone: Voice: (202) 512- 6000 TDD: (202) 512- 2537 Fax: (202)
512- 6061

GAO Building Room 1100, 700 4th Street, NW (corner of 4th and G Streets, NW)
Washington, D. C. 20013

Contact: Web site: www. gao. gov/ fraudnet/ fraudnet. htm, E- mail:
fraudnet@ gao. gov, or 1- 800- 424- 5454 or (202) 512- 7470 (automated
answering system).

Jeff Nelligan, Managing Director, NelliganJ@ gao. gov (202) 512- 4800 U. S.
General Accounting Office, 441 G. Street NW, Room 7149, Washington, D. C.
20548 GAO?s Mission

Obtaining Copies of GAO Reports and Testimony

Order by Mail or Phone Visit GAO?s Document Distribution Center

To Report Fraud, Waste, and Abuse in Federal Programs

Public Affairs
*** End of document. ***