A mail cover is a request, made by a law enforcement agency to the U.S. Postal Inspection Service, to record the outside of mail addressed to or from a specific person or address before it is delivered. No envelope is opened. Nobody reads the letter inside. What gets recorded is everything visible from the outside: sender name and address, recipient name and address, postmark date and location, size and weight of the piece, and the class of mail.
That is a narrower slice of information than reading the letter itself. It is also, for anyone trying to map out who talks to whom, often enough. A list of every piece of mail a person sends and receives over a period of weeks reveals a correspondence network: which attorney, which advocacy group, which family member, which unfamiliar name that shows up every month.
How a Cover Gets Approved
The legal basis for mail covers is a Postal Service regulation, not a statute passed by Congress and not a warrant issued by a judge. Under 39 CFR 233.3, a law enforcement agency submits a written request to the Postal Inspection Service, and a postal inspector (not the requesting agency, at least on paper) decides whether to approve it. The regulation requires that the request serve a legitimate law enforcement purpose, and covers are typically approved for periods of 30 to 120 days, renewable.
There is no notice to the person whose mail is being covered, no adversarial hearing, and no judge in the loop before the fact. The oversight is internal to the Postal Inspection Service itself, which is the same agency running the program.
It is not mail opening. Opening a sealed letter without consent requires a warrant supported by probable cause, the same as it would for any First Class mail under the Fourth Amendment. A mail cover only records what is printed or written on the outside of the envelope, which courts have long treated as functionally public in the way an envelope handed to a postal worker is public.
The Program the Public Found Out About by Accident
Mail covers existed quietly for most of the 20th century, used mostly in narcotics and organized crime investigations. What changed the public's awareness of the program was a 2013 New York Times report, which surfaced two things at once.
The first was routine: a postal worker in upstate New York, Leslie James Pickering, a former Earth Liberation Front spokesperson turned bookstore owner, received a mail cover notice meant for internal postal staff rather than for him, and realized his mail had been tracked for years after he stopped any activist involvement.
The second was broader: the same reporting described the Mail Isolation Control and Tracking program, created after the 2001 anthrax mailings, under which every piece of mail processed by the Postal Service is photographed on the outside as a matter of course, as a biohazard and threat-tracing measure. A mail cover request against a specific person draws on images the system already has, rather than requiring new physical surveillance to be set up from scratch.
Photographing the exterior of a threatening letter after an anthrax attack and building a standing image archive of every letter mailed in the country are two very different scales of the same idea. The first is incident response. The second is infrastructure. — the distinction that made the 2013 reporting land
Why the Envelope Matters More Than People Assume
Content and metadata get treated in law and in public conversation as if they were on opposite ends of a privacy spectrum: content is sensitive, metadata is administrative. Anyone who has spent time on the analysis side of an investigation will tell you that is backwards for the purpose of building a map of a person's life. A single letter's content answers one question. A record of every piece of mail sent and received over three months answers dozens: who is the recipient's lawyer, what advocacy group are they donating to, is there a new name in the correspondence that wasn't there last quarter.
This is the same argument privacy researchers have made for years about internet metadata, phone metadata under the pen register standard, and location data. Mail covers are the oldest working version of it, and they run on a legal standard well below what a warrant requires.
| Mechanism | Standard required |
|---|---|
| Opening a sealed letter | Warrant, probable cause |
| Mail cover (exterior only) | Internal Postal Inspection Service approval, no judge |
| Pen register on a phone line | Court order, relevance standard (lower than probable cause) |
| Content of an email in transit | Warrant under most current interpretations |
What Was Learned, and What Changed
The 2013 reporting prompted an internal Postal Service Office of Inspector General audit of the mail cover program's approval and record-keeping practices, which found gaps in how requests were logged and tracked internally. The recommendations were procedural: better documentation, clearer file retention. The underlying legal standard, a postal regulation rather than a statute or a warrant requirement, was not changed. It remains 39 CFR 233.3 today.
Congressional proposals to require judicial authorization for mail covers have surfaced periodically since the disclosure and have not passed. The program continues to operate on the same administrative footing it has run on for decades.
What This Means If You Send or Receive Anything by Mail
There is no consumer countermeasure for a mail cover in the way there is a countermeasure for browser fingerprinting or a tracking pixel. You cannot encrypt the outside of an envelope. Anyone whose threat model includes correspondence with a source, a client, or an organization that might draw law enforcement attention should know the exterior of that mail, sender, recipient, date, and frequency, is available to be logged without their knowledge and without a warrant, for as long as the requesting agency can justify the renewal.
For anything where the content itself matters, not just the fact that correspondence happened, mail was never built for confidentiality against a legal request; it was built for confidentiality against a stranger opening someone else's letter. Digital correspondence has the opposite failure mode when it is end-to-end encrypted: the content is protected even from the operator of the service, though metadata (who emailed whom, and when) is its own long-running problem, discussed in our metadata surveillance piece and our breakdown of national security letters.
Where Haven Fits
Haven encrypts message content end to end for chat and PGP-encrypts email content, so the body of what you write is not readable by us or by anyone who compels us. We do not run a postal service and cannot speak to what happens to a physical letter once it leaves someone's hands. What we can say is that the design goal for any communication tool serious about a real threat model is the same one the Postal Service's mail cover program demonstrates the limits of: content protection and metadata protection are different problems, and a tool that only solves one of them has told you it solved the whole thing.