A cybersecurity take on the Swedish postal system
Posted on Sun 15 September 2024 in reportage
I order "Strange Code" on eBay. I live in Sweden, and it ships from the US. $20 dollars, plus $4 in shipping: a good deal. It's supposed to arrive beginning of July, which is like saying that it's supposed to arrive in September because Sweden simply stops in July. You're lucky if you find somebody at the emergency room on the 12th of July to stitch back your fingers, but then most Swedes largely spend their summer preparing potato salads with their home-grown potatoes from their summer house and taking pictures of their smiling children roaming around among eco-villages before they all (adults included) go back to the prison of their daily life, so not too much request for ER personnel.
And in fact, my book shows up on eBay as waiting for customs clearance in mid-July, and it's only ~10 days later that I receive a (physical) mail asking me to confirm that I want to receive it (there's no cost attached, it's mysterious why I would need to confirm). I accept it on a Friday and I'm leaving the upcoming Tuesday for a month abroad, so I know already I will never receive it in time. Somebody has to ditch potato salads cooking to throw my package in a van and drive all the way to mine to deliver it. It's taken it 6 weeks to travel half the world and the last 10km will take it as much. I leave my ID to my partner so that she can pick it up for me, and that's where I felt like the case was settled.
How naive.
We get a (physical) mail declaring the package has arrived at the pickup point. It has a 7-days pickup deadline. If I were engaging in the potato-salads summer activity of the country, how would I make it? This goes against any patriotic sense. But she's home with a fair aversion for potato salads: she collects the mail and goes to the pickup point.
"It's a rekommenderat brev.", they say.
"It can only be handed out personally to the recipient.", they say.
"They need to sign, the ID is not enough.", they say.
Deadline for pickup is in one week and I won't be back before another three. She suggests they let her sign with my name – after all, she has my ID. The blast radius of laughter is heard in surrounding villages. Potato salad cookers can laugh really hard. She leaves, defeated.
I'm Italian, I don't tolerate stupidity, and I'm good at investing time in worthless battles, so I start making phone calls.
I ring the pickup point, I explain: I'm away 5 weeks, this package was delayed, I left my ID to my partner on purpose, I never had to sign for anything in my 5 years of living in potato-land, so I didn't know. "There's nothing we can do, but you have two options: a) change the recipient to your partner's name; b) extend the pickup deadline until you'll be back. We cannot take any decisions when it comes to mail, we can only act on the postal system decisions, so for anything please reach out to them." I thank them very much. Maybe potato salads have not entirely eradicated sense from this country.
I ring the post system. It turns out that, for this form of shipment,
- only the sender can change the recipient, and it costs 250 ridiculous crowns;
- the pickup deadline cannot be extended (and even if it could, it would be max 2 weeks, and I'd need 3. Thanks, potato eaters).
I try to instil some sense in Melinda and explain that I don't think that a US eBay reseller is going to want to invest even the time of a piss in changing the recipient, and neither Melinda nor I even have any idea how they would communicate it to the Swedish post system. Sweden prides itself on being very international, but a lot of its rules and processes still only make sense in Swedish contexts, and they have no intention of changing that. She also says: "It costs 250 crowns", and I rebut that I'm sure they have no intention of paying that amount. – "But they would invoice it to you."
For the first of many times in this story, I find myself fascinated and frustrated. This lady with the strongest African accent I've ever heard in a Swedish speaker, with whom I've already spent 15 minutes conversing (after as many minutes with the pickup point), is suggesting that I strike an epistolary correspondence with some digitally-illiterate owner of the online book reseller who probably profits $2 gross from each 2nd hand book, so that he may, at the peak of summer and in the poorly AC-ed basement-operations-center where he's dreaming of the tastiest potato salad, get on the phone with the Swedish post system to begin to understand how he would formally submit a recipient change, and how he would charge me the expense of that. All that within 6 days, or the package would boomerang back. The amount of complication is just fascinating. And all it would take is one single employee in this chain of human bots to look the other way while another hand strikes my name on a sheet of paper that will rot and eventually become new potato salads, and all this complication would vanish immediately. They're probably afraid of going to jail for having handed out a $20 book to a serial raper, or I don't know whom. I imagine the headlines they imagine: "Collects unauthorised package and goes out hitting knees with the spine of the book, 7 ladies on walkers injured severely. Pickup point crew under investigation."
I tell them many times: It's. A. Book. And it's on esoteric programming languages, nobody else wants it. I don't want it either at this point, but I've ordered it and I want it. I curse the seller, who picked this legacy form of shipping.
Melinda tries to extend the pickup deadline, refusing to acknowledge that 2 weeks is less than 3 but well aware that I'm gonna be asked to score the help I received, so she tries to be helpful. I guess she'll be on vacation next week and is just trying to make sure I won't find her when I ring again in one week. Alas, not even that succeeds: the sadist who designed rekommenderat brev has done it spotless: a rek can't be extended. "I click on the button but the system says nej, Stefano." The system is already an autonomous entity. I ask if there may not be another way, somebody with more power. So she texts in a group chat asking for help. We wait for an answer. "Usually there's always somebody available", she says. I friendly inquire what type of chat it is, and it turns out it's the chat of the desperadoes working on August 9th at 4pm. I know nothing will come out of it. Two minutes later somebody has tried clicking the same button as Melinda, except on another screen, and "the system says no, Stefano, I'm very sorry." I don't know how, but I refrain from shouting "Holy crap just connect me with a neurotypical christian and leave me my package!" Instead, I say I meant a superior, somebody that maybe, just maybe, can see another button on their screen. "No, Stefano, the system works the same even for the director. I am very sorry, I would really like to help you, with all my heart, but the system says no." I know she means it. I know she's just loaning her index finger to carry through the will of her electrical master.
Gospel of The System.
We honour The System.
This is ridiculous. Where is the database admin who can just run an ALTER TABLE SET expiration = 20never? Just give me 20 minutes of shell access to your system and I'll sort this out myself.
And then comes what I've been waiting to hear for the whole call: "But speak with the pickup point: they hold the package and it's their decision how to hand it out." The good old passing the buck, I would have been disappointed without any occurrence of it.
We say bye like old childhood friends, both of us half an hour older and me still without book.
I ring the pickup point again and detail my findings: it's impossible to extend the pickup deadline; the thought of eBay USA changing the recipient is pure fantasy; it's a $20 book that pilgrimaged half the world for 2 months; I'm in Italy being banqueted by mosquitoes and various forms of 4+ legged insects. I suggest I can show up in a videocall while my partner signs; or sending them an email with a signed sheet of paper where I declare I allow her to sign, or from which they could cut out my signature and glue it to their trashy sheets. I venture in philosophical ramblings about the meaning and value of signatures in human communities, about the fact that whatever signature I want to question is automatically up for legal debate, whether it's me who signed or not, and that whatever signature I don't want to question, even if it were the squibbly sketch of a drunk kraken, has an unquestionable legal value; that it's all a matter of human trust. It's comical that I could bring the pickup point to court, and that my lawyer would call for testimony the old lady with one and a half cataracts who took the signature and who, under oath at the EU court of justice, would be forced to testify that "no, they who signed for the package didn't quite look like that handsome guy over there", while winking to my father.
He reiterates that they have protocols that they can't break, that he doesn't know why Melinda told me that the pickup point can do what they want, that he's an expert in post (does he put it in his CV? Is that what they base pickup point recruitment on?) and that it's not true, and that he's a bot anyway and he wouldn't dare to even take responsibility of pissing with the seat down. I ask if they cannot hold the package under their desk for 3 weeks. I know the answer even before it's uttered: "No, it's not on us to decide. If we don't send back the package on the deadline, the system will mark it as lost and I'm not even sure what that would entail for you." Gospel of The System, plus they probably need the space for the gargantuan amounts of potato salads to feed their rule-abiding minds.
"I was thinking about the delegation thing though. It should be possible to give your partner fullmakt through the post system and then we would be able to hand her the package. Some rekommenderat brev can't be picked up even with delegation, but this one luckily can. Check that out. Otherwise, the director will be back Monday morning so I recommend you ring again then if you want to speak with the maximum authority."
I think of the sunken cost fallacy and of how I could have spent this hour doing billable work, end up less stressed than this, and buy not one, but two copies of the book.
I ring the post service again to confirm. For a second I hope that it's not Melinda to pick up the phone so I can dish out my misery to somebody else and hope their compassion will give me my book. The African accent is unmistakable and it's Melinda again. I say my name and greet her like the old friends we've become. I know enough of her that I could almost invite her out for dinner. There's a trace of dissonance between what the pickup point said and what she says: "No, this one must be handed out personally to the recipient, no delegation will work." Of course. "I am deeply sorry Stefano." As Lily does to Robin and Barney in How I Met Your Mother, I'd like to put Melinda and the pickup point crew in a locked room and say: "you'll come out once you'll have decided under what conditions I can have my book." I'd also have a whipping Marshall out of the door for good measure.
I hang up and I tell myself the odds that the delegate will work are 50-50. I could as well try.
And here the sadism of the post potato eaters really peaked at mathematical precision: only a team of cryptographers could conceive the fullmakt protocol. The delegation must be handed in on physical paper and personally by the delegator; alternatively, by a third party, who must not be the delegated, and who has validated (informally, at least, thank god) the delegator's signature. I ring up a friend and ask him to be prepared to sort this out for me: go to my place, get my partner's signature, and then leave the sheet at a post service point. Except, in an extra effort to make this service unusable (Sweden is a master in pretending to offer services that it's impossible to actually claim), the map of the service points that accept delegations is inaccessible. I ring the pickup point again and they spell out a few addresses on the phone for me, the closest is at "only" 5 km and is likely open from 11 to 12 on odd days of full moon. The level of complexity has reached record levels: I'm on a grass field in the Italian mountains practically getting an allergic reaction to the tens of mosquito bites per second I'm scoring, collecting addresses of Swedish post offices, to relay them to a friend who's gonna bike through half the town to collect signatures on a sheet of paper so that my partner may finally get me a book that will never live up to the expectations. Another person (6 in total) is now involved in a project that would need its own project manager and Trello board. So many hours in the wind, all not to accept a fake signature. But at least now the puzzle is clear, it's only a matter of putting it together.
Then I discover that the fullmakt starts being valid 7 days after it's handed in. I've only got 6 left before Strange Code returns overseas. 7 days is the full warehousing period: this system is designed so that you may not delegate anybody to pick up a package you received; you must have planned it in advance, just like you have to do if you want to get drunk in this country. When not in rage, I'm absolutely fascinated at the security measures around packages pickup. For my package, given its declared value, I was not even required to pay import fees. For what they know, what they are treating like a human kidney could well be half a cubic meter of bubble-wrap.
But hey, I have a background in crypto too and I used to think like they thought. So let's make the intellectual exercise: what would an adversary need to have to claim a package intended for me, given all the rules the committee of potato saladists have devised for rek?
- Know that I received a package
- Know its alphanumeric code (= have access to either my phone or my mailbox)
- Know what it contains (I'm describing it on the phone, and the clerks can check that it makes sense through the soft packaging)
- Have my ID
- Have access to me, or have somebody that can plausibly pretend being me and make all these phone calls
- Be resident in the same apartment as me, as shown in the public online Swedish registers (okay, technically you can fool the registry office to the extent that you could self-register at my apartment and it would be on me to claim that you don't live here, but I'm pretty sure the post system doesn't know this)
What I will state is now:
Theorem – A person satisfying all the requirements above is either a) an honest party who I've entrusted with picking up my package; b) a dishonest partner/flatmate who has power over me. Furthermore, in the case of b), given their power, the dishonest party can likely carry their intents through by means of psychological violence, so no rule will protect me from them.
The proof is trivial and left as an exercise to the reader.
So dear god on earth: what's the point of all this secrecy? To match the level of security, they should store all packages in a vault. The pickup point computer password is probably 123456, or it's written on a post-it stored on the potatoes box, making that the absolute weakest link in the chain.
Further, nobody has even offered me (nor has my offer ever been taken) to authenticate my identity with my BankID, which is a very Swedish form of digital signature every citizen has on their phone. You can almost get married remotely just by authenticating yourself through your BankID. You could be on the shores of Canary Islands, and I can guarantee you that that's the national sport in November. The whole authentication thing is so quick that what may start as a premarital beach sunset fornication session may well result in child conception within marital boundaries. Apparently, dropping prospective taxpayers is deemed worthy of less bureaucracy than educating oneself on esoteric programming languages (and while I write this, it does actually feel like a wise arrangement).
On Monday I ring again the pickup point asking of the director. I feel resigned but I give him my pitiful story. I hold myself back from making up that the package actually contains the ashes of a very dear American relative. I get bored by my own voice at this point, but out of my negotiation knowledge I make one single change in my narrative: I don't suggest any solution, and I ask him how he thinks we should do. I have the third déjà vu when he says "I'm gonna ponder over the matter for a while and get in touch with the post through our own channels. I'll ring you back shortly." The count of people involved in the project has just risen to 7, likely 8 given that I don't think he'll get Melinda on the phone.
An hour later they ring back, a new female voice: "If your partner comes with her and your ID, she can take the package."
I'm exhausted and bewildered: "So she doesn't need to sign?"
"If she comes with her and your ID, it's fine."
"Stay there, I'll send her running."
9 people have worked throughout the week to get me a package that has always been within arm's reach. They broke the rules, in the end. Yes: it's possible even in Sweden. It just takes some persistence, and they need to break them their way.
If you were wondering, it was not even that great a book.