|
[Image] RealAudio A Moment of Sanity & PRIVACY Forum Home Page Fun! VORTEX REALITY REPORT Vortex Technology Home Page & UNREALITY TRIVIA QUIZ! Radio, Television, and Press Contact Information LISTEN! ------------------------------------------------------------------------ Your Signature For Sale? A PRIVACY Forum Special Report -- 1/17/97 Lauren Weinstein (lauren@vortex.com) PRIVACY Forum Moderator Greetings. By now most of us realize that our social security numbers, unlisted phone numbers, and all manner of other data items that (we thought) were personal and private have become simple commodities flowing openly between various commercial databases and information brokers and pitch-men. Problems ranging from credit nightmares to identity fraud have become commonplace with the help of these databases. It couldn't get much worse, right? Well, hold on to your pens, because it looks like we're poised on the edge of a new frontier in personal data commerce--signature databases. We all sign many documents in the course of daily living and it's generally assumed that signatures have some validity as an identifier, or else why use them? And we also usually implicitly assume that our signatures won't be made available to third parties on any kind of routine basis. But it looks like this is starting to change, with the mammoth U.S. shipping company United Parcel Service (UPS) taking the lead among what can only be assumed will be the first of many entities using new technologies to capture and disseminate signature data. There's been discussion here in the PRIVACY Forum in the past about the implications of those little computerized boxes that UPS delivery persons want you to sign when a package is delivered. Generally, all UPS business deliveries typically request a signature, while residential deliveries may simply be left outside on doorsteps unless the shipper requests otherwise. The signature boxes capture your signature electronically, and they're fed back to UPS headquarters. The idea was apparently that in case of a question about whether or not a delivery was received, these are supposed to be used to verify delivery status. The very existence of the signature capture system perturbed some people, but so long as the signatures stayed within UPS it didn't appear that an especially serious problem would arise. This might have now changed. You may have seen a new television commercial from UPS, touting their new system that allow shippers to electronically obtain copies of recipients' signatures for display on their screens (and apparently for printout as well). Given that it is relatively trivial (through the use of various "background" programs) to capture the video image or printer data from virtually any PC-based application, the availability of electronic signature data raises a number of concerns. Even though the signature data displayed in the actual systems is apparently somewhat pixelated, it still appears to be the case that with minimal processing a reasonable signature facsimile could be obtained. The big issue, of course, is whether such data could be "mined" on a large scale, sold to commercial databases, and become yet another component of our personal lives over which we've lost all control. This scenario is especially easy to imagine in the context of some entity shipping thousands of mail order packages per day, where large databases could be built up quite quickly. Is there any law to prevent such collection, or the sale and resale of signature data collected in this manner? Of course not! Wanting to get the straight information on this issue, I had a number of conversations with Mr. John Flick, the gentleman in charge of international public relations for UPS. I requested a spokesperson to do a recorded interview for PRIVACY Forum Radio, but this was ultimately declined. I was told that they felt they had researched the topic sufficiently before launching the service and that there really weren't any privacy issues involved. I was also told (in what's become a familiar refrain to privacy queries) that "nobody had complained about it before"--more on that below. Here's what I learned during my conversations. UPS has now established a service to which shippers can subscribe that allows them to electronically access recipient signature data. The service appears to be mainly aimed at shippers dealing with significant volumes of packages, so that they can obtain delivery data (including signature) without any manual interaction with UPS. From available information, it does not appear that shippers need to have had any problem with a shipment to obtain signature and other data via this system--they simply make the request through their computer and back it comes. Currently, this data is only provided via dialup to UPS computers. Since UPS already has basic package tracking data available via their Web site, I asked if there were plans to extend the signature delivery system to the Web or other Internet mechanisms as well. No information on this issue was available. I also asked if UPS contractually prohibits entities receiving signature data from providing, selling, or otherwise disseminating it to other parties. The answer is no, they do not have any such prohibitions. They also feel that any such prohibitions would be unenforceable given the lack of any laws addressing this issue. They add that they of course will stay abreast of any changes in this area and would abide by any new applicable laws. Basically, they simply do not consider dissemination of signatures to be a privacy issue. They point out that other organizations scan signature data (e.g. banks), and they feel that other shippers will be providing similar signature delivery services as soon as they are technically able to do so. They apparently do not feel that the large-scale distribution of signatures electronically to "end users" represents any kind of qualitative change from the status quo. They did have two suggestions for those persons who might disagree with their analysis: * Refuse to sign for packages They say that UPS delivery persons should still allow you to have the package even if you refuse to sign their box. Reports I've received, however, suggest that some UPS delivery persons are not aware of this policy. I might add that you can also request to sign one of their yellow "not present" slips instead of their signature capture box. Some delivery persons will not agree to this, however. * Don't sign your real signature UPS suggests that if you don't like their system, you can choose not to sign your real signature; instead you can sign with an "X", horizontal line, squiggle, or whatever. The delivery persons are not supposed to complain about this. Again, reports I've heard suggest that "your mileage may vary" with such a technique, depending on the particular delivery person. Of course, both of these techniques obliterate the usefulness of signatures for a very valid purpose, namely helping to verify delivery in case there is some problem or dispute later. It seems very unfortunate that such actions are suggested by UPS as the best means to "protect" your signature from routine, non-dispute-related dissemination to third parties. As I mentioned above, UPS says that they hadn't received any complaints or other concerns about their system until my call. As always, it's not always so simple to know exactly who to contact if, perchance, you decide you would like to express concerns about their signature collection and dissemination system. UPS agents who deal with "routine" complaints can be reached at: (800) 457-4022. You can ask agents to forward your comments onward to UPS management. However, I was able to obtain additional contact information that can be used for more direct access to the appropriate parties to hear your opinions on such matters: UPS Public Relations/Customer Resolution Tel: (404) 828-6000 Fax: (404) 828-6593 United Parcel Service Corporate Building 3, Floor 6 55 Glenlake Parkway Atlanta, GA 30328 You might want to make your feelings about the signature service, either pro or con, known to UPS via one of the above contact methods. UPS is certainly right about at least one thing. This is but the tip of the iceberg when it comes to the development of signature collection and dissemination systems. As usual, laws to protect individuals' personal information are lagging far behind technological developments. If you have concerns in this area, you might consider expressing them not only to the various commercial firms involved, but to your local, state, and federal legislators as well. --Lauren-- Lauren Weinstein lauren@vortex.com Moderator, PRIVACY Forum --- http://www.vortex.com Member, ACM Committee on Computers and Public Policy Host, "Vortex Reality Report & Unreality Trivia Quiz" --- http://www.vortex.com/reality Copyright © 2001 Vortex Technology. All Rights Reserved.