[Image] RealAudio
  A Moment of Sanity &                PRIVACY Forum Home Page
          Fun!
 VORTEX REALITY REPORT              Vortex Technology Home Page
   & UNREALITY TRIVIA
         QUIZ!           Radio, Television, and Press Contact Information
        LISTEN!
  ------------------------------------------------------------------------

                          Your Signature For Sale?

                 A PRIVACY Forum Special Report -- 1/17/97

                    Lauren Weinstein (lauren@vortex.com)
                          PRIVACY Forum Moderator

Greetings. By now most of us realize that our social security numbers,
unlisted phone numbers, and all manner of other data items that (we
thought) were personal and private have become simple commodities flowing
openly between various commercial databases and information brokers and
pitch-men. Problems ranging from credit nightmares to identity fraud have
become commonplace with the help of these databases. It couldn't get much
worse, right?

Well, hold on to your pens, because it looks like we're poised on the edge
of a new frontier in personal data commerce--signature databases. We all
sign many documents in the course of daily living and it's generally
assumed that signatures have some validity as an identifier, or else why
use them? And we also usually implicitly assume that our signatures won't
be made available to third parties on any kind of routine basis.

But it looks like this is starting to change, with the mammoth U.S.
shipping company United Parcel Service (UPS) taking the lead among what can
only be assumed will be the first of many entities using new technologies
to capture and disseminate signature data.

There's been discussion here in the PRIVACY Forum in the past about the
implications of those little computerized boxes that UPS delivery persons
want you to sign when a package is delivered. Generally, all UPS business
deliveries typically request a signature, while residential deliveries may
simply be left outside on doorsteps unless the shipper requests otherwise.
The signature boxes capture your signature electronically, and they're fed
back to UPS headquarters. The idea was apparently that in case of a
question about whether or not a delivery was received, these are supposed
to be used to verify delivery status.

The very existence of the signature capture system perturbed some people,
but so long as the signatures stayed within UPS it didn't appear that an
especially serious problem would arise. This might have now changed. You
may have seen a new television commercial from UPS, touting their new
system that allow shippers to electronically obtain copies of recipients'
signatures for display on their screens (and apparently for printout as
well).

Given that it is relatively trivial (through the use of various
"background" programs) to capture the video image or printer data from
virtually any PC-based application, the availability of electronic
signature data raises a number of concerns. Even though the signature data
displayed in the actual systems is apparently somewhat pixelated, it still
appears to be the case that with minimal processing a reasonable signature
facsimile could be obtained.

The big issue, of course, is whether such data could be "mined" on a large
scale, sold to commercial databases, and become yet another component of
our personal lives over which we've lost all control. This scenario is
especially easy to imagine in the context of some entity shipping thousands
of mail order packages per day, where large databases could be built up
quite quickly. Is there any law to prevent such collection, or the sale and
resale of signature data collected in this manner? Of course not!

Wanting to get the straight information on this issue, I had a number of
conversations with Mr. John Flick, the gentleman in charge of international
public relations for UPS. I requested a spokesperson to do a recorded
interview for PRIVACY Forum Radio, but this was ultimately declined. I was
told that they felt they had researched the topic sufficiently before
launching the service and that there really weren't any privacy issues
involved. I was also told (in what's become a familiar refrain to privacy
queries) that "nobody had complained about it before"--more on that below.

Here's what I learned during my conversations. UPS has now established a
service to which shippers can subscribe that allows them to electronically
access recipient signature data. The service appears to be mainly aimed at
shippers dealing with significant volumes of packages, so that they can
obtain delivery data (including signature) without any manual interaction
with UPS. From available information, it does not appear that shippers need
to have had any problem with a shipment to obtain signature and other data
via this system--they simply make the request through their computer and
back it comes.

Currently, this data is only provided via dialup to UPS computers. Since
UPS already has basic package tracking data available via their Web site, I
asked if there were plans to extend the signature delivery system to the
Web or other Internet mechanisms as well. No information on this issue was
available.

I also asked if UPS contractually prohibits entities receiving signature
data from providing, selling, or otherwise disseminating it to other
parties. The answer is no, they do not have any such prohibitions. They
also feel that any such prohibitions would be unenforceable given the lack
of any laws addressing this issue. They add that they of course will stay
abreast of any changes in this area and would abide by any new applicable
laws.

Basically, they simply do not consider dissemination of signatures to be a
privacy issue. They point out that other organizations scan signature data
(e.g. banks), and they feel that other shippers will be providing similar
signature delivery services as soon as they are technically able to do so.
They apparently do not feel that the large-scale distribution of signatures
electronically to "end users" represents any kind of qualitative change
from the status quo.

They did have two suggestions for those persons who might disagree with
their analysis:

   * Refuse to sign for packages

     They say that UPS delivery persons should still allow you to have the
     package even if you refuse to sign their box. Reports I've received,
     however, suggest that some UPS delivery persons are not aware of this
     policy. I might add that you can also request to sign one of their
     yellow "not present" slips instead of their signature capture box.
     Some delivery persons will not agree to this, however.

   * Don't sign your real signature

     UPS suggests that if you don't like their system, you can choose not
     to sign your real signature; instead you can sign with an "X",
     horizontal line, squiggle, or whatever. The delivery persons are not
     supposed to complain about this. Again, reports I've heard suggest
     that "your mileage may vary" with such a technique, depending on the
     particular delivery person.

Of course, both of these techniques obliterate the usefulness of signatures
for a very valid purpose, namely helping to verify delivery in case there
is some problem or dispute later. It seems very unfortunate that such
actions are suggested by UPS as the best means to "protect" your signature
from routine, non-dispute-related dissemination to third parties.

As I mentioned above, UPS says that they hadn't received any complaints or
other concerns about their system until my call. As always, it's not always
so simple to know exactly who to contact if, perchance, you decide you
would like to express concerns about their signature collection and
dissemination system.

UPS agents who deal with "routine" complaints can be reached at: (800)
457-4022. You can ask agents to forward your comments onward to UPS
management. However, I was able to obtain additional contact information
that can be used for more direct access to the appropriate parties to hear
your opinions on such matters:

UPS Public Relations/Customer Resolution
Tel: (404) 828-6000
Fax: (404) 828-6593

United Parcel Service Corporate
Building 3, Floor 6
55 Glenlake Parkway
Atlanta, GA 30328

You might want to make your feelings about the signature service, either
pro or con, known to UPS via one of the above contact methods.

UPS is certainly right about at least one thing. This is but the tip of the
iceberg when it comes to the development of signature collection and
dissemination systems. As usual, laws to protect individuals' personal
information are lagging far behind technological developments. If you have
concerns in this area, you might consider expressing them not only to the
various commercial firms involved, but to your local, state, and federal
legislators as well.

--Lauren--
Lauren Weinstein
lauren@vortex.com
Moderator, PRIVACY Forum --- http://www.vortex.com
Member, ACM Committee on Computers and Public Policy
Host, "Vortex Reality Report & Unreality Trivia Quiz"
--- http://www.vortex.com/reality

Copyright © 2001 Vortex Technology. All Rights Reserved.