ip: YOUR SIGNATURE FOR SALE?

[Dave Farber <farber () cis upenn edu>]

Date:    Fri, 17 Jan 97 20:19 PST
From:    lauren () vortex com (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: YOUR SIGNATURE FOR SALE? -- A PRIVACY Forum Special Report


Greetings.  By now most of us realize that our social security numbers,
unlisted phone numbers, and all manner of other data items that (we thought)
were personal and private have become simple commodities flowing openly
between various commercial databases and information brokers and pitch-men.
Problems ranging from credit nightmares to identity fraud have become
commonplace with the help of these databases.  It couldn't get 
much worse, right?


Well, hold on to your pens, because it looks like we're poised on the edge
of a new frontier in personal data commerce--signature databases.  We all
sign many documents in the course of daily living and it's generally assumed
that signatures have some validity as an identifier, or else why use them?
And we also usually implicitly assume that our signatures won't be
made available to third parties on any kind of routine basis.


But it looks like this is starting to change, with the mammoth U.S. shipping
company United Parcel Service (UPS) taking the lead among what can only be
assumed will be the first of many entities using new technologies to capture
and disseminate signature data.


There's been discussion here in the PRIVACY Forum in the past about the
implications of those little computerized boxes that UPS delivery persons
want you to sign when a package is delivered.  Generally, all UPS business
deliveries typically request a signature, while residential deliveries may
simply be left outside on doorsteps unless the shipper requests otherwise.
The signature boxes capture your signature electronically, and they're fed
back to UPS headquarters.  The idea was apparently that in case of a
question about whether or not a delivery was received, these are supposed to
be used to verify delivery status.  


The very existence of the signature capture system perturbed some people,
but so long as the signatures stayed within UPS it didn't appear that an
especially serious problem would arise.  This might have now changed.  You
may have seen a new television commercial from UPS, touting their new system
that allow shippers to electronically obtain copies of recipients'
signatures for display on their screens (and apparently for printout as
well).


Given that it is relatively trivial (through the use of various "background"
programs) to capture the video image or printer data from virtually any
PC-based application, the availability of electronic signature data raises a
number of concerns.  Even though the signature data displayed in the actual
systems is apparently somewhat pixelated, it still appears to be the case
that with minimal processing a reasonable signature facsimile could be
obtained.


The big issue, of course, is whether such data could be "mined" on a large
scale, sold to commercial databases, and become yet another component of our
personal lives over which we've lost all control.  This scenario is
especially easy to imagine in the context of some entity shipping thousands
of mail order packages per day, where large databases could be built up
quite quickly.  Is there any law to prevent such collection, or the sale and
resale of signature data collected in this manner?  Of course not!


Wanting to get the straight information on this issue, I had a number of
conversations with Mr. John Flick, the gentleman in charge of international
public relations for UPS.  I requested a spokesperson to do a recorded
interview for PRIVACY Forum Radio, but this was ultimately declined.  I was
told that they felt they had researched the topic sufficiently before
launching the service and that there really weren't any privacy issues
involved.  I was also told (in what's become a familiar refrain to privacy
queries) that "nobody had complained about it before"--more on that below.


Here's what I learned during my conversations.  UPS has now established a
service to which shippers can subscribe that allows them to
electronically access recipient signature data.  The service appears to be
mainly aimed at shippers dealing with significant volumes of packages, so
that they can obtain delivery data (including signature) without any manual
interaction with UPS.  From available information, it does not appear that
shippers need to have had any problem with a shipment to obtain signature
and other data via this system--they simply make the request through their
computer and back it comes.


Currently, this data is only provided via dialup to UPS computers.  Since
UPS already has basic package tracking data available via their Web site, 
I asked if there were plans to extend the signature delivery system to the Web
or other Internet mechanisms as well.  No information on this issue was
available.  


I also asked if UPS contractually prohibits entities receiving signature
data from providing, selling, or otherwise disseminating it to other
parties.  The answer is no, they do not have any such prohibitions.  They
also feel that any such prohibitions would be unenforceable given the lack
of any laws addressing this issue.  They add that they of course will stay
abreast of any changes in this area and would abide by any new applicable
laws.


Basically, they simply do not consider dissemination of signatures to be a
privacy issue.  They point out that other organizations scan signature data
(e.g. banks), and they feel that other shippers will be providing similar
signature delivery services as soon as they are technically able to do so.
They apparently do not feel that the large-scale distribution of signatures
electronically to "end users" represents any kind of qualitative change from
the status quo.  


They did have two suggestions for those persons who might
disagree with their analysis:


-- Refuse to sign for packages


   They say that UPS delivery persons should still allow you to have the
   package even if you refuse to sign their box.  Reports I've received,
   however, suggest that some UPS delivery persons are not aware of this
   policy.  I might add that you can also request to sign one of their
   yellow "not present" slips instead of their signature capture box.  Some
   delivery persons will not agree to this, however.


-- Don't sign your real signature


   UPS suggests that if you don't like their system, you can choose not to
   sign your real signature; instead you can sign with an "X", horizontal
   line, squiggle, or whatever.  The delivery persons are not supposed to
   complain about this.  Again, reports I've heard suggest that "your
   mileage may vary" with such a technique, depending on the particular
   delivery person.


Of course, both of these techniques obliterate the usefulness of signatures
for a very valid purpose, namely helping to verify delivery in case there is
some problem or dispute later.  It seems very unfortunate that such actions
are suggested by UPS as the best means to "protect" your signature from
routine, non-dispute-related dissemination to third parties.


As I mentioned above, UPS says that they hadn't received any complaints or
other concerns about their system until my call.  As always, it's not always
so simple to know exactly who to contact if, perchance, you decide you would
like to express concerns about their signature collection and dissemination
system.


UPS agents who deal with "routine" complaints can be reached at:
(800) 457-4022.  You can ask agents to forward your comments onward to UPS
management.  However, I was able to obtain additional contact information
that can be used for more direct access to the appropriate parties to hear
your opinions on such matters:


UPS Public Relations/Customer Resolution
Tel: (404) 828-6000   
Fax: (404) 828-6593


United Parcel Service Corporate
Building 3, Floor 6
55 Glenlake Parkway
Atlanta, GA  30328


You might want to make your feelings about the signature service,
either pro or con, known to UPS via one of the above contact
methods.


UPS is certainly right about at least one thing.  This is but the tip of the
iceberg when it comes to the development of signature collection and
dissemination systems.  As usual, laws to protect individuals' personal
information are lagging far behind technological developments.  If you have
concerns in this area, you might consider expressing them not only to the
various commercial firms involved, but to your local, state, and federal
legislators as well.


--Lauren--
Moderator, PRIVACY Forum
www.vortex.com