UPS signatures raise concerns
The delivery service's move to widen its online presence raises concerns that digitized signatures could be used by others.
The service lets anyone sending a package to not only find out if their package has been received but also who exactly received and signed for it.
Sounds pretty convenient, but maybe too convenient. Privacy experts are worried that even with UPS's safeguards, our personal signatures could become yet another piece of private information that could be taken, cataloged, stored, and even sold--right along with our names, ages, and Social Security numbers.
The UPS technology is the latest example of a growing concern over how online access to personal information can unintentionally invade the privacy of individuals or be used for fraud. Many Netizens have been shocked to learn how readily available their Social Security numbers or other private information is through online databases that can charge very little for the information.
The security issue was underscored again today as UPS signed deals with three major search engines, arranging to have a button placed on their Web pages to facilitate delivery tracking. Although the deals do not specifically involve digitized signatures, they could expose UPS to millions more surfers. (See related story)
Lauren Weinstein, president of Vortex Technology and moderator for The Privacy Forum, isn't worried about what UPS is going to do with the signatures. The service has strict rules about keeping signatures private and never, ever selling them. Instead, Weinstein is concerned about other people who might use the UPS system to harvest the signatures for themselves.
The UPS technology allows the service to put electronic copies of handwritten signatures online: Customers who send packages can log on a dial-up service and use the shipping number to view the signature of the person who signed to receive the package. Only the person (or company) who sent the package can view the signature.
But it wouldn't take much for an unscrupulous company to use the technology to send out a mass mailing of packages (perhaps working with a mail-order catalog) to begin collecting signatures. As the company which sent the package, it'd have access to the signatures. And even though UPS's software doesn't readily allow copying of signatures, it's not hard alter the software so signatures can be captured, Weinstein said.
"My concern remains that the widespread dissemination of personal signatures without any mechanism for realistically controlling how they are captured, used, abused, sold, or given away is a potentially very serious issue," Weinstein said. "Under current law, if somebody wanted to skywrite a name, Social Security number, and signature, nobody could do anything about it."
Weinstein is worried that the availability of a person's actual signature will make for a do-it-yourself fraud kit. Other privacy experts are concerned about the selling of private information in general.
It's not that private information has never been available. In fact, databases used by private investigators and others have existed for years. But the Net makes both gathering and disseminating information we consider private--from our names to what kind of music we prefer--all that much easier.
"Personal information has become a valuable commodity," said David Sobel, an attorney with Electronic Privacy Information Center. "There has always been a very large industry devoted to compiling and selling information about people. If you now layer on top of that what can conceivably go on the Internet, you're talking about the possibility of compiling much more detailed information."
In this case, UPS has thought of some safeguards: Only the person who sent the package can view it, and the company provides no mechanism to allow the viewer to capture the signature or print out the screen, spokeswoman Pat Steffan said in a January interview.
Moreover, Steffan said, UPS has spent $4 billion to build a "system that's bulletproof. It is a commitment made to our customers to protect their information."
And Steffan said emphatically that UPS will not sell signatures. "UPS will not, is not, and has no plans to sell signatures," she said. "We have built the confidence of over 1 million customers. We cannot break that confidence, and no one else can get into our database to get that information."
Weinstein doesn't question UPS's sincerity. But he says that even a very mediocre hacker could use the UPS software to capture signatures with a few technical tricks or a little creative programming.
"I think the problem comes up with what's done with the information," Weinstein said. "This isn't to say UPS is taking a database and creating it and selling it en masse."
But he added that they have provided a mechanism for others to do that very easily.
Right now, government agencies legally are prohibited from disseminating much of your personal information. But there are no laws preventing businesses from buying and selling whatever information they can collect on their own and they do so with great regularity.
Weinstein said that when she called to explain the problem, "UPS told me that if people are concerned about their signatures, UPS suggested that people don't use their real signatures."
But that doesn't address the larger problem. "At this stage in the game, the legal system is so far behind that once you give out any personal information on yourself, it becomes free game. It becomes a commodity," Weinstein said. "The underlying issue is we need a legal structure where people have control of their private information."