Canada Post collection of online signatures for mail tracking draws complaint
Complaint under the Privacy Act (the Act)
- This Report of Findings (the “Report”) relates to a complaint against the Canada Post Corporation (“CPC”) regarding its use and disclosure of electronic signatures for the purpose of confirming the delivery of tracked parcels.
- Specifically, the complainant raised concerns regarding how CPC informs the recipient of a parcel (the “addressee”) of the fact that they can exercise their right to “opt-out” of signing an electronic signature device which allows CPC to send a digitized image of their signature to its website for the purpose of parcel tracking by the sender. The complainant submitted that the label affixed to the electronic signature device does not adequately inform addressees that they can decline to allow CPC to display their signature online, or that there are other options available to addressees. Moreover, at the time of filing a complaint to this Office, the complainant raised concerns that there was in fact no label affixed to the electronic signature device at the Station T postal outlet in Ottawa, Ontario, to advise customers that their signature will be displayed online.
- Based on the concerns raised in the complaint, our investigation focused on the collection, use and disclosure of electronic signatures for the purpose of confirming the delivery of tracked parcels. In addition, our investigation reviewed the privacy and security controls implemented by CPC in relation to its tracking website to protect the electronic signatures that are displayed online.
- CPC submitted that paragraph 8(2)(a) of the Act authorizes it to disclose the signature of an addressee to the sender of a parcel for the purpose for which it was collected – as proof of delivery; therefore, it is not required to seek consent. However, it does offer addressees a choice of whether or not they want to have their signature posted online for the purpose of parcel tracking by the sender. CPC submitted that it affixes a label to the electronic signature devices at postal outlets which states: “I agree my signature may be viewed online”, and is of the view that this statement adequately informs addressees of their choice to opt-out of having their signature visible online. In addition, CPC advised that it has corrected the situation reported by the complainant and ensured that a label is affixed to the signature device at the Station T postal outlet.
- After considering submissions from the parties and reviewing the facts, we determined that this aspect of the complaint is not well-founded. Nevertheless, given that CPC provides customers with the option to decline having their signature displayed online, we remind CPC that it should then take steps to ensure consistency across its postal outlets by verifying that labels are affixed to all signature devices, and also to ensure that its employees are aware of the procedures and are able to sufficiently answer questions about the use and/or disclosure of customers’ signatures.
- Following our review of the privacy and security controls of CPC’s online tracking site, this Office made several recommendations to CPC to enhance the protection of the signature online. In response, CPC accepted our recommendations and is currently in the process of implementing the controls identified.
- After considering submissions from the parties and reviewing the facts, we concluded that this aspect of the matter is conditionally resolved. We request that CPC follow up with our Office in 6 months to confirm its progress in the implementation of the privacy and security controls highlighted during this investigation.
CPC’s Initial Representations
Collection and Use of Signatures by CPC
- CPC provides parcel services under paragraph 5(1)(a) of the Canada Post Corporation Act which states:
5. (1) The objects of the Corporation are
(a) to establish and operate a postal service for the collection, transmission and delivery of messages, information, funds and goods both within Canada and between Canada and places outside Canada.
- CPC is required by the Canada Post Corporation Act to collect the signature of recipients of mail that is subject to the Special Services and Fees Regulations (“Regulations”). These Regulations only apply to items as described in subsection 6(1):
- letter mail as defined in the Letter Mail Regulations; and
- letters referred to in the International Letter-post Items Regulations.
- CPC identified the purposes for which it collects the electronic signature of an addressee:
- As proof of delivery for registered mail, which is required by the Special Services and Fees Regulations;
- As proof of delivery to senders who have requested and paid for the service; and
- To meet the regulatory requirements of the Universal Postal Union’s Parcel Post Regulations.
- CPC states that the collection of a signature from an addressee meets the requirements of section 4 of the Act, as the collection of this information is an integral part of an operating program of CPC – mail delivery.
- CPC relies on paragraph 8(2)(a) of the Act to then disclose the signature to the sender of the parcel or mail for the purpose for which it was collected – as proof of delivery. According to CPC, it is not therefore required to seek consent for disclosure of the signature.
Electronic Signature Device
- CPC retail outlets use an electronic device to capture the signature of the addressee – the “RPS VeriFone” device is supplied by VeriFone, a company that provides secure electronic point of sale services and hardware. According to CPC, addressees that pick up an item at a postal outlet requiring a signature can choose whether or not they want to have their signature posted online for the purpose of parcel tracking by the sender. CPC created a label for the electronic signature device that states: “I agree my signature may be viewed online” to clearly indicate the choice to addressees. CPC confirmed that the label has been in use since 2006, and instructions were provided to postal outlets to affix the label below the signature window on the device, with the appropriate language option first.
- CPC explained that when a sender contracts with CPC to send a parcel and requests that a signature is captured as proof of delivery, the sender will have access to that signature through CPC’s online tracking tool – “Track” – or by requesting a paper copy. For instance, if the addressee refused to have their signature viewed online, the sender can request a paper copy of the delivery confirmation, which includes the signature, via regular mail.
- According to the instructions provided by CPC, the “Publish Signature Online” button is automatically set to “YES” on the signature device. If an addressee does not agree to have their signature posted online, the CPC agent must touch the button to change it to “NO”. CPC is of the view that the statement on the device informing addressees of their choice to opt-out of having their signature visible online is effective, upfront and understood.
- Moreover, CPC submits that there are other ways the recipient of a parcel could inform themselves of the fact that they can refuse to consent to the posting of their signature online. In particular, they can:
- ask the delivery agent;
- contact CPC’s Customer Service;
- refer to the personal information bank Address Accuracy and Delivery of Mail Bank (CPC PPU 001), which indicates that CPC will collect and use the signature for ensuring the accurate delivery of mail; or
- refer to the Parcel Services Customer Guide, available on CPC’s website, which notes in section 2.2.2 “Tracking and Delivery Confirmation”: “… And, if you choose the signature option, the signature image will be available to view online alongside the item tracking information”.
- CPC further explained that the signatures as posted online are not the original image it receives – it uses proprietary software to degrade the image and also includes a watermark. Moreover, addressees are not required to use a signature that matches the one they use in any other context, as CPC does not verify the validity of the signature. Addressees may print their name or provide initials only. Further, the signature image is suppressed from viewing online 45 days after delivery. CPC is of the view that these steps adequately protect the signature from misuse. It stated that the current process has been in place since 2003 and has been improved and enhanced on a number of occasions to respond to concerns expressed by this Office, and also due to proactive changes by CPC to address the evolving privacy and security needs of its customers.
Station T Postal Outlet
- In light of the specific concerns raised by the complainant in this case, CPC confirmed that the label which is usually affixed to all electronic signature devices was in fact missing at the Station T postal outlet at the time of the individual’s complaint. CPC advised that the label was not placed on the new device when the former device was replaced. To correct the situation, CPC ensured that a label was affixed to the electronic signature device. It also provided a supply of labels to its service provider who repairs and replaces the devices, and sent a supply of labels out to all retail offices.
- During the course of the investigation, the complainant reported a second time that there was no label affixed to the device. CPC confirmed that the postal outlet had to replace its VeriFone devices, which required a new order of labels. During the transition, the devices were not equipped with CPC’s standard label; however, it reported that the situation has since been corrected.
Online Tracking Tool
- Our investigation also reviewed the security and privacy controls in relation to “Track” – CPC’s online tracking tool. Senders can track a package by entering the tracking number from the receipt or package (either 16 numeric digits, or 13 numeric and alphabetic characters), the Delivery Notice Card number (15 digits), or the Reference Number provided by the shipper and the shipping date.
- According to CPC, it uses a signature as confirmation that an individual has received a package, and displays the signature as part of the delivery certificate. The sender can save or print a copy of the JPEG signature image for their records, or contact CPC to request a hard copy of the signature.
- CPC submitted that a delivery certificate that includes a signature is a key element of the tracked services product – it is something that senders purchase, require, and expect as part of the service. Moreover, displaying the delivery certificate with a signature online is of value to CPC’s customers, and it is more convenient and efficient than having the sender call and request a hard copy from Customer Service.
OPC’s Preliminary Analysis
- In addition to our review of CPC’s representations during the investigation, this Office also provided its preliminary views to CPC in a letter dated November 10, 2014.
- In particular, we highlighted the following observations to CPC regarding the sticker affixed to CPC’s VeriFone devices and its current procedure for customers to opt-out of having their signature displayed online:
- While CPC submits that there is a current procedure in place for customers to opt-out of having their signature displayed online, we raised concerns that the procedure may not be sufficiently clear so as to ensure that addressees provide informed and meaningful consent.
- Based on the current wording of the sticker on the VeriFone device, we considered that most addressees would assume that signing the electronic signature device is the only option available as a condition to receive the parcel.
- While CPC submits that customers may avail themselves of “other options”, we considered that these options were not communicated in a clear, comprehensive, or easy-to-find manner. Based on the complaint received, we felt that there was no evidence to suggest that any of the other options available to customers were widely understood or communicated by CPC’s service representatives, or through other obvious instructions at CPC outlets.
- We also raised concerns to CPC regarding the privacy and security controls of its online tracking site, and specifically, that CPC had not adequately considered the inherent risks in the current functionality and design of the site to adequately safeguard customers’ signatures. Further to lab tests conducted by this Office, we highlighted the following concerns to CPC:
- the site does not use a secure protocol (“HTTPS”);
- the JPG signature image displayed online, while degraded, could be copied and manipulated using basic software; and
- the tracking numbers can easily be manipulated allowing for the retrieval of multiple delivery records, each potentially with signatures.
- We also noted that, whether the signature matches the one an individual uses in any other context or not, it is displayed in conjunction with other information on CPC’s tracking website to identify the addressee (name, the destination city). In our view, CPC should implement strategies to mitigate the risk of unauthorized access, use or disclosure of such information.
- Lastly, based on CPC’s submissions to this Office, we also questioned the overall necessity of capturing the addressee’s signature for the specific purpose of online parcel tracking by the sender. According to CPC, it uses a proprietary software to degrade the signature image; a watermark is included before the signature is displayed online; the validity of the signature is not verified; customers may opt-out of having their signature displayed online; and customers are not required to use a signature that matches the one they use in any other context. To this end, we questioned whether there may be less privacy-intrusive alternatives that would achieve the same end for CPC in providing the online parcel tracking service to its customers.
CPC’s Response to the OPC’s Preliminary Analysis
- In its response to this Office received on April 8, 2015, CPC maintained its position that the current process for individuals to opt-out of having their signature displayed online is upfront, effective and understood. Moreover, CPC submitted that addressees regularly exercise the choice of whether or not they want to have their signature posted on-line for the purpose of parcel tracking by the sender.
- To illustrate this, CPC provided statistical evidence that customers are in fact opting to have their signature suppressed from being viewed online. CPC submitted that over a 60-day period, more than 4,000 addressees opted out of making their signatures available online, and is of the view that customers do understand and exercise the choice to have their signature suppressed from online viewing. Moreover, CPC submitted that this product is somewhat unique as it provides addressees with the opportunity to interact directly at the point of collection with CPC delivery agents and/or retail clerks, where they can ask questions about the use or disclosure of their signature.
- In response to the concerns raised regarding the privacy and security controls of its online tracking site, CPC agreed that implementing the HTTPS protocol may help mitigate the overall risk to privacy. In addition, CPC advised our Office that it will undertake to enhance the security protections of signatures displayed online in order to mitigate the risks of misuse or inadvertent disclosure. CPC reported that relevant efforts are currently underway.
- In response to our question regarding the overall necessity of capturing a customer’s signature for the purpose of online parcel tracking, CPC stated that capturing a signature is a widely accepted and recognized industry standard. As a Crown Corporation, it has a commercial mandate and must conduct its operations on a financially self-sustaining basis, which includes leveraging technology and innovative means to meet its customers’ expectations. CPC submitted that it is critical that it keeps pace with other well-financed international competitors in terms of the value-added services that it offers to its customers. This includes continuing to capture a signature as part of the track-a-package product.
- CPC contended that implementing enhanced security features will adequately address the concerns expressed by this Office and allow CPC to achieve a balance in ensuring it meets its commercial mandate while protecting the privacy of its customers.
Application
- In making our final determination, we considered sections 3, 4, 7 and 8 of the Act.
- Section 3 of the Act defines personal information as information about an identifiable individual that is recorded in any form.
- Section 4 of the Act states that “no personal information shall be collected by a government institution unless it relates directly to an operating program or activity of the institution”.
- Paragraph 7(a) of the Act states that personal information shall not, without the consent of the individual to whom it relates, be used by the institution except for the purpose for which the information was obtained or compiled by the institution or for a use consistent with that purpose.
- The Act states that personal information can only be disclosed with an individual’s consent – subsection 8(1) – or in accordance with one of the categories of permitted disclosures outlined in subsection 8(2) of the Act.
Analysis of Facts and Issues
- An individual’s signature is recorded, can be attributed to an identifiable individual, is a personal identifier, and is more than just a name – it is an individual’s personal calligraphic expression of their name. Therefore, a signature is clearly personal information under section 3 of the Act.
- Consequently, any collection, use or disclosure of a customer’s signature by CPC must comply with the obligations under the Act.
Is CPC’s collection of the signature a contravention of the Act?
- Under the Canada Post Act, CPC is required to collect the signature of recipients of mail that is subject to the Special Services and Fees Regulations. CPC collects the signature as proof of delivery for registered mail, which is required by the Regulations; as proof of delivery to customers who have requested and paid for the service; and to meet the regulatory requirements of the Universal Postal Union’s Parcel Post Regulations.
- While the collection of the signature itself was not raised as an issue in this complaint, we are nevertheless satisfied that CPC’s collection of the signature as proof of delivery meets the requirements of section 4 of the Act, as the collection is an integral part of an operating program of the CPC and its mandate to establish and operate a postal service.
Is CPC’s disclosure of the signature to the sender of a parcel a contravention of the Act?
- CPC relies on paragraph 8(2)(a) of the Act to disclose an addressee’s signature to the sender of a parcel or mail as proof of delivery. Under the Act, an individual’s consent is not required to use or disclose personal information for the purpose for which it was obtained or compiled, or for a use consistent with that purpose.
- In our view, the disclosure of the signature for the purpose of parcel tracking by the sender is consistent with the purpose for which it was collected and is in line with the requirements of paragraph 8(2)(a) of the Act. Therefore, CPC is not required to seek consent for this purpose.
Is CPC’s disclosure of the signature online a contravention of the Act?
- Our investigation revealed that to facilitate parcel tracking, CPC created an online track-a-package service. We confirmed that CPC uses an electronic signature device to send a digitized image of the signature to its online tracking website. A label is affixed to the device to inform addressees that they can opt-out of having their signature visible online. If the addressee opts out, the sender of a parcel or mail can alternatively request that a paper copy of the delivery confirmation, which includes the signature, be sent to them via regular mail.
- In our view, the online parcel tracking service is simply a tool created by CPC to facilitate parcel tracking. Therefore, the disclosure of the signature to the sender of a parcel through the online tracking tool is also consistent with the purpose for which the signature was collected, and is in line with the requirements of paragraph 8(2)(a) of the Act. Consequently, CPC is not required under the Act to obtain consent to disclose the addressee’s signature to the sender of the parcel, including via its online tracking service.
- Maintaining control over one’s personal information is a fundamental privacy principle. Seeking consent is one way that organizations can empower individuals to exercise some degree of control over how their information is used and disclosed. While CPC is not required to obtain consent to disclose the signature for the purpose of parcel tracking by the sender (including online via the track-a-package service), it nevertheless offers addressees a choice to opt-out of having their signature displayed online in order to facilitate this purpose.
- Based on the concerns raised in the complaint, this Office presented its views to CPC regarding the current wording of the label affixed to the signature device with a view to clarifying that there is in fact an option available to addressees. While CPC did not agree to modify the wording of the label, this does not, in our view, render CPC in contravention of the Act, as we have determined that the disclosure of the signature for the purpose of parcel tracking, including via the online tracking tool, is consistent with the purpose for which it was collected by CPC.
Is CPC adequately safeguarding the digitized signature that is displayed online?
- Notwithstanding the above, given that CPC has leveraged technology to facilitate parcel tracking, it must also take steps to ensure that the digitized image of the signature which is displayed online is managed in accordance with the Act – which means that CPC must implement the appropriate controls to protect the digitized image of the signature from unauthorized access, use or disclosure. Following our examination of the security and privacy controls implemented to protect the digitized signatures displayed online, we were not satisfied that CPC had adequately considered the inherent risks in the current functionality and design of the site to adequately safeguard addressees’ signatures.
- As a result of the concerns we raised to CPC, we are pleased to note that CPC has committed to strengthening its online tracking website by implementing specific privacy and security controls. In particular, CPC agreed to implement the HTTPS protocol to mitigate the overall risk to privacy. At the time of writing this Report, we confirmed that HTTPS level security is now in place on CPC’s website. In addition, we confirmed that relevant efforts are underway by CPC to enhance the security and privacy protections of signatures displayed online.
Findings
- Based on the above, we are satisfied that CPC’s collection of the signature for the purpose of parcel tracking by the sender meets the requirements of section 4 of the Act.
- We are also satisfied that disclosure of the signature for the purpose of parcel tracking by the sender meets the requirements of subsection 8(2)(a) of the Act. What this means is that CPC is not required to seek consent in order to disclose an addressee’s signature to the sender for the purpose of parcel tracking – including via the online tracking tool. While addressees are offered a choice of whether or not they want their signature displayed online, we are nevertheless satisfied that disclosure of the signature for the purpose of parcel tracking by the sender is consistent with the purpose for which it was collected and consent is therefore not required. Consequently, there is no obligation under the Act for CPC to modify the language of the label affixed to the electronic signature device.
- Based on the above, we have concluded that this aspect of the complaint is not well-founded.
- Notwithstanding, we were not satisfied that CPC implemented adequate controls to mitigate the risks for unauthorized access, use or disclosure of the digitized signatures displayed online. In our view, this creates an increased vulnerability for the personal information of addressees, including an increased risk for the unauthorized disclosure of an addressee’s signature which would render CPC in contravention of section 8 of the Act.
- As CPC accepted the recommendations made by our Office and is well-advanced in the implementation of the controls identified to enhance the protection of the signature online, we have concluded that this aspect of the matter is conditionally resolved.
- We ask that CPC follow up with our Office in 6 months to confirm its progress in the implementation of the privacy and security controls highlighted during this investigation.
Other
- As CPC’s general practice is to provide customers with the option to decline having their signature displayed online, we take this opportunity to remind CPC that it should then take steps to ensure consistency across its postal outlets by verifying that labels are in fact affixed to all signature devices. Moreover, given that CPC asserts that the current process provides addressees with the opportunity to interact directly at the point of collection with CPC delivery agents and/or retail clerks, we also encourage CPC to take measures to ensure that its staff are aware of the procedures and are able to sufficiently answer questions about the use and/or disclosure of customers’ signatures.
- In addition, while we have determined that the collection, use and disclosure of an addressee’s signature for the purpose of parcel tracking by the sender meets the requirements of the Act, we nevertheless take this opportunity to again raise a general question regarding the overall necessity of capturing a signature for the specific purpose of online parcel tracking. Despite CPC’s representations on this question, we maintain that it is not clear what added benefit there is for this specific use of the signature given that CPC offers addressees a choice to opt-out of having their signature visible online, they are not required to use the signature they use in any other context, and the signatures are modified (watermark).
- We understand that CPC has a commercial mandate to conduct its operations on a financially self-sustaining basis, which includes leveraging technology and being innovative to keep pace with its competitors; however, it is nevertheless an institution subject to the Act and must meet its obligations to protect the personal information it collects, uses and discloses for its operating programs and activities. While we are pleased that CPC has committed to enhancing the security features of its online tracking site, there may be other, less privacy-intrusive alternatives that would achieve the same end for CPC in providing the online parcel tracking service to its customers, and we would encourage CPC to reevaluate the necessity of capturing the signature for this purpose.