Privacy International warns of public transit card hazards

Travelers' private information is handed over to law enforcement agencies on a voluntary basis, organization says
  • (IDG News Service)
  • — 29 October, 2012 16:55

Public transportation companies and authorities in the U.S., Canada and South Africa hand over private information about travelers gathered by electronic ticketing systems to law enforcement agencies on a voluntary basis, Privacy International said Monday.

"Every single authority and company we have spoken to so far has shocking practices," said Eric King, Privacy International's head of research. His organization is polling 48 transport authorities and companies operating transport services across the world, requesting data on how they deal with private information such as addresses and travel patterns linked to public transport chip cards.

So far, five organizations have responded, he said, adding that he did not want to disclose which organizations responded. "We don't want to penalize them for responding quickly," he said.

"In New York, the data on cards is stored for 120 days," King said, adding that the police there are not required to have a warrant to access information stored on cards used for the subways. This is a threat to travelers' privacy, he noted, adding that there is very little legislation anywhere that addresses electronic payment systems for trams, subways, trains and buses.

"The problem with smart cards is that they record a very fine grain of information," King said. The information held about users of the London Oyster card include, for example, address, telephone number, full name, email address and password, as well as the encrypted bank details of customers who purchase Oyster products using a debit or credit card, according to Privacy International.

In addition, the Oyster system also records the location, date and time of any trips validated by the transport cards, Privacy International pointed out. This information can be linked to personal data of users who pay for transport cards with credit or debit cards.

Transport for London (TfL), the government agency responsible for the Oyster card, retains customer names and contact details for two years after a customer uses a card for the last time, according to Privacy International. Details of debit and credit cards used to purchase an Oyster product are stored for a maximum of 18 months, the organization said.

During the first two months of 2012, TfL handled 264 requests from enforcement agencies, Privacy International's King said. TfL did not immediately respond to a request for comment.

London's Oyster card and New York's MetroCard have dozens of counterparts abroad, including the Clipper Card in San Francisco, the Octopus card in Hong Kong and the OV chip card in the Netherlands. These systems also retain data including names, addresses, phone numbers, email and credit card details, Privacy International said.

Personal information gathered by companies like TfL is very sensitive and can often be accessed by law enforcement agencies without a warrant, King said. Although law enforcement requests under the U.K. Data Protection Act (DPA) require evidence of relevant legislation or a court order, the situation is different in other countries, King said.

Conflicting laws led to privacy concerns during the introduction of the OV-chip card in the Netherlands, said Anita Hilhorst, spokeswoman for Trans Link Systems (TLS), an organization that was founded by the five largest Dutch public transport companies to implement a single payment system for public transport.

"We started with seven years of data retention at the request of the ministry of Finance," Hilhorst said. Later, the retention period was reduced to two years and after an audit by the Dutch Data Protection Authority, the retention period was reduced further to 18 months, she added.

Law enforcement agencies request OV-chip card data "a couple of times a week," said Hilhorst. The type of information depends on the request and cannot be disclosed by TLS, she said. One reason law enforcement requests OV-chip card data is to track down missing persons, she said. "Those requests are to be handled with great urgency," she said.

Privacy International's main goal is to warn travelers using public transit chip cards that their privacy could be in jeopardy due to legislative shortcomings and the data hunger of law enforcement agencies, King said. "We want to convince companies and authorities to demand a warrant," when law enforcement authorities request private data, he added.

Law enforcement agencies always want to increase the amount of data they can access, according to King. In the U.K., for instance, the new Draft Communications Data Bill, if passed, could be used to increase law enforcement access to personal data of travelers, he said. "The police say the amount of data they can access has been reduced over the years," he said. However, according to Privacy International, the personal data that can be accessed by law enforcement has only grown due to the introduction of the new electronic systems that store and track customer information.

Travelers who are worried about their privacy are advised to "always try and use a prepaid chip card paid for with cash," said King. Using electronic transit cards in that way makes it possible to travel anonymously. Concerned E.U. travelers can also file a subject access request that requires European data processors to disclose what personal data they store, King added.

Privacy International plans to disclose more responses from transit authorities and companies on its website in the future. The organization has polled organizations in English, Spanish, Portuguese and French speaking countries, which will be given another month or so to respond, King said.

Loek is Amsterdam Correspondent and covers online privacy, intellectual property, open-source and online payment issues for the IDG News Service. Follow him on Twitter at @loekessers or email tips and comments to loek_essers@idg.com

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Loek Essers

IDG News Service
Topics: security, Identity fraud / theft, privacy
Comments are now closed.

Latest News Articles

Most Popular Articles

Follow Us

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Resources

Best Deals on GoodGearGuide

Compare & Save

Deals powered by WhistleOut
Use WhistleOut's technology to compare:
Mobile phone plans & deals
Mobile phone models
Mobile phone carriers
Broadband plans & deals
Broadband providers
Deals powered by WhistleOut
WhistleOut

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?