Privacy International warns of public transit card hazards

Travelers' private information is handed over to law enforcement agencies on a voluntary basis, organization says

Public transportation companies and authorities in the U.S., Canada and South Africa hand over private information about travelers gathered by electronic ticketing systems to law enforcement agencies on a voluntary basis, Privacy International said Monday.

"Every single authority and company we have spoken to so far has shocking practices," said Eric King, Privacy International's head of research. His organization is polling 48 transport authorities and companies operating transport services across the world, requesting data on how they deal with private information such as addresses and travel patterns linked to public transport chip cards.

So far, five organizations have responded, he said, adding that he did not want to disclose which organizations responded. "We don't want to penalize them for responding quickly," he said.

"In New York, the data on cards is stored for 120 days," King said, adding that the police there are not required to have a warrant to access information stored on cards used for the subways. This is a threat to travelers' privacy, he noted, adding that there is very little legislation anywhere that addresses electronic payment systems for trams, subways, trains and buses.

"The problem with smart cards is that they record a very fine grain of information," King said. The information held about users of the London Oyster card include, for example, address, telephone number, full name, email address and password, as well as the encrypted bank details of customers who purchase Oyster products using a debit or credit card, according to Privacy International.

In addition, the Oyster system also records the location, date and time of any trips validated by the transport cards, Privacy International pointed out. This information can be linked to personal data of users who pay for transport cards with credit or debit cards.

Transport for London (TfL), the government agency responsible for the Oyster card, retains customer names and contact details for two years after a customer uses a card for the last time, according to Privacy International. Details of debit and credit cards used to purchase an Oyster product are stored for a maximum of 18 months, the organization said.

During the first two months of 2012, TfL handled 264 requests from enforcement agencies, Privacy International's King said. TfL did not immediately respond to a request for comment.

London's Oyster card and New York's MetroCard have dozens of counterparts abroad, including the Clipper Card in San Francisco, the Octopus card in Hong Kong and the OV chip card in the Netherlands. These systems also retain data including names, addresses, phone numbers, email and credit card details, Privacy International said.

Personal information gathered by companies like TfL is very sensitive and can often be accessed by law enforcement agencies without a warrant, King said. Although law enforcement requests under the U.K. Data Protection Act (DPA) require evidence of relevant legislation or a court order, the situation is different in other countries, King said.

Conflicting laws led to privacy concerns during the introduction of the OV-chip card in the Netherlands, said Anita Hilhorst, spokeswoman for Trans Link Systems (TLS), an organization that was founded by the five largest Dutch public transport companies to implement a single payment system for public transport.

"We started with seven years of data retention at the request of the ministry of Finance," Hilhorst said. Later, the retention period was reduced to two years and after an audit by the Dutch Data Protection Authority, the retention period was reduced further to 18 months, she added.

Law enforcement agencies request OV-chip card data "a couple of times a week," said Hilhorst. The type of information depends on the request and cannot be disclosed by TLS, she said. One reason law enforcement requests OV-chip card data is to track down missing persons, she said. "Those requests are to be handled with great urgency," she said.

Privacy International's main goal is to warn travelers using public transit chip cards that their privacy could be in jeopardy due to legislative shortcomings and the data hunger of law enforcement agencies, King said. "We want to convince companies and authorities to demand a warrant," when law enforcement authorities request private data, he added.

Law enforcement agencies always want to increase the amount of data they can access, according to King. In the U.K., for instance, the new Draft Communications Data Bill, if passed, could be used to increase law enforcement access to personal data of travelers, he said. "The police say the amount of data they can access has been reduced over the years," he said. However, according to Privacy International, the personal data that can be accessed by law enforcement has only grown due to the introduction of the new electronic systems that store and track customer information.

Travelers who are worried about their privacy are advised to "always try and use a prepaid chip card paid for with cash," said King. Using electronic transit cards in that way makes it possible to travel anonymously. Concerned E.U. travelers can also file a subject access request that requires European data processors to disclose what personal data they store, King added.

Privacy International plans to disclose more responses from transit authorities and companies on its website in the future. The organization has polled organizations in English, Spanish, Portuguese and French speaking countries, which will be given another month or so to respond, King said.

Loek is Amsterdam Correspondent and covers online privacy, intellectual property, open-source and online payment issues for the IDG News Service. Follow him on Twitter at @loekessers or email tips and comments to loek_essers@idg.com

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags securityprivacyIdentity fraud / theft

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Loek Essers

IDG News Service
Show Comments

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Laura Johnston

MSI GS65 Stealth Thin

If you can afford the price tag, it is well worth the money. It out performs any other laptop I have tried for gaming, and the transportable design and incredible display also make it ideal for work.

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?