MTA Website Doles Out Rider History Data With Just A Credit Card Number
from the watching-you,-watching-me dept
We’ve noted for years how there’s no shortage of companies and organizations that over-collect data on your daily movement patterns, then fail to adequately secure that data. Whether it’s your mobile phone carrier, your smartphone maker, your favorite app, or a rotating crop of dodgy data brokers, our corrupt failure to pass even a baseline privacy law for the Internet era is the gift that keeps on giving.
A lack of regulatory oversight of data collection has normalized lazy data practices everywhere you look. Case in point: Joseph Cox at 404 Media discovered that in NYC, the MTA’s OMNY contactless payment system easily spews out a rider’s detailed subway ridership history if you plug in a user’s credit card number, which can often be obtained via the dark web:
“Obviously this is a great fit for abusers who live with their victims or have physical access, however brief, to their wallets,” Eva Galperin, the director of cybersecurity at activist organization the Electronic Frontier Foundation (EFF) and who has extensively researched how abusive partners use technology, told 404 Media. “Credit card info is not a goddamn unique identifier.”
This could have easily been avoided with a simple PIN or password. While OMNY users can sign up for a password-protected account, the system defaults to the no password, no authentication option. 404 Media points to a 2019 study by the Surveillance Technology Oversight Project (STOP) that expressed concerns that the payment system could be easily abused:
“Given how often government agencies, including the New York Police Department (‘NYPD’), have abused surveillance data to target ethnic and religious minorities and how for-profit corporations face overwhelming pressure to monetize user data, OMNY has the potential to expose millions of transit users to troubling repercussions”
New York City is also taking heat for its longstanding Wi-Fi kiosk program LinkNYC, which still non-transparently over-collects the data of users and passersby alike despite years of complaints by privacy activists.
There are two major reasons we don’t have even a basic privacy law for the internet era that holds governments, organizations, and corporations accountable for lazy security practices. One, the data collection is immensely profitable to just an ocean of companies and industries which lobby against reform in unison. Two, it routinely allows the government to avoid having to get pesky warrants.
It’s not clear how many privacy scandals we need to bear witness to before real reform actually occurs, but it’s abundantly clear we’re going to be waiting a long while.
Filed Under: location data, mta, nyc, privacy, security, subway
Companies: mta


Comments on “MTA Website Doles Out Rider History Data With Just A Credit Card Number”
2019? People were concerned about this when MetroCards became available in 1993, and some advised sticking to cash or tokens for that reason. Of course, MetroCard was not the earliest such system, and the same discussions had already happened elsewhere.
Financial pressure has been used to push these people toward surveillance. Sure, they could use cash, but on many transit systems that costs a lot more. Especially if monthly passes, or an equivalent—like “rides are free after paying via card on 15 days in a month”—require surveillance. That’s much more significant than something like one percent cash-back from a credit card, which is already enough to make people sell their privacy.
Non-surveilling methods are also made inconvenient: cash accepted only at certain stations or times, exact change requirements, etc.
That statement shows why a privacy law won’t work: the same is true of people in countries that do have such laws. One can get the credit card numbers of a European via the dark web too. And who seriously thinks that a transit company is gonna have better security than the credit card companies, who have been fighting off attacks—with financial consequences—for years? I’m sure many transit payment systems have already been compromised, and some of these compromises haven’t yet been noticed or fixed—especially if it’s only data being copied, not money or rides being taken.
Unfortunately, these new concerns are likely coming too late. Every decade, we’ve been reliably failing to convince people of the threat. We could’ve been more vocal in 1993 when MetroCard was launched, in 2003 when tokens were discontinued, in 2013 when Snowden revealed that everyone was spying on everything. Can we convince people to go back to cash in 2023? For now, we can still go into any bank and get a roll of quarters and stack of dollar bills to make exact change. That may not be true in 2033.
(‘Cause, again, no credit card company or transit system is gonna redesign their system for anonymity and give up this profitable data, no privacy law is gonna fix the leaks, and there’s no reason to think we’re about to design an unbreakable computer system.)
Re:
By the way, there’s nothing “easy” or “simple” about requiring a PIN or password. How’s that gonna work? An anonymous person buying a card with cash from a kiosk is gonna be prompted to use an on-screen keyboard to set a password? There will be no end of confusion, resulting in them calling for help. For people buying in person from an agent, the agent will be met with blank stares when they ask for a PIN or password to be set. They’ll give a little speech about the reasons; people with poor English skills still won’t understand, and others will say “I don’t think I’ll ever need that”, and the agent will have to skip the step or force them to set something anyway.
Then, if the password isn’t required every time they use the card (do we really want everyone typing passwords at turnstiles?), they’ll forget it by the time they ever think to download their history. And we’ll need a password reset procedure.
A compromise would be to leave the cards passwordless when sold, and only allow people to view the history for trips made after they’ve set a password. But the only way this data doesn’t leak is if it doesn’t exist in the first place, and can’t exist. That means a cash-like system, which co-incidentally brings us back exactly one more decade to 1983: see “Blind Signatures for Untraceable Payments” by David Chaum.
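The compromise described in the comment above (no history from a card number alone, and only trips made after a password was set), sketched as an added example that is not part of the original thread or any MTA code. `HistoryService`, `card_id` and the sample trips are hypothetical, and the sketch assumes the password is set through a channel that proves possession of the card.

```python
import hashlib
import hmac
import os


def _kdf(password: str, salt: bytes) -> bytes:
    # Slow, salted hash so a stolen table does not reveal passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)


class HistoryService:
    """Hypothetical trip-history backend; card_id is an opaque card token."""

    def __init__(self):
        self._trips = {}   # card_id -> [(unix_time, station)]
        self._creds = {}   # card_id -> (salt, hash, time password was set)

    def record_trip(self, card_id, when, station):
        self._trips.setdefault(card_id, []).append((when, station))

    def set_password(self, card_id, password, now):
        # Assumption: the caller has already proven possession of the card.
        if card_id in self._creds:
            raise PermissionError("password already set; use a reset flow")
        salt = os.urandom(16)
        self._creds[card_id] = (salt, _kdf(password, salt), now)

    def history(self, card_id, password=None):
        cred = self._creds.get(card_id)
        # The card number alone is never an authenticator: no password on
        # file, or none supplied, yields the same empty answer.
        if cred is None or password is None:
            return []
        salt, stored, set_at = cred
        if not hmac.compare_digest(_kdf(password, salt), stored):
            return []
        # Trips made before the password existed stay hidden for good.
        return [t for t in self._trips.get(card_id, []) if t[0] >= set_at]


if __name__ == "__main__":
    svc = HistoryService()
    svc.record_trip("card-1", 100, "Station A")     # constructed sample data
    svc.set_password("card-1", "correct horse", now=200)
    svc.record_trip("card-1", 300, "Station B")
    print(svc.history("card-1"))                    # card number only
    print(svc.history("card-1", "correct horse"))   # authenticated
```

Unknown cards, missing passwords and wrong passwords all return the same empty list, so a lookup does not confirm whether a given card has any recorded trips.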
Re: Re:
If you buy a metro card there is no reason to connect it to a credit card. When you need a refill, swipe it, enter amount, swipe credit card – metro card good to go again. There is zero need to connect the metro card to a credit card in that use case. The option here is to connect your metro card to an account so you can add funds to it online etc.
If on the other hand your credit card is your metro card the prudent thing here is that you need to create an account to access the travel history.
And that is how it works with the metro system I use.
Re: Re: Re:
Umm… “swipe credit card”? It seems rather naïve to think the transit card won’t then be connected to the credit card in some database. Of course, if you’re not extremely careful, your travel records alone could de-anonymise you.
Re: Re: Re:2
I guess you always pay in cash then? At some point you have to give companies some trust when you pay with a credit card.
Since I currently live in the EU there’s an added incentive for companies to keep my personal data secure unless they want to break the GDPR and be slapped by hefty fines.
Re:
How did Ben Franklin state it? Something like “Those who would trade their privacy for financial convenience deserve neither.” I think that was it….
Re: Re:
“The problem with quotes on the Internet, is that it is hard to verify their authenticity” -Abraham Lincoln
You know how many libraries stopped keeping histories of who checked out what item? Maybe that’s the right approach. Of course libraries and transit systems need to know general usage stats to manage their services, but do they need to know exactly who is reading or riding?
Re:
That’s always the excuse. Before about 1990, they’d collect data with simple infrared person-counters over bus doors, station entrances, etc. Now that they sometimes know literally every transfer a person makes, and where they exit, where’s our transit utopia? If the new data is better, the difference is marginal.
Anyone who rides transit regularly—or drives a bus or works at a station—could identify areas for improvement, if the transit agencies cared to listen. But, actually, many people have described difficulty in making them care. I used to ride a packed bus every day. When it filled up, the driver would call it in, and the next time the schedules were updated, there would be zero additional buses on the route. When I complained, I was told they’d consider my comments; but the frequency never came below 12 minutes, which was not frequent enough. (Luckily, my stops were located such that I could usually squeeze on, unlike the unfortunate people who’d then watch us drive by.)
Now I bike, and can get around without being tracked—at maybe 20% of the cost, amortized. Unfortunately, there’s still winter, and general bad weather, which means that whenever I do take transit, the service is at its most delayed and most crowded.
Libraries hardly need much data at all, so it was easy for them to store less. For each book, they can record how often it was out vs. available, what the general waitlist size looked like, maybe which proportion of the borrowers were children. Unfortunately, their computer systems still hold highly personal data at any given time, and possibly for much longer if their security is breached (by “lawful access” or otherwise). I say they should return to paper for the most part. It’s hard to remotely steal all the library records that way, and easy to destroy them when a book’s returned.
Re: Re:
That data isn’t how they actually decide how to route, where to open new routes/stops, and where to shut them down. So no, even a marginal difference would be like fantasyland.
Re: Re:
You’re right about it always being the excuse. So if they aren’t using the extremely detailed data to improve service, then they certainly won’t mind being required to not collect it and fall back to aggregate usage statistics, right? I’m sure the decision makers and elected officials in charge of the budget for public transit systems across the country care deeply about the public’s opinions and have only the public’s best interests– Just kidding.
Librarians are okay in my book, though, pun intended. One time I obtained a pdf of a very expensive and hard to find book which was missing two pages. I looked it up on WorldCat and started emailing libraries, and every single one of them got back to me even if they couldn’t help. The sixth or seventh library I tried responded with apologies that they don’t offer scanning services, but attached a scan of the two pages anyway. I love librarians.