Mar 09 2018

If you build a surveillance system, the police will come.

There’s a cautionary tale for people who travel by public transit in the latest report on collaboration with Canadian police by the Toronto regional transit agency, Metrolinx.

If you build a system that keeps personally-indentifiable logs of when and where people go, eventually the police will want to exploit those logs for their own purposes — regardless of the original purpose for which the data was collected, or the policies that, at the time the data was collected, purported to restrict how it would later be used.

Like many public transit agencies in the USA, Metrolinx allows riders to use the same RFID-chipped stored-value farecard — called “PRESTO” in Toronto — to pay for travel on buses, subways, streetcars,  and commuter trains through the metropolitan area.

The system could be designed so that the value of the card is stored on the card, and the fare for each trip is deducted from the value stored on the card when the trip is completed.

Neither a central registry of cards and card values, logs of card usage, nor information linking cards to individual identities are necessary for fare payment or transit operations. But all of those features, with their surveillance potential, are designed and built into the system.  Most regional transit farecard systems in the US work the same way.

The latest report is that Metrolinx handed over travel logs and information identifying transit riders to law enforcement agencies, including agencies as far away as Edmonton, without asking for warrants or court orders or notifying the subjects of the data.

A Metrolinx spokesperson told the Toronto Star that, “in the ‘vast majority’ of cases, the information the agency divulged was either the card users’ partial trip history, or contact information such as their name and address.”

Any US transit agency that identifies riders and logs their movements could do the same. The only meaningful “Do Not Track” is “Do  Not Collect”.

Some transit systems allow farecards like this to be purchased anonymously. Others require them to be registered and linked to personally identifying information, or make certain fares or discounts, such as discounts for students, senior citizens, or people with disabilities, available only to those using registered and personally identifiable farecards.

In the Toronto area, 2.3 million of the 3.5 million PRESTO cards have been registered with Metrolinx so that the logs of when and where they are used are linked to the identities of the purchasers.

Metrolinx revised its privacy policy, after the Toronto Star reported that the agency had been “sharing” travel logs and information identifying passengers with police, sometimes without asking for warrants.  But that’s too little, too late. Policies can be ignored, violated, or revised after the fact in cases of real, imagined, or invented exigency. Metrolinx didn’t tell transit riders when the agency ratted them out to police, so there is no guarantee that the agency’s actions would ever be reviewed by courts.

What can be done? The lesson of what happened in Toronto is that policies cannot protect you against police who want information about you, and other government agencies that have collected information about you and are willing to collaborate with the poilice.

Pay cash for your tickets, travel anonymously, and insist on your right to do so.

2 thoughts on “If you build a surveillance system, the police will come.

  1. The article makes it sound like the chicken or the egg.

    I think the idea was to build the surveillance system from the beginning,

    Panopticon – the few watch the many.

    Synopticon – the many watch the few.

    Banopticon – some are not allowed to participate.

    A dense network of overlapping and connected authorities.
    Watching the individual close up, 24/7.

    Under the guise of the individual being predictable.

  2. I can’t speak to the Toronto system. Here in Chicago most likely part of the reason for using chipped cards rather than magnetic stripe cards was the desire to outsource the entire system. They engaged a third party, Ventra, who (I believe) didn’t see enough money in just providing transit cards. As a result the card was offered as a dual transit/debit card. The debit card side was always a bad deal for the consumer, as it was loaded with usage fees, but a great deal for Ventra. They’re now dropping the MasterCard co-branding, so apparently Ventra wasn’t getting enough people willing to pay the excessive fees. Unfortunately, they will still require registration in exchange for the ability to reload the card online or from their app, as well as for the ability to be included in reduced fare categories. I’m guessing this will be another bad deal for Chicago, in which Ventra will pull out as soon as their contract expires, since clearly the venture isn’t working out for them as they had hoped. What will happen to the logs is anybody’s guess.

Leave a Reply

Your email address will not be published. Required fields are marked *