Last week 404 Media published a report by Joseph Cox on how the New York Metropolitan Transit Agency’s website can be used as a remote stalking tool: anyone who knows a credit card number that was used to purchase or add value to an OMNY transit farecard could view a historical log of the last seven days of trips taken using the card, including the dates, times, and locations where the card was read at subway entrances or boarding buses.
Less than 24 hours after this report was published, this “feature” was removed from the MTA website.
But that doesn’t solve the problem.
The main problem with the MTA payment system — and similar systems in other cities — isn’t that anyone could access your trip history by typing in your credit card number (which every waiter you ever bought a meal from with that credit card has access to, and every domestic violence abuser in your household also knows).
The real problem is that the MTA transit system is building a permanent database of all your trips, period. The MTA is still logging transit passengers’ movements, and those logs are still available to the MTA itself, police, anyone the MTA chooses to share them with, or anyone who hacks into the TSA’s records.
If the MTA didn’t collect this data in the first place, there would be no way for anyone to abuse it.
Vendors of payment systems for transit don’t tend to care at all about traveler privacy — probably because their customers, the transit systems, also don’t care about traveler privacy.
Ordinary transit payment systems of a few decades ago involved paying cash, which is hard to trace. Those have gradually been replaced by electronic farecards with back-end databases that centrally record every trip.
For example, the San Francisco BART system used to let you buy a paper card with cash to take a trip. It made a record of every trip you made with that card, but you could buy a new card for each trip, so that there would be no link between one trip and the next. Or you could buy, say, a $20 card, and buy a new card when you used up that $20 in stored value. There was no link between one card and the next card you might buy for cash, and no surcharge or penalty for buying a new card for each trip or as often as you liked.
Now BART requires you to buy a reloadable plastic Clipper card that ties all your trips together in the database, or pay your fare with a smartphone app. Either the Clipper card or the smartphone app is tied to any credit card number that you use to buy or put value on the card or app account. The stored-value card thus ties each and every one of your subway trips into your entire financial history. BART has gradual removed all of its existing infrastructure for reading and issuing the paper cards, thus moving all of its riders into fully-tracked status.
You can buy a Clipper card for cash, but there’s a $3 fee for each new card — as much as the price of some BART rides — to discourage you from buying a new card for each trip, the way you could with paper cards. The $3 fee for a new Clipper card is waived if you link your Clipper card to a bank account or credit card, making it clear that the $3 fee is intended as an explicit price for partially opting out of some but not all tracking.
This trend in transit isn’t an isolated instance. Toll collection systems for motor vehicle drivers have gone the same route, eliminating cash payment of tolls. Once they established vehicle tracking systems to collect toll payments, they started adding readers along other highways that don’t charge you anything, but record the number of your E-ZPass, FasTrak, or similar sensor for other purposes like monitoring traffic flow — and, of course, warrantless police surveillance.
The US Federal government has given a big push to traveler tracking systems since the formation of the Transportation Security Administration. Currently, the identity of every passenger on a commercial airline must be reported in advance to the TSA. An airline can be fined or have its operating license revoked if it transports a passenger without getting an affirmative “OK to board that passenger on that plane” permission response from the TSA.
This system goes by different names for domestic flights and for international flights, but the systems work the same. These systems were built for the purpose of preventing “presumed-evil” citizens from traveling in their own country, on the basis of “pre-crime” predictions. There are no “pre-cogs” in the real-world, and this system is useless for any safety or security purpose, but it is useful to the government as a tool of discrimination, surveillance, and control.
Requiring travelers to identify themselves also enhances airlines’ revenues by helping them prevent people from reselling tickets or using tickets bought by others, as used to be common. Here as in other aspects of airline and airport operations, there’s a malign convergence of interest between government agencies’ interest in automated surveillance and control and the travel industry’s interest in automation for labor saving and profiling.
Airline reservation-viewing and check-in websites and apps, like the MTA website, are easy to exploit as remote stalking apps. Read the last name of the passenger and the reservation “record locator” printed on the tag stuck on a piece of luggage by the airline, and you can view their entire itinerary, including their return flight schedule, without their knowledge, on the airline’s website or in its app.
The TSA is, of course, building a central database of all international and some (as many as it chooses) domestic airline trips, and making that database available to other parts of the Federal government such as the classified spy agencies, the FBI and other Federal police agencies, and probably the state/federal police “fusion centers”.
Better not to collect logs of travelers’ movements in the first place. If systems are designed to respect the right to travel anonymously, travelers can’t be tracked and travel logs that don’t exist can’t be misused. Anonymity and “Do Not Collect” are fundamental to our freedom to travel.
Building automated infrastructure for totalitarian monitoring and control of citizens’ movements will not end well.