Public transportation companies and authorities in the U.S., Canada and South Africa hand over private information about travelers gathered by electronic ticketing systems to law enforcement agencies on a voluntary basis, Privacy International said Monday.
"Every single authority and company we have spoken to so far has shocking practices," said Eric King, Privacy International's head of research. His organization is polling 48 transport authorities and companies operating transport services across the world, requesting data on how they deal with private information such as addresses and travel patterns linked to public transport chip cards.
So far, five organizations have responded, he said, adding that he did not want to disclose which organizations responded. "We don't want to penalize them for responding quickly," he said.
"In New York, the data on cards is stored for 120 days," King said, adding that the police there are not required to have a warrant to access information stored on cards used for the subways. This is a threat to travelers' privacy, he noted, adding that there is very little legislation anywhere that addresses electronic payment systems for trams, subways, trains and buses.
"The problem with smart cards is that they record a very fine grain of information," King said. The information held about users of the London Oyster card include, for example, address, telephone number, full name, email address and password, as well as the encrypted bank details of customers who purchase Oyster products using a debit or credit card, according to Privacy International.
In addition, the Oyster system also records the location, date and time of any trips validated by the transport cards, Privacy International pointed out. This information can be linked to personal data of users who pay for transport cards with credit or debit cards.
Transport for London (TfL), the government agency responsible for the Oyster card, retains customer names and contact details for two years after a customer uses a card for the last time, according to Privacy International. Details of debit and credit cards used to purchase an Oyster product are stored for a maximum of 18 months, the organization said.
During the first two months of 2012, TfL handled 264 requests from enforcement agencies, Privacy International's King said. TfL did not immediately respond to a request for comment.
London's Oyster card and New York's MetroCard have dozens of counterparts abroad, including the Clipper Card in San Francisco, the Octopus card in Hong Kong and the OV chip card in the Netherlands. These systems also retain data including names, addresses, phone numbers, email and credit card details, Privacy International said.
Personal information gathered by companies like TfL is very sensitive and can often be accessed by law enforcement agencies without a warrant, King said. Although law enforcement requests under the U.K. Data Protection Act (DPA) require evidence of relevant legislation or a court order, the situation is different in other countries, King said.
Conflicting laws led to privacy concerns during the introduction of the OV-chip card in the Netherlands, said Anita Hilhorst, spokeswoman for Trans Link Systems (TLS), an organization that was founded by the five largest Dutch public transport companies to implement a single payment system for public transport.
"We started with seven years of data retention at the request of the ministry of Finance," Hilhorst said. Later, the retention period was reduced to two years and after an audit by the Dutch Data Protection Authority, the retention period was reduced further to 18 months, she added.
Law enforcement agencies request OV-chip card data "a couple of times a week," said Hilhorst. The type of information depends on the request and cannot be disclosed by TLS, she said. One reason law enforcement requests OV-chip card data is to track down missing persons, she said. "Those requests are to be handled with great urgency," she said.
Privacy International's main goal is to warn travelers using public transit chip cards that their privacy could be in jeopardy due to legislative shortcomings and the data hunger of law enforcement agencies, King said. "We want to convince companies and authorities to demand a warrant," when law enforcement authorities request private data, he added.
Law enforcement agencies always want to increase the amount of data they can access, according to King. In the U.K., for instance, the new Draft Communications Data Bill, if passed, could be used to increase law enforcement access to personal data of travelers, he said. "The police say the amount of data they can access has been reduced over the years," he said. However, according to Privacy International, the personal data that can be accessed by law enforcement has only grown due to the introduction of the new electronic systems that store and track customer information.
Travelers who are worried about their privacy are advised to "always try and use a prepaid chip card paid for with cash," said King. Using electronic transit cards in that way makes it possible to travel anonymously. Concerned E.U. travelers can also file a subject access request that requires European data processors to disclose what personal data they store, King added.
Privacy International plans to disclose more responses from transit authorities and companies on its website in the future. The organization has polled organizations in English, Spanish, Portuguese and French speaking countries, which will be given another month or so to respond, King said.
Loek is Amsterdam Correspondent and covers online privacy, intellectual property, open-source and online payment issues for the IDG News Service. Follow him on Twitter at @loekessers or email tips and comments to [email protected]