FareBot: reading ORCA cards on Android

Seattle’s ORCA card is a contactless stored-value card for transit applications delivered by Vix ERG. ORCA cards use a MIFARE DESFire chip, and are accepted by seven Seattle-area transit agencies, which use the card for both stored value and passes. Now, thanks to Eric Butler’s FareBot app (source on GitHub) for Android, Google Nexus S users can read data (including transaction histories) from their ORCA cards using the Nexus S’s NFC support. With NFC support, the Nexus S is able to not only read from and write to contactless smart cards, but also emulate a contactless smart card. In this application, the Nexus S is being used as a card reader.

It’s important to point out that you can’t do any of this with an account-based system (such as those proposed for open payment), because then the card contains no real data—instead, it serves only as a token to identify the account. You also can’t do this with a card—whether it may be Cubic’s GO CARD or Sony’s FeliCa—which does not comply with the ISO 14443 standard and thus cannot be read by an NFC-enabled device. While Cubic’s Tri-Reader supports the GO CARD modulation format, and many Sony PCs (among other devices) support the FeliCa modulation format, that’s far from true interoperability.

However, while the ISO 14443 specification ensures that any compliant card can be used with any compliant reader, it says nothing about the data stored on the card. That’s where the real work behind FareBot is—in decoding the data stored on the card to be able to display it in a useful format. This isn’t just a toy for geeks, either; apps like FareBot have real-world value. For example, say you’re riding a proof-of-payment system, and a fare inspector stops you. You present your card, and they tell you their device can’t read it. Instead of trying again, or trying a different device, they start writing you a ticket for non-payment (and don’t think it couldn’t happen). Imagine if you could then pull out your phone, tap your card, and show the fare inspector that you’d just touched in on a platform validator. The fare inspector doesn’t necessarily have to take your word for it (nor do they have to believe your phone) but it should give them some indication that something might be wrong with their equipment. This is what true data transparency is about: not just giving passengers access to a sanitized view of their account data through an API that lags behind real-time, but letting them directly access the data that’s actually on their card.

Finally, as you might expect, there’s some reverse-engineering involved in what FareBot does. Unfortunately, this is in violation of the ORCA Terms of Use. The precise language is as follows (emphasis added):

Users shall not use the ORCA Program, including but not limited to the ORCA Websites, ORCA Cards and ORCA Products, in an unlawful manner or for an unlawful purpose. Without limiting the foregoing, users shall not do, or attempt to do, any of the following without the Agencies’ express written permission in a non-electronic record: (a) attempt to access any area of an ORCA Website or ORCA equipment that the user is not authorized to access; (b) tamper with an ORCA Website or an ORCA Card or use any hardware or software intended to damage or interfere with the proper and timely functioning of an ORCA Website or ORCA Card; (c) intercept or collect any ORCA data or personal information from an ORCA Website, ORCA Card or ORCA equipment; (d) create a web page or site or computer application of any kind that deep links to or frames ORCA websites, any page of said Websites, or any graphics, trademark or other proprietary information of any kind located on said Websites without the Agencies’ express written permission; (e) use meta tags or any other type of hidden text utilizing ORCA Program or Agency names, trademarks or intellectual property rights on a web site without the Agencies’ express written permission; (f) alter, interfere with or deface information, graphics, trademarks or any- thing else on or obtained from an ORCA Website or ORCA Card; (g) use any robot, spider, scraper or other automated means or interface not provided by ORCA to access an ORCA Card, the ORCA Website or to extract data; (h) reverse engineer any aspect of the ORCA Websites or ORCA Cards, or do anything that might discover source code, or bypass or circumvent measures employed to prevent or limit access to, or change of, any area, content, value or code; (i) send or otherwise affect an ORCA Website, ORCA Card or any other service with software such as a virus, spyware or other code that could be illegal, harmful, deceptive or disruptive to the site, ORCA Cards, Card-holders, employers or others to whom ORCA Business Cards are issued, or to any Agency; or take any other action which might impose a significant burden (as determined by ORCA) on an ORCA Website or Card; (j) “frame” the ORCA Websites or otherwise make it look like ORCA or an ORCA Agency has a relationship to a person or entity that it does not actually have, or has endorsed someone or something for any purpose; or (k) take any action which imposes an unreasonable or disproportionately large load on an ORCA Website or ORCA Program network or other infrastructure.

The same terms of use also prohibit “deep linking” to the ORCA web site; such prohibitions are generally considered to be a farce and contrary to the fundamental nature of the Web. As the W3C Technical Architecture Group writes in its article “‘Deep Linking’ in the World Wide Web”, “any attempt to forbid the practice of deep linking is based on a misunderstanding of the technology, and threatens to undermine the functioning of the Web as a whole”. I consider the ORCA terms of use to be overly broad and in conflict with sensible cooperation with developers, but given that they are the terms in force, I would not be surprised if another DMCA takedown notice shows up in GitHub’s DMCA takedown repository. Even though FareBot does absolutely nothing untoward and poses no harm to the ORCA system, I can only assume that any legal team which would seek to prohibit “deep linking” would also file a takedown against a harmless (and useful) proof-of-concept.