Locational privacy in open payment
Locational privacy has long been an issue with automatic fare collection (AFC) systems; when a system evolves beyond cash and tokens to a stored-value card, inevitably someone asks a simple question: what happens to the records? Most computerized AFC systems keep a record of every swipe or tap. These records can make it possible to piece together a picture of a person's movements, particularly on systems with a zonal or distance-based fare, where data is collected on entry and on exit. When the STM introduced the OPUS card in Montréal, for example, I remember the vehement complaints about privacy, the people complaining that they couldn't be tracked with a paper ticket, while an OPUS card would contain their entire journey history.
With a conventional stored-value card, an AFC system's records may be used by the transit agency for operational and planning purposes, and may also be released to law enforcement agencies, upon receipt of a valid court order. There's also the risk of inadvertent disclosure, such as through an attack on the agency's systems. For privacy advocates, this risk of information disclosure, whether inadvertent or pursuant to a court order, raises concerns.
How does open payment change the situation? What happens when you throw mobile payment into the mix? Unfortunately, and perhaps predictably, the privacy situation has the potential to get worse. It's hard to say precisely, with so few open payment systems operational, but we can certainly envision what may happen. There's a possibility, depending on how rules for transaction aggregation are established, that card issuers may not see each trip as a discrete transaction. Aggregation has yet to be fully explored by the industry, so for now we'll assume that each transaction is reported separately. Add a mobile payment network like Isis into the mix, and that network's operator will end up with trip data whenever riders pay by phone. As more companies become involved in paying for transit, the privacy risks increase.
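To make the difference concrete, here is an added example (not from the original post, and not any agency's or issuer's actual code) contrasting the two reporting models discussed above: per-transaction reporting of paired entry/exit taps on a zonal fare system, versus daily aggregation that sends the issuer only a total. Station names, zones, fares, the card token and the tap log are all constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
# Constructed zonal fare map (hypothetical station names).
ZONES = {"Central": 1, "Eastside": 2, "Airport": 3}

@dataclass(frozen=True)
class Tap:
    card_token: str  # identifier the agency holds for the payment card
    station: str
    kind: str        # "entry" or "exit"
    ts: datetime
def zone_fare(entry_station, exit_station):
    """Base fare plus a surcharge per zone boundary crossed."""
    return 2.00 + 0.75 * abs(ZONES[entry_station] - ZONES[exit_station])

def pair_trips(taps):
    """Match each entry tap to the same card's next exit tap -> [(entry, exit), ...]."""
    open_entry, trips = {}, []
    for tap in sorted(taps, key=lambda t: t.ts):
        if tap.kind == "entry":
            open_entry[tap.card_token] = tap
        elif tap.card_token in open_entry:
            trips.append((open_entry.pop(tap.card_token), tap))
    return trips

def per_trip_report(taps):
    """Per-transaction reporting: each trip reaches the issuer with stations and times."""
    return [{"card_token": e.card_token, "entry": e.station, "exit": x.station,
             "start": e.ts.isoformat(), "end": x.ts.isoformat(),
             "fare": zone_fare(e.station, x.station)} for e, x in pair_trips(taps)]

def aggregated_report(taps):
    """Daily aggregation: one record per card per day, carrying only the total owed."""
    totals = defaultdict(lambda: {"fare_total": 0.0, "trip_count": 0})
    for e, x in pair_trips(taps):
        day = totals[(e.card_token, e.ts.date().isoformat())]
        day["fare_total"] = round(day["fare_total"] + zone_fare(e.station, x.station), 2)
        day["trip_count"] += 1
    return [{"card_token": c, "date": d, **v} for (c, d), v in totals.items()]

# Constructed sample tap log: one rider, one day, three trips.
SAMPLE = [
    Tap("tok-4f21", "Central", "entry", datetime(2011, 5, 2, 8, 5)),
    Tap("tok-4f21", "Airport", "exit", datetime(2011, 5, 2, 8, 41)),
    Tap("tok-4f21", "Airport", "entry", datetime(2011, 5, 2, 17, 30)),
    Tap("tok-4f21", "Eastside", "exit", datetime(2011, 5, 2, 17, 52)),
    Tap("tok-4f21", "Eastside", "entry", datetime(2011, 5, 2, 21, 10)),
    Tap("tok-4f21", "Central", "exit", datetime(2011, 5, 2, 21, 33)),
]
```

The per-trip records hand the issuer the rider's full day of movements; the aggregated record settles the same amount while carrying no station or time detail.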
Credit card issuers do a great deal of data-mining on transaction records, and someday they may even use the information more directly. Imagine you're riding a transit system which uses open payment; you tap off at a station, and a few seconds later, you get a message on your cell phone with a coupon for a business a few blocks from the station. What may seem like a neat feature to some is an invasion of privacy for others, in much the same way as interest-based advertising on the Web.
In addition, with more companies involved in the process, the attack surface, or "the set of ways in which an adversary can enter the system and potentially cause damage", increases. Banks and cellular providers are not immune to suffering from hacks which result in information disclosure. Riders of transit systems may, in the future, find their journey histories being exposed to the Internet in much the same way as the personal details of Sony's customers have recently been exposed.
Open payment isn't inherently bad, and AFC systems certainly created risks to locational privacy even before open payment became popular. However, when open payment and mobile payment are added to AFC systems, the risks to locational privacy are exacerbated. The deployment of these technologies needs to be carefully managed to ensure that riders can take advantage of their benefits without putting themselves at risk of having their locational privacy compromised in unexpected ways.