Interesting observation

Worried about the information Facebook has on you? What about TfL?

We take protecting the privacy of our customers extremely seriously (How to keep data truly safe? Don’t collect it in the first place, 4 April). Aside from cases where it is essential that we know the identity of a holder of an Oyster card – such as when checking customers are entitled for free or discounted travel – there is no requirement for anyone to share their personal details with us.

For all cards, including those Oyster cards where proof of identity is required, we deliberately break the link in our systems between the card and the journeys made with it as soon as that link is no longer required for customer support, such as processing fare refunds.

No, not what they say they do, what could they possibly do?

10 thoughts on “Interesting observation”

  1. I read somewhere that the Guardian App hoovers a colossal amount of data from anyone mug enough to install it on their phones and flogs it.

    But that doesn’t matter as the Guardian are the Good Guys.

  2. TfL are mere infants compared the the telephone companies, who know where everyone is at all times.

  3. Flog it.


    Having taken a quick gander; when creating an account, TfL want the usual stuff – email address, a password (there are some challenge/response questions of the “mother’s maiden name/first pet” type (FFS), and they require a landline number, and obviously, payment details (the default value is to have auto-topup enabled). For delivery of the card, a physical address is required, not surprisingly.

    Once the card is in use, they’ll have a sequence of waypoints and times, along a customer’s route, where the card was used.

    Ignoring any personal data at this point, TfL could easily create a form of surge pricing or differential/segmented pricing structures from the route data alone.That is, a card user travelling from Chelsea or Kensington into the City or Mayfair could be charged a significantly higher amount than one arriving in the City from Tower Hamlets or the Peoples Republic of Haringey. Kiss goodbye to zones 1-5. Alternatively, TfL could charge according to the mode of transport used in combination with route and time of day.

    To get malicous; Tfl also controls the hackney/private hire licensing process and the congestion charge. Not impossible that the median voter in a particular borough could be punished
    by dropping fares originating there so low that the place is turned into a giant car park. The reverse is also true; voters could be encouraged to return the correct candidate or be rewarded for doing so. TfL could royally fuck up Uber (or similar) by making acceptance of Oyster a requirement, thus controlling their prices/revenue and margins directly.

    Further, by referencing other information the TfL may already have operational access to, indirect action is becomes possible; EE report a gender pay gap too large for your liking? Examine the owner of the IP blocks that user traffic requests originate from.

    Finally (but probably not), route data might allow politicians or councils to adjust business rates, council tax, planning requirements or anything else down to very local levels.

    For an attacker; I’m reminded of the hole exposed in military security by the users of fitness tracking apps at one of the bases in Afghanistan. Using route data alone, it might be possible to identify a location for an attack that would probably be expected to have an outsize effect on a particular set of users – journeys from Cricklewood to Whitehall for junior or middle ranking civil servants?

    The quoted text talks about breaking the link between the card and those waypoints, but clearly one was generated in the first place, and there’s no mention of when it gets broken, or of the conditions that need to be met for it to be broken. It’s not stated whether the link can be easily recreated procedurally afterwards, although it’s fairly easy to imagine some conditions under which the security service or the Met might be able require TfL to do this. Additionally, it seems likely that the payment processors or LEA might require the link to be in place for longer than many card users might reasonably imagine to be the case.

    Additionally, even if the link is broken irredeemably, then a successful attacker that has gained access to that database might be able to inject a sequence or set of journeys that can not be tied to any user; this would royally screw any legitimate (or otherwise) use of the data.

  4. When vancouver introduced electronic fare cards system they loudly declared how all the data they were going to collect would be so useful for setting fares (surge pricing/rush hour pricing was one option they mentioned) and services etc. I believe it was actually part of the rationale as the savings in fare evasion wouldn’t cover the cost of the scheme according to reports.
    There seemed very little concern in the media about how this data could be misused though, but then the fact it was years late (which also usually means well
    Over budget) and still doesn’t work as planned seemed to slip past the media as well

  5. I fear we’re getting closer to disproving Hayek on the impossibility of central planning.

    Which is why these things must always be attacked on principle, not on the grounds of their assumed hopelessness.

  6. Ducky,

    I’m not sure what card you are referring to, but if it’s Oyster, mine was paid for with cash (at a station) and has always been topped up with cash at the machines… No account needed, no login, I’m guessing not one jot of identifying data?

    I should perhaps bin it at some stage and get another, just in case some lying Rail Nazi one day fakes insisting on knowing who I am (and then automatically hoovers up loads of old travel data stored by the card)?

  7. And re Oyster, I know people who simply keep spares with cash on them, so that – if they have visitors to the metropolis – they can hand them out for temporary use on buses and stuff like that (one can no longer pay cash as you go on buses in London, one must either have a pre purchased ticket or Oyster). Again, no useful relevant ID links.

  8. Back when I was unemployed and did enough in-city bus journeys to buy a bus pass, the link between pass and holder’s identity was broken the moment you’d handed over your money and they’d checked you had a UB40 in your grubby mitt. Similarly for the pensioners in the queue with me, s/UB40/pension book/. Same when I bought stored value cards in Hong Kong in the 1990s. There is zero requirement for a travel stored value card to contain anything relating to the holder.

Leave a Reply

Your email address will not be published. Required fields are marked *