Public transportation companies and authorities in the U.S., Canada and South Africa hand over private information about travelers gathered by electronic ticketing systems to law enforcement agencies on a voluntary basis, Privacy International said Monday.
"Every single authority and company we have spoken to so far has shocking practices," said Eric King, Privacy International's head of research. His organization is polling 48 transport authorities and companies operating transport services across the world, requesting data on how they deal with private information such as addresses and travel patterns linked to public transport chip cards.
So far, five organizations have responded, he said, adding that he did not want to disclose which organizations responded. "We don't want to penalize them for responding quickly," he said.
"In New York, the data on cards is stored for 120 days," King said, adding that the police there are not required to have a warrant to access information stored on cards used for the subways. This is a threat to travelers' privacy, he noted, adding that there is very little legislation anywhere that addresses electronic payment systems for trams, subways, trains and buses.
"The problem with smart cards is that they record a very fine grain of information," King said. The information held about users of the London Oyster card include, for example, address, telephone number, full name, email address and password, as well as the encrypted bank details of customers who purchase Oyster products using a debit or credit card, according to Privacy International.
In addition, the Oyster system also records the location, date and time of any trips validated by the transport cards, Privacy International pointed out. This information can be linked to personal data of users who pay for transport cards with credit or debit cards.
Transport for London (TfL), the government agency responsible for the Oyster card, retains customer names and contact details for two years after a customer uses a card for the last time, according to Privacy International. Details of debit and credit cards used to purchase an Oyster product are stored for a maximum of 18 months, the organization said.
During the first two months of 2012, TfL handled 264 requests from enforcement agencies, Privacy International's King said. TfL did not immediately respond to a request for comment.
London's Oyster card and New York's MetroCard have dozens of counterparts abroad, including the Clipper Card in San Francisco, the Octopus card in Hong Kong and the OV chip card in the Netherlands. These systems also retain data including names, addresses, phone numbers, email and credit card details, Privacy International said.
Personal information gathered by companies like TfL is very sensitive and can often be accessed by law enforcement agencies without a warrant, King said. Although law enforcement requests under the U.K. Data Protection Act (DPA) require evidence of relevant legislation or a court order, the situation is different in other countries, King said.
Sign up for Computerworld eNewsletters.