There's a contactless payment card scheme for public transport in London (the Oyster card); it's one of a number of ways in which you can pay for journeys on the tube, buses and various other forms of public transport in the capital. (You can still buy individual tickets with cash or credit cards, or have an underground fare payment added onto a rail ticket bought for a journey into London, for instance.)
A couple of years ago, The Register commented on the privacy implications of granting individuals access to the audit log of their journeys, and noted the risk of other individuals gaining access for uncharitable purposes. Last year in Tokyo (where there are several contactless payment card schemes for public transport, including Suica, Pasmo and others) I noticed that one could buy Faraday shields to prevent hackers leeching the e-cash off your contactless card.
Nevertheless, regardless of the potential for 'peer-to-peer' attacks arising out of such schemes, there's no denying that many people feel their convenience outweighs the risk.
I wonder, though, whether they will have second thoughts if this report is accurate; according to last Sunday's Observer newspaper, the security services are to seek mass access to the Oyster scheme's repository of travel records. This would extend beyond their current power to inspect the records of specific individuals already under investigation, and create the opportunity for profiling, pattern-matching and behavioural prediction across the entire database (apparently amounting to some 17 million users).
To put this in context, we should remember that the principal recommendation of Sir James Crosby's report into the National Identity Register was as follows: its primary purpose should be to enable citizens to assert their identity "with ease and confidence". This is dramatically at odds with the scheme's multiple purposes as set out in the primary legislation and public statements of policy.
If Sir James' recommendation were followed, function creep on the scale being contemplated for Oyster records would be far more obvious than it might be if the scheme proceeded on the basis of the original welter of proposed justifications (fraud reduction, counter-terrorism, benefit access, border security, etc. etc.).
In 1939, UK Identity Cards were introduced for the three specific purposes of conscription, rationing and security enforcement. By the time they were abolished in 1952, some 39 public sector agencies were making use of citizens' identity records. Lord Chief Justice Goddard's summary in the case of Wilcock v. Muckle is frequently cited in this context, including in this concise paper by Dr. Jon Agar at Cambridge University.
"It is obvious that the police now, as a matter of routine, demand
the production of national registration identity cards whenever they
stop or interrogate a motorist for whatever cause. Of course, if they
are looking for a stolen car or have reason to believe that a
particular motorist is engaged in committing a crime, that is one
thing, but to demand a national registration identity card from all and
sundry ... , for instance, from a lady who may leave her car outside a
shop longer than she should, or some trivial matter of that sort,...is
wholly unreasonable.
This Act was passed for security purposes, and not for the purposes for
which, apparently, it is now sought to be used. To use Acts of
Parliament, passed for particular purposes during war, in times when
the war is past, except that technically a state of war exists, tends
to turn law-abiding subjects into lawbreakers, which is a most
undesirable state of affairs."
It seems quite legitimate, then, to examine very critically proposals to take a scheme which was introduced to make urban transport payments quicker and more convenient, and turn its audit records to predictive law-enforcement on a mass scale.




I have problems with any mass databasing of customers' profiles. That would be fine if the details were not being used by the nanny state, which I think is the real issue, and not to forget the fraudsters, who will undoubtedly receive access to our records, not by hacking but by Royal Mail unsecured delivery. 1984 for the third time.
Posted by ed on March 19, 2008 at 02:36 PM GMT+00:00 #
"The time has come," the Walrus said,
"To capture lots of data:
Of cars --and trips--and income-tax--
And travel where you pay to
Avoid the queues (or maybe not)--
And more stuff we'll think of later."
"But not on us!" the Oysters cried,
Turning a little blue.
"We are so insecure, that would be
A dismal thing to do!"
"The night is fine," the Walrus said.
"Do you admire the view?"
Posted by Richard Veryard on March 19, 2008 at 05:06 PM GMT+00:00 #
"It seems a shame," the Walrus said,
"To play them such a trick,
After we've chivvied them so far,
With carrot and with stick!"
The Carpenter said nothing but
"The data's spread too thick!"
"O Oysters," said the Carpenter,
"You surely can't object?
You would have told us if you did..."
But protest came there none--
And this was scarcely odd, because
They'd silenced every one.
Posted by Robin Wilton on March 19, 2008 at 05:42 PM GMT+00:00 #
Actually, in a way Oyster may not be such a bad model. Yes it records the data, but it only records it for a short time (less than a month, from memory) before it is deleted. The Swiss e-purse worked the same way: the data was kept for 90 days and then anonymised for statistical purposes only. That strikes me as a reasonable compromise: if someone's been murdered or something then the police might reasonably ask who was around at the time, but can't trawl back through years of data.
Posted by Dave Birch on March 28, 2008 at 04:32 PM GMT+00:00 #
Sure - but isn't there still an issue about matching 'purpose of collection' with 'purpose of use'? I think my principal problem with the proposals for access to the Oyster records is that they weren't envisaged when the scheme was rolled out.
Doesn't that mean that Oyster users have signed up to a scheme on the basis of one set of assumed privacy rules, and now find that their data will be disclosed according to a very different set of rules (including mass 'fishing' of the kind which would not otherwise be acceptable even under a Section 28 exemption)?
Posted by Robin Wilton on March 28, 2008 at 04:44 PM GMT+00:00 #
That's a good point, but I wonder if trawling through the Oyster records -- albeit they are only kept for a short time -- is conceptually any different from trawling through the CCTV at a station. It's "public" transport!
Posted by Dave Birch on March 28, 2008 at 10:39 PM GMT+00:00 #