Smarter public transit comes at the cost of rider anonymity

Security experts were skeptical about the New York MTA’s switch to an OMNY tap-and-go system when it was first announced years ago. Then, in August, a 404 Media investigation revealed riders were right to be concerned. As it turned out, the ability to check trip history could be used by nearly anyone to follow specific riders' location patterns. MTA disabled the feature, but it pointed to a deeper problem that exists across modern public transit systems: they make it harder to opt out of having our sensitive data collected,

“You're building a better system, but you're also really stepping into a dangerous cybersecurity minefield,” said Brendan Saltaformaggio, associate professor specializing in cybersecurity at the Georgia Institute of Technology.

Payment information, location data and trip patterns can all be attached to our ridership data. Agencies say they use it to better understand how riders use the services and make improvements. But the flip side is transit agencies selling user data to advertisers like a lot of private companies do, or sharing it with law enforcement. We submitted Freedom of Information Act requests to several large police departments across the country — including in New York City, Baltimore and Chicago — for more information on requests they had made to local transit agencies for data over the past decade.

But even if the data just sits there, it’s increasingly vulnerable to a breach without secure infrastructure in place to protect it. Most ransomware gangs are motivated by money. So while your data could be at risk, the hackers are actually looking to threaten the public transit agencies into paying up to avoid a data leak or being locked out of their systems. It happened to the Washington Metropolitan Area Transit Authority in Washington, DC earlier this year, and in March a ransomware attack disrupted the Washington state bus system. That said, personal data can still be compromised in the process. Hackers leaked personal data after accessing San Francisco’s Bay Area Rapid Transit at the beginning of this year.

“These are organizations that run on shoestring budgets, usually heavily supported by taxpayers, who are probably not going to be very excited to see all of this money being spent purely on cybersecurity with hopes of not having an incident in mind,” Saltaformaggio said.

What exactly each agency does to protect your sensitive information varies widely. The Federal Transit Administration and the American Public Transportation Association both provide guidelines for agencies on how to handle the matter. But experts warn that agencies across the country are still vulnerable to attack, and struggle to keep the data they have access to secure.

Digitizing public transit payments makes sense. But while the public is leaning into going cashless, paper money will always be here to stay. “If an agency tried to get rid of cash payments, they might face some serious backlash because a significant portion of people still use cash to ride transit,” said Joshua Schank, managing principal at transportation and financial advisory firm InfraStrategies. Still, options to pay via an RFID-powered card, an app or even a digital wallet all became popular ways to pay — especially because adoption of these newer methods often comes with perks like allowing riders free transfers between stations or services. Some credit card companies even offer incentives like discounts on rides by partnering with the transit agencies on non-cash payment options.

Using exact cash to ride public transit is still possible in many places, but it means you lose out on the aforementioned perks. There are options to purchase a card with cash and still get those perks, but it's often much less convenient. To get a ConnectCard in Pittsburgh, I have to go to a third-party location in my neighborhood, buy a card for $1 and have cash out to reload it at that third-party location whenever it's empty. It costs $2.75 to ride the bus, so that card fare only adds up to about one-third of a ride.In New York, a physical OMNY card costs $5, or one ride on the subway plus most of your next trip. (It’s worth noting that OMNY currently has a deal selling cards for $1 at all OMNY vending machines, but that’s for a limited time only.)

Agencies stack on burdens for the consumer, incentivizing them to switch to data-collecting apps and RFID smart cards, almost punishing people trying to stick to cash — either because they value their privacy, or because they're among those without consistent access to banking. It shouldn't have to be more annoying, more expensive, or both just to maintain some anonymity while commuting to work.

There’s not much you can do about it, either. Like most data privacy issues, experts say we need federal regulation to put guidelines in place around how public transit agencies collect and use our data. Until then, it’s just another way we’re stuck exchanging our personal information for marginal convenience gains.

This article originally appeared on Engadget at

Leave a Reply