Researchers found they could identify commuters by their travel histories. (ABC News: Danielle Bonica)
Just a few taps on and off, and a couple of tweets — that’s all it would take for a hacker or stalker to identify you and track down your movements with a myki.
- Victoria’s Information Commissioner finds Public Transport Victoria breached privacy laws
- The breach happened when data about the travel of more than 15 million myki cards was released for a data science competition
- The Commissioner says the Department does not accept the release breached myki users’ privacy
In a concerning revelation, researchers have found that myki, in conjunction with social media, can be used to uncover a wealth of information about card users.
Myki is the reloadable ticketing system used on public transport services in Melbourne and regional Victoria.
Victoria’s Information Commissioner has today revealed Public Transport Victoria (PTV) breached privacy laws by releasing nearly two billion lines of what it claimed was de-identified data to support a data science competition in mid-2018.
The data detailed the routines gathered from more than 15 million cards, recording 1.8 million “taps on” and “taps off” between July 2015 and June 2018, and was released and made available online for the two-month-long 2018 Melbourne Datathon event.
Millions of myki card holders involved
It was de-identified to the extent that the card IDs — the name of the person using the card if it is registered to them — were removed.
But researchers at the University of Melbourne discovered they could re-identify their own data, and the data of someone they’d travelled with, and link all the trips using the same card.
More worryingly, the researchers found they could identify someone unknown to them.
Victorian Labor MP Anthony Carbines was identified, and his travel history uncovered, with his permission, by combining the data with some of his tweets about using public transport.
Lead researcher Chris Culnane, from the University of Melbourne’s School of Computing and Information Systems, said the data release was “shocking”.
“The fact that the privacy assessment that was conducted didn’t pick up these dangers, when it was fairly obvious to us that if you release this type of information it’s going to be pretty easy to reidentify it — I think it is quite shocking that quantity of data was released without someone realising how identifiable it would be,” he said.
MP Anthony Carbines was one of the travellers identified by researchers. (Parliament of Victoria)
Mr Carbines said that as a Member of Parliament he did not expect to have a lot of privacy and that myki data was collected for good reasons, to improve services.
“I think it’s important though to be mindful that as custodians of public information we’ve accepted the recommendations of the [Information] Commissioner,” he said.
Mr Carbines urged commuters to be mindful of what they shared on social media.
But he said he would continue to tweet about his train trips to give people confidence their elected officials were using public transport.
Dangers posed by weak privacy protections
Dr Culnane said that most myki users in the dataset “could be identified from just a few touch-on or touch-off events”.
He said he was concerned about what that meant for vulnerable members of society.
“The worst fears are being able to find someone for example, if you travelled with them once within the city, and then you find out where they live or where they travel to work from. If someone is trying to find someone or stalk them then that kind of information is extremely valuable and sensitive to that person.”
“With just a handful of pieces of information about where someone boards or exits public transport, it’s possible to get an indication of where they live or work, their regular travel patterns, who they travel with, or if they travel alone, for example, children heading home from school alone,” Dr Culnane said.
“Our analysis raises serious privacy, safety and security issues. It’s easy to imagine how information like this could be used by people who might want to cause harm.”
Victoria’s Information Commissioner, Sven Bluemmel said: “Your public transport history can contain a wealth of information about your private life.
“It reveals your patterns of movement or behaviour, where you go and who you associate with.
“This is information that I believe Victorians expect to be well-protected.”
Victoria’s Department of Transport said it did not accept that it breached myki users’ privacy, and argued that the dataset itself didn’t contain personal information.
But it has nonetheless committed to implementing the actions set out in the compliance notice it had been issued.
A Victorian Government spokesperson says while sharing data is “extremely important” — leading to the creation of apps like Tram Tracker — “we need to ensure there are rigorous privacy protections in place.”
The data release recorded 1.8 billion myki tap-on and tap-off events between July 2015 and June 2018. (ABC Radio Melbourne: Nicole Mills)
Dr Culnane was sceptical about the department’s ability or willingness to avoid the same problems in future.
“Given what has been the response from the Department of Transport on this issue, there is a lack of transparency at the moment about what went on, and how they are going to avoid the same mistakes in the future.
“This isn’t the first case of de-identification failing and re-identification happening. And part of the reason for that is because there isn’t an open discussion of what the problems are.
“And because we haven’t got that level of transparency, it’s likely we are going to keep seeing these things happening again in the future.”
Dr Culnane questioned why myki needed to keep three years of data on individual journeys, and said any usefulness of that data could be gleaned from aggregated data.
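The following Python example, added here and not code from the researchers or PTV, measures on a constructed eight-row sample how often k known tap events match exactly one card, and contrasts that with a count-only aggregate of the same taps. The card tokens, stop names, function names and the minimum cell count are assumptions made for the illustration.

```python
from collections import Counter, defaultdict
from itertools import combinations

# Constructed sample: (pseudonymous card token, stop, minute of day). Not real myki data.
EVENTS = [
    ("c1", "STOP_A", 481), ("c1", "STOP_B", 1021),
    ("c2", "STOP_A", 483), ("c2", "STOP_C", 1024),
    ("c3", "STOP_D", 487), ("c3", "STOP_B", 1030),
    ("c4", "STOP_D", 492), ("c4", "STOP_C", 1033),
]

def coarsen(events, bucket_minutes):
    """Round each timestamp down to a bucket (60 = hourly)."""
    return [(card, stop, minute // bucket_minutes) for card, stop, minute in events]

def unicity(events, k):
    """Fraction of k-event subsets of a card's trace that match that card only.

    Exhaustive over subsets, so only suitable for small samples; an assessment
    of a full release would sample cards and subsets instead.
    """
    if k < 1:
        raise ValueError("k must be at least 1")
    traces = defaultdict(set)    # card -> {(stop, time)}
    holders = defaultdict(set)   # (stop, time) -> cards seen at that point
    for card, stop, t in events:
        traces[card].add((stop, t))
        holders[(stop, t)].add(card)
    unique = total = 0
    for points in traces.values():
        for subset in combinations(sorted(points), k):
            matching = set.intersection(*(holders[p] for p in subset))
            unique += len(matching) == 1
            total += 1
    return unique / total if total else 0.0

def aggregate(events, bucket_minutes, min_count):
    """Per-(stop, bucket) tap counts with no card token; small cells are dropped."""
    counts = Counter((stop, minute // bucket_minutes) for _, stop, minute in events)
    return {cell: n for cell, n in counts.items() if n >= min_count}

if __name__ == "__main__":
    hourly = coarsen(EVENTS, 60)
    print("exact minute, k=1:", unicity(EVENTS, 1))
    print("hourly,       k=1:", unicity(hourly, 1))
    print("hourly,       k=2:", unicity(hourly, 2))
    print("aggregate:", aggregate(EVENTS, 60, min_count=2))
```

In this sample, rounding times to the hour makes every single tap ambiguous between two cards, yet any two taps from the same card still match only that card, because the rows remain linked by a per-card token. The aggregate keeps the per-stop counts and carries no token to link on.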
Privacy experts say passengers should be cautious about revealing travel plans on social media. (ABC News: Danielle Bonica)
What can you do to protect yourself?
If you use a myki, you have no option to withhold your data.
If you think that not registering your myki, and so not linking it to your name, will protect you, think again, Dr Culnane said.
He urged commuters to take a closer look at how they reveal their travel habits on social media.
“Generally, there’s not a lot you can do if you have to engage with the public transport system. There is no option to withhold that data. But we have to kind of take a broad look and say well, what information are we putting out there publicly on social media?”
“Can we reduce the type of information that maybe reveals a location? And just be a little bit more cautious about what data we share with organisations as well as social media to try to reduce our data footprint overall.”