road toll transponder hacked

Sherri Davidoff alien at MIT.EDU
Wed Aug 27 12:06:54 EDT 2008


dan at geer.org wrote:
> Look for general tracking to appear everywhere.

Anonymous travel is dead. Even for subway riders who still use tokens
and citizens that bicycle around town, the proliferation of cameras,
facial recognition technology, biometrics and RFID tagging will render
anonymity obsolete within a generation.

I believe the public's next battleground is to gain control over what
*happens* to our data, and how it's used. Right now there is very little
transparency. Transportation organizations are collecting a lot of
information about people, and there is very little public input or
disclosure regarding uses, length of storage time, or standards for
securing this data.

Boston's MBTA, for example, does not consider the CharlieCard's serial
number to be personal information, and it therefore reserves the right
to store rider histories associated with each card *indefinitely*. Even
when CharlieCards are obtained "anonymously" (not the majority) they can
always be linked to the financial transactions DB which also stores the
card serial number (i.e., if you even once pay with a credit card, your
CharlieCard is not anonymous any more). This isn't publicized; it's
information I obtained by doggedly calling the MBTA's IT department.

I believe the public should have the following rights:

- The public should have regular input on how long personal data is
stored and how it is managed.

- Disabled people and senior citizens should have access to the same
level of privacy as everyone else. (Right now in Boston, they cannot
obtain a CharlieCard without having their personal information
associated with the card and permanently stored by the MBTA.)

- Transportation organizations should be required to publicly disclose
what data is collected about individuals, and how long that data is stored.

- Individuals should be able to easily find out who has accessed their
travel histories and the purpose of disclosure.

- Transportation organizations that store personal data should be
subject to regular external audits to ensure that they are in compliance
with standards, and that they have implemented appropriate measures to
secure personal data. A summary of these results should be made public.

Personally, I don't want to have a history of my travel stored in any
database. Right now, purchasing a one-time CharlieTicket is a 30-cent
surcharge per ride, but it is the only way to take the subway in Boston
without creating a travel history. Privacy in public transportation
should be equally accessible to all citizens, regardless of financial
resources.

Sherri



-- 
http://philosecurity.org

---------------------------------------------------------------------
The Cryptography Mailing List


