Will riders ever feel safe returning to buses and trains?
Hoping the answer is yes, transit systems are implementing contactless (or touchless) payment systems in an effort to overcome patrons’ COVID-19-related fears of contact with strangers and unhygienic surfaces.
At the same time, there are concerns that data collected by some of these systems could be used by police or by federal Immigrant and Customs Enforcement (ICE) agents to surveil or arrest riders based on their recorded travel patterns.
The smartphone apps, pre-loaded with funds via a credit/debit card or digital wallet (think Apple Pay, Google Pay or Paypal) allow riders to pay the fare by tapping or hovering their phone over the farebox.
For patrons, the touchless systems capitalize on apps that provide conveniences such as maps and next bus/next train information and, because they are available for smartphones, they provide the ability to pay without using a farecard. The apps also hold the promise to riders of faster boarding, access to multiple transit systems without separate ticketing, and discounts based on age, income, residency, or number of trips.
And they claim to be eco-friendly by minimizing paper tickets or plastic farecards.
When farecards were first introduced 25-or-so years ago they enhanced security by cutting down on cash payments. Less cash on vehicles decreased opportunities for theft by outsiders or by employees. Eliminating—or greatly reducing—cash also resulted in fewer fare disputes, which, despite recent controversies over wearing masks, remain the major cause of assaults on employees.
Though the new contactless systems provide few direct security improvements, riders find them convenient and hygiene-friendly. For transit systems, they provide faster and more accurate ridership data, leading to cost-effective scheduling, and better platform and vehicle management.
For instance, a bus route with few riders could use a smaller bus than a busier route, saving fuel and equipment costs. A six-car train reduced to four-cars on weekends could be also reduced on Fridays if ridership was consistently low that day. Conversely, addressing patron’s concerns about crowding, systems could deploy larger buses or longer trains as ridership increases.
Several large systems have introduced contactless payments with little fanfare or complaint. That includes Atlanta’s Breeze; Washington, DC’s SmarTrip; Chicago’s VENTRA; Seattle’s ORCA; and the California Bay Area’s CLIPPER.
But in New York, where the Metropolitan Transportation Authority (MTA) is replacing the 25-year-old MetroCard with the OMNY (One Metro New York) Fare Payment Program, transit advocates have raised privacy concerns.
The Transit Center (transitcenter.org), a self-described group working to “improving urban mobility…to make cities more just and environmentally sustainable,” recently sponsored a webinar based on its report, “Do Not Track: A Guide to Data Privacy for New Transit Fare Media,” which advises riders on how to use the new touchless system while still protecting their privacy.
Webinar speakers worried that OMNY data could be obtained by the New York City Police Department (NYPD) or by federal Immigrant and Customs Enforcement (ICE) agents to surveil or arrest riders based on their travel patterns recorded by OMNY.
Although the Center acknowledges that registered OMNY users provide exactly the same data now collected by MetroCard and E-ZPass NY (the MTA’s automatic toll collection system), speakers envisioned, the data being used to track individuals. The concerns, for instance, were that the NYPD might use bus or subway taps to monitor mosque attendance, or that ICE could pick up and detain illegal immigrants based on regular use of particular stops or stations.
Identical concerns about the lack of privacy regulation in the OMNY system were raised in 2019 by the Surveillance Technology Oversight Project (STOP).
Its report, “OMNY Surveillance Oh My: New York City’s Expanding Transit Surveillance Apparatus,” singles out the MTA’s data protection policy as insufficiently limiting the authority to collect and store rider data. The report also highlighted concerns that OMNY will be built, hosted and managed by the Cubic Transportation System.
Outside management of rider data is common. Cubic, which recently agreed to be bought by private equity firm Veritas Capital and U.S. hedge fund Elliott Management, according to its website, currently manages more than 400 transit smart card systems around the world, representing about 70 percent of the global market.
Social justice advocates are not the only ones concerned about externally managed data. During a webinar held within days of the Transit Center’s, cybersecurity experts talked about transit systems’ awareness of how much of their data is collected, how it is stored, and whether it is safe from hackers.
In a recent study that assessed transit agencies’ understanding of cybersecurity vulnerabilities and threats, the Mineta Transportation Institute (MTI) found “highly suspect” claims from more than 70 percent of transit cyber personnel that their agencies had not had many (or any) cybersecurity incidents.
Because the figure differed drastically from other industries, the report asked whether transit was so different or, more likely, that incidents were not being identified or reported.
While none of the report’s examples involved breaches of customer data, it found that more than 80 percent of surveyed agencies outsource their customer payment function to a vendor such as Cubic, in large part to comply with Payment Card Industry Data Security Standards (PCI DSS), established by the PCI Security Standards Council, that are designed to reduce the risk and cost of credit card fraud.
How concerned about their data should customers be?
For customers who choose not to link the card to their phones because they prefer to purchase a contactless ONMY farecard that will be available at retail locations or vending machines by year’s end, the answer is most likely: no more concerned than they are now.
These cards, if purchased with cash will not identify the rider. And if purchased with a credit or debit card, will show, like MetroCard and E-ZPass, only as a charged purchase.
An unregistered card does not save a traveler’s routes, patterns, or travel times, unless the rider registers the card and authorizes using credit/debit card having funds added when the card falls below a certain dollar amount. When funds are added to a registered card, the rider received a printout that shows card usage.
In New York, where riders are not required to tap out (use their farecard to exit), the printout provides only entry data. This is because rides are not priced on distance or time travelled. In cities where rides are priced based on distance or time travelled, patrons must tap out, which means that rider data includes entry/exit points as well as time in transit.
Since New York rides are not priced based on distance or time travelled, exit data does not exist for the system. But in cities requiring entry and exit swiping, rider data records time in transit and entry/exit points.
Riders who register their cards often do so to take advantage of discounts, which are not yet offered on OMNY, but are available via MetroCard and on other city’s farecards. In such cases, the rider must provide personal data verifying the right to receive the benefit.
For instance, a person requesting a senior discount must show proof of age. In New York a senior MetroCard includes a photo to help limit use to only the person to whom it was issued, although enforcement is rare.
In Seattle, ORCA, which is valid on all the city’s transit modes, offers a low-income adult fare that requires applicants to submit proof of income. Many cities offer discounts to disabled people or college students that require the applicant to submit personal information.
In New York, the sheer number of taps is likely to inhibit outside agencies requesting data for all but the most serious surveillance operations. Although OMNY is available at each of the City’s 472 subway stations, on all 5,800 buses, and at Staten Island Railway stations, in March it accounted for only 10 percent of system entries.
According to the MTA, that translated into a weekday average of 307, 000 taps. This figure will, of course, grow as riders return to transit and they begin to move away from MetroCard, which will be eliminated in 2023, and as OMNY expands to include discounted fares.
Facing personal security concerns, what should a rider do?
Transit agencies believe the contactless systems are what riders want and will help the transit systems provide better service. Toward those ends, they will encourage riders to use their smartphone, smartwatch, or other wearable device; to register their touchless cards, and to sign up for automatic refills or various discounts.
But riders are not required to use a registered card or their smart devices. And some won’t want a personalized dashboard that tells them—and possibly others—when and where they have travelled.
Some riders will forgo discount options because they want more privacy, whether for philosophical reasons or because of concerns their data might be obtained by a law enforcement agency or compromised by a hacker.
In today’s connected world, these choices are no different from the ones everyone must make many times a day.
Dorothy Moses Schulz, Ph.D., is an emerita professor at John Jay College of Criminal Justice, CUNY, and a retired MTA-Metro North Railroad Police captain. She has served transit agencies across the country as a safety and security consultant and is an adjunct fellow with the Manhattan Institute.