01.Opal cards and your privacy
Transport for NSW has announced that unregistered Opal cards, allowing anonymous travel on Sydney’s public transport network using the Opal system, will now be available at select Sydney train stations at pop-up kiosks. But they'll only be available on certain days, and not from regular ticket windows.
The kiosks will be open on Mondays and Tuesdays until the end of September and are located at Ashfield, Bankstown, Blacktown, Bondi Junction, Burwood, Campsie, Central, Chatswood, Circular Quay, Edgecliff, Epping, Hornsby, Hurstville, Kings Cross, Lidcombe, Liverpool, Macquarie University, Martin Place, Newtown, North Sydney, Parramatta, Penrith, Redfern, Rockdale, St Leonards, Strathfield, Town Hall and Wynyard stations.
One issue with the Opal cards is the amount and type of personal information captured when travelling on public transport, including when and where a user has travelled, and the provision of that information without obtaining express consent to third parties.
The government operators of smartcards in Brisbane, Sydney and Melbourne all say they may provide personal information to law enforcement officials upon request – in some cases without a warrant. And it’s not just police who may request access to information, but reportedly also agencies such as Centrelink, the Australian Taxation Office and local councils.
Travel card systems in other states allow users to easily choose an unregistered card (not connected to an account containing identifiable personal information), offering some privacy protection. However, Sydney’s Opal scheme lags behind, with customers forced into using registered cards, unless they’re able to get to one of the newly installed, temporary pop-up kiosks.
The worrying terms and conditions of Sydney's Opal card
, which contains some dubious clauses:
- The operator may disclose personal information or travel history to a law enforcement agency that is necessary for law enforcement purposes, for the investigation of an offence, for the enforcement of criminal law or to assist in locating a missing person.
- Opal reserves the right to make disclosures to relevant authorities where the use of the Opal ticketing system raises a suspicion that an offence under any law may have been or may be committed.
The NSW Greens are seeking an urgent intervention to allow Opal users to opt out of having their information shared.
Brisbane’s Go card and privacy issues
Brisbane's Go card hit the headlines in July 2010, when it was reported that operator TransLink provided police with the personal travel data of customers – and not just those who were suspects in an offence, but also those who may have been witnesses.
The Qld Information Commissioner announced a review into the handling of personal information and TransLink’s disclosure to the police. The review found:
- Requests for Go Card information made before the start of the review were not handled in accordance with the requirements of the Information Privacy Act on a number of occasions.
- In most cases when TransLink disclosed information, it did not have sufficient information to satisfy itself under the Information Privacy Act that the disclosure was necessary.
The Commissioner was satisfied with the improvements the Queensland Police Service and TransLink made to their processes after the start of the review, and made a further seven recommendations that were supported by the police and TransLink.
Melbourne’s Myki card
As with the Go card and Opal privacy policies, police don’t need to apply to a court for access to a Myki customer's private information – they simply need to request it in writing. It has been claimed that Myki’s operator, the Transport Ticketing Authority (TTA), has increasingly been handing over customer data to police.
Myki users can choose not register their cards, and it’s been reported that about half of all customers take this option.
Perth’s SmartRider card
The SmartRider can be used registered or unregistered, but it appears to have broader terms around disclosure. The Transperth website’s privacy statement says "Transperth’s Digital Information Services will disclose your personal information, without notice, only if required to do so by law or in the good faith belief that such action is necessary to: (a) conform to legislative requirements or comply other with legal process; (b) protect and defend the rights or property of Transperth; and, (c) protect the personal safety of users of Transperth Website, or the public."
Transport smartcards and security risks
Apart from access to information by law enforcement officials, there are other concerns around privacy and transport smartcards.
Databases held by the smart transport card operators are large and valuable – tempting fodder for hackers. The transport operators may have top-notch security in place to protect the data, but as examples of several high profile data breaches over recent years have shown, security systems and software are vulnerable.
Third-party mobile apps and websites
The Myki, Opal and Go card websites all warn customers against using unofficial and unapproved third-party mobile apps designed to work with their smartcards. They also warn against allowing third-party websites to log into or access their personal account on the smartcard websites.
What is a public transport smartcard?
Sydney arrived late on the travel card scene, with the Opal introduced in 2014 – seven years after Perth, six years after Brisbane, five years after Melbourne, and two years behind Adelaide. It's still being rolled out across the various transport modes, with full implementation expected by the end of this year.
Public transport smartcards:
- Consolidate different types of transport onto one payment system, so users don't have to buy separate tickets for a bus and a train, for example.
- Allow easy or automated top-ups.
- Offer a travel history and tax invoices.
- May offer bonuses such as free travel.