MTA Website Doles Out Rider History Data With Just A Credit Card Number

by Karl Bode, from Techdirt (#6ECAX)

We've noted for years how there's no limit of companies and organizations that over-collect data on your daily movement patterns, then fail to adequately secure that data. Whether it's your mobile phone carrier, your smartphone maker, your favorite app, or a rotating crop of dodgy data brokers, our corrupt failure to pass even a baseline privacy law for the Internet era is the gift that keeps on giving.

A lack of regulatory oversight of data collection has normalized lazy data practices everywhere you look. Case in point: Joseph Cox at 404 Media discovered that in NYC, the MTA's OMNY contactless payment system easily spews out a rider's detailed subway ridership history if you plug in a user's credit card number, which can often be obtained via the dark web:

"Obviously this is a great fit for abusers who live with their victims or have physical access, however brief, to their wallets," Eva Galperin, the director of cybersecurity at activist organization the Electronic Frontier Foundation (EFF) and who has extensively researched how abusive partners use technology, told 404 Media. "Credit card info is not a goddamn unique identifier."

This could have easily been avoided with a simple PIN or password. While OMNY users can sign up for a password-protected account, the system defaults to the no-password, no-authentication option. 404 Media points to a 2019 study by the Surveillance Technology Oversight Project (STOP) that expressed concerns that the payment system could be easily abused:

"Given how often government agencies, including the New York Police Department (NYPD), have abused surveillance data to target ethnic and religious minorities and how for-profit corporations face overwhelming pressure to monetize user data, OMNY has the potential to expose millions of transit users to troubling repercussions."
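To make the insecure-default point above concrete, here is an added illustration in Python. It is not MTA or OMNY code and is not from the article: a small trip-history service where the weak default (history returned for a bare card number) sits beside a default-deny version that requires a password-protected account, a login session, and that the card be enrolled on that account. The card numbers, trip records, account names and passwords are constructed test values.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


def card_token(card_number: str) -> str:
    """Key records by a hash of the card number so the PAN is never stored in clear."""
    return hashlib.sha256(card_number.replace(" ", "").encode()).hexdigest()


# Constructed sample data: a fake test card number and two trip records.
TRIPS: Dict[str, List[str]] = {
    card_token("4111111111111111"): [
        "2023-09-01 08:02 entry at station A",
        "2023-09-01 18:15 entry at station B",
    ],
}


@dataclass
class Account:
    salt: bytes
    password_hash: bytes
    cards: Set[str] = field(default_factory=set)  # tokens of enrolled cards


ACCOUNTS: Dict[str, Account] = {}
SESSIONS: Dict[str, str] = {}  # session token -> username


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def enroll(username: str, password: str, card_number: str) -> None:
    """Create a password-protected account and bind one card to it."""
    salt = secrets.token_bytes(16)
    ACCOUNTS[username] = Account(salt, _hash_password(password, salt), {card_token(card_number)})


def login(username: str, password: str) -> Optional[str]:
    """Return a session token on a correct password, None otherwise."""
    acct = ACCOUNTS.get(username)
    if acct is None:
        return None
    if not hmac.compare_digest(acct.password_hash, _hash_password(password, acct.salt)):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    return token


def lookup_history_weak_default(card_number: str) -> List[str]:
    """The insecure default the article describes: the card number is the only input,
    so anyone who has seen the number can read the rider's history."""
    return TRIPS.get(card_token(card_number), [])


def lookup_history(session_token: str, card_number: str) -> List[str]:
    """Hardened lookup: default deny. The caller must hold a valid session and the
    card must be enrolled on that session's account; unenrolled cards are never
    queryable, so a card number alone reveals nothing."""
    username = SESSIONS.get(session_token)
    if username is None:
        raise PermissionError("not authenticated")
    token = card_token(card_number)
    if token not in ACCOUNTS[username].cards:
        raise PermissionError("card not enrolled on this account")
    return TRIPS.get(token, [])
```

The design choice worth noting is that the hardened path does not merely add a password on top of the card-number lookup; it makes enrolment the precondition for any lookup at all, which is the opposite of the opt-in model described above, where an unprotected card stays queryable until its owner creates an account.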

New York City is also taking heat for its longstanding Wi-Fi kiosk program LinkNYC, which still non-transparently over-collects the data of users and passersby alike despite years of complaints by privacy activists.

There are two major reasons we don't have even a basic privacy law for the internet era that holds governments, organizations, and corporations accountable for lazy security practices. One, the data collection is immensely profitable to just an ocean of companies and industries which lobby against reform in unison. Two, it routinely allows the government to avoid having to get pesky warrants.

It's not clear how many privacy scandals we need to bear witness to before real reform actually occurs, but it's abundantly clear we're going to be waiting a long while.
