Hey, how did that cop know I rode Metro?

Robert Gellman

Concerns about privacy are generating new technologies that shield identities. An old-fashioned identity protector is in your wallet. A dollar bill is a wonderful way to engage in commerce without leaving a trail of who you are and what you bought. Other examples include stored value cards such as the ones used for telephones or subways. You buy a card anonymously and add value to it as necessary. The card is not tied to your name or other identifier.

Recent news stories have begun to raise questions about just how nonidentifiable such records are. The New York Post reported that police analyze seemingly anonymous computerized subway fare cards to solve crimes and disprove alibis.

The cards seem anonymous, but they have serial numbers. Each time a card is used, New York City Transit computers record the date, time and location of a transaction. In one case, a criminal suspect said that he never left Staten Island on the day of a robbery. When the cops checked his fare card with the transit authority computers, his card showed it had been used on the day of the robbery to enter the subway near the crime scene. The information undercut the suspect's alibi and credibility.

I don't want to sound the privacy alarm too loudly over this report. Fare cards are still mostly anonymous, and it is surely difficult to trace an identifiable individual's movements through the system. But the typical rider is unaware of the fact that the cards can be used to trace individual rides. The card looks completely anonymous, but it isn't, and that is a privacy concern.

I have been using farecards for the Washington metropolitan transit system for years, and I routinely add value to my card before it runs out. I now wonder if someone who obtained my card could identify all my subway rides for those years. I would be happier if the transit authority told me more about what information is maintained, how long it is kept and rules for its access.

I doubt whether riders are actively worried about subway records. But I have another example that may be more unnerving, especially to those who work in an office. This example comes courtesy of Lauren Weinstein, the moderator of the Privacy Forum, an interesting Internet list server. The issue that provided this example can be found at www.vortex.com/privacy/priv.08.18.

Weinstein reports that virtually all color xerographic copiers imprint invisible identifying numbers. The identification numbers are repeatedly encoded as 'noise' through the reproduced image. This makes it impossible to circumvent the system by evading the identifiers with a screen.

The purpose of the ID number is to provide a way to find copiers used to counterfeit currency or other documents. The numbering algorithm is proprietary, and Xerox Corp. reportedly insists on a court order before it will decode a copy, except that it apparently does decoding for some government agencies without an order.

Is this another privacy-invading technology? As with the transit fare cards, privacy concerns might be limited, but they are real. Suppose someone decides to anonymously make color copies of a political flyer? Suppose a whistleblower secretly makes copies of an agency document to give to investigators? In each case, identifying the machine that produced the copy could identify the source.

Workers' use of office copiers for private purposes is common, if improper. If nothing else, people might be disinclined to use the office copier if they knew they could be tracked. They would stick to black-and-white copiers, which don't have identification capabilities, yet.

Need to know

When technologies can surreptitiously track activities, even when there are no direct identifiers, users need to know more about the rules. It is not enough to tell citizens that the records are not identifiable. We may need to extend some elements of fair information practices to these technologies, too.

What's next? I don't put much stock in Internet rumors that the Treasury Department plans to include bar codes on currency so it can track individual bills and deter money laundering. Nowadays, when privacy is a major political concern, currency tracking is not a viable idea.

Nevertheless, I intend to buy a fresh, one-time-use fare card next time I ride the subway. You can't be too careful.

Robert Gellman is a Washington privacy and information policy consultant. His e-mail address is rgellman@cais.com.
