NRC Handelsblad, 7 May 2013: 'So you never travel unspoiled again. Four questions on privacy when using anonymous ov-chipcard'
“The travel details of an anonymous ov-chip card appear to be easy to see: just the number and expiry date are enough to track someone's movements.
The anonymous ov-chip card, of which some five million are in use in the Netherlands, is proving even less anonymous than thought. Users previously complained about the unique number on the chip, which can be used to link the card to the account holder after digital top-up. This would allow the company behind the public transport chip card, Trans Link Systems, or the government to find out who travels with which anonymous card. Now, especially with anonymous ov-chip cards, it also turns out to be child's play to track someone's travel behaviour closely. What does this mean? Four questions about the (not so) anonymous ov-chipkaart.
1. What exactly is going on?
Via the website http://ov-chipkaart.nl you can endlessly link ov-chip cards to your, possibly anonymous, account. With anonymous ov-chip cards, you only need the card number and expiry date for this, and both are on the card. Once linked, travel behaviour with bus, tram, metro or train can be tracked in near real-time via transaction statements. Every time someone checks in or out, it can be seen on the site, including the location where it happens. Simply copying the card number and expiry date of someone's anonymous card is enough.
With personal ov-chip cards, it is slightly more difficult, but not impossible either. This also requires you to enter date of birth and postcode, and the latter is not on the card. In both cases, cardholders are unaware that anyone else can see their travel details.
Viewing via the NS website is also possible, although the anonymous card must first be physically held at an NS card machine for this. So you have to hold someone else's card for some time for this. Or trust that next time that person presses 'collect product' at the machine, the link will also be completed.
2. What is bad about this?
It just depends on how you look at it. Some people have little problem with the fact that it is quite easy to track someone's travel habits undetected.
Anonymous ov-chipcard user Edo-Martijn Janssen thinks otherwise. He discovered how easy tracking via http://ns.nl is. He created an account for his anonymous ov-chip card under the name Pietje Puk who lives at NS headquarters. There, via an anonymous e-mail address, he then effortlessly linked ov-chip cards of family members, all of whose travelling habits Pietje Puk could thus track. He could also link a non-anonymous card. But at least for that, Janssen still had to visit the NS ticket machine. He is very surprised by the weakness in the website http://ov-chipkaart.nl, where card number and expiry date thus suffice. "A stalker can follow someone unnoticed this way. And a burglar can see when someone is away from home. Just to give some examples," Janssen says. But then they must have ever seen that ov-chipcard to know the number and expiry date. Janssen: "That's right. Closer to home, you can think, for example, of the partner who can easily be tracked in this way, an employer checking employees when they call in sick, or parents spying on their children."
3. What do privacy experts think of this?
"I'm kind of surprised by this," says Ronald Leenes, professor of regulation by technology at Tilburg University. "This shows that even the most basic issues around privacy can go wrong." His Tilburg colleague Corien Prins, professor of law and technology, agrees. "This should not be possible." But at the same time, she calls it "not the biggest privacy problem of the moment". Prins: , "I hope we won't all start talking about the ov-chipkaart again now, when we should be having a fundamental discussion about how far we want to go with surrendering privacy. For example, if you see what will soon be possible with facial recognition via cameras; I would rather talk about that."
At the Privacy First foundation, though, they are angry about the privacy leak found at http://ov-chipkaart.nl. , "It is a shame that everyone's travel details are so easily traceable. We take this issue very seriously and expect swift action from the responsible public transport companies, for example an e-mail notification when linking your public transport card to someone else's account. This again shows that privacy is not something you easily add afterwards. We advocate privacy by design, take privacy into account from the beginning. And that never happened with the ov-chipcard."
4. What does Trans Link Systems say?
According to a spokesperson for the company behind the ov-chipcard and http://ov-chipkaart.nl at the request of consumer organisations, it was also made possible for holders of anonymous public transport cards to view online transactions. That this also makes them easy to track is the consequence, she said. ,,We don't know anything else about those people. So when they log in, we can only ask them for their card number and expiry date."
D66 MP Stientje van Veldhoven has asked state secretary Wilma Mansveld (Infrastructure, PvdA) Meanwhile, asked what steps it will take to make the ov-chipcard more privacy-proof. Trans Link Systems' spokesperson said that in response, the company is now investigating whether it is "desirable and technically possible to adapt the system."
Source: NRC Handelsblad 7 May 2013, p. 27 (Economics). Author: Wilmer Heck.