NRC Next, 16 April 2013: 'Your jealous ex knows exactly where you travel anonymously'
“The travel details of an anonymous ov-chip card are easy to see. All you need is the number and expiry date. This is the second 'leak' in the card's anonymity.
The anonymous ov-chip card, of which some five million are in use in the Netherlands, is proving even less anonymous than thought. Users previously complained about the unique number on the chip, which can be used to link the card to the account holder after digital top-up. This would allow the company behind the public transport chip card, Trans Link Systems, or the government to find out who travels with which anonymous card. Now, especially with anonymous ov-chip cards, it also turns out to be child's play to track someone's travel behaviour closely. What does this mean? Four questions about the (not so) anonymous ov-chipkaart.
What exactly is going on?
Via the website http://ov-chipkaart.nl you can endlessly link ov-chip cards to your, possibly anonymous, account. For anonymous ov-chip cards, you only need the card number and expiry date, both of which are on the card. After linking, the travel behaviour by bus, tram, metro or train can be tracked virtually in real time via the transaction reports. Every time someone checks in or out, it can be seen on the site, including the location where it happens. Just penciling in the card number and expiry date of someone's anonymous card is enough for that.
With personal ov-chip cards, it is slightly more difficult, but not impossible either. This also requires you to enter date of birth and postcode, and the latter is not on the card. In both cases, cardholders are unaware that anyone else can see their travel details.
Viewing via the NS website is also possible, although the anonymous card must first be physically held at an NS card machine for this. So you have to hold someone else's card for some time for this. Or trust that next time that person presses 'collect product' at the machine, the link will also be completed.
What's bad about this?
It just depends on how you look at it. Some people have little problem with the fact that it is quite easy to track someone's travel behaviour unnoticed. Anonymous ov-chipcard user Edo-Martijn Janssen thinks otherwise. He discovered how easy tracking via http://ns.nl is. He created an account for his anonymous ov-chip card under the name Pietje Puk who lives at NS headquarters. There, via an anonymous e-mail address, he then effortlessly linked ov-chip cards of family members, all of whose travelling habits Pietje Puk could thus track. He could also link a non-anonymous card. But at least for that, Janssen still had to visit the NS ticket machine. He is very surprised by the weakness in the website http://ov-chipkaart.nl, where card number and expiry date thus suffice. "A stalker can follow someone unnoticed this way. And a burglar can see when someone is away from home. Just to give some examples," Janssen says. But then they must have seen that ov-chipcard at some point to know the number and expiry date. Janssen: "That's right. Closer to home, you can think, for example, of the partner who can easily be tracked in this way, an employer checking employees when they call in sick, or parents spying on their children."
What do privacy experts think about this?
"I'm quite surprised by this," says Ronald Leenes, professor of regulation by technology at Tilburg University. "This shows that even the most basic issues around privacy can go wrong." His Tilburg colleague Corien Prins, professor of law and technology, agrees. "This should not be possible." But at the same time, she calls it "not the biggest privacy problem of the moment". Prins: "I hope we don't all start talking about the ov-chipkaart again now, when we should be having a fundamental discussion about how far we want to go with surrendering privacy. For example, if you see what will soon be possible with facial recognition via cameras. I would rather talk about that."
At the Privacy First foundation, though, they are angry about the privacy leak found at http://ov-chipkaart.nl. "It is a shame that everyone's travel details are so easily traceable. We take this issue very seriously and expect swift action from the responsible public transport companies, for example an e-mail notification when linking your public transport card to someone else's account. This again shows that privacy is not something you can add afterwards."
What does Trans Link Systems say?
According to a spokesperson for the company behind the ov-chipcard and http://ovchipkaart.nl, it was at the request of consumer organisations that it was also made possible for owners of anonymous ov-chip cards to view online transactions. That this also makes them easy to access, she says, is the consequence of this. "We don't know anything else about those people. So when they log in, we can only ask them for their card number and expiry date." She does not address the fact that the NS website still requires activation at a vending machine in any case and that cards can be linked unnoticed.”
Source: NRC Next 16 April 2013, p. 11 (author: Wilmer Heck). See also http://www.nrc.nl/nieuws/2013/04/16/reisgedrag-gebruikers-anonieme-ov-chipkaart-eenvoudig-in-te-zien/