Sunday, February 26, 2006

Oyster cards, privacy and security

Not that I'm claiming I started it or anything, but there has been something of a flurry in the press lately about the Transport for London Oyster Card and how easily it can be used to track down an individual's movements. No one did come back last time to tell me how an Oyster card worked (well, except Ian Brown), but from the Register and Independent on Sunday articles, it seems you need nothing beyond the actual card in your hand to access journey information at a kiosk, but slightly more security operates when you try to get the info on-line from your own PC:

"The IoS claims that Oyster journey data can be extracted at a ticket machine using the card, or online by keying the serial number of the card. As far as The Register is aware, however, internet access is slightly more secure than this, requiring a username and password or the serial number, and mother's maiden name or similar, from the application form. These are not, however, insuperable hurdles for the suspicious spouse or close friend, and access to the individual's email account would probably be enough for a snooper to change passwords and gain access to the account itself."

As the Register point out, the current basic level of security helps no one. Either close down access altogether - why do you need to access details of your OWN journeys? you KNOW where you've been!! - or add some decent security like a password for ticket machine access.

And as they also add, the problem will be more pressing if/when, as planned for a year or so, the Oyster Card scheme is extended to become a smart card wallet, used in DigiCash-like ways to pay for small purchases like milk and papers.


Simon Bisson said...

Actually, you do need access to your own journeys, if you're making expenses claims against travel on a pre pay card. How else are you going to prove you made the journey?

Lilian Edwards said...

Ahh good point!
No receipts available I guess?

Watching Them, Watching Us said...

We have been worried enough about the lack of security and privacy of the Oyster Card to use aluminium foil to shield ours for over 2 years now. See:

"Foiling the Oyster Card"

The BBC also now report that the Police are increasingly using the Oyster Card data for criminal investigations, and it is not clear if this involves database trawling of innocent travellers' data or not, especially in conjunction with the omnipresent CCTV surveillance systems on London Transport.