It seems like every morning brings new headlines that herald the end of our digital privacy as we know it. These stories spark outcry, worry, and — counterintuitively — no small amount of apathy.
The MTA’s One Metro New York (OMNY) program has become one such subject of public concern. The program intends to give New Yorkers the ability to pay their fare with contactless bank cards or devices that are linked to digital wallet software such as Google Pay, thereby eliminating the frustrating bottlenecks that result from incorrectly swiped MetroCards. Since May, contactless turnstiles have been added to over 16 stations along the 4, 5, and 6 lines; OMNY organizers project that all Metro-controlled subways, buses, and commuter rails will have fully transitioned to the tap-and-go system and outmoded the MetroCard by 2023.
For many, the change is a welcome shift into a more convenient and tech-savvy future.
“OMNY is designed to save New Yorkers their most precious commodity: their time,” MTA chairman Pat Foye told attendees at the program’s launch at Manhattan’s Bowling Green Station in May.
New Yorkers seem to be along for the ride, even if they don’t quite share Foye’s fervor. As New York resident Amy Schaefer recently commented for the Gothamist, “I’m into technology in the sense of making life a little easier and faster as long as it’s safe and identity protected and all of that.”
New reports, however, indicate that OMNY may not be able — or willing — to keep its users’ data under wraps.
At the beginning of October, the Surveillance Technology Oversight Project (STOP) released a new report outlining the organization’s grave concerns about OMNY’s lack of consideration for travelers’ privacy rights. As the researchers write:
“This new, wireless payment platform also allows the MTA, and potentially third parties, to collect an alarming amount of information about transit users. OMNY will allow the MTA to track when and where specific transit users enter the system, for example, to take the subway, train, or bus. Combined with a weak Privacy Policy, available only through the OMNY website, and existing MTA surveillance tools, OMNY provides the MTA with unprecedented surveillance capacity.”
The points STOP makes are compelling, if more than a little Orwellian. However, the concerns it raises are well researched. The organization notes that the language of OMNY’s privacy policy is remarkably vague for the amount of data it collects. For example, while OMNY specifies that users who have registered accounts can see their trip data by entering a credit card number, it does not mention how long the MTA will keep that data.
Worse, this obfuscation seems to be more of a trend than an exception. As researchers point out, “OMNY’s privacy policy includes non-limiting language—phrases like ‘may include’ and ‘without limitation’—making it difficult for users to know exactly what information of theirs is being tracked and how it’s being used.”
Alarming, too, is the idea that riders may not be able to avoid OMNY’s tracking capabilities in the future. While passengers can currently opt to use their cash-backed MetroCards to avoid sharing their data with the MTA, that option will be null once OMNY achieves its final rollout in 2023. It is worth pointing out that the MTA has indicated that a cash-backed “OMNY card” will eventually be available for purchase; however, little is known about when such cards will hit the market. Moreover, given the shift towards tap-and-go fare transactions, it seems far more likely that the MTA will promote the use of digital — and thereby trackable — payments.
STOP’s report outlines a distinctly dystopian vision for the future. It suggests that the MTA will use the data it collects to surveil New York’s residents, abuse data to target ethnic and religious minorities, and give for-profit companies the means to monetize user data without permission.
But are we truly one step closer to an Orwellian reality? I don’t necessarily think so. The consequences STOP outlines are possible and worrying, of course. Still, it seems unfair to write New York off as a surveillance state — especially given that STOP itself admits that its report is a preliminary one and that the matter requires more information for a proper investigation.
Moreover, representatives from Cubic, one of the companies behind OMNY, say that the upgraded system has been designed with security in mind.
“These payment systems are based on retail payment system standards issued by the payments industry,” Cubic president Matthew Cole recently told reporters for CBS, “so it’s got all of the highest standard of the payments industry security you would expect in any payment system.”
His point does have backing in practice, as well. London’s transit authority, for instance, has been running Cubic’s advanced transit payment for years without any cases of hacking. Moreover, statistics collected by the New York Times indicate that “contactless trips made with smartphones or with credit or debit cards now account for about 25 percent of the fares,” while contactless payments outnumber those made by Oyster Cards (London’s MetroCard equivalent) at about 80 stations.
However, this isn’t to say that OMNY is in the clear, either. Any organization that collects a significant amount of consumer data runs the risk of fielding a costly breach. Just last November, Cubic faced potential disaster for its systems in San Francisco when a virus spread across 900 computers at the city’s Municipal Transport Authority offices. At the peak of the event, a hacker threatened to release stolen MTA data unless the agency paid a ransom of roughly $73,000 in bitcoin. Thankfully, the incident was resolved without a data dump or payment; however, the episode does stand as a case study for what can happen when bad actors target organizations that collect potentially sensitive data.
The fact is, most people are probably going to use OMNY, even if they are concerned about the system’s privacy risks. To borrow Amy Schaefer’s quote once more, we’re “into technology in the sense of making life a little easier and faster as long as it’s safe and identity protected and all of that.”
The “all of that” is important. It reflects our care, but also our apathy.
After all, this is just another episode in a long-standing trend. We’ve seen the worst-case scenarios play out for Equifax, Yahoo, Target, JPMorgan Chase, and Citibank — and yet, despite our worry, we don’t interrupt our use of their services unless we are directly affected. We don’t read the full terms and conditions, we don’t change our passwords, we don’t bother to express more than shock at a data breach unless it affects us — and even then, we aren’t as alarmed as we should be. According to one survey conducted by Digital Guardian, one out of five Americans faced a compromised online account in 2012.
Here’s the issue — while it is OMNY’s responsibility to protect consumer data, that alone cannot protect consumer privacy. Customers need to take steps toward a broader change in the consumer mindset, one that promotes data awareness and informs more cautious information-sharing. The truth is, hackers are always going to hack, and — if recent scandals have taught us anything — companies are going to monetize the data we give them.
It’s not enough to shrug off our concerns with an “all that” as we step on our next train of thought. If we do, we’re one day going to find ourselves struggling to regain our digital footing after a breach, wondering why we didn’t act even when we saw it coming.
Thanks for sharing this dark yet insightful information regarding our beloved MTA. Unfortunately, as you stated, complacency for the sake of convenience is the reason why we are so willing to compromise our freedom. Hope to read more articles from you. Thanks again.