photo by Oran

We’ve mentioned these issues briefly before, but Mike Lindblom has a really important article in the Times today about privacy and ORCA:

Whenever someone buys an employer-subsidized fare card through one of 2,000 companies or institutions, the employer has the right to see that person’s travel records. A boss could check to see, for example, whether someone is abusing a subsidy by reselling ORCA cards or find out if an employee called in sick but rode the bus to the mall or the beach…

Personal fare-card information is technically available to news media and other groups, as well, though it’s unclear how forthcoming ORCA would be in providing it.

Read the whole thing.

ORCA hasn’t been a particularly well-run project, and I suspect it’s partly because no one is really in charge.   So it’s important that the mainstream media shine a spotlight on the issues here.

I’m not really a privacy absolutist, but there are some basic policy decisions that could improve things while still maintaining some fraud-prevention features. For instance, ORCA could notify card holders when an outside party requests their records. Deleting records after a time would also be helpful, except as anonymized data for traffic analysis.

What other changes would you like to see to the ORCA privacy policy?

58 Replies to “ORCA Privacy”

  1. I got my daughter an ORCA card the other day, and was able to register it and verify its use from that evening online. That made me happy.

    Now that it appears that anyone “at the agencies’ discretion” can be given that same information – and that of any registered ORCA card user – I’m more concerned that better attention wasn’t paid to basic privacy concerns.

    I’m guessing that we may be in for both some legal and legislative gymnastics, up to and including a possible injunction against the entire system until these privacy issues are resolved, if only through better encoded policy.

    Having read through the ORCA Privacy Policy Statement http://www.orcacard.biz/ERG-Seattle-Institution/jsp/static/ORCA%20Privacy%20Statement.pdf it seems way too open ended, and says effectively “we reserve the right to give any and all of your personal information to anyone who asks that WE feel has a right to know it”.

    Good news: the controversy will raise awareness of the pass. Many, many regular passengers are paying little attention to the looming changes in January, and I expect to hear from many passengers angry that “nobody told them” that fares were going up; inter-system transfers would no longer be accepted, etc.

    As a morning Metro driver, I get a lot of Sound Transit, Pierce, and Community Transit transfers STILL – and every time I mention the change coming, the person with the transfer says they had no idea.

    1. Was your daughter able to get a child’s rate? I ordered and registered cards for my nieces, but customer service said I’d have to bring their orca cards and their student IDs or birth certificates to a service branch to reduce the fare. That was months ago, and their cards have sat unused.

      1. Matt,

        Had to go down there in person to get the Youth card. Didn’t need a student ID or birth certificate – the ORCA site says that proof of age is only required if it is “not obvious” that the person is underage. She passed muster.

        As my daughter is approaching driving age, I darn well hope her card doesn’t go unused, as I’d rather see her use the bus for a variety of reasons.

      2. The latest revision to the ORCA mail-order form includes instructions for ordering a youth card by mail with proof of age. Haven’t gotten mine back yet, but haven’t had the order declined, either.

  2. Well the truly paranoid can pay cash for their cards and use only cash to fill them. There are still some potential problems there if you are really paranoid as the card number can be used to pull the transaction history and security camera footage will show who filled a particular card.

    1. Since the 1980s, and certainly since the enactment of the so-called “Patriot Act”, anyone with a driving license, passport, checking account, retail loyalty card or ATM card has almost certainly lost any control over who has what information about themselves. This is a Seattle Times generated Tempest in a Teapot – had they chosen to do a thorough investigation on privacy issues, the focus of the story would NOT have been on ORCA.

    2. This story was amazing! The real issue is not that employers will have access to the information related to the cards they purchase for their employees…but rather that the “news media” does!! The Seattle Times does an article expressing concern about privacy, and they were the organization down in Olympia fighting to successfully insert language allowing the “news media” access to YOUR personal information. On top of that, the language is so vague it appears any blogger sitting in his basement can consider himself part of the “news media” and request this information.

      THAT is the issue here! Not that your employer might take the time to see that you boarded the bus on Wednesday at 2nd and Marion with your employee ORCA card, but that anyone associated with the “news media” can pull your card data at anytime.

    1. joshuadf,

      A concerning statement from your link:

      “Every time you use your ORCA card, a record of the unique identifier of the card, the time and location of use is stored in the transit agency’s database. Over time, these records give a complete history of all your travel. At a minimum, employees of the transit agencies, law-enforcement, and the press will have access to that history. While these groups often have the best intentions when it comes to protecting your private data, it only takes one disgruntled employee or a lost laptop to put your private travel history in the hands of a malicious party.”

      1. Why not social scientists (transport geographers/planners)? Folks who could do something productive with this information (and would need it to be anonymous to get IRB approval for their research)?
        Employers and law enforcement and the press?! Not so much.

  3. Chris,

    I’m not sure I buy into the characterization of those concerned about privacy issues and ORCA as “paranoid”. I think that when personal data that includes one’s movements as well as bank account information, etc. becomes fully accessible public information – that’s grounds for concern. Cataloging the issues associated with people who’ve had to sort their lives out after identity theft alone should give one pause.

  4. I know I won’t use ORCA until they make changes to the privacy policy. I don’t mind putting stuff out for public use, but I want to be in charge of it.

  5. I was one of the students who worked on the privacy analysis that joshuadf linked to above. A lot of those concerns are still valid, but especially so for us as University students. There was a lot of concern at the time that since our student IDs were going to be combined with ORCA card functionality (replacing the U-PASS), there was going to be a really strong link between our transit history and our identity. Who would have access to that information? School administrators? Staff? Faculty? Thanks to our efforts, UW is taking a much more nuanced approach to protecting that information, but you have to be vigilant about this stuff.

    These same issues largely apply to other employer-provided ORCA cards. Who has access to the transit history information? What will it be used for? I know it’s easy to say “just get an anonymous cash card if you are concerned about privacy” but the economic realities of employer-discounted transit-passes are such that we shouldn’t have to choose between our privacy and what we can afford.

    1. Exactly – If I want to opt out of my employer’s subsidized ORCA card to protect my privacy, it’s going to cost me $972 per year at current rates.

    2. And it’s a hassle to carry two cards. You can’t tap the reader with both cards in your wallet because it’ll say, “One card at a time, please.” And it’s not feasible to have one card with a pass and one card with cash, because some trips are paid partly by pass and partly by cash.

      1. @Mike Orr, you don’t need 2 different orca cards to do cash and pass – I have a firm-subsidized monthly pass on my Orca, but when I registered it I can add cash to it as well (they call it the “e-purse”). It always takes my pass amount first, and the one time I took a $2.50 trip with my $2 pass, it said “Pass + $0.50” on the display. Worked just fine.

      2. Yes, but your cash transactions are still tied to your unique card ID, so your employer, the newspaper, or the police could still browse your travel history out of curiosity or worse.

        The point of having two cards is presumably so that one of them isn’t registered and isn’t tied into your employer’s data access.

  6. If an employer subsidizes a transit pass, I believe they should have the rights to the records if they so desire. An employee can choose to use it or not. Or an employer could just reimburse people who buy passes themselves if they don’t care about audit rights.

    The Times article mostly yaks about that issue, which is pretty cut-and-dried in my opinion.

    The more important question as previous posters have touched on (and briefly mentioned in the article) is who else can get the data, how long is it kept, etc..

    1. Do they? If, as in my case, the funds are taken pre-tax as a payroll deduction why should an employer be allowed to monitor your travels outside of work hours? If the employer is paying for a pass then you might look at it the same as providing a company car. I think it’s pretty clear that any time you are driving a company vehicle the owner has a right to know where and how it’s being driven if for no other reason than the registered owner can be held legally liable. But subsidizing a transit pass is more like a benefit. Just because an employer subsidizes your health care I don’t think anyone would agree that they have the right to know when and where you seek medical attention.

      1. Another thing… many employers subsidize at rates less than 100%, but appear to be entitled to 100% of the information of the card.

    2. If this stuff is more or less available with a public records request, there are tons of bad implications here: court evidence, tabloid investigations, stalking, etc. All good reasons not to use transit.

      1. That’s the most shocking part about the whole thing in my opinion. Government and corporations keep tabs on us all the time but allowing anyone to get to them is too much.

      2. I guess ORCA should have a thing on their Web site so you can opt out of being required to be subject to a public records request if you have been the victim of domestic violence. I know this exists for voting information being public record.

    3. If your employer subsidizes your health insurance, do they have a right to see your medical records?

      If I subsidize any behavior you do (through taxes, fees, payments etc.) can I have your data, then?

      Really?!

    4. It is reported that employers provide these discount cards as a perk or an additional form of compensation. How do you make the connection then that they have the right to know how you use it? Should they be able to check your health care records and see your wife’s OB/GYN records because they pay part of your health insurance – which is a form of compensation? From that we can then argue that since they pay you they have the right to know how you spend that money and indeed dictate how it is spent. Our constitution used to protect us from government intrusion. But now we have corporate entities prying into every aspect of our private lives just because we work for them. This is nothing more than modern slavery. You are entitled to a certain number of sick days per year. It is your contractual right, you have every right to use them. Employers can not then turn around and cry “foul” if you happen to go to the store, or the museum, or indeed even the beach on a day when you have called in sick. A corporation’s “desire” to make a profit and maximize productivity (notice I said desire not “right” because it is NOT a right) in no way trumps your right to privacy and self determination. It is not like you are using a company computer, a work tool, to do personal blogging with.

  7. I’d also add that the last ten trips you took are recorded on the card itself in unencrypted form as well and can be read with an off-the-shelf reader. The read range is pretty short, so it’s hard to skim the card from a distance, but if you can get physical access to the card or sufficiently close, you can read the information.

      1. I worked on this with another student at UW. He read the data from the cards and I helped decode the data block into the appropriate fields (trip, time, fare, etc).

      2. I was the one who partially decoded the information.

        We haven’t tried cloning the cards, both due to the fact that it’s likely illegal, and that looking at ORCA is a side-project for us, and we don’t have enough time to fully investigate everything.

        That being said, the ERG contract states that ORCA supports two card types: the Mifare DESFire, and the Mifare Ultralight. The ultralight has NO encryption or authentication capabilities. If it’s possible to make an ORCA reader accept an ultralight card as a full DESFire card, then you should be able to clone them.

        A couple of caveats: If they check the UID of the card, then you’d need to use a custom card to spoof the UID. Also, they might be able to detect discrepancies on the back end, particularly if it’s not a pass, so your card would likely get nuked after a day or two.

  8. Read yesterday that Al Qaeda can now hack into real-time video feed from the drones our forces are using to track them down. Add that to the steady parade of revelations about stolen social security and credit card information, and I hope the ACLU puts its meanest litigator on the injunction. If it’s in a database, you don’t need authorization for access. Just motive and opportunity, like they say on Law and Order.

    I’ll be a lot more sympathetic to the rights of employers as a class when a lot more workers are unionized, and corporations cease to be granted the Constitutional rights that only human beings deserve. I suspect the Founding Fathers would have no problem adding “CEO” to the category of titles of nobility that document forbids. Can’t handle free people as workers? Don’t just send your work to China, get yourself a one-way ticket.

    I support the ORCA program, mainly because as a former Metro driver and a steady passenger, I think paper transfers are a messy aggravation that starts arguments and slows service. I wish the system wasn’t introducing ORCA in a manner guaranteed to inflict hardship on the very passengers who most desperately need a simple, fair way to pay for transit. But that’s beside the point here.

    Transit needs to know when and where I travel? Fine. It just doesn’t need to know it was me. And the last thing transit needs is to write a prize-winning script for Dorie Monson at his weenie-screaming worst.

    1. Mark,

      Um – LOL on your last sentence.

      I’m still pretty supportive of the rights of employers to have access to information related to resources that they provide. Anyone wishing to keep their personal travel separate and private from their employers need only to get their own ORCA card and ride at will. Thing is – they shouldn’t have to have it unregistered and cash-only in order to feel that their identity and personal information is safe from public blabbing.

      1. Say, excuse me, but let the employer set up their own spy agency if that’s what they want to do. There’s no reason to have the government develop an elaborate database around an essential service and then let the employers go on fishing trips looking up their employees lives.

  9. I would certainly object to an employer having access to my travel records, even if they provided the pass. If I use the pass for personal reasons on my own time, what business is that of my employer, even if they did provide the pass? The notion that they might want to crack down on people who sell their pass is a misuse of the technology. As Brian Ferris said, it is good to be vigilant about this kind of thing. We don’t want to cede our right to privacy just because technology makes it possible.

  10. I see no reason why the monthly pass had to be rolled into Orca. Many riders are going to be overwhelmed with confusion in January. Not everyone has internet access or a credit card. Why can’t we go on buying passes at Bartell Drugs?

    1. Negotiations are under way with retailers to start selling and reloading ORCA cards. Some supermarkets in Seattle, Burien and Tacoma already service ORCA cards. More locations are coming soon, like next month in some Everett supermarkets.

      You can also buy passes for your ORCA at self-service ticket machines at Link and Sounder stations with cash.

    2. I believe the Bartell’s next to me sells ORCAs already, and as Oran says, places all around the region will soon. That’s pretty much the point of ORCA is that it combines monthly passes with e-purse, handling transfers and everything for you.

      1. Which one is the Bartell’s next to you? Wait, don’t answer that – I’ll just file a public records request and find out based on your ORCA travel history.

    3. Very good idea. In Vancouver BC, you can also get all-day transit passes at local equivalent of 7-11’s. ORCA day passes would be excellent.

      To me, what you suggest would cure the worst unfairness about Orca introduction: creating one more hardship for the very people who deserve it least, poor working people with no credit cards.

      Please contact your county councilmember, and your ST board member, and urge them to be sure ORCA service is widely and easily available before they start to essentially punish people for not having it.

  11. My employer, a large Seattle-based non-profit, began offering ORCA cards today. They are free to all employees, which for me would be a $972 annual subsidy under current pricing. However, employees must sign the standard release allowing the employer and transit agency access to personal travel records. When I followed up with my employer’s legal and HR teams, they indicated that they intended to mine employee data and that I would have no recourse or privacy, other than to reject the transit subsidy. I had to turn down the card. I’ll be using a cash-fed ORCA card for the next month or two, and after that I’m headed back to my car for good.

    No one, particularly my employer, needs to see my travel history. Period.

    1. Everyone, even gov and non-profit employees, has the right to alter contract verbiage, including release agreements. It’s an “agreement” after all, and legally that means by signing BOTH parties have agreed to every bit of fine print.
      @mount baker guy:
      I wonder what would happen if you line-item veto the offensive parts of the agreement (single strikeout in black with a tiny initial). Then quietly make yourself a copy. If you don’t point it out specifically, most folks aren’t even going to notice you did it. (I did that on a non-disclosure agreement that had a paragraph of extremely offensive verbiage (something along the lines of the ‘employee isn’t allowed to work in similar industry in the same region for 5 years after termination’ – [uhmm NO]), and it went into a stack of signed docs to be filed and it was never mentioned after.)

    2. It depends on how they intend to mine the data, doesn’t it? One could glean a lot of useful information without knowing anything about the individuals using the cards…like the most common route used by our employees is route A, or our employees are averaging X transit trips per week. Versus, Mary is only using her card once a month, or Mary used the card to travel to Northgate on a day she called in sick.

      The former might provide useful information to transit agencies and the employer, without violating anyone’s privacy, whereas the latter example would make most (all?) employees uncomfortable.

  12. Yikes.
    If an employer is paying for each individual trip (cash card style), then the employer, from a federal tax basis, does and should have a right to the information, even if it’s tied to a specific employee and not “Transit benefit pass #xyz123”. They do indeed “own” the card in that case, and an employee using such a card would be in the same situation legally as an employee using a work computer on company time to check personal email. I would advise that employee to decline and request a petty cash reimbursement/PO system of buying a flat rate card instead.

    If an employer is paying 100% for a flat-rate monthly pass per employee, there are zero grounds for them to need the specific trip info of their employees, whether the card is tied to a specific identity or not. Even in the case of fraud: the only need for specific trip info would be AFTER the card is reported stolen/lost. Can ORCA be set up to only record that data once the “Help, fraud/theft suspected!” button has been pushed?

    If the employer is simply providing a pre-tax deduction flat rate card, i.e. the employee is really paying for it, but the company is administrating the discount via transit incentives, then it’s an ethics issue on the company’s (& ORCA’s) shoulders: they shouldn’t tie the card # to any specific employee so there’s no chance of getting sued later by an employee who feels that data was misused.

    Just as important as the employer “protecting themselves” from fraud is the employee’s right to equally protect themselves from fraud: the employee cannot be sure that the company will keep its database entirely secure from theft or hack.

    Oh, and:
    Employers have few rights to refuse my promised sick day – even if say, I’m a scientology-like cultist who only believes that neiman marcus cookies thrown in a bonfire on the beach will heal my flu symptoms (thus ‘justifying’ the hypothetical “trip to the mall and the beach” in Lindblom’s article).

    The idea that police and press and employers need to know that, say, city-light worker Jane Doe, a 24 yo with a Visa card from Chase used her flat-rate payroll-deducted ORCA card to visit, say, Toys in Babeland after a trip from the Lusty Lady in the downtown core? not so much.

  13. I don’t know, guys… I think I kinda agree with Erica on this one.

    I certainly would like to see better concern for privacy issues, but this is true for just about every new thing happening right now — from Facebook to smart phones to OnStar to store loyalty cards.

    Specific to employers using your ORCA data, she’s right. It sounds like they either have to request the data, or at least be provided a log-in to access reports. They then have to tie those report data from ST to their own employee data. And then they have to start data-mining. And, then they still need to have someone who knows where each route goes and what times you’re supposed to be where, etc.

    That’s an awful lot of time and money to be spent unless they actually think someone is committing serious fraud.

    1. Or if you’re out to get them. Intimidate them. Make them feel surveilled. It might be worth it for union-busting, etc.

      Just because it’s costly doesn’t mean the cost is prohibitive. And just because the cost is prohibitive doesn’t mean it isn’t wrong.

      Just sayin’

  14. This is a pretty good illustration of a social and personal cost that isn’t figured very well in calculating the costs and benefits of this fare collection system.

    In one respect, it’s a simple return to a time when everyone knew who you were and what you were supposed to be doing. The problem here is that those weren’t particularly good times- for example, in medieval Europe, the cities were the places where runaway serfs and ‘new men’ made the pot bubble and boil. In the countryside nothing changed.

    In general, America has been a place where ‘new people’ did new things. Suddenly we’re learning that everyone can know everything about us. Maybe younger people will just grin and bear it, never having known a society where actual privacy still existed. Anyone who routinely is x-rayed by airport security is already accepting quite a bit. And I’m sure we’ve all had times when we’ve wished the boss was looking a little more closely over our co-worker’s shoulder.

    To me, though, it’s another reason not to collect fares at all. Collect taxes and make the system free, just like elevators. As small as they are, we don’t feel like we’re surrendering a lot of privacy when we ride in an elevator.

  15. I received an empty ORCA card and, knowing I was going to make use of it today, I went online to add e-purse value to it. At first all I could find online was that you had to register the card to add value to it, which requires a full name, mailing address, and phone number. This is not requesting – this is requiring. Myself, who believes in anonymity, and the fact that too much of our personal information is floating around for all to see, doesn’t like to give my name or address or anything to anyone unless it is necessary.

    At the time, I did not know you could add value online to an unregistered ORCA card, and later thanks to someone on this blog I did find the website for that and successfully completed a transaction. I dispatched an e-mail to whomever handles the general ORCA questions (in this case Sound Transit), informing them they need to a) add the capability to add value to an unregistered card online, and b) that they need to reconfigure their system so that you only have to enter a minimal amount of data for a registered card (e.g. e-mail address only). I did get a response from Sound Transit, who told me you cannot add value to an unregistered card online (they don’t even know their own system).

    I went to use the card today, and it worked fairly flawlessly; of course I burned through my $5 e-purse quickly, but it did seem to handle transfers and everything quite well. It did confirm some of my beliefs about the system (that you need ORCA only TVMs at all major transit stations to check balances, which the ORCA “heads” are not good at telling you what you have going on or left on the card) plus it got me thinking about other lacks of the system, such as a daypass. Also the recent write-up got me thinking as well about employer issued ORCA cards, and what happens if… Say for example you add e-purse value, or an additional pass to your employer card, then leave their employ. Do they take the pass back, taking your add-ons with, or they take their pass off “your” card, or?

    Right now I think ORCA is more of a shotgun marriage than anything else. I still see several problems that need to be addressed before it goes totally mainstream, however with the forced cut-over date I’m sure it will help these issues get addressed in a timely fashion, especially when Ask Jessie from King 5 television makes a few appearances around ST property.

    The issues I see: the ORCA website is still poor, it needs a total redesign. When you click the button to feed your card, you should then be given the option of logging into your account (which you can put in as little or as much info as you want), entering your card number and proceeding that way (should work independent of having a registered card or not), or finding a sales outlet.

    Also, the lack of facilities at major bus-only transit centers/transfer points to check remaining value/add e-purse and product still is very concerning. With the old mag-stripe system that BART and WMATA use, the remaining value is printed directly on the card; with this system, and as complex as it is, it’s easy to lose track of how much is left. And of course in many areas there’s nowhere to easily re-fill it near a transit hub of some sort.

    Again, lack of day-pass. If you had TVMs at the station, you could “sell” an ORCA card then load the day pass onto it, or just load a daypass onto an existing card. This would be good for people who don’t use the system enough to justify having a monthly pass, yet they would have an ORCA card and just load the day pass on whenever they want to go (more than likely from a P&R or transit station, or could be online if they so choose, using a calendar feature for whichever day they want). And of course daypasses should be sold for every day, not just weekends.

  16. So what do other systems that have smartcards do? The Chicago Card and similar cards in NYC and Atlanta.

    Orca may not have a choice about the disclosure. All data the government has is public records, except certain things that are protected. I don’t know if your travel history is a public record, but if it is, they have to give it to anyone who makes a request and pays the cost of tallying it. That would not include sensitive information like your SSN or credit card number, which is protected. An injunction or a change in state law could remedy the situation.

    They have to keep the information at least long enough to settle fare disputes. People have been overcharged and complained, but so far I haven’t heard of anyone getting a refund. If the agencies someday decide to honor the refund requests that have been stacking up, they can’t tell what was charged if the records are erased.

    Daypasses would be a great idea. Or better yet, a maximum daily fare. But with so many agencies and such long distances, it may be a while in coming. Most systems I’ve seen that have these have just one transit system, often only in the city. A maximum daily bus fare of $7 makes sense, but if Sounder is included, $12 or $20 would be more likely. (For the hypothetical person that travels from Tacoma to Everett and back.)

  17. More readers – when you enter the University Station bus tunnel, there is ONE card reader on the left side at the bottom of the escalator. You have to walk out of the direction of desired travel and cross in front of people going up the esc. to the street to “tap” the card. There isn’t another card reader at the elevator or at the stairs going down to the platform, and there are no readers on the platforms. The reader being on the left side means that a right-handed person has to cross over – it just isn’t designed very well at all.

    1. What they need to do in the Downtown Seattle tunnel is move the readers from the mezzanine level to the platform level since it’s being used by both the Link and by busses. There have been times when going from station to station in the tunnel that I have preemptively “tapped” my card (I have a pass) before going down to the platform because I didn’t know whether the Link or one of the busses will show up first.

    2. How much does an ORCA reader cost? Is that the reason there’s not more readers? You’d think they could afford some semi-portable readers on the platforms, and later keep them as spares (or for special services like the sports/festival buses).

  18. There are no readers at many Sounder station entrances, either — in Auburn, for example, the north entrances to the platforms have no readers; if you use the north entrance, you have to walk south 2+ railcar lengths to get to the first reader. Not good for the last-minute commuter who’s there in time to catch the train but not to run south a couple of cards, tag in, and then catch the train.

  19. NEVER EVER EVER use any kind of RFID spy chip technology attached to your real name.

    Pay cash, Buy a card under an assumed name, use your work spy card for WORK only or not at all. I don’t care HOW much more it costs me.

    I have 4 of these cards under 4 different names, what do I have to hide? Nothing.. but I CRAVE my privacy and refuse to be spied on by ANY job, or any system.

  20. I can not get my Jan 2010 orca card to work. Evidently when electronic data was sent to the Transit Authority it was corrupt. I have spent 3 days now getting yelled at by Sound Transit drivers and told to get off their bus! Luv the technology!

  21. I seriously doubt that you’re getting “yelled at” by ST drivers, or being told to get off of their bus.

    If it’s true – report it, but I call “BS”.

Comments are closed.