Security experts were skeptical about the New York MTA’s switch to an OMNY tap-and-go system when it was first announced years ago. Then, in August, a 404 Media investigation revealed riders were right to be concerned. As it turned out, the ability to check trip history could be used by nearly anyone to follow specific riders’ location patterns. MTA disabled the feature, but the episode pointed to a deeper problem that exists across modern public transit systems: they make it harder to opt out of having our sensitive data collected.
“You’re building a better system, but you’re also really stepping into a dangerous cybersecurity minefield,” said Brendan Saltaformaggio, associate professor specializing in cybersecurity at the Georgia Institute of Technology.
Payment information, location data and trip patterns can all be attached to our ridership data. Agencies say they use it to better understand how riders use the services and make improvements. But the flip side is transit agencies selling user data to advertisers, as many private companies do, or sharing it with law enforcement. We submitted Freedom of Information Act requests to several large police departments across the country — including in New York City, Baltimore and Chicago — for more information on requests they had made to local transit agencies for data over the past decade.