Oyster, Octopus and Metro cards: what happens to our data?

News & Analysis
Oyster, Octopus and Metro cards: what happens to our data?

Today, travelling within many cities around the world comes at a cost: privacy.

Electronic ticketing systems are proliferating, but it’s not clear how much information they collect or what they do with it. Privacy International has written to 48 transport authorities and companies operating transport services across the world requesting this data.

The kinds of personal information held about users of London’s Oyster card (which is used to travel by tube, train and bus) include full name, address, telephone number, email address and password, as well as the encrypted bank details of customers who purchase Oyster products using a debit or credit card. The Oyster ticketing system also records the location, date and time whenever an Oyster card is used to validate a journey. Transport for London (TfL) are currently making changes that will see Oyster retain customers’ names and contact details for two years after a customer last uses their card or buys an Oyster product. Details of debit or credit cards used to buy Oyster products are retained for a maximum of 18 months.

TfL reserve the right to share Oyster information with their subsidiaries and service providers and with the UK train operators that accept Oyster cards. The Data Protection Act 1998 allows TfL to disclose personal data in response to requests from the police and other law enforcement bodies. A request under the DPA must be supported by evidence of the relevant legislation or a court order.

In 2006, the Guardian reported that police had requested access to the personal information of Oyster customers 243 times, and that access had been granted 229 times. Then in 2008, London's Evening Standard reported that over 3,000 requests had been made in under a year. Since then, 22,000 requests have been made by the Metropolitan Police, according to figures released by London’s transport authority in February 2012, with 264 requests made in the first two months of 2012 alone.

The Oyster card has dozens of counterparts abroad, including the Clipper Card in San Francisco, the Metro Card in New York and the Octopus card in Hong Kong Special Administration Region of China. Like the Oyster card, these smart cards also retain data like uses’ full names, addresses, phone numbers, email addresses and credit card details.

The Clipper Card stores information about travellers’ journeys (including the date and time, the start point and the fare) for at least 60 days and it has been reported that the database is retained for seven years. No information is readily available about periods of data retention for New York’s Metro Card, but since EasyPayXpress customers have 120 days to query a fare one can infer that the information must be stored for at least this long. The New York Times reported in 2009 that it had become standard practice for police in New York to seize Metro Cards on arrest and access the records.

Despite the fact that public transport smart cards have been in use for over a decade, there is still a serious lack of legal clarity around the use and retention of data collected by the systems. Most countries’ laws authorise warrants in cases of ‘national security’, but this term is so vague and ill-defined that its use does little to mitigate the potential for abuse. There is little law to stand in the way of databases containing vast swathes of personal information - including your travel history for the past several weeks - being retained and shared with third parties. Further statutory provisions to protect citizens from potential privacy breaches are urgently required, as well as guarantees that unauthorised access to such data will be prevented.

Last month, Privacy International wrote to 48 transport authorities and companies operating transport services across the world requesting the following information:

  • What categories of information is collected about individual users? For example, name, address, phone number, email, identification number, or credit/debit card details.
  • What information is collected about how the travel card is used? For example, start point of journey, end point of journey, time and date of journey or fare paid.
  • Is the travel card used for anything other than transport? For example, to pay for small purchases, and if so, what information is collected about this type of usage.
  • How long is the data retention period? Is this data aggregated at any point?
  • Under what circumstances is information on individuals shared with law enforcement officers? For example, is a judicial or ministerial warrant or a subpoena required?

Responses are now trickling in and Privacy International will share the results once we have collated them. There is currently not enough data in the public domain to adequately understand the extent to which citizens’ travel and personal data is being used and retained. However, there are strong indicators that travelling by public transport in many parts of the world is no longer solely a financial exchange, but also a trade-off of civil liberties.