Smart card: What your ORCA never forgets

If you carry an ORCA card, it's easy to find out where you've been lately. In fact, there's an app for that.

ORCA cards tell all Matt Fikse-Verkerk

Crosscut's recent story on the Seattle Police Department's license plate scanning systems prompted more than one "Hey, can't track me" response.

Your ORCA Card begs to differ.
 
The ubiquitous ORCA (One Regional Card for All) used by area transit agencies is surprisingly smart: It holds an unencrypted record, on the card itself, of your 10 most recent trips and five ORCA financial transactions. If you’re a rider with an age-based discount, your date of birth is also encrypted on the card. The system was designed and is operated by the Australian company VIX Technology.
 
If you’re an ORCA card carrier, it is easy to find out where you've been lately. Yes, there's an app for that. FareBot is the brainchild of Seattle software developers Eric Butler and Karl Koscher. It is available free for Android-based smartphones equipped with near-field communications (NFC) capability. (Near-field is the same technology used by ORCA and other transit cards worldwide.)

You can launch FareBot in a few seconds. Just hold your phone near anyone’s card and voila! You get a detailed rundown of where that person has "tapped on" and off any area train, bus or ferry lately.
 
"It's a little scary because you can get a lot of information," says FareBot creator Butler. "I can't easily come up with a reason why the card needs to store trip history unencrypted — or at all. Removing this travel history while keeping the current balance would ease most privacy concerns."
 
The technology behind the card is where things get really interesting. The ORCA servers are more elephant than whale because they never forget. They retain data from every ORCA trip taken since the system went live in April 2009. Starting later this year, ORCA data older than 25 months is due to be "archived" but not deleted, according to Sound Transit.

The American Civil Liberties Union made several privacy recommendations to the ORCA consortium when the Card was being developed in 2007. Most of those concerns still apply. Chief among them were the risk of storing travel data on the card itself and the long-term aggregation of travel info tied to specific card numbers. The ACLU was concerned that such data might be used for other purposes in the future.

Those years of travel data represent a mind-bending amount of information.
 
By January 2013 an average of 391,699 ORCA boardings occurred daily. As of January 24th, 1,425,254 total ORCA cards had been issued. If you do the math, you'll see that the system is storing billions of taps, or trips.
 
Sound Transit is the lead administrative agency for ORCA. Its privacy policy states that the agency does not retain personally identifiable information associated with ORCA cards. The agency also says that when credit cards are used to make purchases, everything except the last four digits of the card is "masked" in the system. But in the burgeoning world of networked, relational Big Data, it is not difficult to envision a government agency or employer associating a card (each has a unique ID number) with an individual and obtaining highly detailed information — years of it — about that person’s travel history without his or her knowledge.
 
Getting details from the ORCA system (officially the Regional Fare Coordination System) takes effort but is not impossible. The transit agencies that participate (Sound Transit, King County Metro, Community Transit, Kitsap Transit, Washington State Ferries, etc.) are signatories to a byzantine "Interlocal Cooperation Agreement" that governs ORCA operations. Requests for information could be made to or filled by any of the participating transit systems.

Organizations that provide ORCA cards to their employees are the ones most likely to be able to get detailed usage information. Those organizations own the cards and can access the information on them, according to Sound Transit spokesperson Geoff Patrick. Patrick says that, to date, about 60 companies have requested detailed information about card use. When Crosscut asked for a list of those companies, we were referred to the member transit systems for details. 



Comments:

Posted Wed, Feb 13, 6 a.m.

Ah yes, the stalker's best friend app. Think about this story while the State contemplates placing transponders on all vehicles for taxing by the mile purposes.

Cameron

Posted Wed, Feb 13, 7:34 a.m.

This is a great piece of investigative journalism. Many people willingly give up their personal location data to private companies by enabling GPS on their smart phones and then using mapping apps and traffic conditions apps. But it is amazing these public transit agencies wouldn't take some basic security measures to protect the data on ORCA cards. It's rather frightening that the person standing next to you on a bus or train could be reading your identity and travel history.

Posted Wed, Feb 13, 12:11 p.m.

A lot of ORCA users get their cards through their employer (free or with a subsidy), which means they can't be anonymous.

bigyaz

Posted Wed, Feb 13, 1:38 p.m.

Couple this with the transponders Cameron mentions, the Good to Go transponders, and SPD's drones, then add in all those loyalty program cards and anything like private life will be a thing of the past--if it's not already.

mspat

Posted Wed, Feb 13, 8:25 p.m.

When will we hit the tipping point and people start saying NO?

Posted Thu, Feb 14, 3:38 p.m.

Really? I could give two rips if someone can see what buses I have been on recently. Seems like some people have delusions of self-importance.

They are protecting all of the data that needs to be protected. Unless someone can start using the money in ORCA purse or stealing my debit card transaction information, who cares?

Not sure I think this is great journalism. "Hackers find a way to hack something and steal innocuous information." Can someone explain to me what I am missing?

The one positive thing that will come from this is both "geeks" will land six-figure jobs at tech companies (maybe even with ORCA) doing RFID security and app development.

Posted Wed, Feb 20, 11:47 a.m.

I'd think that the historical data would be invaluable in transit planning.

talisker
