The ORCA (“One Regional Card for All”) Card is a contactless, stored value smart card used for payment of public transportation fares in the Puget Sound region of Washington State. The card, based on a standard ISO 14443 smart card (specifically, using the MIFARE DesFIRE chip) was introduced in 2009.
Concerned about privacy issues surrounding this system, I asked several related questions by submitting them using a contact form on the ORCA Web site on July 28, 2009. In response, ORCA staff have avoided my questions, provided what now appears to have been false information, and ignored my requests for clarification. It seems they’re also backing away from an agreement not to provide employers information about their employees’ off-work travel using public transit.
Among the questions I asked ORCA staff in 2009 was the following:
What, if any, information other than a serial number is stored on an ORCA card after it has been used?
Within a few days, someone from ORCA answered via e-mail from email@example.com:
Any transportation value is stored on the ORCA card.
A couple hours later, I e-mailed them back to ask:
Are you sure that the only information stored on the card after it has been used is a serial number and any transportation value? Other people I’ve spoken to are confident that much more information is stored on it, but I hoped to find out from an authoritative source on the matter: you.
I received no response, so on August 20, 2009, I wrote:
I’ve not received a response from you. Can you answer my question?
Months later, having received no response, I wrote (on December 21, 2009):
You told me in an e-mail dated July 31, 2009, that the only information stored on an ORCA card after it has been used is a serial number and any transportation value. Can you please confirm that this is *all* that is stored on the card then?
A week later, they responded:
I’m not sure how this can be confirmed to you.
A couple days later, I wrote:
Please confirm or deny: After an ORCA card has been used to pay for public transportation, precisely two pieces of information are stored on that card: 1) a serial number and 2) any stored value.
There is public confusion over this issue. Some people believe that the card also stores information about when and where it has been used. Your own Web site states, “The ORCA card contains built-in intelligence that processes and stores information for three different types of transactions”. I am surprised that this can be achieved if, as you’ve told me, the card stores only a serial number and any stored value.
Despite several requests from me for more information, I have not received further contact from ORCA on this matter.
On February 23, 2010, I wrote:
Can you tell me whether ORCA cards truly store only transportation value and a serial number? This seems unlikely.
Last year, Eric Butler released Farebot, free software (GPLv3; source code is available) that enables some smart phones running Android to read the data stored on an ORCA card (e.g., the Google Nexus S, which is equipped with an NFC chip). In that announcement, Eric wrote,
Currently FareBot can parse and display balance and trip history information from Seattle’s ORCA card, and can dump raw data from any other MIFARE DESFire card including San Francisco’s Clipper card. FareBot is open-source and designed to be flexible so that hopefully other developers will add support for other types of cards.
When demonstrating FareBot, many people are surprised to learn that much of the data on their ORCA card is not encrypted or protected. This fact is published by ORCA, but is not commonly known and may be of concern to some people who would rather not broadcast where they’ve been to anyone who can brush against the outside of their wallet. Transit agencies across the board should do a better job explaining to riders how the cards work and what the privacy implications are.
So I wrote back to ORCA on February 8, 2011:
It’s now possible to read an ORCA card with a smartphone, and we’ve seen that much more than a just a serial number and transportation value is stored on the card. Were you mistaken previously, or has the situation changed since your July 28, 2009, e-mail to me?
They still haven’t responded, so I e-mailed them again today.
What electronic information can be “read” from an ORCA card?
An ORCA Card’s microchip contains electronic information that does NOT include names but could include data in such fields as the type of card, Business Account ID number (if issued to an employer or other institution), the passenger type expiration date or date of birth (if present), fare products loaded onto the card including E-purse value and passes, the history of the prior ten (10) trip transactions (time, date, route and fare when the card was used) and the history of the prior five (5) revalue transactions (See Sec. 8.2). In order to keep the processing time to several milliseconds when an ORCA Card is tapped, the information on the card is generally not encrypted. However, date of birth or passenger type expiration date, if present, is encrypted.
The electronic information on the card can be read by ORCA reader devices. Anyone with physical possession of a card, whether or not he or she is the rightful owner, can use the card until it is empty or blocked, as well as read some of the electronic data at an ORCA service location. It is also possible that an ORCA Card’s unencrypted data could be electronically “read” by a non-ORCA device if the card uses the same frequency and were to come within the range of the reader device. However, the unencrypted data which is not in plain text would require interpretation.
What information can my employer access regarding my use of an employer-provided ORCA Card?
If your ORCA Card is given to you by an employer or other institution, that “Business Account” entity retains ownership of the card and can obtain access to data about transactions involving the card. Transaction data includes the date, time of day, fare and bus route, ferry or train station where a card was used. The ORCA system collects his data specific to the card serial number.
That conflicts with what I’ve been told. Several years ago, I chatted with Christina Drummond, who at the time was director of ACLU of Washington‘s Technology and Liberty Project, who told me that ACLU-WA had successfully worked to convince ORCA not to allow employers to access travel records of employees. A July 15, 2008, news item on the ACLU-WA site supports this, stating:
After months of advocacy, the ACLU scored another win for privacy, this time with a new regional transit card. As with the Enhanced Driver’s License, we worked to limit the potential for tracking and monitoring of individuals without their knowledge.
Planned for 2009, the ORCA card system (One Regional Card for All) will allow riders seamlessly to use many forms of public transportation in King, Kitsap, Pierce and Snohomish counties. To facilitate fare payments, the ORCA system will record the date, time and route number when a person uses the card to pay for a bus, train or ferry.
In researching hundreds of documents obtained through public disclosure requests, our Technology and Liberty Project learned that transit agencies planned to collect and keep the travel information linked to each card – information that potentially could end up in divorce and custody cases and other legal proceedings. The ACLU also found that travel information would be available to schools and employers subsidizing transit passes. This would have allowed card holders to be tracked as they use public transit to go to work, church, shop or participate in political rallies.
After meetings with and testimony by the ACLU, transit officials responded in June to our privacy concerns by taking steps to ensure that organizations subsidizing transit passes will not be able to view individual transaction records through detailed reports on the Web. The information will be available, though, by requests made under the state’s Public Records Act.
20.0 Changes to this Privacy Statement
20.1 This Privacy Statement may change over time. We expect most changes will be minor. Significant changes will be posted in the “News” footer located at the bottom of the ORCA Website pages. The date of the most recent revision of this Statement will be identified at the top of the page and prior versions will be kept in an archive for your review upon your request.
20.2 We will post changes to this Statement at least ten (10) days before they take effect. Any information we collect under the current Privacy Statement will remain subject to the terms of this Statement. After any changes take effect, all new information we collect, if any, will be subject to the new Statement.
I’m curious how they segregate information collected during times at which various privacy statements were in effect and how we can verify that they do so. Can I even see previous privacy statements? Are ORCA subject to the Washington State Public Records Act?
It’s unclear to me who has provided what few answers I have received to my questions about ORCA. The ORCA article on Wikipedia states that the ORCA project is jointly managed by of Sound Transit and King County Metro (it cites a February 10, 2011, job posting for “Functional Analyst III – ORCA Operations”), and that the “system is centrally managed by ERG,” whose Web site once stated, “In April 2003, ERG signed an agreement with seven public transportation agencies for the establishment of a regional fare collection system covering Seattle and the Central Puget Sound area of Washington State,” but now redirects to a page at vix-erg.com, which reports a Microsoft SQL Server error (which suggests in multiple ways that this company does not take computer security seriously).
If our transit agencies insist upon keeping records of our travels via public transportation (or worse, allow some private company who runs IIS and SQL Server to keep those records), they should be honest about what they’re recording and about who can access that information.
Related information (some of which is referenced above):
- University of Washington Society and Technology Interest Group’s findings from 2007 ORCA seminar (missing; use Wayback Machine archive)
- “Travel Without Tracking: Employer Access to ORCA Info Restricted,” July 15, 2008, ACLU of Washington News
- “State leads way on RFID privacy” by Kristi Heim, Seattle Times, March 31, 2008
- “UW team researches a future filled with RFID chips” by Kristi Heim, Seattle Times, March 31, 2008
- “Is Big Brother watching your ORCA card?” by Mike Lindblom, Seattle Times, December 7, 2009
- “FareBot: Read data from public transit cards with your NFC-equipped Android phone,” by Eric Butler, February 7, 2011
- FareBot source code repository