Transit agencies should be honest about ORCA card data

One entire ORCA card

The ORCA (“One Regional Card for All”) Card is a contactless, stored-value smart card used for payment of public transportation fares in the Puget Sound region of Washington State. The card, based on a standard ISO 14443 smart card (specifically, using the MIFARE DESFire chip), was introduced in 2009.

Concerned about privacy issues surrounding this system, I asked several related questions by submitting them using a contact form on the ORCA Web site on July 28, 2009.  In response, ORCA staff have avoided my questions, provided what now appears to have been false information, and ignored my requests for clarification.  It seems they’re also backing away from an agreement not to provide employers information about their employees’ off-work travel using public transit.

Among the questions I asked ORCA staff in 2009 was the following:

What, if any, information other than a serial number is stored on an ORCA card after it has been used?

Within a few days, someone from ORCA answered via e-mail from contactus@orcacard.com:

Any transportation value is stored on the ORCA card.

A couple hours later, I e-mailed them back to ask:

Are you sure that the only information stored on the card after it has been used is a serial number and any transportation value?  Other people I’ve spoken to are confident that much more information is stored on it, but I hoped to find out from an authoritative source on the matter:  you.

I received no response, so on August 20, 2009, I wrote:

I’ve not received a response from you.  Can you answer my question?

Months later, having received no response, I wrote (on December 21, 2009):

You told me in an e-mail dated July 31, 2009, that the only information stored on an ORCA card after it has been used is a serial number and any transportation value.  Can you please confirm that this is *all* that is stored on the card then?

A week later, they responded:

I’m not sure how this can be confirmed to you.

A couple days later, I wrote:

Please confirm or deny:  After an ORCA card has been used to pay for public transportation, precisely two pieces of information are stored on that card: 1) a serial number and 2) any stored value.

There is public confusion over this issue.  Some people believe that the card also stores information about when and where it has been used.  Your own Web site states, “The ORCA card contains built-in intelligence that processes and stores information for three different types of transactions”.  I am surprised that this can be achieved if, as you’ve told me, the card stores only a serial number and any stored value.

Despite several requests from me for more information, I have not received further contact from ORCA on this matter.

On February 23, 2010, I wrote:

Can you tell me whether ORCA cards truly store only transportation value and a serial number?  This seems unlikely.

Last year, Eric Butler released FareBot, free software (GPLv3; source code is available) that enables some Android smartphones equipped with an NFC chip (e.g., the Google Nexus S) to read the data stored on an ORCA card. In that announcement, Eric wrote,

Currently FareBot can parse and display balance and trip history information from Seattle’s ORCA card, and can dump raw data from any other MIFARE DESFire card including San Francisco’s Clipper card. FareBot is open-source and designed to be flexible so that hopefully other developers will add support for other types of cards.

When demonstrating FareBot, many people are surprised to learn that much of the data on their ORCA card is not encrypted or protected. This fact is published by ORCA, but is not commonly known and may be of concern to some people who would rather not broadcast where they’ve been to anyone who can brush against the outside of their wallet. Transit agencies across the board should do a better job explaining to riders how the cards work and what the privacy implications are.

So I wrote back to ORCA on February 8, 2011:

It’s now possible to read an ORCA card with a smartphone, and we’ve seen that much more than just a serial number and transportation value is stored on the card.  Were you mistaken previously, or has the situation changed since your July 28, 2009, e-mail to me?

They still haven’t responded, so I e-mailed them again today.

Curiously, ORCA’s privacy policy, which states that it was last modified a few days after my most recent e-mail, on February 14, 2011 (I don’t have any older versions, so I can’t compare to find what changed), now contains a section that reads:

What electronic information can be “read” from an ORCA card?

An ORCA Card’s microchip contains electronic information that does NOT include names but could include data in such fields as the type of card, Business Account ID number (if issued to an employer or other institution), the passenger type expiration date or date of birth (if present), fare products loaded onto the card including E-purse value and passes, the history of the prior ten (10) trip transactions (time, date, route and fare when the card was used) and the history of the prior five (5) revalue transactions (See Sec. 8.2). In order to keep the processing time to several milliseconds when an ORCA Card is tapped, the information on the card is generally not encrypted. However, date of birth or passenger type expiration date, if present, is encrypted.

The electronic information on the card can be read by ORCA reader devices. Anyone with physical possession of a card, whether or not he or she is the rightful owner, can use the card until it is empty or blocked, as well as read some of the electronic data at an ORCA service location.  It is also possible that an ORCA Card’s unencrypted data could be electronically “read” by a non-ORCA device if the card uses the same frequency and were to come within the range of the reader device. However, the unencrypted data which is not in plain text would require interpretation.

Even more curiously, their privacy policy also states:

What information can my employer access regarding my use of an employer-provided ORCA Card?

If your ORCA Card is given to you by an employer or other institution, that “Business Account” entity retains ownership of the card and can obtain access to data about transactions involving the card. Transaction data includes the date, time of day, fare and bus route, ferry or train station where a card was used. The ORCA system collects this data specific to the card serial number.

That conflicts with what I’ve been told.  Several years ago, I chatted with Christina Drummond, who at the time was director of ACLU of Washington’s Technology and Liberty Project, who told me that ACLU-WA had successfully worked to convince ORCA not to allow employers to access travel records of employees.  A July 15, 2008, news item on the ACLU-WA site supports this, stating:

After months of advocacy, the ACLU scored another win for privacy, this time with a new regional transit card. As with the Enhanced Driver’s License, we worked to limit the potential for tracking and monitoring of individuals without their knowledge.

Planned for 2009, the ORCA card system (One Regional Card for All) will allow riders seamlessly to use many forms of public transportation in King, Kitsap, Pierce and Snohomish counties. To facilitate fare payments, the ORCA system will record the date, time and route number when a person uses the card to pay for a bus, train or ferry.

In researching hundreds of documents obtained through public disclosure requests, our Technology and Liberty Project learned that transit agencies planned to collect and keep the travel information linked to each card – information that potentially could end up in divorce and custody cases and other legal proceedings. The ACLU also found that travel information would be available to schools and employers subsidizing transit passes. This would have allowed card holders to be tracked as they use public transit to go to work, church, shop or participate in political rallies.

After meetings with and testimony by the ACLU, transit officials responded in June to our privacy concerns by taking steps to ensure that organizations subsidizing transit passes will not be able to view individual transaction records through detailed reports on the Web. The information will be available, though, by requests made under the state’s Public Records Act.

I wonder what steps were taken to ensure those organizations would not be able to view individual transaction records and why ORCA now warns us that they’ll do what ACLU-WA reported that ORCA will not do.  The ORCA privacy policy also states:

20.0 Changes to this Privacy Statement

20.1 This Privacy Statement may change over time. We expect most changes will be minor. Significant changes will be posted in the “News” footer located at the bottom of the ORCA Website pages. The date of the most recent revision of this Statement will be identified at the top of the page and prior versions will be kept in an archive for your review upon your request.

20.2 We will post changes to this Statement at least ten (10) days before they take effect. Any information we collect under the current Privacy Statement will remain subject to the terms of this Statement. After any changes take effect, all new information we collect, if any, will be subject to the new Statement.

I’m curious how they segregate information collected during times at which various privacy statements were in effect and how we can verify that they do so.  Can I even see previous privacy statements?  Are ORCA subject to the Washington State Public Records Act?

It’s unclear to me who has provided what few answers I have received to my questions about ORCA.  The ORCA article on Wikipedia states that the ORCA project is jointly managed by Sound Transit and King County Metro (it cites a February 10, 2011, job posting for “Functional Analyst III – ORCA Operations”), and that the “system is centrally managed by ERG,” whose Web site once stated, “In April 2003, ERG signed an agreement with seven public transportation agencies for the establishment of a regional fare collection system covering Seattle and the Central Puget Sound area of Washington State,” but now redirects to a page at vix-erg.com, which reports a Microsoft SQL Server error (which suggests in multiple ways that this company does not take computer security seriously).

If our transit agencies insist upon keeping records of our travels via public transportation (or worse, allow some private company who runs IIS and SQL Server to keep those records), they should be honest about what they’re recording and about who can access that information.


10 comments

  1. The ORCA privacy policy actually used to say that the data was stored in encrypted form on the card. When we pointed out that it was in the clear, they quietly changed the statement to say “stored in unencrypted form.” I think Farebot caused them to clarify this further.

    To their credit, they no longer provide a web interface for employers to view your data. Originally they were planning on letting employers download huge reports with all their cards’ activities, but apparently now employers have to make a written request for data on a specific card.

    1. Karl: I filed a public records request with Sound Transit for all published revisions of the ORCA privacy statement.

      I’m curious why the reverse-engineering was necessary. Are ORCA specs exempt from the Public Records Act?

      1. ERG created the ORCA system, so the implementation documents belong to them and thus aren’t subject to the Public Records Act. Furthermore, the DESFire protocol is still kept confidential by NXP (although the relevant documentation was leaked recently, and it was easy enough to reverse-engineer before that).

        About the closest you can get is the contract between ERG and the transit agencies, which specifies things like what the card must hold.

        I don’t really buy their excuse that locking down the read access will add an unacceptable delay. The readers already mutually authenticate with the card to verify the card’s authenticity and to write transaction data back to the card. I believe they can simply set the access rights on the files to require mutual authentication before being read. The data doesn’t necessarily need to be encrypted over-the-air, but even if it is, the DESFire card has a hardware crypto accelerator.
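The access-rights change proposed in the comment above can be checked mechanically. This is an added example, not part of the original comment or of FareBot: it assumes the file-settings layout used by open-source DESFire libraries (file type, communication mode, then a 16-bit access-rights word sent LSB first, with nibbles Read / Write / Read&Write / Change, 0xE meaning free access and 0xF meaning deny), and the sample bytes are constructed, not read from an ORCA card.

```python
FREE, DENY = 0xE, 0xF  # special nibble values; 0x0-0xD select an application key
COMM_MODES = {0x00: "plain", 0x01: "MACed", 0x03: "enciphered"}
FIELDS = (("read", 12), ("write", 8), ("read_write", 4), ("change", 0))

# Constructed sample: file number -> first four bytes of its file settings
# (file type, communication mode, access rights LSB first). Not real card data.
SAMPLE_SETTINGS = {
    0x02: bytes([0x04, 0x00, 0x10, 0xE1]),  # read nibble 0xE: no authentication
    0x0F: bytes([0x00, 0x03, 0x10, 0x2F]),  # read nibble 0x2: key 2 required
}


def parse_settings(raw):
    """Decode the common prefix of a file-settings record."""
    if len(raw) < 4:
        raise ValueError("need file type, comm mode and 2 access-rights bytes")
    rights = int.from_bytes(raw[2:4], "little")
    parsed = {name: (rights >> shift) & 0xF for name, shift in FIELDS}
    parsed["comm"] = COMM_MODES.get(raw[1], "unknown")
    # Either the Read or the Read&Write right is enough to read the file.
    parsed["free_read"] = FREE in (parsed["read"], parsed["read_write"])
    return parsed


def freely_readable(settings):
    """File numbers that any reader in range can read without a key."""
    return sorted(n for n, raw in settings.items()
                  if parse_settings(raw)["free_read"])


def require_key_for_read(rights, key_no):
    """Return the rights word with every free read path bound to key_no."""
    if not 0 <= key_no <= 0xD:
        raise ValueError("key number must be 0-13")
    for shift in (12, 4):  # Read and Read&Write nibbles
        if (rights >> shift) & 0xF == FREE:
            rights = (rights & ~(0xF << shift)) | (key_no << shift)
    return rights


if __name__ == "__main__":
    for number in freely_readable(SAMPLE_SETTINGS):
        old = int.from_bytes(SAMPLE_SETTINGS[number][2:4], "little")
        new = require_key_for_read(old, key_no=2)
        print(f"file {number:#04x}: rights {old:#06x} -> {new:#06x}")
```
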

        1. How, if at all, did the transit agencies with which ERG contracted verify that the system does what the contract stipulates that it must do?

          1. They hired a consultant for technical issues. I think they verified the operational requirements themselves, but I’m not sure.

            I’m sure they’ve deviated from the contract some, but probably with permission from the transit agencies. For example, the contract specifies that WEP encryption must be used on the WiFi link between the buses and the bases, but I’ve been told that they are using something significantly less vulnerable. They also changed the business partner web interface in response to privacy concerns.

          2. I’m really only interested in how they tested it because it seems that testing would require detailed documentation of how the system is expected to work, and if such documentation exists, I want to read it. If the contract specified that certain information on the card be encrypted, for instance, how do you suppose WSDOT verified that the information is actually stored that way?

          3. The transit agencies and their consultant have access to ERG’s design documents under an NDA. The contract itself is silent on many details, such as how the cards should be protected.

            Email me if you’d like to see what public records we got out of them (including the contract).

  2. Their privacy statement shows EXACTLY what is included on the card, which data is encrypted, and which data is left unencrypted. There’s nothing mysterious about it.
    The current privacy policy is at:
    http://www.orcacard.com/ERG-Seattle/common/images/ORCA%20Privacy%20Statement.pdf

    The oldest privacy policy is found at archive.org at:
    http://web.archive.org/web/20090509002011/http://www.orcacard.com/ERG-Seattle/common/images/ORCA%20Privacy%20Statement.pdf

    You can see multiple different versions of the document by accessing this page on archive.org:
    http://web.archive.org/web/*/http://www.orcacard.com/ERG-Seattle/common/images/ORCA%20Privacy%20Statement.pdf

  3. The RapidRide Fare Enforcement squad scans cards to see if you’ve paid your fare. I’ll bet this is why they keep unencrypted recent trip data on the cards.
