Victorian Information Commissioner finds that Public Transport Victoria has breached the privacy of myki users. A cause of action?
August 15, 2019
In a brilliant piece of analysis, Dr Chris Culnane, Associate Professor Benjamin Rubinstein and Associate Professor Vanessa Teague of the University of Melbourne have demonstrated, in their paper released today titled “Stop the Open Data Bus, We Want to Get Off”, that de-identification of unit-record-level data does not work without altering the data so substantially that its value is reduced. The analysis was based on the data released by the Victorian Government to a data science competition. The authors have demonstrated that two factors in combination make it quite easy to re-identify individuals: only a small number of points of information are needed to make an individual unique, and the anonymisation and security techniques applied were of poor quality.
In the case of the myki data the authors found that “little to no de-identification took place on the bulk of the data.” They found it was a straightforward task to re-identify two of the co-authors’ cards. They also established that it is possible to identify a stranger from public information about their travel patterns, for example Twitter, to name just one source. They identified prominent individuals, in this case a Victorian MP, Anthony Carbines, by searching the database of MPs who have used a particular train station, the Rosanna station. They were able to narrow the user down to Mr Carbines.
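The uniqueness problem described above can be measured by the data custodian before a release. The following is an added example, not code from the paper, OVIC or Data61: it counts how many pairs of scans fit only one card, at different time granularities. The records, card labels, stop names and function names are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime
from itertools import combinations

EPOCH = datetime(2018, 1, 1)  # arbitrary fixed origin for time buckets

# Constructed sample, not myki data: (pseudonymous card, stop, scan time).
SAMPLE = [
    ("A", "North", "2018-03-05T07:42"),
    ("A", "Central", "2018-03-05T08:15"),
    ("A", "Central", "2018-03-05T17:31"),
    ("B", "North", "2018-03-05T07:48"),
    ("B", "Central", "2018-03-05T08:21"),
    ("B", "Central", "2018-03-05T17:05"),
    ("C", "Hill", "2018-03-05T07:45"),
    ("C", "Central", "2018-03-05T08:15"),
    ("C", "Central", "2018-03-05T17:31"),
    ("D", "North", "2018-03-05T07:42"),
    ("D", "East", "2018-03-05T08:10"),
]


def pair_holders(records, bucket_minutes):
    """Map each pair of (stop, time bucket) points to the cards containing it."""
    points = defaultdict(set)
    for card, stop, stamp in records:
        elapsed = datetime.fromisoformat(stamp) - EPOCH
        minutes = int(elapsed.total_seconds() // 60)
        # Coarsen the scan time: all scans in one bucket become the same point.
        points[card].add((stop, minutes // bucket_minutes))
    holders = defaultdict(set)
    for card, pts in points.items():
        # sorted() gives every pair one canonical ordering across cards.
        for pair in combinations(sorted(pts), 2):
            holders[pair].add(card)
    return holders


def pair_unicity(records, bucket_minutes):
    """Fraction of (card, pair) combinations where the pair fits one card only."""
    holders = pair_holders(records, bucket_minutes)
    total = sum(len(cards) for cards in holders.values())
    unique = sum(1 for cards in holders.values() if len(cards) == 1)
    return unique / total if total else 0.0


def exposed_cards(records, bucket_minutes):
    """Cards that at least one pair of their own scans singles out."""
    holders = pair_holders(records, bucket_minutes)
    return sorted({next(iter(c)) for c in holders.values() if len(c) == 1})


if __name__ == "__main__":
    for minutes in (1, 60):  # exact minute versus rounded to the hour
        print(minutes, pair_unicity(SAMPLE, minutes), exposed_cards(SAMPLE, minutes))
```

On this sample, rounding scan times to the hour cuts pair uniqueness from 0.8 to 0.3 yet still leaves two of the four cards singled out by a pair of scans.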
Messrs Culnane etc have written a very useful campaign article, less technical but no less informative, titled “Two data points enough to spot you in open transport records”.
This fascinating paper and its findings nail the lie that anonymisation as currently practised works. They also highlight the inadequacy of the approach of regulators, such as the Australian Information Commissioner, who have accepted assurances given by those who claim to properly anonymise data. The rudimentary, naive and generally wrong analysis that the regulators adopt is typified by the vague and otherwise inadequate guidelines by the Australian Privacy Commissioner titled “De-identification and the Privacy Act”. These findings leave the Commissioner’s guidelines on when the data subject is ‘reasonably identifiable’ detached from day-to-day reality.
The Victorian Information Commissioner today published a report titled “Disclosure of myki travel information”, which found that PTV breached two provisions of the Privacy and Data Protection Act 2014: IPP2.1, by disclosing personal information for a purpose other than that for which it was collected, and IPP4.1, by failing to take reasonable steps to protect personal information from disclosure. The PTV has been issued with a compliance notice.
The Information Commissioner issued a media report today stating:
Victoria’s Information Commissioner has published a report on an investigation into the release of myki data by Public Transport Victoria (PTV), which is now part of the Department of Transport. The report includes recommendations that call for stronger privacy protections for open data releases.
The investigation conducted by the Office of the Victorian Information Commissioner (OVIC) found that PTV breached the Privacy and Data Protection Act 2014 by releasing data that exposed myki users’ travel histories.
In July 2018, PTV released a large dataset which it claimed to have de-identified, containing information from 15 million myki cards to support a datathon event. The dataset recorded 1.8 billion myki ‘tap on’ and ‘tap off’ events between July 2015 and June 2018.
“Although the initiative was well-intentioned, failures in governance and risk management undermined the protection of privacy” Information Commissioner Sven Bluemmel said.
In September 2018, academics from the University of Melbourne notified OVIC that they located the dataset online and identified the travel histories of themselves and of others. OVIC then commenced an investigation into PTV’s release of the data in October 2018.
“Your public transport history can contain a wealth of information about your private life. It reveals your patterns of movement or behavior, where you go and who you associate with” Commissioner Bluemmel said. “This is information that I believe Victorians expect to be well-protected.”
Data experts at CSIRO’s Data61 were consulted on technical aspects of the investigation. CSIRO’s Data61 found personal information could be obtained from the PTV dataset without expert skills or resources.
“Our research found that when two myki card scans are known by time and stop location, more than three in five of those pairs of scans are unique and therefore more likely to be personally identifiable,” said Dr Paul Tyler, Data Privacy Team Leader at CSIRO’s Data61. “So-called ‘de-identified’ data can still carry re-identification risk especially in linked transactional data.”
OVIC’s investigation found that PTV failed to address the possibility that individuals in the dataset could be re-identified by combining information in the dataset with information from other sources such as social media.
While the report indicates information could have been re-identified at the time the data set was released, the risk to individual myki card holders is now much lower. This is due to the time-bounded nature of the dataset and the limitations on travel history searches that can be undertaken on registered myki cards.
OVIC has issued the Department of Transport with a compliance notice requiring it to strengthen policies and procedures, data governance, training and reporting. The Department of Transport does not accept the Commissioner’s finding that the release of the myki dataset breached myki users’ privacy. However, the Department has committed to implementing the actions set out in the compliance notice.
“I welcome the Department of Transport’s commitment to implement the compliance notice and recommendations” Commissioner Bluemmel said. “The report and recommendations will support the responsible use of data to inform policy and service delivery for the benefit of all Victorians, while still respecting their right to privacy.”
While the Compliance Notice is better than nothing, it has very little deterrent effect and provides little by way of penalty for a serious breach. In the United Kingdom a similarly egregious breach of this nature would attract a very significant monetary penalty. In the United States the Federal Trade Commission would levy a hefty fine and place the PTV under a 10 or 20 year agreement to be monitored and to provide reports and information about steps taken to improve behaviour. The problem in Victoria is that the options are limited and the penalties are low.
This may be a case where a person or group of people could seek redress under section 77 of the Privacy and Data Protection Act 2014. The fact that the Information Commissioner has issued a Compliance Notice does not in and of itself mean a person does have a right to complain and then bring a claim. The penalties are far stronger, with an award of up to $100,000. The big drawback is that the Victorian Civil and Administrative Tribunal would hear the case. To date its jurisprudence in this area has been at best disappointing and sometimes unfathomable.
As with such breaches, the coverage is both widespread and reputationally damaging. It is clear that the public are concerned. Stories of this nature would not get a run if there were no interest. It is curious then that Governments are so tone deaf to these concerns and are content to let inadequate laws continue without amendment and do nothing about the ineffectiveness of regulators. The Australian’s piece is typical of the coverage, providing:
The identities of millions of Victorian public transport users were unlawfully leaked by Public Transport Victoria as part of a competition, the state’s information commissioner has found.
In July last year PTV released information from 15 million myki cards to the public as part of a “datathon” event, containing 1.8 billion “tap on” and “tap off” records between July 2015 and June 2018.
PTV had claimed the information had been de-identified, but academics from the University of Melbourne were able to use the data to track the travel histories of themselves and others.
Today the state’s data watchdog declared Victoria’s transport department breached privacy laws in releasing the data, which revealed the behaviour and movements of millions of Victorians.
“Although the initiative was well-intentioned, failures in governance and risk management undermined the protection of privacy,” Information Commissioner Sven Bluemmel said.
Most myki users in the dataset could be identified from just a few touch on or touch off events, according to lead researcher Chris Culnane from the University of Melbourne’s School of Computing and Information Systems.
“With just a handful of pieces of information about where someone boards or exits public transport, it’s possible to get an indication of where they live or work, their regular travel patterns, who they travel with, or if they travel alone — for example, children heading home from school alone,” Dr Culnane said.
“Our analysis raises serious privacy, safety and security issues. It’s easy to imagine how information like this could be used by people who might want to cause harm.”
Commissioner Bluemmel said OVIC has issued the Department of Transport with a compliance notice requiring it to strengthen policies and procedures, data governance, training and reporting.
The Department of Transport said it does not accept the Commissioner’s finding that it breached myki users’ privacy, but said in a statement it has committed to implementing the actions set out in the compliance notice.
“I welcome the Department of Transport’s commitment to implement the compliance notice and recommendations” Commissioner Bluemmel said.
“The report and recommendations will support the responsible use of data to inform policy and service delivery for the benefit of all Victorians, while still respecting their right to privacy.”
There was also significant coverage in the Guardian with “Myki data release breached privacy laws and revealed travel histories, including of Victorian MP”. The Age’s piece, “‘No controls in place’: Myki details exposed in huge privacy breach”, is more hard hitting, which is appropriate in the circumstances. It provides:
Your personal information could be accessed by hackers and stalkers after a massive privacy breach by the government exposed the travel data of millions of Victorians, the state’s information watchdog has found.
Despite the extraordinary violation, Public Transport Victoria (PTV) and the Department of Premier and Cabinet, which released the information, are refusing to admit that commuters’ personal information has been compromised.
In May last year, PTV gave a hacking and data science conference unfettered access to travel data stored on about 15 million myki cards used in the three years to June 2018.
The 1.8 billion “touch on” and “touch off” events on the cards included information about a commuter’s route and stop number and the specific train they were on.
By matching a few small details about a person’s life with the travel data, a commuter’s identity could be found out and their movements tracked by stalkers, abusers or people planning to breach court orders, the Office of the Victorian Information Commissioner has found in a stinging report.
“The dataset contains a wealth of information about the travel movements of Victorians, which was disclosed with no effective controls in place to guard against re-identification,” the commissioner’s paper released on Thursday found.
“This could allow a malicious third party with access to the data to determine another individual’s history of public transport journeys.
“Members of the Victorian community would expect information about their travel movements to be afforded a high degree of protection.”
When PTV was asked by organisers of the Datathon conference if users could keep the information or had to sign a non-disclosure agreement, PTV responded: “No NDA to sign this year – you can do what you like with the data.”
The information was subsequently published online for the conference from July to September last year and participants were told they were free to use the dataset in whatever way they liked.
One Datathon participant re-published the dataset online in full on their blog, where it remained from September 2018 until January this year.
A group of Melbourne University academics who found the dataset online, discovered that they were able to identify themselves, people they knew and even an MP.
The data also includes a description of the type of myki used (there are 70), indicating whether the card owner was part of the police, government, an asylum seeker, veteran or pensioner.
“The dataset contains information about individuals; namely, the location of people at specific times they started or concluded a public transport trip. The dataset also allows more information to be inferred about those people, such as their typical public transport movement patterns,” the report stated.
The dataset could still be stored on the computers of the conference’s attendees or by those who accessed it online.
While PTV took some steps to de-identify the dataset before its public release, the commissioner found the process was “inadequate” and accused the agency of relying on “technical arguments” to justify the decision.
In its response to the report, the Department of Premier and Cabinet denied any wrongdoing and rejected the audit’s findings that personal information was disclosed.
“The data did not contain any details of any person’s identity. Instead, to use the data to re-identify an individual’s myki card travel history involves multiple steps, including cross-matching the data with information from other sources and private knowledge.”
Department of Transport Deputy Secretary Jeroen Weimar said that a new privacy and research ethics framework was being developed and the commissioner’s three recommendations were adopted.
“Careful sharing of data makes an important contribution to how we improve transport services for all Victorians – it’s vital we continue to update our privacy protections.”
The ABC coverage is also quite damning. Its piece, “‘Shocking’ myki privacy breach for millions of users in data release”, goes much further than reporting on the report and the media release: it interviews an author, Dr Culnane, and, like the Age report, highlights the Department’s extraordinary denial that it breached the legislation. The Commissioner noted that. It is difficult to see how it could sustain that position. That intransigence does not bode well for compliance in the future.
Given the Department denies any breach, perhaps a claim might be in the public interest. Let the Department explain how it arrived at such an extraordinary position when its data was so easily re-identified, not to mention the extraordinary length of time it is kept. Again, VCAT is a weak vessel within which to carry such a case.
The ABC Report provides:
Just a few taps on and off, and a couple of tweets — that’s all it would take for a hacker or stalker to identify you and track down your movements with a myki.
In a concerning revelation, researchers have found that myki, in conjunction with social media, can be used to uncover a wealth of information about card users.
Myki is the reloadable ticketing system used on public transport services in Melbourne and regional Victoria.
Victoria’s Information Commissioner has today revealed Public Transport Victoria (PTV) breached privacy laws by releasing nearly two billion lines of what it claimed was de-identified data to support a data science competition in mid-2018.
The data detailed the routines gathered from more than 15 million cards, recording 1.8 million “taps on” and “taps off” between July 2015 and June 2018, and was released and made available online for the two-month long 2018 Melbourne Datathon event.
Millions of myki card holders involved
It was de-identified to the extent that the card IDs — the name of the person using the card if it is registered to them — was removed.
But researchers at the University of Melbourne discovered they could re-identify their own data, and the data of someone they’d travelled with, and link all the trips using the same card.
More worryingly, the researchers found they could identify someone unknown to them.
Victorian Labor MP Anthony Carbines was able to be identified and have his travel history uncovered, with his permission, by combining the data and some of his tweets about using public transport.
Lead researcher Chris Culnane, from the University of Melbourne’s School of Computing and Information Systems, said the data release was “shocking”.
“The fact that the privacy assessment that was conducted didn’t pick up these dangers, when it was fairly obvious to us that if you release this type of information it’s going to be pretty easy to reidentify it — I think it is quite shocking that quantity of data was released without someone realising how identifiable it would be,” he said.
“I think it’s important though to be mindful that as custodians of public information we’ve accepted the recommendations of the [Information] Commissioner,” he said.
Mr Carbines urged commuters to be mindful of what they shared on social media.
But he said he would continue to tweet about his train trips to give people confidence their elected officials were using public transport.
Dangers posed by weak privacy protections
Dr Culnane said that most Myki users in the dataset “could be identified from just a few touch-on or touch-off events”.
He said he was concerned about what that meant for vulnerable members of society.
“The worst fears are being able to find someone for example, if you travelled with them once within the city, and then you find out where they live or where they travel to work from. If someone is trying to find someone or stalk them then that kind of information is extremely valuable and sensitive to that person.”
“With just a handful of pieces of information about where someone boards or exits public transport, it’s possible to get an indication of where they live or work, their regular travel patterns, who they travel with, or if they travel alone, for example, children heading home from school alone,” Dr Culnane said.
“Our analysis raises serious privacy, safety and security issues. It’s easy to imagine how information like this could be used by people who might want to cause harm.”
Victoria’s Information Commissioner, Sven Bluemmel said: “Your public transport history can contain a wealth of information about your private life.
“It reveals your patterns of movement or behaviour, where you go and who you associate with.
“This is information that I believe Victorians expect to be well-protected.”
Victoria’s Department of Transport said it did not accept that it breached myki users’ privacy, and argued that the dataset itself didn’t contain personal information.
But it has nonetheless committed to implementing the actions set out in the compliance notice it had been issued with.
A Victorian Government spokesperson says while sharing data is “extremely important” — leading to the creation of apps like Tram Tracker — “we need to ensure there are rigorous privacy protections in place.”
Lessons learnt?
Dr Culnane was sceptical about the department’s ability or willingness to avoid the same problems in future.
“Given what has been the response from the Department of Transport on this issue, there is a lack of transparency at the moment about what went on, and how they are going to avoid the same mistakes in the future.
“This isn’t the first case of de-identification failing and re-identification happening. And part of the reason for that is because there isn’t an open discussion of what the problems are.
“And because we haven’t got that level of transparency, it’s likely we are going to keep seeing these things happening again in the future.”
Dr Culnane questioned why Myki needed to keep three years of data of individual journeys, and that any usefulness of that data could be gleaned from aggregated data.
What can you do to protect yourself?
If you use a myki, you have no option to withhold your data.
If you think that by not registering your myki, linking it to your name, will protect you, think again, Dr Culnane said.
He urged commuters to take a closer look at how they reveal their travel habits on social media.
“Generally, there’s not a lot you can do if you have to engage with the public transport system. There is no option to withhold that data. But we have to kind of take a broad look and say well, what information are we putting out there publicly on social media?”
“Can we reduce the type of information that maybe reveals allocation? And just be a little bit more cautious about what data we share with organisations as well as social media to try to reduce our data footprint overall.”