The MTA’s switch to OMNY machines is a privacy nightmare
The end of the multi-decade-old MetroCard system is nigh. Last month, the MTA announced MetroCard vending machines would be totally replaced with One Metro New York, or OMNY, kiosks starting in 2023, which would push New Yorkers toward the new tap-to-enter system.
The subway might be badly in need of a tech update, but the new system threatens an inescapable tracking regime that puts our very freedom at risk.
OMNY’s tap-to-enter terminals are already in stations, and its new, more expensive, $5 prepaid card is available today at some retailers. However, its rollout to become the only option across all stations and programs means that New Yorkers will have no choice but to cede all the rider data OMNY can pick up, with no certainty over how it will be exploited.
The new kiosks will be operated by the Cubic Corp. Early designs and the program’s presence thus far imply that there will be a strong push for straphangers to use tap-to-pay transactions, especially with their phones.
Cards like the ones these new machines will be supplying are likely to follow the model of other Cubic Corp. cards, including San Francisco’s Clipper and London’s Oyster cards. The OMNY card will likely have a persistent identifier that makes tracking people throughout the city an easy task.
Tying those journeys to a real name and personal information becomes significantly easier if you link that card, or a phone or credit card, with an OMNY account. Accounts have users’ names, payment information, and every web tracker and cookie the OMNY account management site might decide to deploy—along with data scraped from social media—associated with their method of entry.
While the MTA’s MetroCard is also run by Cubic, that system was deployed in 1991 and doesn’t have quite the same tracking capabilities. Transit justice organization TransitCenter reported that the MTA has stated OMNY will give the city “near-instantaneous” reporting on rider tap-ins and travel, an improvement from weeklong delays for MetroCard data. Tap-to-pay with a phone leverages near-field communication (NFC) technology, a system with its own issues that exacerbate the OMNY system’s existing privacy concerns.
Who will they share this new trove of data with? The current legal landscape and previous experience with Cubic tells us that warrantless access to this data is both permitted and commonly exercised.
The NYPD has accessed MetroCard data in pursuit of cases in the past. Cubic-run systems have a history of extensive cooperation with law enforcement. London’s Oyster card received more than 3,000 requests for data from police in a year. The Clipper card released data to police with only a subpoena. The existing MetroCard, Ventra card, and similar systems have been used by law enforcement officers, public prosecutors, and lawyers to both free and convict citizens, with the current MetroCard system already making up a part of the NYPD’s massive surveillance program.
Once it acquires that data, New York’s justice system has already proven more than willing to share it with U.S. Immigration and Customs Enforcement. The NYPD’s various programs reported on by journalists, nonprofits, and its own disclosures under the POST Act also show that it is ready and willing to combine data sources, enriching what is now real-time information with the user data flowing from all over the web, available to anyone willing to pay. Now that will be connected to OMNY user accounts and the mobile provider data attached to your phone, which can be linked with your OMNY account and tap-ins.
Outside of sharing data with NYPD and ICE, Cubic administers services for the military and intelligence agencies. Cubic’s website does not appear to have a privacy policy stating what it does with data it might store on behalf of subsidiaries like OMNY.
Cubic’s owners are only more worrying. In 2021 the private equity firms Veritas Capital and Evergreen Coast Capital purchased Cubic, taking it off the stock exchange and making the ways it makes money much less transparent. Veritas Capital’s statement about data use, required under the California Consumer Privacy Act, seems to indicate that it collects and shares information from companies in its portfolio. Veritas Capital’s portfolio of companies includes multiple defense contractors and the Department of Homeland Security’s biometrics database.
Evergreen Coast Capital appears not to have a website or a public privacy policy or a CCPA statement. However, it has purchased major audience tracking firm and wannabe ad tech company Nielsen. One of the other firms it partnered with noted that “Nielsen will be even better positioned to deliver the best measures of consumers’ rapidly changing behaviors across all channels and platforms.”
The data itself is well suited for “enrichment” by joining to other data sets. Multiple entities besides the NYPD and ICE will be incentivized to do so. There is a great deal of money to be made selling user data.
The linkup of easier-to-access systems plus real-time data means whole new risks.
A phone already emits enough data to make it trackable, regardless of OMNY use. However, while data brokers can find and sell plenty of user records already, one of the hardest things to supply is subway rider data. Current tracking practices mean purchasers of mobile service providers’ data can attach users to locations, in many cases using triangulation from cell towers (and, in some cases, tracking web surfers).
But subway lines travel above and below the street level so riders’ mobile identifiers mix with walkers, shop visitors, and drivers—or are blocked entirely. The subway represents one of the last few areas where our signals go dark (or at least get a little fuzzy, especially since, unlike many other systems, New Yorkers don’t tap to exit).
But once the various identifiers attached to a mobile device are combined with a persistent OMNY ID—through accessing your account on the web, buying a card with your mobile device, tapping into the OMNY system with a phone’s NFC system—the final bits of accuracy will be resolved. Even paying in cash may not be enough to prevent the data from being joined by syncing records with time stamps.
What that accuracy will be used for remains very unclear. Across multiple reports the city and OMNY program have failed to give details when asked about issues of privacy and data security. OMNY’s privacy policy permits the use of extensive data collection, including device identifiers on a phone, registration, credit card data, scraping social media, cookies, and “web beacons.”
The privacy policy does not put into place many limitations for use either. OMNY says “we may share your Personal Information among our affiliates and subsidiaries,” which could very well include Cubic, and who knows who else.
The policy permits OMNY to create new products by anonymizing data, but what methods it uses and how easy the anonymized data would be to join to other data to de-anonymize it, the policy doesn’t say.
The Surveillance Technology Oversight Project notes that the process of generating anonymized data products “would require large volumes of data to be useful, indicating that the MTA and Cubic will store rider data for a long period of time.” It’s also quite clear that it will “respond to requests from public and government authorities” without noting under what requirements or conditions.
There seems to be no guarantee against expanding data collection with OMNY in the future, once the heat of the rollout is off. Cubic has proven very willing to expand toward controversial facial recognition technology. Face capture might not be too hard to do since OMNY terminals seem to have cameras installed, even though New York City has declared these cameras will not be used toward that end.
Cubic also has had no problem launching its own ad system. If Cubic eventually chooses to become a data broker directly, the amount of data it could become involved in joining could worsen the already highly invasive nature of such systems. OMNY data could even become part of the sale of New York transit advertising.
Outfront, which sells most of the poster space in the subway, claims to use “footfall measurement” and “proximity targeting technology.” JCDecaux runs advertising on a number of bus shelters and newsstands, and its marketing mentions the use of Bluetooth beacons and the same type of near-field chips that power the OMNY system.
This highly accurate information isn’t just valuable monetarily. The TransitCenter report on OMNY notes that the data it creates introduces “the possibility of real-time social controls. The impulse to use transit to restrict people’s movement and limit collective expression is well-documented in the U.S. and abroad.”
The report cites Hong Kong using data from its transit system to determine which stations to shut down to best deter protesters, and cities that shut down transit to stop Black Lives Matter protests.
The threats from OMNY’s tracking will be increasingly inescapable. The new machines will push riders toward using an account, tapping to enter with their phone, or—more likely—both. Buying a card with cash is sure to get harder, and its eventual elimination would hardly be a new idea.
Then there seems to be a plan to force children into using the tap cards, with the recovery of lost cards likely to be tied to creating an account. OMNY will almost certainly be pushing the poor and disabled to register. Judging from MTA documentation and OMNY’s privacy policy, the Reduced Fare Program intended to help less-fortunate New Yorkers will either require registration for an OMNY account or at least heavily push users in that direction.
According to the OMNY privacy policy, applicants for the Reduced Fare Program will be required to give up “name, age, address, contact information, and any qualifying disabilities” along with other personal information. The discounts from fare capping will also incentivize people away from using physical cards, as free rides seem much easier to get with a registered account.
To what benefit? The OMNY program has spent $772 million, more than $100 million over budget. At least one other city has reported that these types of cards make their social service programs harder and more expensive to run.
The promised end of “please swipe again” via tap-to-pay is not certain. Pockets and wallets are filling with an increasing number of NFC devices and cards. Straphangers may find themselves slowed by “card clash,” where two NFC cards or devices attempt to pay at the same time. This may mean being charged twice, or being forced to reorganize your wallet and try again, pushing toward more phone use.
The poorly defined privacy policy means that OMNY may share its data freely with city agencies and the NYPD, and perhaps all levels of law enforcement and intelligence agencies. The worst case is your OMNY data may be shared not only among state entities but anyone who OMNY uses in its marketing campaign, thus the entire sketchy ad tech ecosystem, and potentially more directly through other advertising-related deals.
Our privacy shouldn’t be up for grabs or for sale. New Yorkers shouldn’t roll over and allow ourselves to be made vulnerable to the type of manipulation programs like OMNY could enable. Multiple advocates have noted that the city and OMNY could do more to respect our privacy. OMNY could collect less data or even just retain it for a briefer period. It could drop account registration.
OMNY could state it will not record or leverage user data for the purposes of marketing, avoiding leaking our data into the ad tech ecosystem. The MTA can demand clearer and more binding terms in the privacy policy and a Terms of Service that promises to users that their data will not be exploited. The city and OMNY could pledge to a robust auditing policy that would allow the city or, even better, independent experts to examine the system regularly and assure its data is safe and truly anonymized.
There are so many improvements needed to the New York City subway right now, a system that this month had temperatures exceeding 100 degrees Fahrenheit on some platforms. The improvements that OMNY may provide are not worth what riders would be giving up.
Aram Zucker-Scharff is the engineering lead for privacy and security compliance at The Washington Post. His writing has appeared in outlets including Wired, The Atlantic, and Columbia Journalism Review. He is a born-and-raised New Yorker and currently lives in Queens.
(30)