The Victorian information watchdog has revealed there are “no controls in place” for the millions of Australians that use Victorian public transport after a wide scale government breach saw travel data exposed.
In spite of the revelation, Public Transport Victoria (PTV) and the Department of Premier and Cabinet - who were responsible for releasing the information - has stopped short of admitting that personal information has been compromised.
According to The Age, “In May last year, PTV gave a hacking and data science conference unfettered access to travel data stored on about 15-million myki cards used in the three years to June 2018.”
The 1.8 billion ‘touch on’ and ‘touch off’ events on the cards included information about a commuter’s route and stop number and the specific train they were on,” writes Timna Jacks.
The office of the Victorian Information Commissioner has found the ease in which a third party could abuse the data, with a spokesperson saying “the dataset contains a wealth of information about the travel movements of Victorians, which was disclosed with no effective controls in place to guard against re-identification,” the report said.
“This could allow a malicious third party with access to the data to determine another individual's history of public transport journeys.”
“Members of the Victorian community would expect information about their travel movements to be afforded a high degree of protection.”
Steps taken by PTV have been called “inadequate” by the Information Commissioner, adding it was using “technical arguments” to deflect criticism.
Victoria’s Information Commissioner, Sven Bluemmel, told the media that “your public transport history can contain a wealth of information about your private life… It reveals your patterns of movement or behaviour, where you go and who you associate with.”
“This is information that I believe Victorians expect to be well-protected,” Bluemmel stated.
It is reported that when PTV were asked by the group organising the ‘Datathon’ conference if attendees could keep the information, or if a non-disclosure agreement needed to be signed, Public Transport Victoria responded: “No NDA to sign this year- you can do what you like with the data.”
The dataset was found by a collection of Melbourne University academics who were horrified by the ease in which they were able to identify themselves and access the data of their friends, and even a sitting MP.
The Victorian Information Commissioner’s report continued to explain that: “the dataset contains information about individuals; namely, the location of people at specific times they started or concluded a public transport trip. The dataset also allows more information to be inferred about those people, such as their typical public transport movement patterns.”
In response to the report being published, the Department of Premier and Cabinet has rejected the audit’s findings, denying any misuse of the public’s data and private information.
“The data did not contain any details of a person’s identity,” the statement read. “Instead, to use the data to re-identify an individual’s myki card travel history involves multiple steps, including cross-matching the data with information from other sources and private knowledge.”
Jeroen Weimar, Deputy Secretary of the Department of Transport has said that following the commissioner’s recommendations, a new set of guidelines for research ethics as well as privacy frameworks are set to be implemented.
“Careful sharing of data makes an important contribution to how we improve transport services for all Victorians- it’s vital we continue to update our privacy protections,” Weimar said.
The ABC has quoted lead researcher from the University of Melbourne’s School of Computing and Information Systems, Chris Culnane, who called the data release “shocking”, adding that “the fact that the privacy assessment was conducted didn’t pick up these dangers, when it was fairly obvious to us that if you release this type of information it’s going to be pretty easy to reidentify it - I think it is quite shocking that quantity of data was released without someone realising how identifiable it would be,” he said.
“The worst fears are being able to find someone for example, if you travelled with them once within the city and then you find out where they live or where they travel to work from. If someone is trying to find someone or stalk them then that kind of information is extremely valuable and sensitive to that person,” Culnane continued.
“Our analysis raises serious privacy, safety and security issues. It’s easy to imagine how information like this could be used by people who might have gone to cause harm,” he said.