Danish ticketing system a threat to privacy
Like many countries, Denmark is replacing paper tickets for public transportation with electronic tickets. The Danish system, called Rejsekort (“travel card”), is a contactless chip card similar to the Oyster card in the United Kingdom and the OV-chipkaart in the Netherlands.
At the start of the journey, the passenger holds the card in front of a check-in card reader, and this procedure is repeated when changing to another transport vehicle (train, metro or bus). At the end of the journey, the passenger holds the card in front of a check-out card reader, and the fare for the completed journey is calculated and subtracted from the balance of the card. Check-in/out card readers are placed at all train and metro stations and in buses.
For passengers, the chip card offers convenience. It can be used for public transport in most parts of Denmark, and passengers do not have to be familiar with the complicated fare structure. For example, in the Greater Copenhagen area, there are eight different price levels for a ticket depending on the number of zones in the journey and, in some cases, the number of zones can differ between the outbound and inbound journey.
The Rejsekort card exists in personalised and non-personalised versions, the latter being called Rejsekort Anonymous. The personalised card, which requires proof of identity similar to opening a bank account, offers a number of incentives to citizens: greater fare discounts, automatic transfer of money from a credit card to the Rejsekort, and the possibility of transferring the balance to a replacement card if the Rejsekort is lost or stolen. Despite its name, the non-personalised Rejsekort is not really anonymous since all chip cards have a unique number, and all journeys along with the unique card number are registered in the back-end systems of the Rejsekort company. Passengers can, of course, get a new non-personalised card regularly to protect their privacy, but the price of the card itself is about 10 euro, and the remaining balance on the old card is lost.
From a privacy perspective, the Danish Rejsekort is a disaster, because the unique card number is connected to all journeys. The journeys of all card holders are registered in a central database, and this information is currently retained for five years, together with the citizen ID number (for the personalised card). Whereas mass public transport in trains and buses previously offered a relatively high degree of anonymity (save for the ever more pervasive CCTV surveillance cameras), it has now become similar to air travel where so-called Passenger Name Records (PNR) are created and stored for every journey. Unlike air travel, the anonymous travel option does still exist with the more expensive paper tickets.
There has been some public debate and criticism of the data retention practices in the Rejsekort system. The response from the publicly-owned travel card company has been that since the Rejsekort is a payment card (albeit one that can only be used to pay for public transport), the Danish legislation on bookkeeping and on measures against money laundering (based on EU law) makes it mandatory to keep information about every transaction, that is every journey, for five years. Furthermore, the travel patterns of every passenger are analysed for various fraud detection purposes. The Rejsekort is based on the Mifare Classic chip, whose proprietary Crypto-1 cipher was publicly broken in 2008 and which is therefore lacking in terms of security. However, card hacking is not viewed as a problem by the Rejsekort company because the company believes that any attempted fraud can be detected in the back-end systems. In some sense, surveillance of passengers' travel transactions is used to compensate for the inadequate security of the chip card.
The fare structure for the Rejsekort gives passengers an incentive not to check out on long journeys, or to check out before their final destination, especially when travelling by bus where the check-out card reader is placed inside the bus itself. According to the terms and conditions for the Rejsekort, a personalised card can be blocked after three journeys where the check-out is not done properly, and in that case the cardholder will be put on a blacklist so that she/he is unable to get a new personalised card for a year. The fraud detection system probably looks for uncompleted journeys and for travel patterns that may otherwise indicate partial fare evasion, such as premature check-out. The latter profiling involves cross-referencing with general customer information, which could include the address of the passenger, but the precise details of the profiling for fraud detection are not known.
Because of the public criticism, the Danish government asked the law firm Poul Schmith (Kammeradvokaten) to investigate the data processing practices of the Rejsekort company. The report from the law firm was published on 29 March 2016. In an earlier assessment of the Rejsekort system, the independent Danish Data Protection Agency did not have any remarks about the five-year retention period for all journeys, but the report from the law firm concludes that there is no legal requirement to keep information about every journey for five years. It is only necessary to keep the information until the customer can no longer dispute the transaction, that is the payment for the journey. The law firm indicates that this period could be three years, as this is the statutory limitation period for simple financial claims in Denmark. A privacy-friendly argument for a period shorter than three years could also be made here, since a customer generally loses the right to dispute through inactivity. The official guidelines for the Danish bookkeeping administrative order contain an example with a telephone company where it is stated that only documentation about invoiced/paid amounts must be stored for five years, not details of the individual calls. When the telephone calls can no longer be disputed by the customer, the aggregate invoice is sufficient bookkeeping documentation. Clearly, the same principle must apply to a ticketing system like Rejsekort, but apparently the Rejsekort company had missed this detail in the official bookkeeping guidelines.
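The two back-end mechanisms discussed in the preceding paragraphs (counting journeys without a proper check-out and blocking a card after three of them, and keeping per-journey detail only while the payment can still be disputed, after which aggregate amounts suffice for bookkeeping) can be sketched in a few lines. The following is an added example, not code from Rejsekort A/S or from the Poul Schmith report; the record layout, the sample ledger, the 30-day dispute window and the per-card monthly aggregation are assumptions made for illustration. The real system's data model and its fraud profiling are not public.

```python
"""Illustrative back-end logic for a travel card ledger (assumed design, not Rejsekort's)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Journey:
    card_id: str                  # unique card number, present even on an "anonymous" card
    day: date
    check_in_zone: int
    check_out_zone: Optional[int]  # None = the passenger never checked out
    fare_cents: int               # amount actually debited (integer cents avoids float drift)


# Constructed sample ledger; not real Rejsekort data.
SAMPLE: List[Journey] = [
    Journey("A1", date(2016, 1, 5), 1, 4, 310),
    Journey("A1", date(2016, 1, 6), 1, None, 500),
    Journey("A1", date(2016, 2, 1), 1, None, 500),
    Journey("A1", date(2016, 3, 20), 1, None, 500),
    Journey("B2", date(2016, 3, 21), 2, 3, 200),
    Journey("B2", date(2016, 3, 22), 2, None, 500),
]


def missed_checkouts(journeys: List[Journey]) -> Dict[str, int]:
    """Count, per card, the journeys that were never checked out."""
    counts: Dict[str, int] = defaultdict(int)
    for j in journeys:
        if j.check_out_zone is None:
            counts[j.card_id] += 1
    return dict(counts)


def cards_to_block(journeys: List[Journey], threshold: int = 3) -> List[str]:
    """Cards reaching the (assumed) three-strikes rule from the terms and conditions."""
    return sorted(c for c, n in missed_checkouts(journeys).items() if n >= threshold)


def retain(journeys: List[Journey], today: date, dispute_days: int
           ) -> Tuple[List[Journey], Dict[Tuple[str, str], int]]:
    """Data-minimising retention following the telephone-company example:
    keep per-journey rows only inside the dispute window, and collapse older
    rows into per-card, per-month totals (the 'invoice'), which is all that
    bookkeeping rules require to be kept afterwards."""
    cutoff = today - timedelta(days=dispute_days)
    detailed: List[Journey] = []
    totals: Dict[Tuple[str, str], int] = defaultdict(int)
    for j in journeys:
        if j.day >= cutoff:
            detailed.append(j)
        else:
            totals[(j.card_id, j.day.strftime("%Y-%m"))] += j.fare_cents
    return detailed, dict(totals)


if __name__ == "__main__":
    print("missed check-outs per card:", missed_checkouts(SAMPLE))
    print("cards to block:", cards_to_block(SAMPLE))
    detail, agg = retain(SAMPLE, date(2016, 3, 29), dispute_days=30)
    print("journeys kept in detail:", len(detail))
    print("aggregated older amounts:", agg)
```

Note what the retention step throws away: once a month's journeys can no longer be disputed, only the card-and-month total survives, so the zone-by-zone travel history is no longer available for later profiling or for a data breach. The fraud counter, by contrast, only needs the rows still inside the dispute window.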
A second recommendation from the law firm Poul Schmith is that customers should give consent to the processing of personal data for fraud detection. Currently, no information at all is provided about this processing to the customers. This recommendation is a bit odd. The Rejsekort company argues that the processing can be done without consent because the legitimate interest exception applies to the fraud detection. Moreover, consent as a legal basis for processing hardly makes sense here since customers cannot really refuse (if they want a Rejsekort), and it seems rather unlikely that the Rejsekort company will provide sufficient information so that the consent actually becomes meaningful. Quite interestingly, there is a discussion in the report as to whether the consent to data processing for fraud detection will be coerced or not. The law firm argues that the consent is voluntary, but only because alternatives to the Rejsekort exist, especially single-journey paper tickets. These alternatives are however more expensive and more cumbersome to use.
The Rejsekort company has announced that it will follow the recommendations made by the law firm. This also applies to some of the minor points about reducing the number of employees with access to the central database with journeys, and ensuring written documentation for agreements with data processors.
What is rejsekort? (homepage of Rejsekort A/S)
Investigation of the processing of personal data in rejsekort by the law firm Poul Schmith (only in Danish, 29.03.2016)
(Contribution by Jesper Lund, EDRi member IT-pol, Denmark)