The BigBrotherAward 2016 in the “Technology” Category goes to Berlin’s Public Transport Company (Berliner Verkehrsbetriebe, BVG). It has been in use in Berlin and environs since 2013 – the VBB “Fahrcard” (literally “ride card”), a contactless chip card, also referred to as “(((eTicket”. With it everything was supposed to be better, faster, more modern. It was not really faster – its introduction did not take quite as long as the completion of the new Berlin Airport, but indeed several years. Nor have the boarding process or ticket inspection become faster. Because the reading devices are terribly slow.
Perhaps that is because these are by no means just reading devices – actually they also write on the card each time. Namely: date, time, bus route and bus stop. And these log entries occur not only with the BVG, but also with other members of the Berlin-Brandenburg Transport Association (Verkehrsverbund Berlin-Brandenburg, VBB), namely: the Oberhavel Transport Company (Oberhavel-Verkehrsgesellschaft, OVG) and the regional East German Railway (Ostdeutsche Eisenbahn, ODEG). So their passengers carry a little data leech in their pockets. (Incidentally: The e-ticket in Hong Kong bears the rather fitting name “Octopus Card”. Although the Hong Kong card – in contrast to the Berlin variety – can be used anonymously.)
The passengers were unsuspecting. And they probably still would be, if it were not for the Berliner Fahrgastverband IGEB (a Berlin passenger association) and the online magazine golem.de. The passenger association deserves credit for having exposed this data leak. In December 2015 it discovered that BVG buses stored movement points on the contactless chip card with NFC technology (Near Field Communication, a form of RFID radio technology) – in particular, at which bus stop and at what time the passenger entered the bus on a certain route. Even though this is a monthly ticket, for which individual journeys are not relevant in any way!
Using the stored starting points, a movement profile can be generated. Ten entries can be stored on the card. And this logbook could actually be accessed by anybody with easily affordable equipment – a smartphone with NFC capability and the app Mytrack is all that was needed. And then, for example, someone might read-out his partner's card and ask her “Why did you start out so late yesterday to pick the kids up at the day-care centre?” or “What were you doing last weekend at the trade-fair premises?”
The BVG really went awry in this matter with their information policy. They lied to their customers for years. They claimed that it was technically impossible to store movement profiles on the tickets. But that is false, and if it were not for the passenger association IGEB and the technical research done by the online magazine golem.de, we would not have known what really went on. For there is a technical standard for e-tickets – the so-called VDV Standard. VDV stands for “Verband Deutscher Verkehrsunternehmen” (association of German transport companies). And from the start, this VDV Standard provided for the storage of data in a so-called transaction log – including movement data.
Then the Berlin-Brandenburg Transport Association VBB confirmed – but only upon repeated enquiry -- that the cards could do this in principle. The BVG made the excuse that they did not order this function from the manufacturer, but that the manufacturer simply implemented the (((eTicket Germany specifications. And so the BVG casually passes the buck to the card manufacturer. Still the BVG is to be blamed for negligence, since they are of course responsible for verifying the software they use. The problem existed since at least April 2015, but probably for several years previously. Subsequently the BVG informed the public that there was no question of a “data leak”.
Why does the official BVG advertisement with the rapping ticket inspector come to mind:
“Doesn't matter to me – doesn't matter to me – doesn't matter to me”
This show of haughtiness, irresponsibility, coolness and ignorance obviously is what many Berliners consider to be insignia of urbanity.
I do not. Some things do matter. I remember the New York bus driver on the bus I rode for an hour though Brooklyn on the way to Prospect Park. He had a friendly greeting for each passenger, helped those boarding and warned when starting off “Hold on, we're moving”. He was the host on this bus – he felt responsible and wanted everyone to have a good ride. The passengers rewarded this with an exhilarating, friendly atmosphere on board. This is exceptional for New York too, but it shows the difference between a passenger and just an instance of transport.
Yes, it does matter whether the BVG collects movement data on the cards. At the end of December 2015 they had to deactivate all reading devices in the buses. Now they offer to erase the data already stored on the cards. To have that done, the customers must visit the BVG customer centre. For a while scissors were the only means of removing the data – by cutting up the cards. Since mid-February the necessary software seems to be working.
This BigBrotherAward does not just apply to the BVG and the others in the VBB transport association, it is also meant as a warning to all the public transportation companies around the country, who are preparing to or have already put electronic tickets into service, for example the HVV in Hamburg, the VGF in Frankfurt and the RMV in the Rhine-Main area.
And the BigBrotherAward points out a number of other concerns:
1. The technology behind the FahrCard / e-tickets is obscure to the customers. The normal stamp on my paper ticket is legible and I can carry it with me. Electronically collected data are mostly out of my reach.
2. The BVG and the VBB transport association have gambled away customer confidence through their incompetent actions and by playing down the privacy issues. They have proved that it is best not to trust them.
3. We question the very principle: why is it necessary at all to record the journey from A to B on the ticket?
In order to answer these questions, let us get off the BVG bus and direct our attention to transportation as a whole. We need to broaden our view and have the courage to think big.
Public transportation nearly everywhere in Germany is already by about 70% financed from public funds and not by the passenger. And that is appropriate, since environmentally friendly mobility, accessible to everyone, is a public concern and serves the common good. Besides, individual traffic by motor car is also heavily subsidised.
In order to reduce car traffic in towns and elsewhere, many places are considering eliminating tickets and fares altogether. Then each and every person can travel anywhere at no charge. Thus public transportation expands its ridership, saves the cost of selling and checking tickets, and the environment profits as well. Internationally, many examples prove that it works.
The Belgian city of Hasselt for example: In 1997 – as the car traffic in town had become unbearable – the new mayor, Steve Stevaert, suggested to forgo building a bypass road and instead make the town’s bus service free of charge. The bus routes were expanded, 15-minute bus intervals established, and parking fees in town raised. The plan bore fruit – the gratis buses are a hit and the quality of life in town has greatly improved for everyone. Several other towns around the world have followed this example, among them are Tallinn in Estonia, Aubagne (a suburb of Marseille) in France, Manchester in Great Britain and Calgary in Canada. There is a whole line-up of cities worldwide in which we would not need a ticket for trains and buses. And in Germany towns and municipalities have taken interest in gratis public transportation, for example Tübingen. In Berlin the parliamentary group of the Pirate Party carried out a feasibility study which showed that a ticketless system would work there.
The semester tickets offered by many universities, where the student ID becomes a season ticket, are an important achievement because young people become accustomed to travelling by bus and train and refrain from acquiring a car.
There is a good reason to examine this topic right now. Predictions indicate that when self-driving vehicles come onto the market, traffic will increase enormously. Then mum won't have to go on that time-consuming tour to three schools, but rather the self-driving car will deliver the offspring individually to their lessons. And the businesswoman, who doesn’t like the stress of driving herself, may in future switch from the Intercity Express train to her own car with auto-pilot. Therefore transport companies and politicians should take countermeasures now and offer attractive short and long distance public transport as an alternative.
Back to Berlin and the legal basics:
We recommend that the BVG read the Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG), paragraph 6c for “mobile personal data storage and processing media”. Section 1: “The authority issuing a mobile personal data storage and processing medium (…) must inform the parties concerned, in a generally comprehensible form about the manner in which the medium functions, including the nature of the personal data being processed” and in section 3: “Communications that trigger data processing must be distinctly recognisable for the parties concerned.” Well, that didn't quite work in Berlin. And while you're at it, those responsible at the BVG, go on and read, for future developments, paragraph 3a about data minimisation.
Alexander Dix, the former data protection officer for Berlin, demanded appropriately: Passengers must be given the option to use the program and make payment without leaving a trace. The ticket vendor must provide customers with a way to purchase pre-paid tickets using a pseudonym and pay by cash. Keep that in mind, dear transport services, if you want to offer e-tickets. Otherwise …
Final Stop: Total Surveillance – please disembark
We demand: In addition to all the other important aspects such as environmental protection, climate protection and attractive mobility at fair prices, data protection must be included in any considerations for future short and long distance transport services. The registration of all passengers and routes travelled by bus or train may seem by some to be a trifle. But it is an important jigsaw piece in the overall picture of total surveillance. As the decision of the Federal Constitutional Court (Bundesverfassungsgericht) on telecommunications data retention remarked: A single measure might somehow seem acceptable – but if it tilts the surveillance “balance sheet” such that citizens feel they are being watched each step of the way, then it is not compatible with our basic free and democratic order. The constitution gives us the right to move about freely – and its first article regarding personal dignity stipulates that we can do this without being constantly monitored, registered and recorded.
And that does indeed matter.
Congratulations on your BigBrotherAward and may you always enjoy boundless mobility, dear BVG.