Frequently Asked Questions for Institutional Partners
Who are institutional partners?
Institutional partners are organizations which contract with the transit agencies to provide ORCA cards to their members (employees, staff, students, etc). Currently, the only known ORCA institutional partners is the University of Washington, but there will likely be participation from companies like Microsoft and Boeing. The goal of such partnerships is to issue discounted passes to encourage using public transit as a commuting option.
How does transitioning to the ORCA card affect me?
ORCA provides a streamlined way to offer your members subsidized or free access to public transit. The system also includes detailed transaction histories of time and location of ORCA card use. This data can be used for more accurate billing and analysis ridership patterns, but these expanded capabilities are not without risk. Potential data breaches could reveal the travel patterns of the issued cards and so the use of such data must stay carefully within privacy laws.
What are the potential risks I expose myself, my organization and those issued ORCA cards to?
First, understand your liability. Your legal counsel can clarify what legal and public relation risks you may have and how to best protect yourself. Topics you may wish to investigate include privacy laws, member contracts, and systems for protecting personal data.
Secondly, understand that while ORCA usage data might inform internal decisions, it is also ripe for abuse. Both internal misuse and potential data breaches can lead to legal and public relations for your organization.
What can I do to help mitigate these risks?
When deploying your system, make sure to include your members at every stage. A little bit of discussion can often avoid a lot of misinformation, mistrust and misunderstanding. Also, consider allowing members to opt-out in a meaningful way while still retaining many of the benefits of the ORCA card. If it is possible to allow your members be fully anonymous, then do so.
Create a clear policy about what data you collect and how it will be used. This will clarify your responsibilities and inform your card carriers about what data will be gathered and how it will be used. The more you do to keep your member's information private, the more trust they will have in your organization.
The only guaranteed way to protect data from compromise is to not have it in the first place. To avoid potential breaches and the ensuing public relations and legal problems, only keep data which serves a clear purpose. Once that purpose is met, destroy the data. You can also collect only aggregate data. Aggregate data is often nearly as useful as per-user data and is far more (but not perfectly) anonymous.
Once data is collected, how you manage it is also important. One useful tool in data management is a tamper resistant audit log. An audit log keeps track of who accesses the data, the time the access was made and what, if any, changes were made. While audit logs do not prevent breaches, they are useful in catching problems earlier and understanding the depth of the problem once caught.
Finally, make sure you understand the risks involved with the data you keep. This involves both understanding the security that protects it as well as the potential for data mining. In both cases, bringing it outside experts from academia and industry can be very helpful.
What do I need to understand about the underlying technology?
There is nothing inherently insecure about RFID technology. It will likely be very difficult for a malicious party to track a rider by compromising the RFID chip in the ORCA card itself. Know that transit agencies and other institutional partners will have the ability to read the cards and thus the data you store on them. That said, the ORCA card can only be read from few inches away and uses strong encryption that protects all data on the card even when read. While encryption can help, but doesn't solve all problems unless properly used. Make sure to involve security experts when designing what data will be stored in your section of the card.
Again, it is far more important to understand the implications of the data than RFID technology. Understanding how data harvested by the transit agencies and institutional partners, is stored, shared, accessed and protected is essential.
I have concerns about this program. Who should I contact?
We recommend you speak with your HR representative from your company, your university or union representative. You may also contact the ACLU, transit agencies or soctech.