Frequently Asked Questions For Policy Makers
What is the ORCA card?
The ORCA (One Regional Card for All) card is a new RFID-based transit pass that will be used to pay for bus, train, and ferry transit in the Puget sound region. It will unify the fare systems of Sound Transit, King County Metro, Community Transit, Everett Transit, Pierce Transit, Kitsap Transit and the Washington State Ferries.
What are the benefits of the ORCA card?
For riders in the Puget Sound region, the ORCA card provides a more streamlined transit experience by seamlessly integrating payment systems for area buses, trains, and ferries. ORCA uses RFID, contact-free technology, meaning that riders need only place the card within a few inches of a reader to pay their fare, often without removing it from their wallet or purse. Fare payment will be faster and more convenient as result. The ORCA card will function in a similar manner to a phone card, meaning that riders can buy prepaid cards in various denominations, and manage and recharge the cards at kiosks, online, by phone, or through the mail. If riders interact with multiple transit systems, they will now need only one transit pass for all their travel needs.
Participating institutions in the Puget Sound region (such as the University of Washington, Microsoft, and Boeing) may benefit by providing their employees with ORCA cards that support additional features such as "quick pay" at local businesses or personalized access to institutional services.
The seven participating transit agencies will benefit from more precise data and statistics on ridership and transit patterns.
Are there privacy risks and how big of a concern are they likely to be?
There are a number of privacy risks that educated riders are likely to be concerned about. These risks are all based on the possibility that the security of a rider's personally identifiable information (PII) will be either accidentally or maliciously compromised. This could happen in a number of ways and through various interfaces to the ORCA system.
Generally speaking, it will be very difficult for a malicious party to track a rider by compromising the RFID chip in the ORCA card itself. The ORCA card can only be read from few inches away and uses strong encryption that protects all data on the card even when read.
PII is much more likely to be leaked from the databases which contain data collected on ORCA transactions. Every time a rider uses his or her ORCA card, a record of the card's unique identifier, as well as the time and location of use is stored in the transit agency's database. Over time, these records give a complete history of all your travel. At a minimum, employees of the transit agencies, law-enforcement, and the press will have access to that history; various parties at participating institutions may also have access to that history. While these groups often have the best intentions when it comes to protecting PII, it only takes one disgruntled employee or a lost laptop to put private travel history in the hands of a malicious party.
Are there other ways I can be tracked by the ORCA card?
Every time you use your ORCA card, a record of the unique identifier of the card, the time and location of use is stored in the transit agency's database. Over time, these records give a complete history of all your travel. At a minimum, employees of the transit agencies, law-enforcement, and the press will have access to that history. While these groups often have the best intentions when it comes to protecting your private data, it only takes one disgruntled employee or a lost laptop to put your private travel history in the hands of a malicious party.
The privacy risks are concerning PII, but only location history is stored, correct?
It may be that only location history is stored, but we feel that the definition of PII should be applied more broadly to include location data. Recent studies have shown (see Krumm 2007 or Gruteser 2005) that location history alone provides a set of "footprints" that can uniquely identify individuals. As such, location information should be considered as sensitive as name, social security number, or other common PII.
Are there other risks?
Another risk is in the cost of maintaining a large amount of PII in a public database. Such databases are often subject to audits which can be very costly and time consuming.
What actions can policy makers take to address these risks?
In general, it will be helpful to urge transit agencies to reconsider storage and retention of large amounts of PII and location data as well as to educate the public regarding potential privacy issues. It's also possible that stronger legislation can help. For an example of a bill that tries to address some of these and other issues surrounding RFID (see House Bill 1031).