Providing Location Privacy in Automated Fare Collection Systems

In many big cities around the world, public transport operators (PTOs) have introduced automated fare collection (AFC) systems, which greatly facilitate the collection and management of transactional data in their public transport systems. The benefits to the PTOs are clear: based on the fine grained data gathered on the usage of their services, they can optimize their transport systems, which may result in great savings, and thus, higher profit. AFC systems offer some benefits to the passengers too. For instance, they can enable the deployment of dynamic pricing schemes, which may be advantageous for passengers. But AFC systems also present serious privacy risks. The problem stems from the fact that electronic tickets have unique and fixed identifiers. Besides making the processing of transactional data easier for the PTO, unique and fixed identifiers are also the basis for many fraud detection and prevention techniques (e.g., blacklists). Unique and fixed ticket identifiers lead to at least two privacy problems. First, if the PTO can link particular tickets to particular persons, then it can track the whereabouts of some passengers. This could be possible, because many tickets (especially those for long term usage) may have some personal data associated with them, such as discounting rights (granted for students, elderly people, or disabled persons). By pulling together these personal data and the traces of the ticket observed in the past, the PTO may identify links between particular tickets and particular persons with high probability. Second, in many modern AFC systems, tickets are implemented on contactless smart cards. These cards execute their transactions with card readers (e.g., a ticket validating device) through wireless channels. Although the nominal range of typical contactless smart cards used in public transport applications is only a few centimeters, it has recently been demonstrated in [4] that they can be eavesdropped from a larger distance of a few meters. Hence, it is possible to install eavesdropping equipment in an unnoticeable way at places of transactions (e.g., at the entrance of metro stations), and collect transactional data, including the unique and fixed card identifers, for later off-line analysis. In this abstract, we address the second problem. Solutions to the first problem would require to substantially change the way AFC systems are engineered today, and PTOs would likely be reluctant to invest in that. On the other hand, the solutions that we propose for the second problem require changes only at the lowest layer of the AFC system architecture (i.e., in the protocols used between the contactless smart cards and the card readers), and they do not affect the higher layers (i.e., back-end processing).