[LINK] myki - a tracking device (was Re: more myki pain)

jore419-links at yahoo.com.au jore419-links at yahoo.com.au
Mon Apr 12 23:14:14 AEST 2010


>> Anyway, time will tell if and how Myki logs can be used for the
>> obvious things such as law enforcement and as court evidence, and
>> whether it can be used in real-time or only retrospectively.

> the short answer here is, yes, yes they are/will be. especially once
> someone realises the logs can be sync'd up with cctv, and so on.

precisely. one can point to the examples with the "oyster card" in the UK...

http://www.thisislondon.co.uk/standard/article-23440524-police-make-3000-requests-for-data-from-oyster-cards.do

http://www.guardian.co.uk/technology/2006/mar/13/news.freedomofinformation

http://news.bbc.co.uk/2/hi/uk_news/england/london/4800490.stm





________________________________
From: Steven Clark <steven.clark at internode.on.net>
To: link at mailman1.anu.edu.au
Sent: Mon, 12 April, 2010 2:09:46 AM
Subject: Re: [LINK] myki - a tracking device (was Re:  more myki pain)

> On Sun 2010-04-11 17:36:31 UTC+1000, Stilgherrian
> (stil at stilgherrian.com) wrote:
>
>> On 11/04/2010, at 5:24 PM, andrew clarke wrote:
>>> If someone has a particular reason for their destination to be
>>> unknown they could choose to not touch-off.
>>
>> This does, of course, represent changing the default position of
>> "government entity may track my movements" from "if I am
>> reasonably suspected to have committed a crime" to "always". I'm
>> not sure we should flip this switch without a serious public policy
>>  discussion.
>
> I'm curious who "owns" the Myki logs, is it the government or a
> private company?

the usual/default is that the owner of data (and databases) is the
entity collecting/compiling it. certainly the copyright in the
collection/database would be theirs. so, the corporation in this case.

[one of the very popular reasons for governments outsourcing services to
corporations appears to be to exclude the data and documentation
associated with that service provision from freedom of information and
other public disclosure regimes.]

> Anyway, time will tell if and how Myki logs can be used for the
> obvious things such as law enforcement and as court evidence, and
> whether it can be used in real-time or only retrospectively.

the short answer here is, yes, yes they are/will be. especially once
someone realises the logs can be sync'd up with cctv, and so on.

and let's not stop there. what about tax records, to establish that
certain expenses were actually incurred, and *probably* actually
associated with work (say, travel to/from on the tram) ...

> At this stage I'm not sure many people are too concerned about
> privacy issues, particularly when it's not clear at the moment
> whether Myki will even survive for more than a few years.

it's odd the broken things we put up with because they're what we've got
- and paid for. if it can be made to kind-of-work, it'll hang about for
a while.

> I'm guessing about 10% (or less?) of Melburnians use trains
> regularly, and last I heard, currently less than 10% of train
> travellers were using Myki.  So unless I'm mistaken, only a very
> small number of people in Melbourne will be giving privacy a second
> thought.

the problem is, it's almost always *after* you've been screwed that you
worry about privacy.

large scale systems like this ought to have had privacy (and security)
designed in from the beginning.

it's not as though anyone is vague about the legal obligations regarding
privacy, nor about the measures that can be taken to protect against
first, second, or even third order breaches. nor are we wading about in
the dark when it comes to the risk profiles involved.

> But it's certainly something to consider if the system is ever
> widely implemented and successful.  That seems like a big IF at the
> moment!

like sooo many ict implementations, it's all the basics that have been
overlooked or underestimated. privacy *cannot* be an afterthought:
unless it is built-in deeply, it tends to fall off.

rfid is fun to play with. you add in a wireless network at the backend
and we'll be enjoying stories about spoofing and data corruption at some
point.

privacy isn't just a paranoid amusement, it forms a key component of an
overall security-integrity system design and implementation.

> At least any travel logging will be largely transparent, ie. the
> card owner should know their card COULD be used to track their
> movements, at least to some degree.

how would such an assumption equate with transparency?

transparency would require actual notice (preferably at every
transaction - people have crazy short attention spans about things that
occur in the periphery of what *they're* doing ... eg going to visit
martha), and accessibility of the actual data/records in some sensible
manner that enables the myki user to make sense of what they're being
shown ...

> Of course, their card could also be misplaced (or stolen) and used
> by someone else...

i wonder how hard it would be to clone myki cards? or spam/spoof/dos
attack the terminals?

-- 
Steven R Clark, BSc(Hons) LLB/LP(Hons) /Flinders/, MACS, Barrister and
Solicitor
Chair, Economic, Legal and Social Implications Committee, Australian
Computer Society
PhD Candidate, School of Commerce, City West Campus, University of South
Australia
"Finding a Balance between Privacy and National Security in Australia's
ePassport System"
_______________________________________________
Link mailing list
Link at mailman.anu.edu.au
http://mailman.anu.edu.au/mailman/listinfo/link



      

