This week has been an absolute shit storm for Melbourne public transport, and it looks like it’s only getting worse.
If you thought your biggest worry was whether Monday’s strike was gonna make you late for work, think again because researchers just found a major privacy breach that basically means anyone can stalk you using your myki details. Big yikes.
[jwplayer 8aPlNrtb]
Victoria’s Information Commissioner revealed today that a whopping 2 billion lines of data were released during a data science competition in mid-2018, which was obviously a major breach of privacy laws.
According to the ABC, information from over 15 million cards was made available online for the two-month duration of the Melbourne Datathon (whatever the hell a datathon is). The details of a whopping 1.8 billion trips were shared.
Basically, the information was meant to be de-identified for the event. However, it turns out that just means they removed the names attached to the myki card. SPOILER ALERT: that was a bad idea and it’s definitely possible to re-identify the data.
Terrifyingly, the data of Victorian Labor MP Anthony Carbines‘ myki card was able to be identified using the information available and a few harmless tweets he made.
Yep, they’re coming for our tweets. If you’ve ever made a “fuck, train is late AGAIN” tweet, you too could be at risk.
“The fact that the privacy assessment that was conducted didn’t pick up these dangers, when it was fairly obvious to us that if you release this type of information it’s going to be pretty easy to re-identify it — I think it is quite shocking that quantity of data was released without someone realising how identifiable it would be,” lead researcher Chris Culnane from University of Melbourne said.
If you’re like me, you’ve probably never even thought about how easy it would be to stalk the shit out of someone using their myki history. But apparently it’s really easy, which is fucking terrifying to say the least.
“The worst fears are being able to find someone for example, if you travelled with them once within the city, and then you find out where they live or where they travel to work from. If someone is trying to find someone or stalk them then that kind of information is extremely valuable and sensitive to that person,” Dr Culnane said.
“With just a handful of pieces of information about where someone boards or exits public transport, it’s possible to get an indication of where they live or work, their regular travel patterns, who they travel with, or if they travel alone, for example, children heading home from school alone.”
The Department of Transport shut down the claims, saying that the data isn’t personal information. However, if it only takes knowing the details of two or three trips someone has taken to reveal a wealth of private travel information, I reckon that’s pretty personal.
Dr Culnane is also pretty skeptical about the department’s efforts to avoid this happening again in future. Apparently, there is minimal transparency regarding the use of data by the department, which makes it difficult to prevent similar issues occurring in future.
To make matters worse, there’s not really much you can do to protect yourself. If you use public transport, you can’t just opt out of sharing your data.
Although you can choose not to link your name to your card, this doesn’t do much in the way of privacy protection, and it becomes a huge hassle if you lose your card.
The only thing you can really do is limit how often you reveal your PT habits on social media. I know, it’s really hard when you’re a public transport comedian like I am, but it could potentially protect you.
All of this privacy stuff is terrifying. I hate technology, I fucking HATE it. Make it stop.
