Many people are worried about the privacy implications of the new Transport for London Oyster Smart Card. This promises greater convenience (and some introductory discounted fares) for travel on London Underground railways and Bus services, at the cost of greater surveillance of individuals, since each Oyster Card is uniquely numbered, and has to be swiped at the start and end of each journey. This self tracking behavior is reinforced by the poster advertising campaign and the policy of charging the maximum possible fare unless you swipe the card past the reader at the end of your journey, not just at the start.
The season ticket versions of the card have name and address and credit card details associated with them. Even the new pre-pay cards, which are more anonymous, unless you use a credit card or choose to register the card, still have a unique tracking serial number which can be tied to the omnipresent CCTV Surveillance on London Underground, and increasingly even on London Buses.
The system uses contactless MIFARE based smart cards with distinctive yellow readers at Tube station barriers and on buses.
There is no authentication mechanism e.g. a Personal Identification Number as with "Chip and PIN" credit cards, it depends only on whether the Oyster card is within range of a reader, typically 10 centimetres or so for the readers currently deployed by Transport for London (which is far less than what the equipment is actually capable of). The only security against being accidentaly overcharged or having your private details read or associated with a particular Oyster Card by people operating their own MIFARE scanners, is to shield the Oyster Card from unwanted radio signals. These private details includes information about the last 10 or so trips that you have made, which is data stored directly on the card, and which will be available to the 3rd party retailers who come on board the "electronic purse" aspects of the scheme.
The MIFARE system uses one of the Industrial Scientific Medical licence free frequencies at 13.56 MHz, so it is not illegal for other people to have or to use their own reader equipment.
One way to preserve your privacy somewhat is to shield the Oyster Card with aluminium kitchen foil. This seems to block the readers on the charge up ticket machines even when only the back of the Oyster Card is shielded i.e. you have to remove the Oyster Card from the shielded holder for it to be read/charged up:
Even if, like us, you do not think that non-Oyster Card readers are very common yet, there is still a case for shielding your Oyster Card. especially the pre-paid one which currently only operates in the central zones 1 to 3. If you travel into London from outside these zones, on a paper ticket which you present to the slot in a Tube ticket barrier on your right, you do not want money to be deducted from your zone 1 to 3 Oyster Card as well - it depends on your physical size as to how close the Oyster Card readers are to whatever pocket or handbag etc you keep your card in.
Similar use of aluminium foil to line pockets or handbags or shopping bags etc. will also block RFID tags on consumer items which have not been "killed" or disabled at the checkout (again, more of a potential problem in the future, rather than a big risk at the moment).
However, if you choose to use such radio frequency shielding techniques, be aware, that you currently run the risk of being suspected of carrying concealed weapons or explosives by the operators of the still rare but controversial "see under your, or your childrens', clothes" Passive Millimetre Wave Radar cameras and scanners being tested by the Police and other military security forces.
UPDATE:
We are getting visitors directed to this article via links from discussions about the security and privacy problems with the new US Biometric passport.
This involves some international "bait and switch" propaganda e.g. the US and UK governments claim "we have to introduce biometric passports because that is what the International Civil Aviation Organisation says we have to do."
Speak to anyone in the ICAO and they say "we are specifying biometric passports because the US and UK government were pushing this policy"
Biometric Passports need a chip inside them, and for some astonishing reason, probably to do with commercial lobbying, the ICAO has specified a contactless smartcard solution. All well and good, except that this is not a very tight specification, and the US Government, has chosen not to use any encryption in its passports, i.e. they have ignored all the technology and experience gained through the issue of millions of Mifare type contactless travel smartcards, like the Oyster card.
This means that US citizines will have their passport details secretely read , through their clothing or luggae, by unauthorised standard reader devices, some of which could be operating with more sensitive antenna and amplification in excess of the normal off the shelf equipment which has to obey local radio frequency allocation power limit regulations. This is a threat to the privacy of US citizens(and any other country stupid enough to copy the US system). In the worst case, there will be terrorist bombs and booby traps triggered by a specific individual's US Passport, or a generic "are there sufficient US passport holders in the imm3ediate area" type detonation command.
The way to overcome this is obviouslty to shield the passport in the same way as the Oyster Card above. However the same laws of physics apply, so you cannot put the chip and antenna into the cover of the passport if you intend to shield it with aluminium etc.
You end up having to have a thickly laminated page, effectively a smartcard , bound into the passport booklet (border control visa ink pad stamps are not going to be phased out). You could then shield the covers of the passport booklet.
This means that instead of a convenient, rapid check like the Oyster card, such a passport will involve fumbling to get the covers open to expose the smartcard page inside, and then presenting it to the reader device. Why on earth couldn't they have used a contact smartcard, like millions of "Chip and PIN" credit cards, or an optical barcode system, which can be read by laser without the risk of it ever being read secretly through your clothes or luggae by radio ?
If the US style passport is not shielded (still an option), and people go for the home brew or commercial (there must be millions of leather and other passport wallets on the market) shielded passport holder, then experience with the Oyster Card shows that you will have to remove the passport from this shielded wallet for it to work. Simply flipping it open will not be sufficient, especially if the offical passport readers are deliberately detuned to only work at a vey short range (so as not to get confused by the next people in the invetiable queue).
All the worries about "see under your clothes" snooping devices applies even more to such shielded passports - this equipment is being introduced in airports first, as it is still expensive. Therefore there will be a number of "false positives" where people are suspected of carrying weapons, explosives or drugs, simply on the basis of their shielded passport holders which will show up in high contrast aginst their "naked" bodies.
Obviously when this happens too many times, the security gurds will become lax, and criminals will start to smuggle small amounts of drugs, explosives or sharp weapons, within the shielded passport holder itself.
Interesting post.
I am generally a big fan of Oystercard - makes accounting for travel easier, has the potential for intelligent fares (one day cards, loyalty etc).
The privacy issues are a concern and for me the issue is making the risks fully transparent and trying to ensure that no one is fooled.
Thanks for an interesting blog which I scan regularly!
any more info on jamming techniques would be appreciated
Thanks for your post. I too am not a great fan of giving out my personal details to all, specially to the likes of Ken L., who would only use it to track down your every move and think of ways to maximize his fares. As it is, too many organisations already have my details. I had thought that the prepay Oyster card would be ideal for me, now that I have been forced into using TFL (YUK!). Problem is, they won't sell me one unless I register. No amount of explaination works,even showing their leaflet which explains it. I do not mind paying the deposit, that makes sense. The idea of this card is great, only if it was'nt used to screw the poor defencless public. After all, it's only a glorified train ticket. (I await phone taps etc)
We certainly have not registered our pre-paid Oyster Cards. Perhaps it is worth trying to find some better trained staff at a different station ?
If you don't want to give your information to Uncle Ken, register with fake details. I did. Makes no difference whatsoever, and nobody has ever checked anything. I think I gave my real date of birth in case it's ever used as password verification or something, but that's it and I've never been asked for it anyway.
Great comments (thanks GOOGLE for bringing me here)
Im concerned with the subject though and thanks for making me aware.
One matter where there will be difficulty is (myself included) for the 'out of towners' who have to pay their TOC (train operating Company) for a zone 1 ticket (eg to get to VICTORIA) then, when passing through the gate, the OYSTER READER will deduct a zone 1 debit from the card when I have no intention to use the underground and then, on my return, will deduct another single on my way home - equating to paying for the zone 1 journey twice both ways when all I did was cross the border line.
On the other hand if I buy a train ticket from my TOC for a journey up to the zone 2 border (vauxhall) and then use my oyster card I will have to get off the train to validate it or may run the risk of payment avoidence claims.
Hmm another one of those amazingly good ideas thought up in an 'ivory tower' without any reference to whats going on on 'planet earth'
Maybe another attempt by Ken L to win the greater london travel franchise from Network Rail and the TOCS?
If so (and Ken if you are reading this) what a fiasco would have been last night (new years eve) if the unions had shut down the whole of greater london travel (if you do get to run the lot) based on their wish to renage on an earlier agreed terms and conditions?
I keep my Oyster Card in my leather wallet as opposed to the plastic wallet given free with it (and seen in the picture in the first post).
When I "touch in and touch out" it often doesn't work the first time I put the hidden face of the card in contact with the reader. Between the card and the reader there's one layer of leather and three thin silk layers (and sometimes a receipt, bank note, or something else).
The reader often flashes an error / unreadable message at me but, when pressing the wallet more firmly to the reader, it reads it okay and lets me through the barrier.
So, if it struggles to read the card through a bit of leather and paper, then surely there is little risk of it accidentally deducting money from the card when you're just walking past the barrier and the Oyster Card is in your pocket? Similarly, how would anyone sitting next to me on a train with a scanner read the information on this (or a passport, etc.). I guess a stronger (unauthorised) scanner would do this easily would it?
From my experience I see no need for protecting the card with foil or some other means. Has anyone else had similar experiences to me?
@ IanC - how can you tell if your Oyster Card (or any other contactless Smart Card in common use, like door entry passes or the forthcoming contactless / RFID ICAO standard Passports) has been sneakily read by an unuthorised scanner or not ? You cannot.
When the Oyster system was being tested prior to going live, they did have to turn down the power on the yellow readers, as they were picking up Oyster Cards from the adjacent Tube gates. The 13.56MHz ISM licence free radio signals can be legally used at a power setting which is adequate for "portal" applications i.e. a doorway wide enough for a person to walk through, like an airport metal detector scanned by a reader on one side i.e. somewhat wider than a Tube gate.
So even "legal" scanning equipment will pick up your Oyster Card at a distance 8 or 10 times the TfL implemented power setting.
An illegal scanner (which would not have to even be a modified one, only one designed to work in a country like the USA where higher power levels and/or more sensitive antenna are permitted) could do so at an even longer range.
Provided that the TfL equipment is maintained properly (not something that is certain), then, it is likely, that there is little risk of having money falseley deducted from your Oyster card by TfL.
However, when stage 2 of the project rolls out, with Oyster Card readers in third party company hands, for the Electronic Purse function "cashless shopping", then all bets are off.
In reading the oyster cars, is the whole card read, or is there a chip inside, Essentially i want to cut out the chip and stick it to the back of my wallet, i just thouht this would be less hassle, so please tell me if cutting the card would render the oyster inoperable
@ Boy-o-flex - the chip is quite small - it is about half a centimetre square in the upper right hand of the card level with the word oyster (blue side up). It is easeier to see the slight blemish in the plastic where it is embedded, on the reverse i.e. in the top left corner.
However there is also a wire loop antenna, which is vital for the radio link and for powering up the chip, which runs around the circumference of the card, again, about half a centimetre from the edge.
If you have really good scalpel skills you could probably do it without damaging the system, but what will it achieve ?
The antenna will not work properly if it is bent or folded, which is why it is held nicely in place by the thin plastic card.
Thanks a lot, for your advice, i realise it is not possible to do what i had planned
actually some of what you've said is crap
You don't need to take the card out of the plastic wallet for it to be charged or read. There is no need to get it out What so ever. Thus no body being able to see your card number...
@ Matthew - You seem to have entirely missed the point. Perhaps you should read the whole thread again.
We were talking about preventing accidental deductions of money, or sneaky remote reading / tracking by unauthorised reader equipment, of the electronic ID number in the Oyster Card, by use of a simple homemade aluminium foil radio frequency shielding
lining the standard plastic wallet as illustrated by the photo.
I landed at this webpage by accident while Googling something else.
Here in Hong Kong, we've been using the Octopus card for about 10 years. Works the same way and has the same tracking functions as the Oyster. Additionally, the Octopus has also become (almost from Day One) our electronic money for groceries and other everyday shopping. The Octopus is made by Sony.
In the old days (i.e. about 3-4 years ago), our Octopus came with an antimagnetic pouch to shield it from accidental cash deductions. We've had people using aluminium foil, but they don't work as well as the antimagnetics. Maybe it's the same situation for London. Today, the readers are much, much more realiable and accidental deductions or card failures are almost unheard of.
What are the antimagnetic strips? You know, it's those plasticky magnetic things you stick on refrigerators. Thin and non-metallic.
Here's something interesting. I was in London in December 2005. I had an Oystercard with me, but I swiped my Octopus instead by mistake. The reader machine emitted a high-pitched noise, went kaput, and had to be reset by the staff. This was in Piccadilly Circus during the evening rush hour.
GuyUK wrote:-
One matter where there will be difficulty is (myself included) for the 'out of towners' who have to pay their TOC (train operating Company) for a zone 1 ticket (eg to get to VICTORIA) then, when passing through the gate, the OYSTER READER will deduct a zone 1 debit from the card when I have no intention to use the underground and then, on my return, will deduct another single on my way home - equating to paying for the zone 1 journey twice both ways when all I did was cross the border line.
This is quite impossible when it comes to overground railway as PrePay is not allowed and will not let you pass through the gates, Prepay is purely a TfL thing, nothing to do with national rail.
If you have a Travelcard on your Oyster it wont matter how many times you swipe it, you wont pay extra.
A word of warning though the revenue protection will be piloting a new handheld reader which will be able to read your card from several feet away. The trails will be taking place on the Southern and SouthWest ToCs
Ha Ha Ha. Why the hell would anybody at TfL be remotely interested in you or your journeys at 4 in the morning to soho?
I think perhaps we could employ even better methods to avoid surveillance. lets all wear aluminium foil over our entire bodies to avoid those nasty radio waves and mean cctv cameras.
Im sure anyone of you would be well chuffed if a peadophile or rapist attacked you or someone you love and they couldnt be caught because they were wearing a tin foil jump suit and dark glasses.
Get over it. If you dont like oyster - buy paper tickets. if you cant afford paper tickets - walk. or get a bike. But remember - always pay in unmarked bills or big brother will get you. ooooooooooo!!!!!!
by the way - the company who developed the technology for the Oyster card also make military tracking equipment for the government, NATO and also US armed forced.
Are you scared yet? they can seeeee yooouuuu!!!
@ Thomson - TfL are already handing over your Oyster Card data to the Police etc.
http://www.mayor-of-london.co.uk/blog/2006/03/oyster_card_data_use_by_the_police.html
There are already open source tools available via the internet to allow people other than TfL, including criminals or terrorists, to track Oyster Cards remotely
e.g.
http://rfidiot.org
You may not value your privacy and security, but we do.
TfL could hand over the same information based on a Mag ticket serial number, althogh associating a person with the ticket is not as easy.
Will any of the open source tools available actually read (as opposed to attempt to read) an Oyster card? It's not just an open system - they would need the keys which will presumably eventually happen - then the keys will be changed and the whole process will restart.
@ rom - you do not need to be able to read what is stored securely on the Oyster Card, in order to use cheap, perfectly legal reader equipment and simple open source software, to log the time date and location of individual Oyster Cards, and thereby almost certainly the people who carry them, without those people's express permission.
This can all be done entirely independently of the Transport for London infrastructure, and their alleged safeguards.
If you could read what is on each individual card, then the system would be entirely compromised, and open to massive fraud, as you could then clone Oyster Cards and change or reset the amount of money stored on them, or on a programmable device which pretends to be an Oyster Card to a reader
Since the Phillips MiFare system has been in use around the world, and does not seem to suffer from such frauds, this second scenario seems unlikely, but the third party tracking without your permission or knowledge scenario does seem to feasible.
Can you identify individual cards wih the equipment you describe if you can't read the encrypted card data?
@ rom - take the analogy of using your web browser to connect to an internet bank or e-commerce website, which protects your financial details over the internet using a Secure Sockets layer (SSL) or Transaction Layer Security (TLS) encrypted session.
Your local network administrator or your Internet Service Provider cannot read your banking or credit card transactions because of the encryption, but they absolutely and routinely do know on what date and at which time and which IP address or URL you used to connect to the secure website, information which they may hand over to someone else either for law enforcement reasons, or simply for money.
Similarly with "proximity" or "contactless" or "RFID" smartcards or tags or tickets etc. the reader equipment has to be able to distinguish between two or more smartcards or tags which happen to be within range of the permitted strength radio signal ("collision avoidance"), otherwise, just as with an IP address on a computer network, some or all of the wrong data will end up at the wrong network card, usually preventing either of the non-uniquely addressed devices from working properly.
There are already various commercial marketing experiments in tracking unsuspecting individual members of the public, which are illegal in the UK because they do not obtain the explicit, individual's informed consent first, according to the Principles of Data Protection enshrined in the Data Protection Act e.g.
When, as with Transport for London, the technology is combined with CCTV camera surveillance, the threat to your privacy, and in the wrong hands, to your security is increased.
With any of these radio based schemes, they usually send out some characteristic information like a unique serial number, as part of the initial smartcard or device to reader handshake protocol, before any encryption can be established.
This is what betrays your privacy / security to an unauthorised attacker.
With things like mobile phones , actively pinging devices or cards from an unauthorised reader is illegal because of the controlled monopoly which the mobile phone networks have paid billions of pounds for exclusive use of that radio frequency. Anyone doing this will have their equipment seized etc.
With Licence Free, Industrial Scientific Medical band frequencies, such as those used by the Oyster Card, the new Biometric Passports, BlueTooth, WiFi etc, there is no such thing as an "unauthorised" radio transmitter, provided that it keeps within the agreed power limits, something which is much harder to enforce than just the mere presence of a transmitter on a particular frequency. The popularity of such devices also makes the required equipment cheap, and available worldwide.
If you have voluntarily signed up to be tracked by such schemes, and are getting the benefit of some service or getting money to do so, then that is fair enough, but to do it without the informed consent of those being snooped on, often for the financial benefit of third parties, is wrong.
Doesn't really answer my query. You said:
"With any of these radio based schemes, they usually send out some characteristic information like a unique serial number, as part of the initial smartcard or device to reader handshake protocol, before any encryption can be established"
Do you know whether this is the case with Mifare based systems like the current Oyster cards? I'm trying to understand whether there is a way of identifying individual cards using the methoods you describe, or there is a perceived threat because someone might be able to identify individual cards.
@ rom - it is only a question of economics.
There are already of thousands of "legitimate" Readers which can cope with MiFare and usually several other similar variations of protocols as well, around the world, not in the direct control of Transport Authorities, since other countries have successfully implemented third party commercial schemes to use their equivalent cards to allow the purchase of non-travel ticket items e.g. newspapers, sweets etc. from third party commercial companies.
Transport for London's scheme seems to have foundered , for the moment. as they cannot seem to sort out the financial aspects properly.
These retailers not only have access to the unique serial numbers of any passing customers and non-customers within radio range, but they can obviously read the actual stored data as well i.e. the amount of money, and in some cases the transaction history of purchases at other vendors.
If this technology gets "cracked" with Open Source tools, that does not increase the existing vulnerabilities, it only reduces the cost of exploiting them.
Attacks which are not worth investing in to compromise a small amount of money stored on a travel ticket, and a limited travel location history, certainly are worth investing money and effort in, when the same technology is used in a vastly more valuable target like a Biometric Passport or Identity card.
Illegally boosting the radio signals to much greater ranges than the legitimate equipment is tuned for within the permitted legal power levels, is only a question of better / bigger antennas and amplifiers.
None of these privacy and security threats posed by individual technologies should be looked at in isolation, it is the combination of mobile phone tracking, CCTV surveillance combined with RFID tracking etc.(as personal items so tagged get more widespread) which needs to be considered.
I love the Oyster card. Whenever I rob a bank I simply send a friend, wearing similar clothing, on a day out around town using my card. Perfect alibi.
I am so scared. At this moment i have a Oyster Card and doubtless there are probably 40+ satellites looking at me, there is also a silent black helicopter hovering above my roof scanning my flat with a death ray and as i sit typing this with a tin foil hat on my head i am really scared. I am sure that the government is so interested in my mundane life that i am being followed by people like Agent Smith from the Matrix and just yesterday someone got on my train and got off the same stop as me. Because of this i had to run the whole way home.
No really people i could not care less about what organisations "follow" me around i have better things to do with my life than talk rubbish all day long.
@ wam434 - if you really have "nothing to hide, nothing to fear", then why not post your real name, address and other contact details here ?
No ? Perhaps you actually do have something you wish to keep private from criminals and commercial and government surveillance ?
Well it seems most of london are being mugged off with oyster card prices !!!!
Not me i've found a way of getting all my journeys half price(yep child price)
and will do this for as long as i can ....
so to red ken "up yours" your system is'nt fool proof.......
@ darren - sounds like fraud, unless you are using a discount photo card issued to various students or unemployed or disabled people.
Hi
I have been a bad boy I got on a bendy bus for one stop without swiping my oyster card i got off my card was taken off me and I had to give my address. Probably not the place but are there any tips on an excuse I can use. I agree with some of your other posts big brother is everywhere there is absolutely no way I would have anything other than a pre paid card I don't want red ken tracking my every move.
Does anyone know the types of fines handed out?
Start an OysterCard sharing club at your office - empty cards go in the pot. Take a new one to recharge, use and put back in the pot when empty. The card is not going to be able to give anything but recent history of your movemens and not profile can be built up. Even better if you can use several card sharing schemes.
@ dug - a good idea. We swapped the particular Oyster Card in the photo with someone else's last year.
It is possible to cut an oyster card down to any size larger than the chip itself. Yes you will have to disconnect the antenna but a magnifying glass, the thinnest piece of wire, a smidgen of non heat metallic bond and a little manual dexterity means that you can easily reconnect a makeshift antenna externally and cellotape it in place. All data is initially lost. But if the card is powered up as a new card it will work. My contraption measured approx one inch by one and a half. I wedged it in behind the battery cover of my Blackberry. It could not always be read by the blue handheld readers as the bendy bus inspectors will attest. But all other readers worked and with the payment reciept they were ok. I had big fun for two weeks before it died. R.I.P.
P.S. It did take four cards to get there.
Identity Stronghold makes an inexpensive shielded card sleeve to keep your Oyster or other contactless cards in. They also have a shielded passport sleeve and a shielded ID badgeholder. This is the same as keeping your card wrapped in foil but much more convenient as it doesn't tear easily. Their website is idstronghold.com
If you want to get a weekly or monthly pass on an Oyster card and don't want to register your details, you can do this by buying a pre pay card and purchasing your travel pass (with cash-not debit card) through a newsagent. As most of you are aware, an underground station would not sell you a travel pass unless its registered.
On the subject of travel, does anybody else agree that the London Lite paper is another bombardment of trash which is an insult to people's intelligence and is another tool designed to distract people from the real concerns our society is facing?
Front page of the Daily Mail today reveals a new law being implemented TOMORROW which will allow the Government to spy on all our mobile and landline calls:
http://www.dailymail.co.uk/pages/live/articles/news/news.html?in_article_id=484752&in_page_id=1770&ct=5
This is staggering. How on earth could a law like that be implemented without debate and consultation? We are firmly entrenched in a Police State. The masses need to WAKE UP.
@ Lynsey - useful advice on Oyster Cards - remember also that you can swap them between friends and family (adjusting for any money on them at the time), which can blur the picture of your own personal journey patterns, but which will not affect the bulk data if it is used for traffic planning and service improvement purposes (we can but hope).
Regular readers of Spy Blog should be more aware than most people about the Communications Data Retention and the Cryptographic Keys snooping regulations which come into force on 1st October.
Technically there has ben "public consultation", sort of, although the mainstream media and Members of Parliament have not bothered to hold the Government to account over their proposals.
Spy Blog even ran a couple of sub-blogs last year, to try to stimulate some deabte on the proposed Codes of Practice under the Regulation of Investigatory Powers Act 2000:
RIPA Part I Chapter II consultation - Acquisition and Disclosure of Communications Traffic Data
and
Code of Practice for RIPA Part III - Investigation of Protected Electronic Information
However, the Labour Government went ahead with one of the policy options on which they were allegedly consulting the public (regarding the identification of dead or seriously injured people) , by issuing an Order right in the middle of the supposed 13 week public consultation process, They could not even be bothered to pretend that they were considering the responses to the consultation, before going ahead regardless.
This destroys any trust that these consultations are anything more than exercises in propaganda spin and manipulation.
We also pointed to the actual Secondary Legislation (a year later than originally threatened) , which was sneaked through amongst a batch of other repressive measures just before the Parliamentary summer recess, by the supposedly now "open and transparent and accountable" Gordon Brown regime, who is still using the same cynical manipulations as Tony Blair:
A flurry of repressive Labour government Secondary Legislation passes unnoticed by the mainstream media and opposition politicians
I have a Freedom Pass Oyster Card and on screen at stations can look at my usage. Is there any way I can look on web for my total usage after inputting my card identity number?
Regards,
Tim.
Zune and iPod: Most people compare the Zune to the Touch, but after seeing how slim and surprisingly small and light it is, I consider it to be a rather unique hybrid that combines qualities of both the Touch and the Nano. It's very colorful and lovely OLED screen is slightly smaller than the touch screen, but the player itself feels quite a bit smaller and lighter. It weighs about 2/3 as much, and is noticeably smaller in width and height, while being just a hair thicker.