Director of Privacy, Technology & Surveillance Project
December 31 is the end of an era for Torontonians. It’s the last day, ever, that we can use a metropass on the Toronto Transit system. From January 1 2019, the Presto electronic payment system takes over, and that means that our ability to travel by bus or subway through the city untracked has radically decreased. We could buy a metropass with cash, use it every day all month by showing it to a fare collector, and no record that connected us with that card would be created. Not so with Presto.
Presto, now in operation in Greater Toronto, Hamilton and Ottawa transit systems, is developing a reputation as the system we love to hate. But the gripes you hear floating around about the switch from pass to Presto are focused on the fact that the Presto system is plagued with dysfunctional card readers, auto-fill errors that leave riders unexpectedly out of funds, and vending machines that are better at taking money than spitting out new cards. These are all irritating, but they’re likely to get fixed over time.
The big issue that we’re not talking much about at all is privacy—when Presto becomes the only option, anonymous travel becomes pretty much impossible. That’s because of the way the Presto system is designed, as a re-loadable card that requires people to create an account and probably link a credit card to maximize benefit and convenience.
Presto is optimized to operate for identified users. When we become an account holder, benefits include the ability to cancel a card if it’s lost, the ability to check to confirm we’re only getting charged for the trips we’ve taken, and the ability to automatically re-load a card by linking it to a credit card. But all that convenience comes at a cost. Every ride is tracked. Every time we tap the card our presence is recorded. That information can be shared with police, transit safety officers or special constables, without a warrant in many cases. The records are stored for at least five years, according to the Presto terms of service. And to be clear, much of the data collection is not a necessity, it’s a design choice. Many of the benefits—including online reload and reviewing charges—could be possible without recording your location every time you tap, that’s just not the way the system was designed.
Technically, you could pay for a presto card and a monthly pass in cash at a service counter and avoid all that data collection by choosing not to register the card. Your trips would still be linked to the card, but not explicitly to your identity. Of course, you’d lose the option to cancel the card if it gets lost (making it much like the metropass), to autoload or autorenew. But the next month, if you didn’t want the data to accumulate, you’d have to replace the card and pay cash for another one. So privacy becomes hard, it becomes more expensive, and when those two factors combine, it becomes more and more unlikely.
It’s reasonable at this point to be asking, why should this matter? Why care? Everyone collects data now, right? Of course, the answer to that is increasingly, routinely, yes. And that’s the biggest reason why the Presto card should give us pause. Realistically, it wasn’t designed to be the ultimate transit surveillance device. No one sat down and said, how much information can we scoop up about transit users? Rather, the conversations were probably very much about user convenience, about providing features to make using transit easier, and about reducing costs for the transit authority, and the data collection was a means to an end without much thought about other implications. Presto is just an example of the way the world now works—and that’s the problem.
Because it’s happening in all aspects of our lives again and again—things we use to navigate our daily routines are being connected, networked, generating data either purposely or incidentally, which then can be used in ways that may benefit us, or may not, but either way it’s largely out of our control. Transit passes, cell phones, thermostats, watches, cars, even sex toys, everything is collecting information. Sometimes the data is needed to make a device do cool stuff. Often it’s also collected whether or not it’s needed for the initial functionality because it can add to the value proposition for the creator if the device makes money when it’s bought and then more money, perpetually, as its use creates a potentially profitable data stream.
We are moving, incrementally, device by device, towards a world where the price of participating in modern society is surrendering the sometimes trivial, sometimes intimate, but fundamentally personal minutiae of our daily lives to whoever has found a way to collect it. Each little piece feels, well, little. Each trade-off feels minor, often made in the context of an immediate gain—I want that app now, click yes and move on. But in our big data, algorithm-driven world, all those tiny bits, all those walks, talks, clicks and swipes, are being combined to create a portrait of us that can help reveal things to others that we don’t even know about ourselves. And we don’t know who those others are, most of the time, or what they will do with the information, or even if or how their actions will affect us. Maybe they will, maybe they won’t, and often we’ll never know.
We need to think about this, not blindly acquiesce. We need to make choices, not accept products that either deliberately or accidentally fail to include privacy protections as part of the design of the technology, and of the policies that surround it. We need better laws to protect us. We need to not fall for the old wheeze, if you’re not paying for it, you’re the product, because increasingly, we ARE paying for it but we’re still the product and we’re becoming convinced that we should be the product. We have to get past the notion that data is the new oil to fuel innovation and that cutting off the flow will shut down the machinery of the nation, because while oil comes from the remains of prehistoric organisms, data comes from—and has consequences for—living, breathing, humans. Of course businesses, even governments, want the capacity to collect information if it is useful or profitable, but that doesn’t mean we have to hand it over unquestioningly. We need to decide how much convenience is worth, and whether the benefits we get are worth what we give up in exchange, keeping in mind that privacy isn’t just a privilege, it’s a right, and we deserve it.
Presto isn’t the worst offender, it’s just a typical one. When the last metropass is swiped, probably a minute before midnight on December 31, the occasion will go unmarked. But we’ll have a little less privacy on January 1. As we begin a new year, we should resolve to demand better.