Public Transport Victoria (PTV), now part of the state’s Department of Transport, breached the law when it released supposedly de-identified data relating to the use of Melbourne’s Myki card.
The Office of the Victorian Information Commissioner found that PTV breached the Privacy and Data Protection Act 2014 with the release of the data, which OVIC said allowed the travel history of users of the smart card ticketing system to be identified.
The data was released by PTV in mid-2018 as part of a “datathon” event. The data set released by the agency included details of 2 billion touch-on and -off events involving more than 15 million Myki cards.
Although the IDs of individual cards were obscured in the data, trips on a single card were still identifiable.
University of Melbourne researchers Dr Chris Culnane, Associate Professor Benjamin I. P. Rubinstein, and Associate Professor Vanessa Teague found that they were able to identify passengers if they knew only two of their previous “touch events”.
The trio contacted OVIC with their concerns.
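A pre-release check for the property described above, written as an added example for this article and not taken from the researchers' paper or from PTV: for each pseudonymous card it measures how many pairs of touch events no other card shares. The row layout, sample data and function names are assumptions made for illustration.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample rows: (pseudonymous card id, stop, touch time to the minute).
# The ids are random tokens, as in a release where real card numbers are replaced.
SAMPLE = [
    ("a91", "Flinders St", "2018-07-02 08:01"),
    ("a91", "Richmond",    "2018-07-02 17:32"),
    ("a91", "Flinders St", "2018-07-03 08:03"),
    ("c07", "Flinders St", "2018-07-02 08:01"),
    ("c07", "Footscray",   "2018-07-02 18:10"),
    ("e55", "Flinders St", "2018-07-02 08:01"),
    ("e55", "Footscray",   "2018-07-02 18:10"),
]

def coarsen(ts, level):
    """Generalise a 'YYYY-MM-DD HH:MM' timestamp to 'minute', 'hour' or 'day'."""
    return {"minute": ts, "hour": ts[:13], "day": ts[:10]}[level]

def pair_uniqueness(rows, level="minute"):
    """Return {card: fraction of its event pairs that no other card shares}."""
    events = defaultdict(set)
    for card, stop, ts in rows:
        events[card].add((stop, coarsen(ts, level)))
    holders = defaultdict(set)  # event pair -> cards whose history has both events
    for card, evs in events.items():
        for pair in combinations(sorted(evs), 2):
            holders[pair].add(card)
    result = {}
    for card, evs in events.items():
        pairs = list(combinations(sorted(evs), 2))
        unique = sum(1 for p in pairs if len(holders[p]) == 1)
        result[card] = unique / len(pairs) if pairs else 0.0
    return result

def share_singled_out(rows, level="minute"):
    """Fraction of cards for which at least one pair of events is unique."""
    scores = pair_uniqueness(rows, level)
    return sum(1 for s in scores.values() if s > 0) / len(scores)

if __name__ == "__main__":
    # Replacing the card number with a token leaves every trip linked to it,
    # so the check is repeated at coarser time resolutions as well.
    for level in ("minute", "hour", "day"):
        print(level, round(share_singled_out(SAMPLE, level), 2))
```

In the constructed sample, card `a91` stays unique on every pair of its events even when times are reduced to the day, while `c07` and `e55` are indistinguishable from each other.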
The PTV dataset included the type of Myki card as well as the time of the touch events.
“Some card types can indicate sensitive elements, for example, a Federal Police Travel Pass, a Federal Parliamentarian Travel Pass or a State Parliamentarian Travel Pass,” a write-up by the researchers states.
The researchers were also able to obtain the identity of a Myki card used by a Victorian MP, based on their tweets about using public transport.
“This work highlights how a large number of passengers could be re-identified in the 2018 Myki data release, with detailed discussion of specific people,” the trio’s paper (PDF) states.
“The implications of re-identification are potentially serious: ex-partners, one-time acquaintances, or other parties can determine places of home, work, times of travel, co-travelling patterns—presenting risk to vulnerable groups in particular.”
“Your public transport history can contain a wealth of information about your private life. It reveals your patterns of movement or behaviour, where you go and who you associate with,” Information Commissioner Sven Bluemmel said.
“This is information that I believe Victorians expect to be well-protected.”
OVIC said today it had issued a compliance notice to the Department of Transport, and that the department will be “monitored” for the next 18 months.
OVIC said that the department had not accepted the finding that the release of the dataset breached Myki users' privacy.
The Melbourne Uni researchers in 2016 also revealed that the federal Department of Health had improperly de-identified data it released. That led to a government attempt to criminalise re-identification of supposedly anonymised data; that legislation stalled, however, amid concern over the impact on researchers.