Privacy for Public Transportation
  Thomas S. Heydt-Benjamin with Hee-Jin Chae, Benessa Defend, Kevin Fu
  University of Massachusetts at Amherst, Department of Computer Science
Who knows your travel information?
  Transit Authority
  Law Enforcement
  That weird guy sitting across from you!?
What data are vulnerable?
  Unique card ID (not shown)
  Current Balance
  Entrance and exit date and station
  Details of merchandise purchase
  Beginning Balance
Why protect travel data?
  Sensitive records are published in anonymized form
    Medical data for epidemiology and early detection of bioterrorism [Mandl 06]
    US law requires reporting of domestic abuse shelters [Sweeney 06]
Re-Identification
Exposure to data is a liability for the TA
  Data gets stolen
    40 million records exposed due to improper data retention at CardSystems Solutions according to NY Times.
  Privacy preserving transit ticketing:
    Protects transit passenger
    Protects transit authority
Models and assumptions
  Who are our adversaries?
  What does privacy mean?
Adversaries
  TA (Transit Authority)
    Global active adversary with respect to privacy
  Malicious third party: Mallory
    Active man in the middle adversary
    Wants to steal Alice's ticket
    Wants to identify and track Alice
  The passenger: Alice
    Wants to steal service from TA
What is privacy?
  Some transactions will be identifying
    Passenger may provide credit card at purchase time
  Degree of privacy defined as:
    Degree of difficulty with which adversary can link identifying transactions with past and future transactions
Challenges
Challenge #1: Migration to RF technologies
  RF: Different threat model
  With magstripe, personal data unencrypted
Challenge #2: Systems Constraints
  Resource constraints
    Maintain compatibility with passive RFID transponders
  Communications:
    Support for offline operation
Challenge #3: State without privacy degradation
  Transfer between transit system segments
    but: transfers imply some degree of linkability
  Variable rate fare structure
    Many transit systems charge based on distance travelled
    Information necessary for fare calculation implies limit to anonymity
Approaches
Some popular approaches
  No secure channel
    Fails Challenge #1 (RF vulnerabilities)
  Per card symmetric key looked up by card id
    Fails Challenges #2 (offline) and #3 (privacy preservation)
  [Figure labels: E (transaction); "Sorry! I'm offline at the moment!"]
Approach to Challenge #1 (RF)
  Secure channel
    Protect against eavesdropping adversary
  Verifiable authorisation of reader
    Protect against middleman attack
    Protect against third party adversarial readers
  Good key management properties
    Graceful revocation
    Offline private key
Re-Encryption Authorisation
  [Figure labels: Re-Cryptography; E (nonce); E (nonce)]
  Only works if reader has unexpired authorization key
Secure channel meets Challenge #1 (RF)
  [Figure labels: ???; E ($3000); nonce; $3000]
Meets constraints of legacy system (Challenge #2)
  Ticket stores only a single key
  Ticket performs only a single asymmetric crypto operation
    Confidence of reader authorisation and session key
  Limits scope of damage when reader compromised
  Revocation: no computation, communication, or storage
  Suitable for offline authorisation
Ticket Types
  Passive RFID transponder
    Already has widespread deployment
    Has no user interface
    In order to communicate with user, must broadcast state!
  Active mobile device
    Has user interface
    Secure mobile devices for payment [Chaum 85]
    Active proxy for RFID privacy [Juels 05]
Ticket Types and State (Challenge #3)
  We observe that active transponders can provide privacy enhancements for many passengers, not just their owners
  [Figure labels: $3000; ???; $3000; $3000; $200; $1.50]
Current Approach to State (Challenge #3)
  TA Stores: Card #1234 = Alice
  [Figure label: Card #1234]
  TA Stores: Alice entered at 17:30 Grand Central
This state is linkable to identity! Fails Challenge #3
  TA Stores: Alice exited at 17:50 Hospital Station
  TA Computes: Trip fare = $3.50
  TA Computes:
    Card #1234 (Alice) exited system 30 minutes ago
    Card #1234 (Alice) exited from adjacent station
    Therefore Transfer is valid
Our Approach to state is privacy preserving
  Parameterized single-show anonymous credential
  Proof of parameter validity in zero knowledge without revealing exact values
    For example: proof of non-expiry without revealing exit time
  [Figure labels: "Who are you?"; "From subway, Unexpired"]
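As an added illustration (not from the talk or the authors' system), the Python model below applies the talk's definition of privacy to two kinds of TA records: a log keyed by a persistent card ID, and a log in which every show presents a fresh single-use credential. The records, handle names and function names are constructed for this example, and only the linking handle is modelled, not the zero-knowledge proofs themselves.

```python
from collections import defaultdict

# Constructed sample records (not data from the talk). Each record is what the
# TA retains. "name" is present only when the passenger identifies herself,
# e.g. by paying with a credit card at purchase time.
CARD_ID_LOG = [
    {"handle": "card-1234", "event": "purchase", "name": "Alice"},
    {"handle": "card-1234", "event": "enter 17:30 Grand Central"},
    {"handle": "card-1234", "event": "exit 17:50 Hospital Station"},
    {"handle": "card-5678", "event": "enter 17:31 Grand Central"},
]

# Same trips, but each show uses a fresh single-use credential and reveals
# only the predicate the reader needs (assumed handles, one per show).
SINGLE_SHOW_LOG = [
    {"handle": "show-a91f", "event": "purchase", "name": "Alice"},
    {"handle": "show-03c7", "event": "enter, credential valid"},
    {"handle": "show-77d2", "event": "exit, from subway, unexpired"},
    {"handle": "show-e410", "event": "enter, credential valid"},
]


def linkable_events(log):
    """Return {name: [events]} that the record holder can attribute to a person.

    An event is attributable when it shares a handle with any identifying
    transaction, whether that transaction happened before or after it.
    """
    by_handle = defaultdict(list)
    for rec in log:
        by_handle[rec["handle"]].append(rec)
    linked = defaultdict(list)
    for recs in by_handle.values():
        for name in {r["name"] for r in recs if "name" in r}:
            linked[name].extend(r["event"] for r in recs)
    return dict(linked)


def exposure(log):
    """Fraction of all retained events attributable to a named person."""
    linked = linkable_events(log)
    return sum(len(events) for events in linked.values()) / len(log)


if __name__ == "__main__":
    for label, log in (("card ID", CARD_ID_LOG), ("single-show", SINGLE_SHOW_LOG)):
        print(label, linkable_events(log), exposure(log))
```

Run against a real retention schema, the same grouping shows which stored field acts as the linking handle and how much of the log one identifying purchase exposes.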
Summary of our approach
Future Work
  Cloning detection for online anonymous credentials systems exists [Damgård 05]
    Similar systems needed for offline environment
  Indistinguishability of active transponder and commercial passive transponder must be studied in greater depth
    Our preliminary measurements show our active transponder design to be indistinguishable.
Conclusions
  Existing systems offer insufficient protection both for passengers and for transit authorities
  Preservation of passenger privacy is possible without relinquishing features needed by TA
    Fraud Protection
    Transfers
    Variable rate fare structure