The MTA’s switch to OMNY machines is a privacy nightmare

The end of the multi-decade-old MetroCard system is nigh. Last month, the MTA announced MetroCard vending machines would be totally replaced with One Metro New York, or OMNY, kiosks starting in 2023, which would push New Yorkers toward the new tap-to-enter system.

The subway might be badly in need of a tech update, but the new system threatens an inescapable tracking regime that puts our very freedom at risk.

OMNY’s tap-to-enter terminals are already in stations, and its new, more expensive, $5 prepaid card is available today at some retailers. However, its rollout to become the only option across all stations and programs means that New Yorkers will have no choice but to cede all the rider data OMNY can pick up, with no certainty over how it will be exploited. 

The new kiosks will be operated by the Cubic Corp. Early designs and the program’s presence thus far imply that there will be a strong push for straphangers to use tap-to-pay transactions, especially with their phones. 

Cards like the ones these new machines will be supplying are likely to follow the model of other Cubic Corp. cards, including San Francisco’s Clipper and London’s Oyster cards. The OMNY card will likely have a persistent identifier that makes tracking people throughout the city an easy task.

Tying those journeys to a real name and personal information becomes significantly easier if you link that card, or a phone or credit card, with an OMNY account. Accounts have users’ names, payment information, and every web tracker and cookie the OMNY account management site might decide to deploy—along with data scraped from social media—associated with their method of entry. 

While the MTA’s MetroCard is also run by Cubic, that system was deployed in 1991 and doesn’t have quite the same tracking capabilities. Transit justice organization TransitCenter reported that the MTA has stated OMNY will give the city “near-instantaneous” reporting on rider tap-ins and travel, an improvement from weeklong delays for MetroCard data. Tap-to-pay with a phone leverages near-field communication (NFC) technology, a system with its own issues that exacerbate the OMNY system’s existing privacy concerns. 

Who will they share this new trove of data with? The current legal landscape and previous experience with Cubic tells us that warrantless access to this data is both permitted and commonly exercised. 

The NYPD has accessed MetroCard data in pursuit of cases in the past. Cubic-run systems have a history of extensive cooperation with law enforcement. London’s Oyster card received more than 3,000 requests for data from police in a year. The Clipper card released data to police with only a subpoena. The existing MetroCard, Ventra card, and similar systems have been used by law enforcement officers, public prosecutors, and lawyers to both free and convict citizens, with the current MetroCard system already making up a part of the NYPD’s massive surveillance program. 

Once it acquires that data, New York’s justice system has already proven more than willing to share it with U.S. Immigration and Customs Enforcement. The NYPD’s various programs reported on by journalists, nonprofits, and its own disclosures under the POST Act also show that it is ready and willing to combine data sources, enriching what is now real-time information with the user data flowing from all over the web, available to anyone willing to pay. Now that will be connected to OMNY user accounts and the mobile provider data attached to your phone, which can be linked with your OMNY account and tap-ins. 

Outside of sharing data with NYPD and ICE, Cubic administers services for the military and intelligence agencies. Cubic’s website does not appear to have a privacy policy stating what it does with data it might store on behalf of subsidiaries like OMNY. 

Cubic’s owners are only more worrying. In 2021 the private equity firms Veritas Capital and Evergreen Coast Capital purchased Cubic, taking it off the stock exchange and making the ways it makes money much less transparent. Veritas Capital’s statement about data use, required under the California Consumer Privacy Act, seems to indicate that it collects and shares information from companies in its portfolio. Veritas Capital’s portfolio of companies includes multiple defense contractors and the Department of Homeland Security’s biometrics database.

Evergreen Coast Capital appears not to have a website or a public privacy policy or a CCPA statement. However, it has purchased major audience tracking firm and wannabe ad tech company Nielsen. One of the other firms it partnered with noted that “Nielsen will be even better positioned to deliver the best measures of consumers’ rapidly changing behaviors across all channels and platforms.”

The data itself is well suited for “enrichment” by joining to other data sets. Multiple entities besides the NYPD and ICE will be incentivized to do so. There is a great deal of money to be made selling user data.

The linkup of easier-to-access systems plus real-time data means whole new risks.

A phone already emits enough data to make it trackable, regardless of OMNY use. However, while data brokers can find and sell plenty of user records already, one of the hardest things to supply is subway rider data. Current tracking practices mean purchasers of mobile service providers’ data can attach users to locations, in many cases using triangulation from cell towers (and, in some cases, tracking web surfers).

But subway lines travel above and below the street level so riders’ mobile identifiers mix with walkers, shop visitors, and drivers—or are blocked entirely. The subway represents one of the last few areas where our signals go dark (or at least get a little fuzzy, especially since, unlike many other systems, New Yorkers don’t tap to exit).

But once the various identifiers attached to a mobile device are combined with a persistent OMNY ID—through accessing your account on the web, buying a card with your mobile device, tapping into the OMNY system with a phone’s NFC system—the final bits of accuracy will be resolved. Even paying in cash may not be enough to prevent the data from being joined by syncing records with time stamps. 

What that accuracy will be used for remains very unclear. Across multiple reports the city and OMNY program have failed to give details when asked about issues of privacy and data security. OMNY’s privacy policy permits the use of extensive data collection, including device identifiers on a phone, registration, credit card data, scraping social media, cookies, and “web beacons.”

The privacy policy does not put into place many limitations for use either. OMNY says “we may share your Personal Information among our affiliates and subsidiaries,” which could very well include Cubic, and who knows who else. 

The policy permits OMNY to create new products by anonymizing data, but what methods it uses and how easy the anonymized data would be to join to other data to de-anonymize it, the policy doesn’t say.

The Surveillance Technology Oversight Project notes that the process of generating anonymized data products “would require large volumes of data to be useful, indicating that the MTA and Cubic will store rider data for a long period of time.” It’s also quite clear that it will “respond to requests from public and government authorities” without noting under what requirements or conditions.

There seems to be no guarantee against expanding data collection with OMNY in the future, once the heat of the rollout is off. Cubic has proven very willing to expand toward controversial facial recognition technology. Face capture might not be too hard to do since OMNY terminals seem to have cameras installed, even though New York City has declared these cameras will not be used toward that end. 

Cubic also has had no problem launching its own ad system. If Cubic eventually chooses to become a data broker directly, the amount of data it could become involved in joining could worsen the already highly invasive nature of such systems. OMNY data could even become part of the sale of New York transit advertising.

Outfront, which sells most of the poster space in the subway, claims to use “footfall measurement” and “proximity targeting technology.” JCDecaux runs advertising on a number of bus shelters and newsstands, and its marketing mentions the use of Bluetooth beacons and the same type of near-field chips that power the OMNY system.

This highly accurate information isn’t just valuable monetarily. The TransitCenter report on OMNY notes that the data it creates introduces “the possibility of real-time social controls. The impulse to use transit to restrict people’s movement and limit collective expression is well-documented in the U.S. and abroad.”

The report cites Hong Kong using data from its transit system to determine which stations to shut down to best deter protesters, and cities that shut down transit to stop Black Lives Matter protests.