Nelz's Blog

Mah blogginess

ClipperCard - Personal Privacy Audit

For the past few months I’ve been commuting from San Francisco to Palo Alto via CalTrain, which was the impetus for me to finally get a Translink card ClipperCard. (I actually got my card right at the tail end of stock of Translink-branded cards, just before they renamed the whole system. At that time you could either order the card from the website, which was an ineffectual joke, or you could cough up five bucks and get just get a new one at your local Walgreen’s, which is what I did.)

Not that I have a whole lot to hide nor do I wear a tinfoil hat, but every once in a while I like to do a personal audit of where my privacy could be (or is) getting invaded. So, I’ve been collecting informal data points about my experience with the ClipperCard, which is what leads to this post.

What They Expect

Here is my daily paper trail (all times are approximate):

  • 0800: “tag on” an inbound #14 MUNI near Duboce & Mission
  • 0810: “tag on” an outbound #47 MUNI near 11th & Mission
  • 0840: “tag on” at the CalTrain station at 4th & King
  • CalTrain conductor scans my ClipperCard on the 0844 Southbound train
  • 0926: “tag off” in Palo Alto on the Southbound side of the tracks
  • 1700: “tag on” at the CalTrain station in Palo Alto on the Northbound side of the tracks
  • CalTrain conductor scans my ClipperCard on the 1706 Northbound train
  • 1744: “tag off” at the CalTrain station at 4th & King
  • 1746: “tag on” to an inbound #47 MUNI at 4th & King
  • 1800: “tag on” to an outbound #14 MUNI at 11th & Mission

Ways to Mess With the System

  1. I have a monthly pass for the CalTrain. I’ve realized that my pass doesn’t ever require that I tag on and tag off, as long as it responds appropriately to the on-train scanning by the conductors.
  2. The only times I’ve gotten away without being scanned by a CalTrain conductor is when the train is packed to standing-room-only because of a baseball game in the city. You might be able to sneak past the conductors, but I wouldn’t count on it.
  3. Similarly to CalTrain, I don’t really need to tag on to the MUNI busses, as long as my monthly pass resolves itself to a Fare Inspector. Most of the drivers will either look at you funny or explicitly require you to least flash your card by the reader. However, you can get a beep out of the readers by placing your card on the reader, but then removing it quickly. The reader realizes there’s some kind of card in front of it, but I’m assuming it can’t figure out exactly whose card is there, so it gives an error-sounding beep. This usually satisfies the drivers. (Only once in a month of doing this did a driver shame me into fully tagging the reader.)

What They Can (Still) Learn

If I didn’t take the pains to mess with my own data, you could have a pretty good idea that I live somewhere near Duboce & Mission and that I work somewhere in Palo Alto. With further analysis (and further data that I didn’t provide here), you could also notice that on alternating Wednesdays I don’t go to Palo Alto, but I seem to take the 14 to work somewhere in downtown, probably near 3rd and Mission.

I was able to mostly obfuscate my whereabouts with regard to the MUNI surface busses, except for the occasional pedantic driver. Plus, there’s a built-in obfuscation because they don’t require a tag off. However, this obfuscation doesn’t hold if you are trying to get into one of the underground stations downtown (or BART, for that matter).

For CalTrain, I was able to obfuscate the specific stops where I get on and off, but since my monthly pass is specifically identified as a Zone 1 (SF to San Bruno) to Zone 3 (Atherton to Sunnyvale) and I use “Limited” or “Express” lines (which only service certain stations), they can still get a general idea as to where I’m located.

Additionally, if you look at the records of the conductor scans, you’ll find that on my return trip I am repeatedly found within 2 or 3 scans of specific other customers. You might be able to deduce that since I am likely coming back from work, these other people are highly likely to be my coworkers. And if these people explicitly tagged on, there’s a high probability that you now know where I got on, even though I didn’t tag on myself.

Other (Potential) Problems With the System

To use the website to add cash in addition to the loaded passes, you had to do some configuration. I didn’t recognize it as a problem at the time, but it required that you have a valid credit/bank card. A friend of mine (who had to cut up her credit cards to pursue a debt-free lifestyle) said she was basically left by the wayside with regards to the ClipperCard and the benefits of its use. (Which is becoming, more an more, mandatory for monthly pass holders.) I do not know if this is still the case, but it sounds like something the ClipperCard implementers would do.

Another thing to keep in mind is that all my travel is also hooked up to my Credit Card via the ClipperCard website. You’d have to talk to other black-hat-ier people than I to learn how vulnerable the ClipperCard site is. (As a none-too-impressed end user of the website, I am sure the implementation has plenty of security holes.)

One last thing to keep in mind is who has access to your ride records. A co-worker said he was able to get a CSV file of all his ClipperCard tag ins, just by calling the Customer Service line and the rep running a quick query to get all his activity. This means the reps probably have access to everyone’s records at their whim. I have dealt with Customer Service at ClipperCard, and I’m sure it’d be pretty easy to socially engineer one of them into giving up a whole bunch of information.

Do I Care?

What does this all mean? Well, with a little bit of effort, you could figure out where I am likely to be at several points during the week. Why do I care about this? Imagine a universe where I am a vocal proponent of a measure that takes aim at MUNI drivers’ pay, and people within the union want to find me at some point to change my mind for me… Is my data easily obtainable, especially to those within the public transit system? I think so.


In this exercise, I’ve tried to show just how vulnerable your personal location data can be, and how it could be used to gain some further bits of knowledge about you.

In reality, the biggest risk to the average person in the ClipperCard system are the potential for a third-party (hacker) to get your credit card and personally-identifying information. A far smaller secondary risk is having your historical transit records and patterns made vulnerable, specifically because access to this information is a lot less regulated than access to your personal financial information.