Myki gates, Springvale station

Some thoughts on the Myki data leak

This, the other week, was interesting:

In a concerning revelation, researchers have found that myki, in conjunction with social media, can be used to uncover a wealth of information about card users.

ABC: ‘Shocking’ myki privacy breach for millions of users in data release

Here’s the report and media release from the Office of the Victorian Information Commissioner:

Information Commissioner investigates breach of myki usersโ€™ privacy

Here’s the original study:

Two data points enough to spot you in open transport records

What happened was that PTV released a whole bunch of Myki touch on/off data for a “datathon” event, where people see what handy things they can do with the data.

It was “de-identified” – that is, Myki card numbers were removed and replaced with another identifier, which could link trips from a single card together, but not back to a card holder.

Or so they thought.

Part of the problem was they left in a flag indicating the card type. This is not just Full Fare (Adult) or Concession – it goes down to the precise type of Concession or free pass. For instance type 39 is a War Veterans Travel Pass; type 46 is a Federal Police Travel Pass.

With more than 70 types of card, some of the more obscure types are pretty rare, so if the person you’re trying to track down is using one of them, they’re probably not that hard to find, particularly if you know which stations they regularly use.

That’s presumably how the researchers found Anthony Carbines, State MP for Ivanhoe, I’m guessing travelling on a State Parliamentarian Travel Pass – by looking at the data, and matching it up with his social media posts, which included at least one from Rosanna Station.

I’m probably in there too. And so are you. (I’ve only seen a sample of the data; a mere 30 million card touch records out of the total 1.8 billion originally released.)

Myki machines at Southern Cross

Ultimately, it’s good that data sets like this are released. There actually should be a lot more of it – at present, the data released by PTV is very limited. Anything related to patronage or bus service performance is really difficult to find.

Perhaps the problem with not adequately cleaning the data is that they’re out of practice. Almost everything currently available either has nothing to do with passengers directly, or is at such a high level that it could never be used to find individuals.

More data should be out there. Ultimately, the public transport network is funded by taxpayers, and it should be a lot more accountable and transparent than it is.

One thing’s for sure: if they have a go at releasing this level of detailed data again – and I hope they do – they’ll need to be more careful to remove information that could be used to re-identify individuals.

Android tram

Is Google recording your conversations without you knowing?

You’ve probably heard about the case of the Amazon Alexa smart speaker that recorded a conversation and sent it to someone.

Amazon has been forced to explain how Alexa recorded a private conversation and sent it to an Echo userโ€™s colleague without their knowledge. A Portland woman identified only as Danielle revealed the odd series of events in an interview with local TV station Kiro 7, claiming that an Amazon Echo device recorded a private conversation between her and her husband and sent the recording to an employee of the husband. — The Verge

I haven’t got any speakers in my house that record. (Some of the newer Sonos devices can do it. Mine can’t.)

And I don’t think I particularly want any.

The other week, probably triggered by the EU’s GDPR legislation, I got an email from Google suggesting I do a privacy check.

I had a look, and digging around found a page on Voice Activity.

To my surprise, this has dozens of voice recordings, going back about 18 months.

Google voice recordings

Apparently the Google app on my Android phone (actually my current phone and the previous one) has semi-regularly decided I was trying to attract the attention of the Google Assistant (normally invoked by saying “OK Google”), and started recording, then saved the recordings in the cloud.

I can play the recordings. The sound quality isn’t great, but you can make out the words. In none of them did I actually want the Google Assistant. They’re just random conversations with people.

You can turn the option off (well, you can pause it). Which I’ve now done.

It’s good that you can access the recordings, and change the option.

But I wonder how many people don’t know that Google is recording snippets of conversations and saving them on their servers?

Check yours via this direct link, or go to myaccount.google.com and then choose My Activity; Activity Controls; Voice & Audio Activity (where you can also Pause the feature).

Note: the Google App is also available on iOS, so it’s worth checking even if you have an iPhone, not an Android… And of course Siri has similar functionality.