New contactless card system for public transport
This page forms the starting point for an open design of a new contactless smart card system for public transport. The starting point are requirements, at a high level of abstraction. Implementation details, if any, will only appear at the end.
The general idea is that travellers carry smart cards which will enable them to "enter the system", for instance via special gates that open when the card is held close to a smart card reader. At that stage relevant information about (at least) the entrance location and time is stored, both in the card and in the (backoffice connected to) reader. Upon "leaving the system", again via gates that are opened after communication with the card, information about the time and location of the exit are recorded and used to determine the associated cost of the journey.
In a first approximation the focus of the requirements will be on privacy, transactions, transparancy and monitoring.
Privacy protection should be part of the architecture of the system, and not some add-on - like via anonymous prepaid cards that are inconvenient to use (and reveal your identity if you ever charge them via your bank or credit card).
Within this context privacy requirements focus on two matters.
- Information stored in the cards can only be read by authorised parties. This means that a card reader must first authenticate itself as being genuine and that a card cannot be read (skimmed) while it is in your pocket. In particular, a card does not release any identifying information like through a (fixed) anti-collision identifier.
- Information stored in the back-office system need not involve (personal) identities, so that anonymous travel is possible without any inconvenience.
Privacy is not absolute, but may be lifted under specific circumstances:
- In case of misbehaviour (like fraud) your identity may be revealed, possibly in such a way that all your earlier travels become recognisable (revocable privacy).
- In case there is a court-order.
Proofs of transactions
Travelling by public transport involves financial transactions. These transactions/payments should be properly authorised so that the different parties involved can be held accountable and so that disputes can be resolved convincingly. In particular this means that transactions should be:
- non-reputable, in the sense that once a traveller enters the system appropriately, a reproduceable proof of this fact is constructed, for instance in the form of a digital signature that is created by the travellers card. Other crucial steps of transactions should involve similar proofs, especially leaving the system.
- non-forgeable, in the sense that the system (or system administrators or operators) cannot "create" travels on its own. Such fraud possibilities by insiders are often neglected.
This requirement applies at different levels.
- In the way that the system is organised, so that interested parties can understand how it operates and how data flows are organised.
- The system is easy to use.
- It is easy to understand how prices are calculated and how and when payments take place.
- Travellers can easily access and check their data (travel, payment), for instance by reading out the contents of their own card on their own computer (eg. to obtain travel details for a refund from their employer).
Monitoring of the dataflows in the system is needed chiefly for the following purposes.
- Fraud detection, with focus on spending more than is loaded on a card. This requires a shadow (financial) bookkeeping of individual cards.
- Usage patterns, in order to see which lines are used by how many travellers at which times, so that services can be optimised. This involves anonymous, statistical information.
The aim here is not to facilitate individual travel monitoring, unless individual travellers agree to it (explicit opt-in).