/Researchers Used A Politician’s Random Tweets About Public Transport To Track His Movements Over Three Years

Researchers Used A Politician’s Random Tweets About Public Transport To Track His Movements Over Three Years

Endearing and a bit nerdy, right?

Well, as it turns out, it’s also a privacy risk.

In 2018, the Victorian government helped publish a huge set of data about passengers using Myki — the state’s public transport card — as part of the Melbourne Datathon.

The dataset showed when cards were used to touch on and touch off in Victoria’s public transport system between 2015 and 2018. It included more than 15 million cards, and nearly two billion instances of people touching on and off.

The data was “de-identified”, meaning the Myki card numbers and the names of their users were not included.

But each card was given an ID, and the publicly released data included the card type, the time its user touched on or off, and location information such as stop IDs.

Using a few of his tweets, researchers figured out which card ID belonged to Carbines, and could therefore track his movements over three years.

The researchers, from Melbourne University, knew that Carbines’ electorate office was just down the road from Rosanna railway station.

State parliamentarians have a special type of Myki card. The researchers figured out that only two people with this kind of card had visited Rosanna train station. One had only been there once, but the other frequently commuted between Rosanna and the city.

To confirm this card belonged to Carbines (and with his consent), they looked up his tweets, by searching his handle and the word “train”. They found 18 — and all of them matched a record in the dataset.

“It is overwhelmingly unlikely that this is a coincidental resemblance to a different person,” they wrote in a new research paper about the experiment.

The researchers were also able to identify their own movements, along with a man who had travelled with lead researcher Chris Culnane on one occasion.

They are now warning that even “anonymised data” raises privacy, safety and security issues, and argue most Myki users in the dataset could be identified from just a few touch on or touch off events.

“It is clear that this particular data should never have been released in the form it was released in,” the researchers wrote in their paper.

“It’s easy to imagine how information like this could be used by people who might want to cause harm,” Culnane said in a statement.

BuzzFeed News contacted Carbines for comment, but he was not immediately available.

Original Source