Forbes reports that a man has found that E-ZPasses, which are used to pay tolls on highways and bridges, can be read far from toll booths and used to track individuals’ locations. Privacy questions surrounding the use of E-ZPasses and other RFID-enabled toll-payment technology have been raised before, including the question of retention and sale of the data. In 2010, California Gov. Arnold Schwarzenegger signed SB1268 (pdf), which affects consumer privacy. The bill’s digest explains, “This bill would prohibit a transportation agency, as defined, from selling or providing personally identifiable information of a person obtained” through that person’s use of an electronic toll payment system. The law, which went into effect on Jan. 1, 2011, also requires agencies to purge the data when it is no longer needed for billing or law enforcement purposes.
Forbes reports that a man going by the name “Puking Monkey” decided to “hack his RFID-enabled E-ZPass to set off a light and a ‘moo cow’ every time it was being read. Then he drove around New York. His tag got milked multiple times on the short drive from Times Square to Madison Square Garden in mid-town Manhattan … and also on his way out of New York through Lincoln Tunnel, again in a place with no toll plaza.”
At Defcon, where he presented his findings, Puking Monkey said he found the reading of the E-ZPass outside of where he thought it would be read when he put it in his car “intrusive and unsettling,” quoting from Sen. Chuck Schumer’s remarks about retailers tracking people who come into their stores using their cell phones. […]
It’s part of Midtown in Motion, an initiative to feed information from lots of sensors into New York’s traffic management center. A spokesperson for the New York Department of Transportation, Scott Gastel, says the E-ZPass readers are on highways across the city, and on streets in Manhattan, Brooklyn and Staten Island, and have been in use for years. The city uses the data from the readers to provide real-time traffic information, as for this tool. The DoT was not forthcoming about what exactly was read from the passes or how long geolocation information from the passes was kept. Notably, the fact that E-ZPasses will be used as a tracking device outside of toll payment is not disclosed anywhere that I could see in the terms and conditions.