Privacy advocates push for change in how long Clipper card information is stored

A lone commuter strolls through the underpass to Palo Alto’s Caltrain station, where a single Clipper card swipe records the time and place of boarding. (Photo: Caroline Davis / Peninsula Press)

For more than a million Bay Area commuters, the use of a Clipper card is one of life’s mindless tasks — a swipe boarding Caltrain here, a quick tag hopping on a SamTrans bus there.

What most don’t realize is that their routine activity, when and where they board and disembark, gets stored in a transit agency’s database, where it remains for seven years after the Clipper account is closed.

Riders can choose not to register their card, but there are conveniences and benefits to having an account, which is why 46 percent of users have signed up.

Now, the Metropolitan Transportation Commission (MTC) is debating changes to its privacy policy. One of the concerns is that passenger data can be accessed in both criminal and civil cases through court orders. Since the Clipper program started in 2010, that has happened three times when crimes were involved.

“Society has turned a little bit, and they’re recognizing that this modern world we live in has a privacy issue involved,” said Randy Rentschler, the commission’s director of legislation and public affairs. “Anyone who has a Facebook account would get that. And I think us, on the public sector side, are going to be held up to a much higher standard as a result.”

In overseeing the Clipper program, the commission has authority over two important pieces of rider information: how long the data is stored and who has access to it. Primarily, the information is used to help keep the Clipper system running smoothly, Rentschler said. Account holders also can review their travel histories or replace the card and its monetary balance if it is ever lost, stolen or damaged.

Next month, commission members plan to discuss the privacy policy, including why the data must be kept for so long. They will consider reducing the time period to four and a half years, which would make it consistent with FasTrak (the transponder used for tolls across the state).

The seven-year time frame is written into the commission’s contract with Cubic Transportation Systems Limited, the firm paid to operate Clipper’s customer service center.

“Seven years is a fairly ridiculous amount of time to keep ridership information,” said Chris Conley, a technology and civil liberties attorney with the American Civil Liberties Union of Northern California. “There’s really no value to the MTC to be retaining the information for this extensive period of time.”

Conley spoke against the privacy policy at a San Francisco Board of Supervisors hearing a few weeks ago. He said the transportation commission should keep information only as long as absolutely necessary, adding that a reduction to four and a half years still seems excessive.

The commission considers the data essential to the efficient operation of a system that spans bus, train and ferry lines, according to Rentschler. During the week ending Oct. 19, the Clipper recorded its highest average number of weekday boardings, exceeding 700,000 for a five-day week.

Conley is not swayed by the efficiency argument. “It still is far longer than I can come up with any reason they might need to have individual records of where people have come and gone and how they have used the system,” he said. “We definitely want [the MTC] to identify exactly how long we need to keep this information, what’s the purpose for keeping it…spell out exactly what they do with the information.”

Caltrain riders, like those pictured at the Palo Alto station, might not realize the Clipper card they use keeps track of where they board and disembark. (Photo: Caroline Davis / Peninsula Press)

Rentschler said privacy advocates are too focused on imagining future scenarios and not focused enough on how the data is used now. Few members of the public have contacted the commission with concerns, he said, adding, “We hear from the public on a lot of things. It’s not like the public is silent. The public has just not been engaged on this.”

Perhaps it’s a matter of the public being unaware, Conley countered.

“As we’ve seen in other situations involving Facebook and other online companies, as the public becomes aware their information is being recorded, is being retained for periods far longer than they expected… they do respond,” he said.

Both Clipper and FasTrak have detailed privacy policies – the lengthy Cardholder Agreement on the Clipper Web site makes that quite clear. “Our privacy policies for FasTrak and Clipper are very, very stringent,” Rentschler said. “We don’t use it for marketing, we don’t use it for any purpose, period, ever.”

In 2010, the state legislature passed a law to protect the privacy of motorists using the FasTrak system. The law prohibits transportation agencies from selling or sharing personal data and requires them to purge the information when no longer needed. The Clipper card was not included in the legislation, which took effect in January 2011.

Because of that law, though, there are important distinctions between Clipper and FasTrak. Two years ago, if someone was involved in a divorce case, he or she could have secured information from FasTrak. But civil cases are no longer eligible for this information.

Other cities, like New York, have similar transportation card programs. The Metropolitan Transportation Authority for New York City has MetroCard for its buses, subways and Staten Island Railway. The card is swiped by New Yorkers approximately 200 million times a month, according to MTA spokesman Aaron Donovan. For riders purchasing MetroCards with cash, the riders have no real identity – just a serial number – and the only information recorded is trips taken, which can be stored for up to four years.

+ posts

About The Author

Scroll to Top