NYC Is Tracking RFID Toll Collection Tags All Over the City

← Back to Stories (view on slashdot.org)

NYC Is Tracking RFID Toll Collection Tags All Over the City

Posted by Soulskill on Friday September 13, 2013 @04:39AM from the oversight-planned-for-2018 dept.

In the northeast U.S., most of the tolls people encounter when driving make use of a system called E-ZPass to let them pay the tolls electronically. Drivers are given small RFID transponders that are scanned in tollbooths, at which point the toll is automatically deducted from a pre-paid account. One hacker got curious whether the RFID tags were being scanned elsewhere, so he tweaked his E-ZPass to blink a light and make a noise every time it was read. He tested the streets of New York City, and wasn't surprised to see it light up in plenty of places where there were no tollbooths to be found. From the article: "It’s part of Midtown in Motion, an initiative to feed information from lots of sensors into New York’s traffic management center. A spokesperson for the New York Department of Transportation, Scott Gastel, says the E-Z Pass readers are on highways across the city, and on streets in Manhattan, Brooklyn and Staten Island, and have been in use for years. The city uses the data from the readers to provide real-time traffic information, as for this tool. The DoT was not forthcoming about what exactly was read from the passes or how long geolocation information from the passes was kept. Notably, the fact that E-ZPasses will be used as a tracking device outside of toll payment, is not disclosed anywhere that I could see in the terms and conditions. When I talked to the E-ZPass Inter-agency Group — the umbrella association that oversees the use of the pay-toll-paying tags in 15 different states — it said New York is the only state that is employing this inventive re-use of the tags. ... 'If NYDOT can put up readers, says [the hacker], 'other agencies could as well.'"

46 of 314 comments (clear)

Min score:

Reason:

Sort:

Trending political procedures... by killfixx · 2013-09-13 04:40 · Score: 4, Insightful

Do a lot of tracking of everything a person does and only come clean when someone calls 'em out...
I hope this "hacker" is anonymous... Otherwise he's headed for a jail cell...
It used to be okay to point out when your government was being shady...
Not anymore!!
Yay!
Welcome to 1984!

--
"Helping to keep you two steps ahead of the Thought Police!"
1. Re:Trending political procedures... by Anonymous Coward · 2013-09-13 05:04 · Score: 5, Insightful
  
  It has never been secret.
  Except for:
  - where the RFID detectors are.
  - if they store the ID of the EZ-Pass tag.
  - if they store the geo-location data.
  - how long the keep the data.
  - who has access to the data.
  - if they sell the data.
  So you're right, no secrets here.
2. Re:Trending political procedures... by Maxo-Texas · 2013-09-13 05:07 · Score: 3, Interesting
  
  You could actually use this the other way.
  Remove the tag before you go do something naughty but keep it in your car other times.
  
  --
  She was like chocolate when she drank... semi-sweet at first and then increasingly bitter.
3. Re:Trending political procedures... by fizzer06 · 2013-09-13 05:11 · Score: 3, Interesting
  
  In the Dallas-FortWorth area, you can't pay cash, no toll booths. You get a bill in the mail if you don't have EZ Pass. The bill includes extra fees for examining the photograph and mailing the bill.
4. Re:Trending political procedures... by Impy+the+Impiuos+Imp · 2013-09-13 05:23 · Score: 4, Insightful
  
  This should have been in the agreement. Most would have no problem with it -- as long as it wasn't secretly used for law enforcement.
  Lawyers started supoenaing driver self-cams used in driving safety research, and volunteers dried up.
  Of even greater concern is illegal NSA type stuff. I suppose more people will put in these read-detectors to map them all out and force government to explain them all. This is a good thing.
  
  --
  (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
5. Re:Trending political procedures... by dkleinsc · 2013-09-13 05:30 · Score: 5, Insightful
  
  initiative to improve traffic flow in Manhattan
  If your goal is to improve traffic flow, you don't use EZPass, you use traffic counters that get laid down on the street (or use the pole-mounted radar counters) that are probably cheaper than the RFID devices they're using. Those don't identify each individual vehicle's path, but they do make it really clear where people are going (e.g. "the exit ramp has a count of 400 per hour, and and there's 350 more just to the right of that ramp than there was coming from the other way you can get to that spot.").
  Alternately, you can ask yourself how many major construction projects have occurred in Manhattan to improve traffic flow in response to the data from this program. I'd be really surprised if New York City even considered, say, rerouting 5th Avenue.
  Ergo, traffic flow isn't the problem NYC is trying to solve.
  
  --
  I am officially gone from /. Long live http://www.soylentnews.com/
6. Re:Trending political procedures... by bluefoxlucid · 2013-09-13 05:36 · Score: 4, Insightful
  
  eventually it will be illegal to drive without EZPass, and you will be billed for driving all over the place. All roads will be toll roads.
  
  --
  Support my political activism on Patreon.
7. Re:Trending political procedures... by Mister+Transistor · 2013-09-13 05:38 · Score: 2
  
  Illinois has also been doing this for several years, especially around the Chicago area.
  There are some locations where they have signs up stating that "No Toll is Being Taken" and others that are not marked. The transponders they used to use had displays and beeped when accessed, I imagine that's why they put up signs, people used to notice accesses. Of course, the new replacement ones do not have any external indicators that they are being polled so that allows them to interrogate them anytime silently.
  They are now also interrogating them at small antenna sites between the major toll gates for traffic flow analysis, but AFAIK they are not using them anywhere but on the tollways. It is not known if they are gearing up to do speed measurement or anything nefarious with them, I don't think they can get away with that since not all vehicles have them.
  
  --
  -- You are in a maze of little, twisty passages, all different... --
8. Re:Trending political procedures... by postbigbang · 2013-09-13 05:39 · Score: 2
  
  And so you take your EZ-Pass, iPass, or whatever, and put it into its metal box after you're past the toll-whatever.
  Some of the tollbooths now take RFID-based credit cards. Same answer. These are radiological tokens. Kill the radio by putting it into a metal can, box, or even most ashtrays.
  That it's tracked isn't surprising. I'm looking at your cam right now. Stop picking your nose.
  
  --
  ---- Teach Peace. It's Cheaper Than War.
9. Re:Trending political procedures... by sfm · 2013-09-13 05:40 · Score: 2
  
  The problem with cash is the number of places that accept this form of payment is shrinking rapidly. I see a day in the near future where your only 2 options for Highway/Bridge tolls are Tolltag and Pay-By-Mail (They photograph your plates and mail you the bill).
  But no matter how you pay, you are still being photographed, not only as you approach and depart, but also while you pass the toll booth. Check out those vertical cameras at ALL of the SF Bay toll plazas.
10. Re:Trending political procedures... by NeutronCowboy · 2013-09-13 05:49 · Score: 2
  
  And this is why my version of the easy pass sits in the glove box when I'm not near toll booths. How do I know it works? I forgot to take it out once, and blew right through the toll booth without a beep anywhere.
  On that thought: as soon as I renew my passport, I'm getting one of the aluminum card/passport holders/wallets. Having RFIDs about all kinds of data available out in the open is nuts. Yes, I'm aware of LPSs, facial recognition from video, but those are still a lot harder to do than just reading an RFID.
  
  --
  Those who can, do. Those who can't, sue.
11. Re: Trending political procedures... by icebike · 2013-09-13 06:22 · Score: 2
  
  Myself, I already know the transponder # is thrown out, making the trip anonymous. These anonymous trips are used to plan transportation improvements. That's all.
  You know this how?
  Because they told you that was what the plan said 10 years ago when they set it up?
  What about that telephone call from the Police Commissioner to the head of DOT that never made it to the files?
  
  --
  Sig Battery depleted. Reverting to safe mode.
12. Re:Trending political procedures... by icebike · 2013-09-13 06:34 · Score: 2
  
  On that thought: as soon as I renew my passport, I'm getting one of the aluminum card/passport holders/wallets. Having RFIDs about all kinds of data available out in the open is nuts. Yes, I'm aware of LPSs, facial recognition from video, but those are still a lot harder to do than just reading an RFID.
  The State Department says your RIFD enabled passport can't be read unless the passport is opened:
  
  Skimming.” We use an embedded metallic element in our passports. One of the simplest measures for preventing unauthorized reading of e-passports is to add RF blocking material to the cover of an e-passport. Before such a passport can be read, it has to be physically opened. It is a simple and effective method for reducing the opportunity for unauthorized reading of the passport at times when the holder does not expect it.
  
  With any Android phone having NFC capabilities, and a free app from the Google Market ,you can prove that to be another government big lie.
  So the shielded holder might be a good idea.
  But Which LPSs are you aware of?
  
  --
  Sig Battery depleted. Reverting to safe mode.
13. Re:Trending political procedures... by XnavxeMiyyep · 2013-09-13 06:37 · Score: 2
  
  Seattle has something similar on the 520 bridge. People with out of state license plates don't get billed. Last I checked, occasionally locals would get bills in the mail (in unmarked white envelopes, of course) if they had the same license plates as the out-of-state ones.
  
  --
  I put the 't' in electrical engineering.
14. Re:Trending political procedures... by icebike · 2013-09-13 06:46 · Score: 2
  
  I've rarely lived anywhere that had toll roads or toll bridges, but when I have and had to use them (like when moving all over creation after Katrina), I just paid cash.
  To me, it was worth the little extra they charged to keep from being tracked every time I crossed the bridge, etc.
  Next time you pull up to the toll plaza, pay attention to the license plate readers.
  
  --
  Sig Battery depleted. Reverting to safe mode.
15. Re: Trending political procedures... by bill_mcgonigle · 2013-09-13 09:06 · Score: 2
  
  Myself, I already know the transponder # is thrown out, making the trip anonymous.
  f paying tolls were the primary motive for these things, they'd be available anonymously with pre-paid cards sold at 7-11 to refill them.
  
  --
  My God, it's Full of Source!
  OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
16. Re:Trending political procedures... by ultranova · 2013-09-13 09:15 · Score: 2
  Bureaucrats learn to rely on their tools. If the vehicle shows up at certain checkpoints, it would probably never occur to them to spend the hundreds of man-hours necessary to check things like traffic cameras to see if they could find it running without the tracker.
  
  Man-hours? The tools the bureaucrats have include:
  
  License plate scanners
  Facial scanners
  RFID scanners
  Cell phone location scanners
  E-mail and other online activity scanners
  Databases to store all of this data
  Automation to look for pretermined patterns
  Data mining to look for unexpected patterns and deviations from them
  What happens is that you do anything unexpected, the bureaucrat gets a notification from all this automation, along with your online and offline history. This isn't the 1700's anymore, there's no manpower or other resource constraint to keep every single person under 24/7 surveillance, and apparently no social one either, since you're a potential terrorist/child molester/drug user/kidnapper/whatever. Welcome to the Panopticon.
  --
  Forget magic. Any technology distinguishable from divine power is insufficiently advanced.
Cup holder by A10Mechanic · 2013-09-13 04:47 · Score: 5, Funny

Does it also chart the size of the soda in your cup holder?
Not completely news by RedShoeRider · 2013-09-13 04:52 · Score: 5, Informative

"Notably, the fact that E-ZPasses will be used as a tracking device outside of toll payment, is not disclosed anywhere that I could see in the terms and conditions. "
In NJ, buried in the fine print, is a line that reads something like "other information may be obtained by the the Consortium at their discretion", which easily translates to: "We're going to use this to monitor traffic flow, and by doing that, we're monitoring you".
If you're driving on the Parkway (a New Jersey toll highway), there are plenty of places where you can see EZPass pickups buried in the road surface that are nowhere near the toll sites.

--
Chris Knight is my hero.
1. Re:Not completely news by Binky+The+Oracle · 2013-09-13 05:02 · Score: 2
  
  I remember this being discussed several years ago (I think here on Slashdot, in fact), but for Houston. The toll tags were being read by sensors mounted on nearly every overpass sign and used to create the traffic speed maps that we've all come to know and love. The controversy was primarily that they were not anonymizing the data and had no defined retention period. It surprised a lot of people at the time. Now, not so much. I'm actually surprised that anyone is actually surprised by this story. I now just assume that my toll tag is being read in any state I travel, whether it's "compatible" with their system or not. :-/
  
  --
  Slashdot comments... splitting hairs since 1997.
Quick hardware hack by Freshly+Exhumed · 2013-09-13 04:55 · Score: 3, Interesting

Time to put your transponder into a flip-lid Faraday Cage that springs open only when you require it, then closes by default.

--
I deny that I have not avoided attaining the opposite of that which I do not want.
1. Re:Quick hardware hack by Andy+Dodd · 2013-09-13 05:02 · Score: 4, Interesting
  
  Interestingly enough, EZ-Pass devices installed in rental vehicles do EXACTLY this to allow the renter choice of whether to use EZ-Pass or normal tolls.
  
  --
  retrorocket.o not found, launch anyway?
2. Re:Quick hardware hack by Freshly+Exhumed · 2013-09-13 05:04 · Score: 3, Insightful
  
  And I'll bet somebody has patented the 1836 technology.
  
  --
  I deny that I have not avoided attaining the opposite of that which I do not want.
Re:Still pissed by brainboyz · 2013-09-13 04:57 · Score: 4, Insightful

Funny you mention gay sex and then go on to list the only ones that care about privacy are those doing something "illegal, immoral or otherwise dangerous." Have you not been paying attention to Russia lately? Gay sex recently became illegal again. Just because society and politicians don't care NOW doesn't mean they will continue not caring.
Don’t keep it on the windshield by LMariachi · 2013-09-13 05:00 · Score: 3, Insightful

I have never kept my FasTrak (our version of EZPass) stuck to the windshield. It lives in its mylar foil bag in the center console until I’m approaching a toll. Besides, people will break a window and steal it. It can’t be linked to a different vehicle, at least not without me setting that up, so it’s pretty much worthless to anyone else, but crackheads don’t know that.
Re:Still pissed by CanHasDIY · 2013-09-13 05:00 · Score: 5, Informative

I'm still pissed I was labeled a troll when I mentioned that there was no privacy in the US.
Yea, I'm sure it was because you "mentioned" it; surely you weren't labeled a troll for gems such as:

So give up on the privacy whining.
Or

The only dumbasses who care about privacy are the ones doing something they know to be illegal
Or maybe even

I bet Castro was a privacy advocate.
Now GTF my lawn, you fucking troll you.

--
An enigma, wrapped in a riddle, shrouded in bacon and cheese
You already have something like this on your car.. by ravenscar · 2013-09-13 05:00 · Score: 4, Insightful

It's called a license plate. With technology that allows license plates to be read by cameras, any government organization could track the movements of every vehicle everywhere in their jurisdiction. Don't think you can't be tracked because you don't have an RFID tag in your vehicle.
Hubris by WOOFYGOOFY · 2013-09-13 05:04 · Score: 5, Insightful

It's a tactical mistake borne of hubris. When the RFID chips came out, people were paranoid they'd be use to track instead of ease on off congestion in toll roads as advertised. Officialdom trotted out the usual assurances. Now they're using them to track cars.. (as if they can't already do that through other means).
The long term effect is to breed distrust of government and technology. To induce a cynical turn of mind .
Seeing as 99% of security relies on public buy in , cooperation, the feeling of a shared purpose and identity and absent those things or if those things are greatly degraded, we have no effective security, this has to be seen as a big security blunder.
Tricking, coercing, forcing, sneaking by people what's needed for security is a bad idea. It was a bad idea when the NSA started doing it whether they were getting away with it or not. It's a bad idea wherever it goes. It works against security in a million ways none of which anyone can control.
The way to security buy in is through more openness, more sharing of the problems and threats we face and above all the verifiable protection of our civil liberties against the abuses which inevitably occur when identity and details of people's private lives are exposed for examination by the state.
You have to firewall international (or national) terrorism from all other concerns. You cannot use this information to, say catch drug dealers or common murders. Neither can you over-define what terrorism IS. Copyright violations aren't terrorism and neither are the activities of organized crime. Mainstream , even violent political protestors aren't terrorists and neither are the Tea Party or anarchists. That's called- regular life, normal criminal deviance that is NOT terroristic; the goal is not to undo Western civilization.
Deniers are of course not terrorists, despite my hyperbolic moniker.
Because that IS a slippery slope and what will happen is there will grow widespread, covert, person to person rebellion ande non-cooperation, subversion and ultimate undermining of security.
People don't want to live in Stasiland, whatever benefits there are to living in Stasiland and it' takes not very much to get people to thinking that they are living in Stasiland.
I am to the right of most people on this forum, (yesterday's rating drubbing) which is to say in the middle of the political spectrum. Even I am creeped out by some of the things that have been going on. It's human nature to abuse power in ways that lead to undue influence by the power wielders and then on to a kind of defacto fascism. That's not a political perspective, that's a historical and psychological fact and moreover instinctive knowledge. It is not possible to talk your way around instinctive knowledge.
Time to put a shoe box sized faraday cage in car by rolfwind · 2013-09-13 05:04 · Score: 4, Informative

http://www.thesurvivalistblog.net/build-your-own-faraday-cage-heres-how/
Re:Still pissed by Shortguy881 · 2013-09-13 05:05 · Score: 2

Its not the collection of the data, its the shady circumstances under which it is collected. All of this huge data collection happening outside the public's eye can be used for nefarious acts, not only by individuals, but by corporations and governments. What better way to control a population than through analytics?

--
Brilliance without wisdom, power without conscience. Ours is a world of nuclear giants and ethical infants.
Re:You already have something like this on your ca by Spiked_Three · 2013-09-13 05:06 · Score: 2

Yeah, and a sample license plate tracker comes with openCV these days. Takes about 20 minutes to put together a tracker that observes all visitors to the adult movie booth place down the street, and another hour or two in front of the government offices to associate license plates with bureaucrats. You know what they say, "information is power."

--
slashdot troll = you make a compelling argument I do not like the implications of.
Re:Were you expecting anything different by mark-t · 2013-09-13 05:10 · Score: 4, Interesting

Actually it probably has no identifying details at all... it's almost certainly just a serial number, and that's it. It may also have a checksum on the device that might be derivable via a one-way hash from personal information that the company has about you, but in general this would not be practical to try to reverse, Such a checksum id could potentially be used to verify at their end that the device was not a forgery.
The company that collects the data on the device has your identifying details and has recorded which device, by serial number, they assigned to you. Whenever they are scanning the device, all they need to do is look up its serial number in their database to get all of your identifying information that they have... unless somebody else had suitable access to that same database, they would not generally be able to identify who you were or anything else about you for that matter.
A third party could, however, potentially use the information even without access to said database to track where it was you were going... although as far as they are concerned, they'd be tracking some anonymous device, with no idea in general who actually has it... only knowing where it was detected by scanners.

--
File under 'M' for 'Manic ranting'
How hard to pull a "Little Brother" ? by Mahldcat · 2013-09-13 05:12 · Score: 2

...Not sure if this was just Science Fiction, but how hard would it be to clone an EZ pass off a random stranger and then reprogram a second random stranger's pass with said data?
Wouldn't that be true for *ANY* type of RFID? by mark-t · 2013-09-13 05:16 · Score: 3, Informative

I mean, if you have an RFID chip, wouldn't it be detecting that it's being read whenever it passes near *ANY* scanner, whether or not the people who operate the scanner are actually even interested in that RFID? All someone else would know, in general, is that the RFID isn't one that they are trying to track, and I'd imagine at *MOST* they may be able to know which company was tracking that RFID (although I'm not even sure they could do that). And even then, without access to the other company's database of users they would have no way to know who it was who had that RFID or any other personal information.

--
File under 'M' for 'Manic ranting'
yawn. by nblender · 2013-09-13 05:16 · Score: 2

As others have mentioned, if gubmint wanted to track you, they'd use your license plate because everybody has to have one of those whereas these toll passes are optional... In my city (Calgary, Alberta) the municipal government uses bluetooth ID's to track phones/cars as they travel down the roads to generate traffic information. We have handy signs that report the expected time to various exits. I've found it handy because I know about how long it should usually take to a specific exit and if the reported time is wildly different, I can choose to exit sooner and take an alternate route...
I suppose I could surmise that the municipal government has some way to tie my cellphone to my name and is tracking me... But I think it largely improbable and I can always turn off my bluetooth if I'm doing something nefarious just as NYCers can put their tags in a metal box.
Re:Still pissed by newcastlejon · 2013-09-13 05:20 · Score: 2, Informative

Have you not been paying attention to Russia lately? Gay sex recently became illegal again.
No, it didn't. Talking about it, however, is a different story.
Have you not been paying attention?

--
If God forks the Universe every time you roll a die, he'd better have a damned good memory.
Future plans outside New York by Applekid · 2013-09-13 05:30 · Score: 4, Interesting

In Florida, we have a toll transponder system too. Recently waves of notices have been going out that the older style transponders are being deprecated for newer ones. I always thought that was kind of silly because the new style transponders are currently compatible with the existing system just like old ones are, so it's not really a "protocol" type change (I'm a software guy, not an EE, so there is likely some RFID stuff I don't know about).
The biggest change? The older transponders would beep when scanned, the newer ones no longer have that functionality. Sounds like perpetual tracking is coming to my state.

--
More Twoson than Cupertino
Re:Tin Foil Hat for your car? by Ronin+Developer · 2013-09-13 05:31 · Score: 5, Informative

When I received my EZ-Pass, I also received a bag (like those used to protect electronic chips) that I could put my EZ-Pass in when I don't want it to be read. It's my choice.
People were so up and arms of the UUID in iPhones and iPads being used to track their activity...but, the ability to collect this type of UUID in EZ-Pass has been available for years and nobody gave a rat's ass. The difference over license plate numbers (readable via OCR) is that these are easier to read....AEI tags, the tags used on railcars (EZ-Pass on steroids) were designed to be read as trains passed at over 90 MPH.
If you run a GPS such as Waze or another with real-time traffic analysis....it's, likely, reporting your position, speed, direction and...an identifier (maybe just your Waze account ID). All modern cell phones are E911 capable - they know where you are ... if they care. Do you turn your phone off when you drive your the car or go about your daily business? Unlikely.
There are far bigger things to worry about.
That being said, it would be interesting to know how this data was actually being used, stored and shared.
Lawsuit by Quila · 2013-09-13 05:46 · Score: 2

In the conditions of your contract you gave up a specified amount of privacy (your time/location information at toll booths) in exchange for the consideration of the convenience the service provides. They have now taken more privacy than you willingly gave up, providing more value for themselves than the contract gave them, and have provided no further consideration to you.
Classic example of "Give government a tool, and it will be abused."
Re:Still pissed by Mister+Transistor · 2013-09-13 06:06 · Score: 4, Insightful

My rule #46:
The number of skeletons in [most famous person]'s closet is usually directly proportional to how sanctimonious or pious they act in public.

--
-- You are in a maze of little, twisty passages, all different... --
Re:Still pissed by Archangel+Michael · 2013-09-13 06:10 · Score: 2

Just like it warms my Heart when Obama appoints someone he once demonized to some post or another.
http://beforeitsnews.com/alternative/2013/09/obama-appoints-former-bain-capital-exec-to-top-post-2762156.html

--
Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
Not at all surprised... by mi · 2013-09-13 06:39 · Score: 2

If the government cared for privacy, they would've made these tags anonymous — to be purchased and/or re-charged at gas-stations and convenience stored. Instead they must be registered to both your name and your license-plate and even using your own transponder in a rental car while yours is in a shop, is a violation of the terms (though people normally get away with it).
It was obvious from day one, data-collection was at least a secondary objective. Nominally the system is owned by a private company(ies), but with the government-enforced monopoly we get the worst of both worlds — a business' normal desire for profit, with government-style absence of competition.

--
In Soviet Washington the swamp drains you.
That's illegal, right? by catfood · 2013-09-13 08:10 · Score: 2

It's unauthorized access to my computing device.
Houston went a step further by Anonymous Coward · 2013-09-13 08:17 · Score: 2, Interesting

In Houston, Tx, the city was tracking the RFID tags and using sensors all over the highways to generate real time traffic data, and openly said they were doing it. Of course there were privacy concerns, but they assured the citizens that it was strictly anonymous.
They went a step further and now use Post Oak's sensors to detect Bluetooth devices, using the repeated detection of MAC addresses to estimate traffic flow and speed.
http://traffic.houstontranstar.org/bluetooth/transtar_bluetooth.html
Re:Were you expecting anything different by mark-t · 2013-09-13 08:33 · Score: 2

How will you find out who it is, exactly?

--
File under 'M' for 'Manic ranting'
Re:Were you expecting anything different by JohnFen · 2013-09-13 09:09 · Score: 2

Actually it probably has no identifying details at all... it's almost certainly just a serial number, and that's it.
How is a serial number unique to you not an identifying detail?