Fare Payment Without the Stasi

By Alon Levy

Last year, I saw a tip by the Metropolitan Police: if you witness any crime on a London bus and wish to report it later, you should tell the police the number on your Oyster card and then they’ll already be able to use the number to track which bus you rode and then get the names and bank accounts of all other passengers on that bus. Londoners seem to accept this surveillance as a fact of life; closed-circuit TV cameras are everywhere, even in front of the house where Orwell lived and wrote. Across the Pond, transit agencies salivate over the ability to track passenger movements through smartcards and contactless credit cards, which is framed either as the need for data or as a nebulous anti-crime measure. Fortunately, free countries have some alternative models.

In Germany, the population is more concerned about privacy. Despite being targeted by a string of communist terrorist attacks in the 1970s and 80s, it maintained an open system, without any faregates at any train station (including subways); fare enforcement in German cities relies on proof of payment with roving inspectors. Ultimately, this indicates the first step in a transit fare payment system that ensures people pay their fares without turning the payment cards into tracking devices. While Germany resists contactless payment, there are ways to achieve its positive features even with the use of more modern technology than paper tickets.

The desired features

A transit fare payment system should have all of the following features:

  1. Integration: free transfers between different transit vehicles and different modes should be built into the system, including buses, urban rail, and regional rail.
  2. Scalability: the system should scale to large metro areas with variable fares, and not just to compact cities with flat fares, which are easier to implement. It should also permit peak surcharges if the transit agency wishes to implement them.
  3. No vendor lock: switching to a different equipment manufacturer should be easy, without locking to favored contractors.
  4. Security: it should be difficult to forge a ticket.
  5. Privacy: it should not be possible to use the tickets to track passengers in most circumstances.
  6. Hospitality: visitors and occasional riders should be able to use the system with ease, with flexible options for stored value (including easy top-up options) and daily, weekly, and monthly passes, and no excessive surcharges.

Smartcard and magnetic card systems are very easy to integrate across operators; all that it takes is political will, or else there may be integrated fare media without integrated fares themselves, as in the Bay Area (Clipper can store value but there are no free transfers between agencies). Scalability is easy on the level of software; the hardest part about it is that if there are faregates then every station must have entry and exit gates, and those may be hard to retrofit. Existing smartcard technologies vary in vendor lock, but the system the US and Britain are standardizing on, contactless credit cards, is open. The real problem is in protecting privacy, which is simply not a goal in tracking-obsessed Anglo-American agencies.

The need for hospitality

Hospitality may seem like a trivial concern, but it is important in places with many visitors, which large transit cities are. Moreover, universal design for hospitality, such as easily recognizable locations for topping up stored value, is also of use to regular riders who run out of money and need to top up. Making it easy to buy tickets without a local bank account is of use to both visitors and low-income locals without full-service bank accounts. In the US, 7% of households are unbanked and another 20% are underbanked; I have no statistics for other countries, but in Sweden banks will not even give debit cards to people with outstanding debts, which suggests to me that some low-income Swedes may not have active banking cards.

New York’s MetroCard has many faults, but it succeeds on hospitality better than any other farecard system I know of: it is easy to get the cards from machines, there is only a $1 surcharge per card, and season tickets are for 7 or 30 days from activation rather than a calendar week or month. At the other end of the hospitality scale, Navigo requires users to bring a passport photo and can only load weekly and monthly passes (both on the calendar); flexible 5-day passes cost more than a calendar weekly pass.

In fact, the main reason not to use paper tickets is that hospitality is difficult with monthly passes printed on paper. Before the Compass Card debacle, Vancouver had paper tickets with calendar monthly passes, each in a different color to make it easy for the driver to see if a passenger was flashing a current or expired pass. The tickets could be purchased at pharmacies and convenience stores but not at SkyTrain stations, which only sold single-ride tickets.

ID cards and privacy

The Anglosphere resists ID cards. The Blair cabinet’s attempt to introduce national ID cards was a flop, and the Britons I was reading at the time (such as the Yorkshire Ranter) were livid. And yet, ID cards provide security and privacy. Passports are extremely difficult to forge. Israel’s internal ID cards are quite difficult to forge as well; there are occasional concerns about voter fraud, but nothing like the routine use of fake drivers’ licenses to buy drinks so common in American college culture.

At the same time, in countries that are not ruled by people who think 1984 was an uplifting look at the future, ID cards protect privacy. The Yorkshire Ranter is talking about the evils of biometric databases, and Israeli civil liberties advocates have mounted the same attack against the government’s attempt at a database. But German passports, while biometric, store data exclusively on the passport, not in any centralized database. ID cards designed around proving that you paid your fare don’t even have to use biometrics; the security level is lower than with biometrics, but the failure mode is that the occasional forger can ride without paying $100 a month (which is much less than the cost of the forgery), not that a ring of terrorists can enter the country.

Navigo’s ID cards are not hospitable, but allowing passengers to ride with any valid state-issued ID would be. Visitors either came in from another country and therefore have passports, drove in and therefore have drivers’ licenses, or flew in domestically and therefore still have ID cards. Traveling between cities without ID is still possible here and in other free European countries, but everyone has national ID cards anyway; the ID problem is mainly in the US with its low passport penetration (and secondarily Canada and Australia), and the US has no intercity public transit network to speak of outside the Northeast Corridor.

What this means is that the best way to prevent duplication of transit passes is to require ID cards. Any ID card must be acceptable, including a passport (best option), a national ID card (second best), or an American driver’s license (worst).

Getting rid of the faregates

There are approximately three first-world Western cities that have any business having faregates on their urban rail networks: London, Paris, New York. Even there, I am skeptical that the faregates are truly necessary. The Metro’s crowd control during the World Cup victory celebration was not great. New York’s faregates sometimes cause backups to the point that passengers just push the emergency doors open to exit, and then rely on an informal honor system so that passengers don’t use the open emergency doors to sneak in without payment.

Evidently, the Munich S-Bahn funnels all traffic through a single two-track city center tunnel and has 840,000 weekday users, without faregates. Only one or two trunk lines are busier in Paris, the RER A with about a million, and possibly the RER B and D if one considers them part of the same trunk (they share a tunnel but no platforms); in London, only the Central, Victoria, and Jubilee lines are busier, none by very much; in New York, none of the two-track trunks is as busy. Only the overcrowded lines in Tokyo (and a handful in Osaka, Beijing, and Shanghai) are clearly so busy that barrier-free proof-of-payment fare enforcement is infeasible.

The main reason not to use faregates is that they are maintenance-intensive and interfere with free passenger flow. But they also require passengers to insert fare media, such as a paper ticket or a contactless card, at every station. With contactless cards the system goes well beyond exact numbers of users by station, which can be obtained with good accuracy even on barrier-free systems like Transilien using occasional counts, and can track individual users’ movements. This is especially bad on systems that do not have flat fares (because then passengers tag on and off) and on systems that involve transferring with buses or regional trains and not just the subway (because then passengers have to tag on and off at the transfer points too).

Best industry practice here is then barrier-free systems. To discourage fare evasion, the agency should set up regular inspections (on moving vehicles, with unarmed civilian inspectors), but at the same time incentivize season passes. Season passes are also good for individual privacy, since all the system registers is that the passenger loaded up a monthly pass at a certain point, but beyond that can’t track where the passenger goes. All cities that have faregates except for the largest few should get rid of them and institute POP, no matter the politics.

Tickets and ID cards

In theory, the ID card can literally be the ticket. The system can store in a central database that Alon Levy, passport number [redacted], loaded a monthly pass valid for all of Ile-de-France on 2018-08-16, and the inspector can verify it by swiping my machine-readable passport. But in practice, this requires making sure the ticket machine or validator can instantly communicate this to all roving fare inspectors.

An alternative approach is to combine paper tickets with ID cards. The paper ticket would just say “I am Alon Levy, passport number [redacted], and I have a pass valid for all of Ile-de-France until 2018-09-14,” digitally signed with the code of the machine where I validated the ticket. This machine could even be a home printer, via online purchase, or a QR code displayed on a phone. Designing such a system to be cryptographically secure is easy; the real problem is preventing duplication, which is where the ID card comes into play. Without an ID card, it’s still possible to prevent duplication, but only via a cumbersome system requiring the passenger to validate the ticket again on every vehicle (perhaps even every rail car) when getting on or off.

The same system could handle stored value. However, without printing a new ticket every time a passenger validates, which would be cumbersome, it would have to fall back on communication between the validator and the handheld readers used by the inspectors. But fortunately, such communication need not be instant. Since passengers prepay with stored value, the ticket itself, saying “I am Alon Levy, passport number [redacted], and I loaded 10 trips,” is already valid, and the only communication required is when passengers run out of money; moreover, single-use tickets have a validity period of 1-2 hours, so any validator-to-inspector communication lag shorter than the validity period is enough to ensure that inspectors do not accept expired tickets. The same system can also be used to have a daily cap as in Oyster, peak surcharges, and even generally-undesirable station-to-station rather than zonal fares.
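The signed ticket and the inspector's offline check from the two paragraphs above, as an added Go sketch that is not part of the original post. The Ed25519 signature, the single machine key, the field names, the ticket serial and the `exhausted` list that validators sync to handhelds are all assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// Ticket is the statement printed on paper or shown as a QR code (hypothetical layout).
type Ticket struct {
	Serial, Name, IDNo, Product string // IDNo: number of the state ID the rider carries
	Until                       int64  // end of validity, Unix seconds
}

// NewMachineKey makes a ticket machine's key pair; handhelds only ever get the public half.
func NewMachineKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	return pub, priv
}

// Issue runs on the machine: sign the ticket, emit base64(signature || body) for the QR code.
func Issue(priv ed25519.PrivateKey, t Ticket) string {
	body, _ := json.Marshal(t)
	return base64.RawURLEncoding.EncodeToString(append(ed25519.Sign(priv, body), body...))
}

// Inspect runs offline on the handheld; exhausted lists serials reported used up at last sync.
func Inspect(pub ed25519.PublicKey, token, shownID string, now int64, exhausted map[string]bool) error {
	const n = ed25519.SignatureSize
	raw, err := base64.RawURLEncoding.DecodeString(token)
	var t Ticket
	if err != nil || len(raw) < n || !ed25519.Verify(pub, raw[n:], raw[:n]) || json.Unmarshal(raw[n:], &t) != nil {
		return errors.New("forged or altered ticket")
	}
	switch {
	case t.IDNo != shownID: // a copy of the QR code is useless without the matching ID
		return errors.New("ticket is bound to a different ID")
	case now > t.Until || exhausted[t.Serial]:
		return errors.New("ticket expired or stored value used up")
	}
	return nil
}

func main() {
	pub, priv := NewMachineKey()
	qr := Issue(priv, Ticket{"T-0001", "A. Rider", "X1234567", "monthly, all zones", 1536969599}) // constructed sample
	fmt.Println(Inspect(pub, qr, "X1234567", 1535000000, nil), "/", Inspect(pub, qr, "Y7654321", 1535000000, nil))
}
```

The handheld needs only the machines' public keys and the short list of exhausted serials, so nothing in the check records where or when a pass holder travels.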

It’s even possible to design a system without single-use tickets at all. Zurich comes close, in that a 24-hour pass costs twice as much as a single-use ticket (valid for just an hour), so passengers never have any reason to get a single-use ticket. In this system there would not be any stored value, just passes for a day or more, valid in prescribed zones, with printable tickets if regular riders in one zone occasionally travel elsewhere.

The upshot here is that advanced technology is only required for printing and reading QR codes. The machines do not need to be any more complicated than ATMs or Bitcoin ATMs (insert money, receive a Bitcoin slip of paper); I don’t know how much Bitcoin ATMs cost, but regular ATMs are typically $2,000-3,000, and the most expensive are $8,000, unlike the $75,000 ticket machines used at New York SBS stations. The moving parts are software and not hardware, and can use multi-vendor cryptographic protocols. In effect, the difficult part of verifying that there is no duplication or forgery is offloaded to the state ID system.