Update 9/7/16: Multiple sources are reporting that the Reston Town Center has postponed the implementation of paid parking until January 2017.
On September 12, the Reston Town Center will start charging for parking Monday through Friday, other than on holidays and during premier events, and according to the Reston Town Center, the ParkRTC app will be the easiest way to pay for parking. However, the ParkRTC app collects sensitive, personal information, and like me, you may have concerns about the information the ParkRTC app collects and how that information can be used by PassportParking, Inc., the company to which the Reston Town Center appears to have outsourced its paid parking services. Despite protestations by the Reston Town Center to the contrary, PassportParking appears to have the right to use your information in practically any way it wants and to disclose your personal information to any company with whom it does business.
Data Collected by ParkRTC
To use the ParkRTC app, you must enter your phone number or email address, your credit card number, its expiration date, and your license plate number. On an iPhone, the iOS version of the ParkRTC app wants you to allow location services, so that you can "park faster, avoid tickets, and get free parking", implying that location services are required for parking validation. If you allow location services from within the app, ParkRTC will be able to track your location at all times, even when you aren't using the app. The Android version of the ParkRTC app is worse; ParkRTC wants access to your accounts, contacts, location, and phone status, the ability to make phone calls, and permission to read, modify, or delete your photos, media, and files.
Privacy and Security
I'm not the first one to voice concerns about the privacy and security of the data collected by the ParkRTC app. Comments from others prompted the Reston Town Center to post this on Facebook:
- What steps are being taken to ensure the security of my personal and credit card information?
The security of our users' information is critically important to both Passport Inc and RTC, and we take our responsibility to protect that information very seriously. Passport conducts regular audits of their information security systems to ensure that there are no vulnerabilities. Passport also holds compliance with PCI DSS Level 1 certification-- the most stringent data security framework administered by the PCI Security Standards Council. You can verify Passport's ongoing compliance with this standard by checking the Visa or Mastercard Merchant Registries.
- Will my information ever be sold or distributed to a third party?
No, Passport Parking will never sell or distribute ParkRTC user information to third parties.
There are a few problems with that.
PCI DSS only applies to your credit card information. It is a payment card industry (PCI) security standard set by the PCI Security Standards Council.
PCI DSS Level 1 merchants and payment processing companies still suffer data breaches. Examples include Target and The Home Depot. Despite the Reston Town Center's naive statement to the contrary, conducting regular security audits does not ensure that there are no vulnerabilities.
The ParkRTC app is published by PassportParking. Your agreement regarding privacy and security is with PassportParking, not the Reston Town Center. No statement by the Reston Town Center is binding on PassportParking.
We use information that we collect about you or that you provide to us, including any personal information ... as ... permitted by law. ... we may disclose personal information that we collect or you provide ... [to] third parties we use to support our business.
Essentially, then, PassportParking can do anything it wants with your information, as long as it neither breaks the law nor discloses your personal information to a third party that has nothing to do with PassportParking's business. Legally, any third party with whom PassportParking interacts for a business purpose, including all of its vendors and any company with whom PassportParking finds it commercially useful to exchange information, supports PassportParking's business, and nothing restricts the meaning of the word business to parking services.
We cannot promise that your information will remain secure.
I don't blame PassportParking for that statement. It's the only rational thing they can say. There are no secure data systems, only those that haven't been breached yet and those whose breach hasn't been made public yet.
Finally, although this need not be problematic, you should note the following:
We may disclose aggregated information about our users without restriction.
Data Potentially Exposed by a Data Breach
Setting aside what PassportParking might be permitted to do with your information, an equally important consideration is what cybercriminals might be able to do with your information in the event of a data breach at PassportParking. Criminals might obtain:
A history of your real-time location data, which, given that the ParkRTC app by default collects your phone's location at all times, even when you aren't using the app, could be used to identify your commuting route and the addresses of your home, your place of work, your children's daycare center, your children's school, your doctors, and your favorite stores and restaurants.
Your transaction data, which probably includes the merchant, date, and time of every parking validation you've been given.
Your phone number and email address, which can be used to contact you directly with scams and which can be used to link information obtained from a PassportParking breach with information gathered from other breaches.
A data breach could give a cybercriminal a very deep profile of your family's daily activities, and a means of contacting you by phone or email. Cybercriminals use this type of information to conduct targeted scams that include fake emails or phone calls from work, schools, or merchants, and that include personal details, such as the date of your last visit, to enhance their credibility. Such scams, usually focused on financial fraud or identity theft, are the least harmful criminal activities that could be enabled by a breach of real-time 24x7 location data.
What PassportParking Should Do
Information about you may be used solely as strictly necessary to provide the parking services to you. [2]
Real-time location data collected by the ParkRTC app will never leave your phone, unless your phone is likely within the boundaries of the Reston Town Center. [3]
Real-time location data collected by the ParkRTC app within the Reston Town Center will only leave your phone as strictly necessary to provide the parking services to you, and all real-time location data collected about you by PassportParking will be deleted as soon as is reasonably possible. [4]
PassportParking shall not retain any information about you for any longer period of time than is reasonably necessary to provide the parking services to you.
Information about you includes all information you provide to PassportParking and all information they automatically collect about you, including without limitation all information they collect through your use of the PassportParking app, their website, or the parking services.
Aggregated information means information that (i) does not consist of any information about you individually; (ii) is the result of mathematically combining data or computing statistics about groups of users, where such groups are of sufficient size that said mathematical or statistical computation effectively anonymizes all information about each individual in the group; and (iii) cannot be de-aggregated or de-anonymized either by itself or in combination with other data in the possession of a third party.
What You Should Do
Regardless of how you feel on this subject, if you are using an Apple iPhone or iPad, you should probably change your iOS privacy settings to help avoid potential privacy or security problems with real-time location data collected by the ParkRTC app. Under Settings > Privacy > Location Services, change the setting for ParkRTC to While Using the App.
If you have privacy or security concerns related either to parking in the Reston Town Center or to using the ParkRTC app, you can address them to the Reston Town Center (Twitter, Facebook, email) or PassportParking (Twitter, Facebook, email).
[2] PassportParking probably also wants to use information about you to improve the parking services, the app, and their website. This can be done using anonymized data, subject to a suitable definition.
[3] Seriously, why does Passport Parking need to know where you are, if you aren't in the Reston Town Center?
[4] Guiding you to parking spaces and validating parking can reasonably be done without your location leaving your phone. Even if there's a legitimate reason for PassportParking to have your current location while you are in the Reston Town Center, I can't think of any reason why information about your location can't be discarded once the associated parking services transaction is complete or it is reasonably obvious that there is no associated parking services transaction.