Reston Town Center: Paid Parking, Privacy, and Data Security

Update 9/7/16: Multiple sources are reporting that the Reston Town Center has postponed the implementation of paid parking until January 2017.


On September 12, the Reston Town Center will start charging for parking Monday through Friday, other than on holidays and during premier events, and according to the Reston Town Center, the ParkRTC app will be the easiest way to pay for parking. However, the ParkRTC app collects sensitive, personal information, and like me, you may have concerns about the information the ParkRTC app collects and how that information can be used by PassportParking, Inc., the company to which the Reston Town Center appears to have outsourced its paid parking services. Despite protestations by the Reston Town Center to the contrary, PassportParking appears to have the right to use your information in practically any way it wants and to disclose your personal information to any company with whom it does business.

Data Collected by ParkRTC

To use the ParkRTC app, you must enter your phone number or email address, your credit card number, its expiration date, and your license plate number. On an iPhone, the iOS version of the ParkRTC app wants you to allow location services, so that you can "park faster, avoid tickets, and get free parking", implying that location services are required for parking validation. If you allow location services from within the app, ParkRTC will be able to track your location at all times, even when you aren't using the app. The Android version of the ParkRTC app is worse; ParkRTC wants access to your accounts, contacts, location, and phone status, the ability to make phone calls, and permission to read, modify, or delete your photos, media, and files.

Privacy and Security

I'm not the first one to voice concerns about the privacy and security of the data collected by the ParkRTC app. Comments from others prompted the Reston Town Center to post this on Facebook:

- What steps are being taken to ensure the security of my personal and credit card information?

The security of our users' information is critically important to both Passport Inc and RTC, and we take our responsibility to protect that information very seriously. Passport conducts regular audits of their information security systems to ensure that there are no vulnerabilities. Passport also holds compliance with PCI DSS Level 1 certification-- the most stringent data security framework administered by the PCI Security Standards Council. You can verify Passport's ongoing compliance with this standard by checking the Visa or Mastercard Merchant Registries.

- Will my information ever be sold or distributed to a third party?

No, Passport Parking will never sell or distribute ParkRTC user information to third parties.

There are a few problems with that.

  1. PCI DSS only applies to your credit card information. It is a payment card industry (PCI) security standard set by the PCI Security Standards Council.

  2. PCI DSS Level 1 merchants and payment processing companies still suffer data breaches. Examples include Target and The Home Depot. Despite The Reston Town Center's naive statement to the contrary, conducting regular security audits does not ensure that there are no vulnerabilities.

  3. The ParkRTC app is published by PassportParking. Your agreement regarding privacy and security is with PassportParking, not the Reston Town Center. No statement by the Reston Town Center is binding on PassportParking.

If you really want to know what assurances you have with regard to privacy and security, you should look to PassportParking's privacy policy.

The Privacy Policy

The PassportParking privacy policy (available here and here) contains a long list of information they may collect about you. The most worrisome of those appear to be phone number, email address, license plate number, transaction details, real-time location data, and mobile device ID. The privacy policy also contains a long explanation of how PassportParking can use or disclose your information. Unfortunately, nothing in the privacy policy places practical limits on how PassportParking can use your information or to whom they can disclose your personal information. Stripped of muddying provisions, here's what the privacy policy says (emphasis mine):

We use information that we collect about you or that you provide to us, including any personal information ... as ... permitted by law. ... we may disclose personal information that we collect or you provide ... [to] third parties we use to support our business.

Essentially, then, PassportParking can do anything they want with your information, as long as they neither break the law nor disclose your personal information to a third party that has nothing to do with PassportParking's business. Legally, any third party with whom PassportParking interacts for a business purpose, including all of its vendors and any company with whom PassportParking finds it commercially useful to exchange information, supports PassportParking's business, and nothing restricts the meaning of the word business to parking services.

Given the Reston Town Center's touting of PassportParking's PCI DSS Level 1 status and its assertion that PassportParking's regular audits ensure there are no vulnerabilities, you might also want to take note of this language in the privacy policy:

We cannot promise that your information will remain secure.

I don't blame PassportParking for that statement. It's the only rational thing they can say. There are no secure data systems, only those that haven't been breached yet and those whose breach hasn't been made public yet.

Finally, although this need not be problematic, you should note the following:

We may disclose aggregated information about our users without restriction.

Whether disclosure of aggregated information creates privacy or security concerns depends entirely on what aggregated means and how the data is aggregated. For example, aggregated can mean that PassportParking has bundled all of its users' information together, but done nothing to anonymize the data pertaining to any individual, although I don't think that's the meaning PassportParking intended when they drafted the privacy policy. Nonetheless, even when steps are taken to anonymize data, the data can often be de-anonymized.

And, in case PassportParking decides they need to change the privacy policy[1]:

We may update our privacy policy from time to time. If we make material changes to how we treat our users’ personal information, we will post the new privacy policy on this page.

So, as you continue to park in the Reston Town Center and use the ParkRTC app, you are expected to periodically go back to the privacy policy webpage and make sure the policy hasn't changed.

Data Potentially Exposed by a Data Breach

Setting aside what PassportParking might be permitted to do with your information, an equally important consideration is what cybercriminals might be able to do with your information in the event of a data breach at PassportParking. Criminals might obtain:

  • A history of your real-time location data, which given that the ParkRTC app by default collects your phone's location at all times, even when you aren't using the app, could be used to identify your commuting route and the addresses of your home, your place of work, your children's daycare center, your children's school, your doctors, and your favorite stores and restaurants.

  • Your transaction data, which probably includes the merchant, date, and time of every parking validation you've been given.

  • Your phone number and email address, which can be used to contact you directly with scams and which can be used to link information obtained from a PassportParking breach with information gathered from other breaches.

A data breach could give a cybercriminal a very deep profile of your family's daily activities, and a means of contacting you by phone or email. Cybercriminals use this type of information to conduct targeted scams that include fake emails or phone calls from work, schools, or merchants, and that include personal details, such as the date of your last visit, to enhance their credibility. Such scams, usually focused on financial fraud or identity theft, are the least harmful criminal activities that could be enabled by a breach of real-time 24x7 location data.

What PassportParking Should Do

At a minimum, PassportParking should have a privacy policy that better protects your privacy and that obligates them to notify you effectively of changes to the policy. The privacy policy should also require implementation of one of the basic tenets of information security: keep as little information as possible for as short a time as possible. Cybercriminals can't steal what PassportParking doesn't have.

Accordingly, PassportParking should change the privacy policy so that:

  1. Information about you may be used solely as strictly necessary to provide the parking services to you.[2]

  2. Information about you may only be disclosed to third parties who both (i) need to know the information to provide the parking services to you; and (ii) are bound by non-use, non-disclosure, and destruction obligations no less stringent than those in the privacy policy.

  3. Real-time location data collected by the ParkRTC app will never leave your phone, unless your phone is likely within the boundaries of the Reston Town Center.[3]

  4. Real-time location data collected by the ParkRTC app within the Reston Town Center will only leave your phone as strictly necessary to provide the parking services to you, and all real-time location data collected about you by PassportParking will be deleted as soon as is reasonably possible.[4]

  5. PassportParking shall not retain any information about you for any longer period of time than is reasonably necessary to provide the parking services to you.

  6. Information about you includes all information you provide to PassportParking and all information they automatically collect about you, including without limitation all information they collect through your use of the PassportParking app, their website, or the parking services.

  7. Aggregated information means information that (i) does not consist of any information about you individually; (ii) is the result of mathematically combining data or computing statistics about groups of users, where such groups are of sufficient size that said mathematical or statistical computation effectively anonymizes all information about each individual in the group; and (iii) cannot be de-aggregated or de-anonymized either by itself or in combination with other data in the possession of a third party.

  8. If PassportParking changes the privacy policy, you will be notified of the changes and given an opportunity to review those changes, when you next use the ParkRTC app, and the app will not collect any additional information about you until you acknowledge the notification.
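
Part (ii) of the aggregation definition in item 7 can be enforced mechanically before anything is released. The Python sketch below is an added example, not PassportParking's code or anything taken from its privacy policy; the record layout, the sample data, and the minimum group size of 5 are assumptions made for illustration.

```python
from collections import defaultdict

K_MIN = 5  # assumed minimum number of distinct users per released group

# Constructed sample validations: (user_id, merchant, hour_of_day).
RECORDS = (
    [(f"u{i}", "cafe", 12) for i in range(1, 7)]        # six different users
    + [("u7", "clinic", 9)] * 6                         # one user, six visits
    + [(f"u{i}", "bookshop", 18) for i in range(1, 4)]  # three different users
)


def aggregate(records, k_min=K_MIN):
    """Return ({(merchant, hour): distinct_user_count}, suppressed_cell_count).

    Groups are sized by distinct users, not by rows, so a single frequent
    visitor cannot make a group look large enough to publish.
    """
    members = defaultdict(set)
    for user_id, merchant, hour in records:
        members[(merchant, hour)].add(user_id)

    released, suppressed = {}, 0
    for cell, users in members.items():
        if len(users) >= k_min:
            released[cell] = len(users)   # only the count leaves the system
        else:
            suppressed += 1               # too few people: publish nothing
    return released, suppressed


if __name__ == "__main__":
    print(aggregate(RECORDS))
```

A size threshold covers only part (ii) of the definition; part (iii) still requires that successive releases cannot be subtracted from one another or joined with outside data to isolate an individual.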

What You Should Do

Regardless of how you feel on this subject, if you are using an Apple iPhone or iPad, you should probably change your iOS privacy settings to help avoid potential privacy or security problems with real-time location data collected by the ParkRTC app. Under Settings > Privacy > Location Services, change the setting for ParkRTC to While Using the App.

If you have privacy or security concerns related either to parking in the Reston Town Center or to using the ParkRTC app, you can address them to the Reston Town Center (Twitter, Facebook, email) or PassportParking (Twitter, Facebook, email).


@ErrantBullseye #reston #rtc #parkrtc


  1. The wording in this quote is somewhat odd. I wonder whether the provision is drafted as intended. It seems to imply that PassportParking can update their privacy policy without posting the new policy, as long as the changes don't materially affect how they treat your personal information. Personal information includes your name, phone number, mailing address, and email address, but it does not include your license plate number, transaction details, real-time location data, or mobile device ID.

  2. PassportParking probably also wants to use information about you to improve the parking services, the app, and their website. This can be done using anonymized data, subject to a suitable definition.

  3. Seriously, why does Passport Parking need to know where you are, if you aren't in the Reston Town Center?

  4. Guiding you to parking spaces and validating parking can reasonably be done without your location leaving your phone. Even if there's a legitimate reason for PassportParking to have your current location while you are in the Reston Town Center, I can't think of any reason why information about your location can't be discarded once the associated parking services transaction is complete or it is reasonably obvious that there is no associated parking services transaction.