We’ve gotten used to unlocking our phones using facial recognition, but this technology could soon allow Greater Montreal public transit users to buy their fares. The Autorité régionale de transport métropolitain (ARTM) plans to implement software by the end of 2024 to authenticate users’ identities by their faces, La Presse has learned. The project is already worrying cybersecurity experts.
What you need to know
- ARTM wants to develop facial recognition software to facilitate the purchase of tickets.
- The situation worries cybersecurity experts.
- This all comes at a time of a vast digital transition in public transport.
In a document filed in recent days in the government’s Electronic Tendering System (SEAO), the ARTM says it is studying the possibility of setting up a “digital identity validation solution” to “simplify access to fare products” and avoid physical trips to the counter.
The software would allow a Greater Montreal public transit user “to verify their identity via a facial recognition system using the camera on their smartphone, or their computer if applicable,” thereby speeding up the process of obtaining specific tickets.
To do this, you would need to provide official documents such as a passport, a driving license, a health insurance card, or even a birth certificate or permanent resident card.
For the moment, the software is scheduled to be put into service in the last quarter of 2024. Initially, it would only concern online orders of cards for seniors, who receive price discounts. They also benefit from free travel on the island of Montreal. Until now, these people have had to obtain an OPUS card with photo, fill out a form and go to a service point to validate their identity, which can sometimes be long and arduous.
“The estimated volume of potential users who could benefit from this service in the Montreal Metropolitan Community (MMC) is approximately 160,000 users per year,” the Authority indicates in its call for tenders.
In an email, the organization specifies that its software will eventually be “gradually expanded to other clienteles and digital services.” In short, we understand that in the long term, all public transit users could be invited to follow suit. It is all part of a vast digital transition project estimated at $162 million and which should culminate in 2027 with a multi-mode system using a mobile application bringing together the metro, bus, REM, car sharing, bike sharing, taxi, and even carpooling.
“The current call for tenders aims to acquire a software solution that allows a person’s identity to be validated online quickly and securely. This solution will greatly simplify [eligible] users’ access to price offers, in addition to allowing them to save time,” explains ARTM spokesperson Séléna Champagne.
Could your privacy be at stake?
While he welcomes the intention to simplify processes for users, the coordinator at the UQAM Socio-Digital Media and Gamification Research Laboratory, Jonathan Bonneau, does not hide the fact that he has certain concerns related to the call for tenders.
“It gives the impression that, like many companies, they mainly have in mind to better document and understand the behavior of their customers. And I am not sure that this justifies this type of approach, which can become harmful if it is poorly managed.”
Jonathan Bonneau, coordinator at the UQAM Socio-Digital Media and Gamification Research Laboratory
“We are in a very dangerous invasion of privacy, especially if a third party with bad intentions gains access to this data. We are seeing more and more cases of fraudsters who manage to do it without much experience in programming or IT. It is a real issue, especially among the elderly who are all the more vulnerable,” continues Mr. Bonneau.
Instead, he suggests that the ARTM secure users’ identities using “mechanisms that have already proven their effectiveness, but which verify less important digital data,” such as verifications by sending a code, which digital giants like Google still use to this day.
Also concerned, cybersecurity specialist and lecturer at the University of Sherbrooke Steve Waterhouse supports his colleague. “There is an overexposure of personal information in there that is quite significant. The use that they are going to make of this data must be much better defined, because right now, it scares me a little,” he says.
“I don’t understand, moreover, why the ARTM doesn’t connect with the Government Authentication Service (SAG), which is already in place and works quite well. It’s a bit like they want to reinvent the wheel, in a way. And I find that a shame,” adds Mr. Waterhouse.
Destroyed as soon as they are no longer useful
Aware of the risks, the Authority indicates for its part, in its call for tenders, that the personal data transmitted to the software should not be kept, but rather “destroyed as soon as they are no longer useful”.
In addition, “data including metadata produced by the software […] are the exclusive property of ARTM,” adds the organization, which specifies that this information could therefore not be “transmitted, sold, accessed or exploited by third parties” without its authorization.
The organization also specifies that a “data security strategy” as well as another “cybersecurity incident response strategy” must be defined, documented and then applied by the supplier who will deliver the future software.
As for data hosting, it must be done “in Canada, the United States, the United Kingdom or a country of the European Union,” we learn in the document, which emphasizes that if the information is stored outside Quebec, a privacy impact assessment will be required under the law.