A hacker called Puking Monkey twiddled his E-ZPass to make it turn on an LED and moo whenever it was read and found it was being read in many unexpected places, and not just at toll booths.
Turns out the NY Department of Transportation runs a program called Midtown in Motion, which accesses E-ZPasses in midtown New York City for traffic analysis:
TransCore, a company that makes the RFID readers that New York is using to pick up on E-ZPasses, was more forthcoming. A 2013 case study from the company notes that the $50 million project to improve traffic congestion in New York also involved the installation of a network of traffic microwave sensors, and has been successful enough that the city plans to expand it another 270 blocks.
“The tag ID is scrambled to make it anonymous. The scrambled ID is held in dynamic memory for several minutes to compare with other sightings from other readers strategically placed for the purpose of measuring travel times which are then averaged to develop an understanding of traffic conditions,” says TransCore spokesperson Barbara Catlin by email. “Travel times are used to estimate average speeds for general traveler information and performance metrics. Tag sightings (reads) age off the system after several minutes or after they are paired and are not stored because they are of no value. Hence the system cannot identify the tag user and does not keep any record of the tag sightings.”
In other words, reading of the E-ZPasses won’t be very useful for uniquely tracking you or your speed, but it’s a reminder once again that if you accept some kind of tracking device, it may be used in ways you wouldn’t expect.
As for blocking that tracking, if you’re not excited about it, Puking Monkey recommends that you “bag the tag, and only bring it out when you want to pay a toll.” Most tags come with a “Faraday cage” type bag through which it can’t be read.
The unsettling aspect of this is that no one thought to inform us, and the state of NY believes it’s legal and ethical to do this. What we have learned is that ultimately, any means to snoop on us will be exploited by governments and they will subsequently a/ lie about it, and if caught lying, the will b/ make it legal for them to do it.
Next, they’ll make it illegal to hack your E-ZPass.