Using Hamilton's parking app could send your personal data into the U.S.

Hamilton’s new Passport Parking app can save residents from digging into their pockets for change, but at what expense to your privacy? Experts weigh in on the new app.

The city said the app doesn't collect enough info that it feels would put users at risk

The city has launched a new parking app that privacy experts say could compromise the privacy of residents who use it. (Dan Taekema/CBC)

Privacy experts are raising some concerns about a parking app released by the city Hamilton in July.

The wording of its privacy policy allows users' data to be stored to other countries, with different privacy laws and fewer protections.

The city launched the Passport Parking app to help locals "pay-by-phone" instead of waste time digging around for loose change.

But the privacy policy is worrying for Ann Cavoukian, a former Ontario privacy commissioner.

"It's a joke … most apps are very privacy invasive and this one, I'm going to suggest, is no different."

Despite multiple requests for comment, Passport Parking declined to answer any specific questions, but said it was "committed to complying with all applicable data protection and privacy laws."

The city also said the app raised no major red flags and that residents shouldn't be concerned.

But the app is another example of modern technology simplifying daily routines at the expense of personal information.

Broad wording in privacy policy

Amanda McIlveen, manager of Hamilton's parking operations, said the app collects "basic" data with consent including:

  • A phone number.
  • A full name.
  • A licence plate number.
  • Credit card information.

The app can also collect a user's geolocation if they allow it, and social media information if someone interacts with the company through platforms like Facebook and Twitter.

McIlveen said the city only knows when and where someone parks, the licence plate number of the car in the spot and how much someone paid to park.

"We don't know who our users are," she said.

She added that the city introduced the app to try and help Hamilton catch up to other cities in terms of its technology without compromising residents' personal data.

Karen Louise Smith, an assistant professor in Brock University's communications, popular culture and film studies program, told CBC the wording in the policy suggests the American parent company, Passport Labs, Inc., is trying to integrate information across its apps and business.

"It's important to be aware the company develops a number of kinds of systems — things like parking, paying for parking, paying for transit — and are looking to use that data in various ways," she explained.

"They make it very clear that your parking information and where you are might get shared with Google, potentially with other in-dash apps, music streamers and other potential partners they have."

The privacy policy notes it does not allow third-party tracking and does not sell data (though the company also said it can't control all third-party tracking).

Smith also said that although the policy is fairly standard and honest, it features some broad wording because it applies to all of the company's apps.

One example is that Passport says it may collect data about users' insurers.

"That's one piece of information I don't think is necessarily needed to pay for parking. Government doesn't need to know who your insurer is when you put money into a parking meter," Smith said.

McIlveen said that part of the policy isn't applicable to the parking app.

She also noted that the city doesn't use any other services from Passport, which reduces the scope of the policy.

User data can be stored outside Canada

But the privacy policy has no limitation on where Canadian user data can end up.

"It suggests data can be transferred to the U.S. and that has been a very sensitive issue in many cases because Canadian privacy law is strong and stronger in some cases than U.S. law," Smith explained.

"I am surprised to see that it's a possibility. It's not clear why someone in the U.S. needs to know if I'm parking next to the Collective Arts Brewery."

Some of the data used with the city's parking app will end up south of the border. (Carlos Osorio/Reuters)

McIlveen said while data may end up in the U.S., it didn't raise a red flag for her. She also said the city has an agreement with the company that it cannot move credit card information south of the border.

She emphasized the company is PCI compliant, which means it does not store credit card information along with the rest of personal data. It has a separate, fully encrypted server which McIlveen said means not even Passport can see the entire credit card number.

"It is not collecting any substantial data from users that I feel would put them at risk," McIlveen said.

No privacy impact assessment

One factor both Smith and Cavoukian said would be important is whether the city underwent a Privacy Impact Assessment (PIA) on the app.

McIlveen confirms that didn't happen because it "wasn't required."

She notes the app met the requirements from the city's own information technology committees and risk assessment.

"I also think we're not the first municipality to adopt Passport. Kitchener, Windsor, Sault Ste. Marie and Toronto all have either the Passport app or back-end interface," McIlveen said.

"We weren't aware of any of those municipalities doing PIAs."

She added that all of Passport's data sharing complies with Canadian law and that the legal agreement with the city forces the company to immediately notify Hamilton of any breaches.

Do you feel like you are being stalked across the internet by an ad? It keeps popping up on your browser and creeping into your social media feeds. This month, the founder of one search engine is asking U-S policymakers to enact do-not-track legislation. It's not exactly what you'd expect from an internet company and their CEO. Tech columnist Manjula Selvarajah takes a look. 4:01

Smith and Cavoukian also both expressed concern that the company does not respond to "Do-Not-Track" signals.

"I am concerned that it's acceptable for companies to state publicly that they're not respecting those user preferences like 'Do-Not-Track' and the kinds of privacy protections that people have designed to get users and citizens more power," Smith said.

"I find it troubling stating you're not adhering to those as part of a normal privacy policy now."

She adds that it's up to the government to try and protect citizens' privacy online.

That being said, Smith thinks it's practical to use the apps.

"It's hard not to use," she said.

Cavoukian warns anyone using the app should "proceed with caution."

"They're saying we have the authority to do a bunch of things, some of which are true, but saying we're not liable for anything is ridiculous," she said of the app.

"Feel free to use the app as long as you realize your personal information may be captured and the time at which you were here and used it, all of that could possibly be made publicly available."

About the Author

Bobby Hristova


Bobby Hristova is a reporter/editor with CBC Hamilton. Email: bobby.hristova@cbc.ca


To encourage thoughtful and respectful conversations, first and last names will appear with each submission to CBC/Radio-Canada's online communities (except in children and youth-oriented communities). Pseudonyms will no longer be permitted.

By submitting a comment, you accept that CBC has the right to reproduce and publish that comment in whole or in part, in any manner CBC chooses. Please note that CBC does not endorse the opinions expressed in comments. Comments on this story are moderated according to our Submission Guidelines. Comments are welcome while open. We reserve the right to close comments at any time.