Using Hamilton's parking app could send your personal data into the U.S.
The city said the app doesn't collect enough info that it feels would put users at risk
Privacy experts are raising some concerns about a parking app released by the city Hamilton in July.
The city launched the Passport Parking app to help locals "pay-by-phone" instead of waste time digging around for loose change.
"It's a joke … most apps are very privacy invasive and this one, I'm going to suggest, is no different."
Despite multiple requests for comment, Passport Parking declined to answer any specific questions, but said it was "committed to complying with all applicable data protection and privacy laws."
The city also said the app raised no major red flags and that residents shouldn't be concerned.
But the app is another example of modern technology simplifying daily routines at the expense of personal information.
Amanda McIlveen, manager of Hamilton's parking operations, said the app collects "basic" data with consent including:
- A phone number.
- A full name.
- A licence plate number.
- Credit card information.
The app can also collect a user's geolocation if they allow it, and social media information if someone interacts with the company through platforms like Facebook and Twitter.
McIlveen said the city only knows when and where someone parks, the licence plate number of the car in the spot and how much someone paid to park.
"We don't know who our users are," she said.
She added that the city introduced the app to try and help Hamilton catch up to other cities in terms of its technology without compromising residents' personal data.
Karen Louise Smith, an assistant professor in Brock University's communications, popular culture and film studies program, told CBC the wording in the policy suggests the American parent company, Passport Labs, Inc., is trying to integrate information across its apps and business.
"It's important to be aware the company develops a number of kinds of systems — things like parking, paying for parking, paying for transit — and are looking to use that data in various ways," she explained.
"They make it very clear that your parking information and where you are might get shared with Google, potentially with other in-dash apps, music streamers and other potential partners they have."
Smith also said that although the policy is fairly standard and honest, it features some broad wording because it applies to all of the company's apps.
One example is that Passport says it may collect data about users' insurers.
"That's one piece of information I don't think is necessarily needed to pay for parking. Government doesn't need to know who your insurer is when you put money into a parking meter," Smith said.
McIlveen said that part of the policy isn't applicable to the parking app.
She also noted that the city doesn't use any other services from Passport, which reduces the scope of the policy.
User data can be stored outside Canada
"It suggests data can be transferred to the U.S. and that has been a very sensitive issue in many cases because Canadian privacy law is strong and stronger in some cases than U.S. law," Smith explained.
"I am surprised to see that it's a possibility. It's not clear why someone in the U.S. needs to know if I'm parking next to the Collective Arts Brewery."
McIlveen said while data may end up in the U.S., it didn't raise a red flag for her. She also said the city has an agreement with the company that it cannot move credit card information south of the border.
She emphasized the company is PCI compliant, which means it does not store credit card information along with the rest of personal data. It has a separate, fully encrypted server which McIlveen said means not even Passport can see the entire credit card number.
"It is not collecting any substantial data from users that I feel would put them at risk," McIlveen said.
No privacy impact assessment
One factor both Smith and Cavoukian said would be important is whether the city underwent a Privacy Impact Assessment (PIA) on the app.
McIlveen confirms that didn't happen because it "wasn't required."
She notes the app met the requirements from the city's own information technology committees and risk assessment.
"I also think we're not the first municipality to adopt Passport. Kitchener, Windsor, Sault Ste. Marie and Toronto all have either the Passport app or back-end interface," McIlveen said.
"We weren't aware of any of those municipalities doing PIAs."
She added that all of Passport's data sharing complies with Canadian law and that the legal agreement with the city forces the company to immediately notify Hamilton of any breaches.
Smith and Cavoukian also both expressed concern that the company does not respond to "Do-Not-Track" signals.
"I am concerned that it's acceptable for companies to state publicly that they're not respecting those user preferences like 'Do-Not-Track' and the kinds of privacy protections that people have designed to get users and citizens more power," Smith said.
She adds that it's up to the government to try and protect citizens' privacy online.
That being said, Smith thinks it's practical to use the apps.
"It's hard not to use," she said.
Cavoukian warns anyone using the app should "proceed with caution."
"They're saying we have the authority to do a bunch of things, some of which are true, but saying we're not liable for anything is ridiculous," she said of the app.
"Feel free to use the app as long as you realize your personal information may be captured and the time at which you were here and used it, all of that could possibly be made publicly available."