This piece comes courtesy of Joana Varon, Natasha Felizi e Danilo Doneda.

Vast amounts of information is compiled in the different varieties of RioCard, Rio de Janeiro's transportation cards. Citizens use the card to gain access to discounts or integrated fares in the transportation system. RioCard may be used without registering an official account, but in order to create one, it is required that everyone register their name, ID number, and date of birth.

While not mandatory, having an account is an advantage for lower income people, as it allows one to reclaim their credit if they lose the card. Creating an account becomes mandatory if you have transportation discounts for being a student, elderly, or an unemployed person, or if your employer pays for your transportation. In these cases, according to the benefit you are entitled, data from your school (including your degree of education), or your work records (such as occupation, company name, date of admission) would also be collected. And if a student is part of public support programs, his or her family data, such as income, is also required when creating a RioCard account. Biometric data is also collected from elderly passengers. Information regarding transportation routes and travel habits are collected from every user's card, which is  linked to people’s identity, if they have a registered account. With such data, it is straightforward to surmise a person’s patterns, habits, and even home and work locations.  With this data, it may even become possible to predict a person’s actions.

This trend toward integration of more and more services into one central card, is replicated outside of transportation. For example, in preparation for the 2016 Olympics, RioCard announced a partnership with Visa and together launched the RioCardDuo, which allows for users to use their cards for shopping, allowing for a record to be created about people’s spending habits.

But information gathered on transportation system in Rio goes beyond the information stored in RioCard. In 2013, while students were protesting the price of the public transportations, Rio's mayor approved the "Pact for Transparency in Transports". Deploying GPS and cameras was part of the process, and once they were implemented, these cameras got another layer of pervasiveness, as biometric identification through facial recognition was approved for the buses in 2015.

With all this data being compiled on citizens, it would be reasonable to expect that public authorities are careful and transparent to assure that this information will be stored securely. But this is not the case. An investigation from Coding Rights for a project focused on narratives to unveil surveillance in Latin America,  showed that:

a) a majority of data is concentrated in the hands of very few entrepreneurs and a network of agents (labelled by some as "transportations mafia") that have already been the target of investigations due to the lack of transparency in the billing processes;

b) there is no transparency, or proper privacy regulation, to guarantee that the data is being handled with appropriate care.

The discounted transportation fares are a result of "Bilhete Único" public policy, established in 2009. To implement this policy, the State of Rio de Janeiro have granted exclusively to the Federation of Companies for Passenger Transportation of Rio de Janeiro (Fetranspor) for ticketing services of all bus tickets, ferry, subway, and train in Rio de Janeiro. The Federation is also owner of RioCard IT, which is responsible for managing the data collected by ticket cards.

Fetranspor brings together 10 trade unions and gathers around 200 bus companies throughout the state. While it may seem a diverse range of companies, their ownership is concentrated in a very few people and companies, which sometimes are registered as owners, others as partners or directors. As a result, for instance, the businessman Jacob Barata, dubbed in Rio de Janeiro as the "King of Bus", is direct or indirectly owner of approximately 25% of the bus fleet of the city of Rio.

Thus, in addition to the profits generating from Rio’s vast transportation system, this small group also controls swaths of personal information about people who use their services. The investigation from Coding Rights made several FOIA requests to Fetransport and RioCard. Neither company provided substantive answers regarding who has access to the data that is collected, if it is shared for any other purpose than billing, how it are stored, for how long it is retained, and many other details. It is known that the Fetranspor sends reports to the Secretariats for Transportation of the Municipalities and the State of Rio billing data, but there is no further regulation regarding what they can or shall do with all the data that is collected. The scenario gets worse considering that the country has not enacted a Data Protection law, which would properly establish principles and provisions for data management of public data by the private sector.

That remains a dream while the task of trying to find protections spread out across the multiple statutes becomes an increasingly difficult one.

In March 2016, Privacy International launched the State of Surveillance reports – a global effort to benchmark surveillance policies and practices in the countries that are part of the Global Privacy Network, by undertaking collaborative research with our partner organisations. Today, we update that work and expand on it- both topically and geographically- with the ‘State of Privacy’(link to page when created).

 Having already published State of Surveillance reports from partner organisations in Argentina, Chile, Colombia, India, Indonesia, Kenya, Morocco, Pakistan, the Philippines, Thailand, Tunisia and Uganda, we returned to these reports with the updated and expanded survey. We also have the pleasure in bringing in reports from new members of the Network, and now have reports on Brazil, Jordan, Mexico, and South Africa. (links to each of these pages including the ones above in the paragraph).

A new survey of questions was developed, expanding into areas beyond surveillance such as Data protection regulation; Smart Cities; Data breaches; Biometric IDs; Voter registration; SIM card registration, Cybersecurity, Cybercrime, Encryption, Licensing of telecommunications industry; E-governance; Health sector; Smart policing; Transport; Smart cities; Migration; Emergency response; Humanitarian programmes; and Social media.

These reports detail a number of growing trends, many of great concern. But the initiative itself is a positive trend. Around the world, more civil society organisations are standing up and getting involved in more debates about identity, about accountability of technology, about the exploitation of citizens’ data. This is a benchmarking exercise, but it is also a landmark initiative in the breadth and depth of the information that is available around the world courtesy of the next generation of privacy activists.

Growing up with technology while technology is growing up

There are a number of areas that a few years ago would have been considered emerging trends which can now be considered established orthodoxy for some countries. SIM Card Registration has now been established in 11 of the 16 State of Privacy countries (Argentina, Indonesia, Jordan, Kenya, Mexico, Morocco, Pakistan, South Africa, Thailand, Tunisia, Uganda), with two more countries – Chile and Colombia – currently discussing device registration.

When we look at emerging trends, Biometric identity card programmes are operating in 11 of the 16 State of Privacy countries (Argentina, India, Indonesia, Jordan, Kenya, Morocco, Pakistan, South Africa, Thailand, Tunisia, Uganda), with initiatives being discussed Brazil and the Philippines. In addition, “Smart City” initiatives have been launched in India (100 “smart cities” in the country by 2020), Indonesia (Jakarta), Jordan (Amman), Morocco (Casablanca), and the Philippines (Davao City).

That each of these “smart city” adopters are also – save the Philippines – Biometric identity adopters should come as no surprise. These countries have drunk the Kool-Aid on data: that data provides solutions to the social and infrastructural problems these countries face. All they need is more of it coming from more places. Biometric Identity cards were the vessel for that message years ago, it now seems initiatives like “Smart Cities” have become the next vessel.

So, with the increase in data collected about how citizens identify themselves, how they communicate, and how they interact with their city you would expect to see robust protection frameworks in place, right?

Wrong.

9 of the countries in the reports are completely without a comprehensive data protection law, including those countries racing towards innovation in the form of “smart cities”: Indonesia, India, and Jordan.

Well, you may ask, in absence of legal protections, at least if the data is protected at a technical level that should be sufficient….

If only. The ‘State of Privacy’ reports detail data breaches in Brazil, India, Mexico and the Philippines, among others, indicating that collecting data on its citizens appears to be more of a priority to States than securing it. 

Elections and security do not seem to go together these days with this year’s Philippines COMELEC breach of 55 million records of registered Filipino voters. The COMELEC breach was the largest data breach to date, for about a month. In April 2016,  a database containing voter registration records were published online in Mexico, exposing the personal information of 93.4 million Mexican citizens.

Brazil had data of 650,000 patient and public agents from the public health system of Sao Paolo leaked, the data included identification, address, phone number, and even medical information. And India was reported to have suffered 20 breaches in 2015 resulting in 32.1 million records being exposed.

Brave New Worlds

These trends demonstrate the challenges organisations from around the world working to strengthen the right to privacy face with data exploitation. The important point here is that those organisations exist, and Privacy International are able to support those groups working on this topic. This debate cannot just be about the United States or Europe; the majority of the world struggles with these issues. There are challenges – and solutions - out there that risk being muted due to the vaunted challenges faced by stereotypically “rich” or “developed” countries.

Privacy International and the Global Privacy Network will continue to update and expand on the State of Privacy as time passes. The next update will be in the new year. This is necessary as topics evolve so quickly and without warning that to try and present something static will inevitably age badly, and do so very quickly. If you’d like to suggest a country or topic to be included in a ‘State of Privacy’ report, we would love to hear from you at research@privacyinternational.org .

Bit by bit, we continue to build on the work begun years ago, aiming at creating a unique, forward looking resource that will develop over time, whatever those challenges are, and wherever they occur.