NPR Berlin reported today that Berlin’s public transportation authority, the BVG, launched the Touch&Travel program [de] earlier this month, which allows Vodafone and Telekom customers to use an Android phone or an iPhone to pay for their transport tickets. Participants “check in” while boarding, and confirm their location either through continuous GPS data directly from their phones, or by scanning a QR code at the end points of their trip.

From a privacy perspective, this system stands in stark contrast to the current standard procedure in Berlin. As with nearly all German municipal rail, Berlin subways and buses operate on a proof-of-payment system: tickets are required while on board, but are only very occasionally checked.

Apparently, such proof-of-payment systems rose to popularity because of German labor shortages in the 1960s, but they also happen to be extremely respectful of rider privacy . Because travel and location data is never even collected, there’s no chance of it being cross-referenced against other data sets, given to the government, or sold to corporations. Though tickets may be traced to a buyer’s credit card, their actual use is not tracked, and riders may also pay cash with no penalty, preserving anonymity.

Berlin’s recently launched pilot program has none of these advantages. First, there’s the issue of anonymity: even taking the BVG and Deutsche Bahn at face value that the user data will be “scrubbed” and saved anonymously for only six months — a dubious proposition given the tempting law enforcement and ridership research opportunities of slipping from that stance — there is a huge and growing body of scholarship covering the possibilities of de-anonymizing large data sets. AOL search queries, Netflix movie ratings, even US Census data have effectively received the de-anonymization treatment.

There’s also the general question of locational privacy: individuals should have the “ability to move in public space with the expectation that … their location will not be systematically” recorded. That definition is at odds with the premise of the Touch&Travel program, which is basically consent to systematic tracking in exchange for a more convenient ticket purchase process.

Obviously that convenience is nice, and you only need to experience once the feeling of seeing your train pull away while you’re waiting for your ticket to print to understand the temptation of such a trade. And it’s true that there are occasionally positive outcomes of large-scale surveillance programs — New York City’s MetroCard data has been used in both legitimate alibis and criminal convictions, and even critics acknowledge that there are a small number of crimes that London’s CCTV system has helped solve. I won’t argue that there are no advantages to such a system, but that they’re outweighed by more subtle and incremental disadvantages. The loss of privacy and anonymity carries a real cost, even if it’s not one that’s immediately tangible.

Berlin’s public transportation system is currently one of the best imaginable in terms of privacy, and implementing a system that strips those benefits away is irresponsible and short-sighted. Further, privacy is a hard thing to introduce into a developed system; Berlin should reject any new solution that doesn’t make adequate consideration of privacy in its basic design, even if it’s a promised eventual addition.

Being mindful of privacy doesn’t require foregoing an update to ticket-buying infrastructure, either. There are cryptographic techniques for validating credentials anonymously that, while complex and occasionally difficult to understand, can be used to address the current pain points while still preserving privacy and anonymity. A system built with those techniques might not be as straightforward to develop and deploy, but would be invaluable to the people living in and visiting Berlin, and as a model to transportation agencies all over the world.