The MTA is busily updating its turnstiles with new readers for its tap-to-pay fare system. Slated to replace the MetroCard entirely by 2023, One Metro New York (OMNY) has been touted as a way to make paying for transit faster and easier, but a privacy watchdog is sounding an alarm: It’s a system that’s rife with security vulnerabilities and ripe for exploitation.

“Given how often government agencies, including the New York Police Department, have abused surveillance data to target ethnic and religious minorities and how for-profit corporations face overwhelming pressure to monetize user data, OMNY has the potential to expose millions of transit users to troubling repercussions,” states the Surveillance Technology Oversight Project (STOP), a non-profit advocacy organization fighting to end discriminatory surveillance, in its “OMNY Surveillance Oh My” report.

In a gradual transition away from printing 40 million MetroCards a year, the MTA introduced the tap-to-pay system earlier this year with the goal of making it easier for riders to pay fares across different modes of transit by directly linking a credit or debit card to an OMNY account. When riders tap their contactless credit or debit cards, or smartphones with digital wallets, like Apple Pay or Samsung Pay, against a reader, the MTA authenticates the form of payment and automatically deducts the cost of a ride. Riders who prefer to pay cash will still be able to do so: in 2021 the MTA will start selling reloadable contactless cards at vending machines, bodegas, and other outlets where you’d expect to find MetroCards.

The modes of transit under the MTA umbrella still use different systems to collect fares from riders, which causes friction when transferring between the New York City Transit subways or buses, the Long Island Railroad, and Metro-North. Long lines at vending machines and bottlenecks due to incorrectly swiped MetroCards are common, and the MTA sees OMNY—which is developed by the San Diego-based company Cubic Transportation Systems—as a solution for those problems. However, the supposed convenience of new technology comes with its own set of problems with regard to tracking and storing user data.

OMNY tracks where users enter the transportation system. Paired with what STOP characterizes as a weak and ambiguous privacy policy, this presents potential opportunities for misuse of personal information. For example, while users who register for an account will be able to access their ride history for 90 days—OMNY lets users without an account access their trip data for seven days by entering their credit card number—the OMNY privacy policy doesn’t specify how long the MTA will retain their data. (The MTA also collects trip data from MetroCards, and trips can be connected to specific riders if they purchase one with a debit or credit card; that information can be subpoenaed.)

STOP’s report outlines reasons why OMNY’s policies, and the MTA’s promises, are insufficient:

Although MTA officials have promised to keep rider data secure and safe, the Privacy Policy is deficient in several regards: (i) the Policy is only available online, even though it governs real-world usage of the system by riders who may not have access to the Policy before unknowingly sharing their data; (ii) the Policy puts no limitations on the ability of the MTA and Cubic to collect highly sensitive data about riders; (iii) the Policy permits the MTA and Cubic to store the data indefinitely; and (iv) the Policy allows a wide range of uses for the collected data, including sharing with government agencies other than the MTA.

STOP also points out that much of OMNY’s privacy policy includes non-limiting language—phrases like “may include” and “without limitation”—making it difficult for users to know exactly what information of theirs is being tracked and how it’s being used. OMNY anonymizes trip data and discloses that it plans to use it to inform service improvements and better understand how riders use the MTA. However, even when data is anonymized, research has shown that it is never totally anonymous; it’s relatively easy for programmers to connect all the “anonymous” data people create to the individuals who created it.

“The MTA takes privacy and data security seriously,” an MTA spokesperson told Curbed by email in response to a request for comment on STOP’s report. “Under OMNY, user data is completely anonymized so the MTA never knows who is connected to a particular tap for any purpose relating to data analysis. We utilize end-to-end encryption technology with other measures to ensure maximum security, and we never sell data to third parties.”

As with many private companies and governments, data and information gathering practices in New York City are very opaque. It’s not known how different city agencies collect, share, and use data. While the MTA says it doesn’t sell any of its data, we do know that MTA security cameras, for example, feed into the NYPD’s Domain Awareness System—a counterterrorism product developed with Microsoft—giving law enforcement access to live feeds throughout the city. The NYPD entered into a partnership with IBM, and the software company ended up using that data to develop a facial recognition product that can track people by skin tone—a clear racial profiling and civil liberties issue.

“Given the NYPD’s history of discrimination, gaining access to OMNY—yet another round-the-clock tracking tool—would undoubtedly mean that New Yorkers of color, immigrants, and other minority groups would be disproportionately targeted,” the report states.

The concern about this unknown data sharing between different levels of government and private companies comes into sharp relief when considering the political context of our time: ICE is gaining access to this data to target immigrants for raids, even in sanctuary cities and states.

The unintended consequences of collecting data recently became a concern for immigrants with respect to IDNYC, a city-issued identification card that was intended to help undocumented immigrants. Many people who registered for IDNYC were concerned about what could happen if the Trump administration gained access to the documents used to verify identity, like passports from another country. Initial drafts of legislation for IDNYC included a clause stating that the city would not retain any documentation used to obtain a card, but that language—which was intended to protect privacy—changed by the time the program launched to much softer terms that allowed the city to keep or destroy the data.

OMNY presents a similar dilemma: What happens if the data gets into the wrong hands? More stringent policies about data could better protect users’ privacy and prevent the information being used for discriminatory surveillance. This isn’t an OMNY-specific challenge either. American policy regarding privacy protections for technology consumers is very weak.

“OMNY has the potential to increase the convenience of some transit users’ commutes, but it comes at a steep privacy price,” STOP’s report warns. “A simple bus or subway ride shouldn’t cost us our civil rights.”

This story has been updated to include a statement from the MTA.