Meet Anthony Carbines. He's a politician in Victoria, Australia. Like many politicians, he loves to tweet about public transport.
Endearing and a bit nerdy, right?
Well, as it turns out, it's also a privacy risk.
In 2018, the Victorian government helped publish a huge set of data about passengers using Myki — the state's public transport card — as part of the Melbourne Datathon.
The dataset showed when cards were used to touch on and touch off in Victoria's public transport system between 2015 and 2018. It included more than 15 million cards, and nearly two billion instances of people touching on and off.
The data was "de-identified", meaning the Myki card numbers and the names of their users were not included.
But each card was given an ID, and the publicly released data included the card type, the time its user touched on or off, and location information such as stop IDs.
Using a few of his tweets, researchers figured out which card ID belonged to Carbines, and could therefore track his movements over three years.
The researchers, from Melbourne University, knew that Carbines' electorate office was just down the road from Rosanna railway station.
State parliamentarians have a special type of Myki card. The researchers figured out that only two people with this kind of card had visited Rosanna train station. One had only been there once, but the other frequently commuted between Rosanna and the city.
To confirm this card belonged to Carbines (and with his consent), they looked up his tweets, by searching his handle and the word "train". They found 18 — and all of them matched a record in the dataset.
"It is overwhelmingly unlikely that this is a coincidental resemblance to a different person," they wrote in a new research paper about the experiment.
The deputy secretary of Victoria's transport department, Jeroen Weimar, said in a statement that the department was already implementing recommendations made by the state's information commissioner about the issue.
"We take the privacy of Victorians very seriously," Weimar said. "Careful sharing of data makes an important contribution to how we improve transport services for all Victorians — it's vital we continue to update our privacy protections."
The department is also developing a new privacy and research ethics framework, which will be reviewed by the commissioner.
The researchers were also able to identify their own movements, along with a man who had travelled with lead researcher Chris Culnane on one occasion.
They are now warning that even "anonymised data" raises privacy, safety and security issues, and argue most Myki users in the dataset could be identified from just a few touch on or touch off events.
"It is clear that this particular data should never have been released in the form it was released in," the researchers wrote in their paper.
"It's easy to imagine how information like this could be used by people who might want to cause harm," Culnane said in a statement.
BuzzFeed News contacted Carbines for comment, but he was not immediately available.