TfL Customer API
Request ID: FOI-2035-1920
Date published: 04 November 2019
You asked
Please could you supply all documentation on the TfL Customer API.
This will include any documents detailing any and all API calls along with their relevant parameters.
We answered
TfL Ref: FOI-2035-1920
Thank you for your email received by Transport for London (TfL) on 5 October 2019.
Your request has been considered in accordance with the requirements of the Freedom of Information Act and our information access policy. I can confirm we hold some of the information you require. You asked:
Please could you supply all documentation on the TfL Customer API.
This will include any documents detailing any and all API calls along with their relevant parameters.
We have an API developer guide which was produced for the developer of the TfL Oyster and contactless app. However we consider that the disclosure of this information would assist a third party to mount an attack and therefore would be exempt under Section 24(1) - National Security and section 31(1) - Prevention and detection of crime. Release of information under the Freedom of Information Act is a release to the public at large. Therefore TfL must consider how any potential recipient of the information might use it, rather than make assumptions about the intentions of the individual making the request.
In this instance the exemptions apply as release of this information could either open us up for direct cyber attack on the API or allow developers, with the appropriate skills, to create their own mobile app for Oyster for either public or malicious use. Information on how to utilise the API could be used to consider and mount a cyber attack with more information and ease. The document includes all of the details that would allow someone to do either of these things.
The London transport system is a critical piece of national infrastructure and as such we employ rigorous safeguards to protect it from cyber attack. Like other organisations we are subject to regular attempted cyber attacks. These attacks are unlawful under the Computer Misuse Act, and whilst the motive is not always apparent, we are aware of the risk to critical national infrastructure that may result from a successful attack.
We consider that releasing the API developer document would be likely to prejudice our efforts to prevent and detect future attacks and undermine our ability to safeguard TfL’s information systems.
The use of these exemptions is subject to an assessment of the public interest in relation to the disclosure of the information concerned. We recognise the need for openness and transparency by public authorities, but in this instance we consider that there is greater public interest in safeguarding our information systems and protecting the integrity of the London transport network.
If this is not the information you are looking for, or if you are unable to access it for some reason, please do not hesitate to contact me.
Please see the attached information sheet for details of your right to appeal as well as information on copyright and what to do if you would like to re-use any of the information we have disclosed.
Yours sincerely
Eva Hextall
FOI Case Officer
FOI Case Management Team
General Counsel
Transport for London