Starting in nine days, commuters who pay their skytrain fares with top-up cards must give up their ID card numbers, email addresses and phone numbers to the system’s operator.

Citing a clause in 20-year-old anti-money legislation, the BTS said its so-called Rabbit Cards could be used for illicit financial activities and therefore must be registered. The explanation didn’t fly on social media, where many suspected ulterior motives.

“Starting this Feb. 15, when topping up cash or trips at BTS ticket offices and the Rabbit service center at BTS Siam station, staff will ask for your ID card for registration and verification,” the operator announced online earlier this week.

The statement said phone numbers and email address must also be provided. Foreigners must use their passports for registration. After Feb. 15, topping up without registration will not be possible.

The BTS said the Rabbit Cards, which can also be used for purchases at a number of shops and restaurants, could be used for money laundering. But netizens questioned how that could be feasible as the cards are capped at 4,000 baht.

Other systems are also citing the law to make similar demands, but they seem to be unrestricted debit cards that can be used to purchase anything. Users of TrueMoney Wallet, an online cash platform provided by telecom giant True, must also register their personal information by Feb. 28.

One transparency activist noted it was strange that the BTS was pushing for mass registration as the interim parliament is considering an online privacy bill that could be enacted any time soon.

“This is a pessimistic interpretation, but my life experience taught me not to be optimistic about these kind of issues,” Arthit Suriyawongkul wrote online. “The anti-money laundering act has existed for a long time, but they have never forced any registration prior to this.”

The privacy bill – Thailand’s first such law – will ban any use or transaction of personal information without users’ consent, but will also allow information collected prior to the bill’s enactment to be used “according to the original purposes.”

One comment on Blognone, a tech news site, warned that the personal information of BTS users is at risk under the new policy.

“If someday there’s a data breach of all names and surnames tied to all travel records, I wish you all good luck,” user Lew wrote.

“If [Rabbit Cards] can be used for money laundering, the BTS should issue regular top-up cards that can only be used for the BTS, which do not require any verification, just like food court cash cards,” another user Jonathan_Job wrote.

The exposure of private data is not uncommon in Thailand, where activists say there is little protection for users.

In 2017, the police inadvertabtly made information of 790,000 residents visited by police patrols public on their website. The information included names, full addresses, phone numbers and what they told visiting police officers.

A year later, True Corp. exposed scans of its customers national ID cards, passports and driver’s licenses. The firm later blamed the unsecured storage on “hacks.”

The BTS Skytrain is owned by City Hall which grants a management concession to the Bangkok Mass Transit System Co. Ltd..