Locational Privacy

Andrew Blumberg and Peter Eckersley are right to be concerned about your privacy. They are wrong that GNSS-based road tolling systems naturally invade your privacy. They don't need to. In most countries, they won't be allowed to.

My reply to their concerns:

I agree absolutely that privacy, and specifically locational privacy should be guarded. ... In the EU (one of the regions that constrain our [GNSS-road-tollling system] designs), location data is generally not allowed to leave a vehicle in the case of the private automobile (not so for commercial vehicles – yet). This problem is easily solved by moving price map segments to the vehicle and calculating usage fees (based on time, location and place) inside the vehicle. In one extreme, what comes out of the vehicle is an encrypted message that effectively lists the road authorities to whom money is owed and how much – never when or where the vehicle used their infrastructure. In some jurisdictions, we are not permitted to re-use location data, in some we can build aggregate O-D maps as long as we destroy end point data that could be used for inferencing location.

However, even with these constraints a person living in Pennsylvania who takes a trip into New York might have on their bill, which is discoverable, a line that says they paid money to a New York road authority. Even if the bill does not disclose where or when the vehicle visited New York, it is still evident New York was visited. If this is a problem, do what is done in Singapore – pay in the vehicle with a smart card. All that remains to do in that case is to tell an enforcement authority that that vehicle has paid it’s bill, and no one needs to know it ever visited New York. Location data in the telematics memory can be deleted immediately on payment, and if the user has a prepaid account the location data can be deleted ongoingly, just like your Garmin forgot where you were a few seconds ago.

I submit that autonomous, self enforcing, satellite-based systems that pay privately and do NOT permit location data to escape, are most private – there is NO need to track vehicles for the purpose of road taxation any more than I should be tracked because I have a Garmin NUVI on my windshield. Tolling systems using license plates, RFID, DSRC are less private than properly designed GPS-based systems. It is these systems that we should watch, as well as the privacy design components of satellite-based systems.