Looking Down the Road: Transport Informatics and the New Landscape of Privacy Issues
by Phil Agre
CPSR News Volume 13, Number 3: Fall 1995
Two technologies, computer networking and public-key cryptography, have transformed the landscape of technology-and-privacy issues. This article illustrates the changes and explores their consequences by describing the emerging privacy issues regarding transport informatics, primarily in the United States.
Transport informatics is a European term for the use of information and communication technologies in transportation (Giannopoulos 1993, Hepworth 1992). It encompasses a wide variety of activities whose underlying unity is not always obvious. The largest institutional focus for transport informatics research and development in the United States has been the Intelligent Vehicle-Highway Systems (IVHS) program of the U.S. Department of Transportation (DoT). The industrial partners of the IVHS have recently switched to the more general term intelligent transportation systems (ITS) in order to include a broader range of surface transportation modalities, especially city streets. The ITS program aims to define a common architecture for the many state and private initiatives concerning transport informatics.
Despite its potential for increased efficiency, transport informatics can also lead to significant invasions of privacy through the automated tracking of individual vehicles (Agre and Harbs 1994). This is a matter of considerable concern, since pervasive surveillance of citizens' road travel could chill the freedom of association that is crucial to a democratic society. Most of this article focuses on these issues; the last part of the article places the issues in a larger context by exploring how the privacy movement can best respond to, and take the initiative in, the emerging privacy landscape.
Transport informatics does not refer to any specific technology, nor has it sprung from any single technical breakthrough. It includes a broad range of applications that have become economically feasible as the basic price of computation and communication, especially digital wireless, has dropped. Working groups invested considerable effort in the late 1980s and early 1990s identifying and classifying the potential applications: commercial logistics, regulatory automation, traffic information services, route planning, law enforcement, and so forth (U.S. Department of Transportation 1992). This work was both technical and political, and it produced a framework for cooperation among producers and users of the new technology (Klein 1993).
Transport informatics is both supply-driven and demand-driven, in that "push" from hopeful producers of the technology is at least as important as "pull" from potential users. On the supply side, the end of the Cold War left many defense companies looking for new markets. They proceeded in their accustomed manner by developing a strong alliance with the government, in this case, the Department of Transportation. To coordinate this alliance, they have formed an organization called ITS America, an official advisory board to the DoT, whose membership includes companies, state departments of transportation, and university research groups (IVHS America 1993). Many observers have expressed concern that these defense-oriented firms are developing baroque architectures that may be poorly matched to the needs of a civilian market. A bias toward centralized control is evident throughout the many projects in existence and on the drawing board. Privacy advocates in particular have expressed concern over proposals to use potentially invasive technologies, such as video surveillance and vehicle identification transponders.
A major aspect of the supply-side picture is significant government support, primarily at the state and regional level, for automated toll collection. Although only a modest amount of this toll collecting has been implemented, much more is planned. Budgetary considerations and pressures for privatization drive this trend; at an ideological level it is motivated by economic arguments for the reduction of taxpayer subsidies to road users. This theory is sometimes called "congestion pricing" (Wallace 1995), although it is doubtful that the tolls would actually amount to true "prices" in a competitive market.
On the demand side, the market for transport informatics includes both industrial and consumer applications. (Other application domains, such as military and civilian government transport, are not treated in this article, nor are regulatory automation and environmental programs such as emissions monitoring.) As is often the case, industrial users are far ahead in their use of transport informatics, and consumer applications may tend to follow the models already established by commercial users.
For a decade now, industrial distribution systems have been undergoing a quiet revolution as a result of improved information and communication technologies. Just-in-time scheduling, for example, reduces the unproductive capital devoted to inventories, while also making rough spots in the chain of production evident to central management. Likewise, Wal-Mart and the large "warehouse" retail stores depend on continual stock monitoring to schedule shipments of goods directly from factories. These and related developments require greater predictability in every link of the distribution chain, which has led to the construction of "integrated logistics" systems. It has become common, for example, to think of highways, train tracks, and other shipping routes as metaphorical conveyor belts in a global factory. Information technology makes this metaphor a reality by tracking the spatial location of every vehicle and package in real time. It is difficult to overestimate the consequences of integrated logistics for the world economy and its participants. Although it provides much of the motivation for transport informatics, integrated logistics is a much broader phenomenon. Its economic and technical logic is wholly straightforward and exceedingly powerful, but this logic includes no concept of privacy. Simply taking this model, with its exclusive focus on integration and efficiency, and transplanting it from commercial to consumer applications would almost certainly lead to significant privacy problems.
These two forces, the supply side and the demand side, converged in the passage of the Intermodal Surface Transportation Efficiency Act of 1991 (ISTEA). Along with the architecture development program I have mentioned, this legislation instructed the DoT to conduct research into a variety of social issues, including privacy. One result of this research was a DoT report to the Congress entitled Nontechnical Constraints and Barriers to Implementation of Intelligent Vehicle Highway Systems (U.S. Department of Transportation 1994). The words constraints and barriers indicate something of the attitude toward privacy of the ITS establishment: privacy concerns have generally been treated as obstacles to the systems' development, rather than as part of their necessary functionality.
Privacy risks arise in transport informatics systems in several ways. Generally, these involve planned or coincidental surveillance of users' movements and other behavior. (For a more detailed survey see Alpert 1995.) Examples of applications and their privacy implications include the following:
- The automated real-time tracking of commercial trucks is a workplace privacy issue for truck drivers and many other logistical workers. At the same time, the tracking systems reduce the arbitrary pressures associated with crudely estimated normative schedules (Lappin 1995).
- At least one rental car company has been experimenting with systems to track its cars (Marks 1994, Wald 1994). This facility, based on the Global Positioning System, is promoted as providing drivers with directions and emergency services. But clearly it could also be used to track the company's property. The nature of the renter's legitimate expectation of privacy in the face of these technologies remains to be established.
- Many regional transportation authorities are installing hundreds of video cameras on heavily traveled routes (Simon 1995). Ostensibly meant to detect congestion, accidents, road debris, and other conditions requiring official intervention, these cameras may find other applications that raise civil liberties concerns. These traffic-flow cameras generally do not have the resolution to read license plates, but other cameras have been installed (for example, on underpasses) specifically for that purpose, as in tracking vehicles for statistical purposes. Other proposed surveillance technologies include systems that track individual drivers' cellular telephones or vehicle identification transponders.
- Some conceptual papers on ITS have envisioned more coercive applications, in which automated monitoring systems would "provide the individual driver with immediate feedback on his behavior. In case a driver neglects these efforts to correct his misbehavior, the same information could be used to enforce correct behaviour by various means, such as fines, license or speed limitation (policing)" (Organization for Economic Cooperation and Development 1992: 25).
Databases of individual drivers' toll payments could have a wide variety of potential secondary uses, from marketing to law enforcement to civil litigation to political repression. AVI (automatic vehicle identification) is typically implemented using a transponder, an electronic unit roughly the size of a cigarette package, usually attached to the bumper or dashboard of the car, that interacts through digital radio signals with roadside beacons. A car entering a tollway will "hear" a request for identification from the nearby beacon, and respond by transmitting its identification number. The details vary, but the most common design is for the beacon to relay this number to a central computer that deducts the necessary sum from a prepaid account and returns an acknowledgment to the beacon. Drivers without adequate funds in their accounts will be notified to pay in cash at a conventional toll booth.
The crucial issue is whether this payment system is anonymous. This in turn depends on both the transponder-beacon communications and the architecture for registering drivers' payments. For example, if the transponder transmits the driver's license number or vehicle identification number (VIN), then the system is definitely not anonymous. Normally, though, the transponder transmits its own serial number. Therefore, the system as a whole is anonymous if this number is not associated with any other identifier that can be connected to the individual. Unfortunately, in the United States, the transponder number is most often associated with a driver's account number, whether a bank account number or the number of a debit account maintained by the road authority. The E-Pass system in Orlando, Florida, for example, issues each customer a monthly statement that includes the customer's name and address, together with a complete list of toll payments for the month. Each entry on this statement lists the precise time and location of the toll payment, including which lane the driver was in (Garfinkel 1995). Many such systems do permit customers to pay anonymously with cash, but this option is usually much less convenient and is rarely used once the system has been in operation for a few months.
Inherently anonymous toll-payment architectures are possible, and at least one is under active development. This is an AVI system being developed by the Amtech Corporation (Dallas, Texas) based on "digital cash." Digital cash is a scheme invented by David Chaum (1992) and marketed by his company Digicash (Amsterdam); it is based on public-key cryptography and permits parties to a transaction to transfer funds reliably in electronic form without having to identify themselves to one another. Although law enforcement authorities are concerned that digital cash may lend itself to money laundering, tax evasion, and other financial crimes, toll collection provides one potential application of digital cash for which criminal abuses are hard to imagine. Unfortunately, although digital cash has enjoyed a great deal of official attention in Europe and Japan, I have seen no evidence that any American authority is planning to use it. Many have never even heard of it.
(Eric Hughes has pointed out to me that other anonymous toll-payment schemes are conceivable as well. For example, a customer might remotely instruct her bank to create a temporary account from which a short series of toll payments might be drawn; the road authority would be able to connect these payments to one another without being able to connect them to the customer.)
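As an added example (not from the article, nor Amtech's or Digicash's code), the anonymity property of the Chaum-style scheme described above in working form: the road authority signs a blinded token, so the serial that later appears at a beacon cannot be connected to the withdrawal that paid for it, while the beacon still rejects forgeries and double spending. All names, the issuer/driver/beacon framing and the teaching-sized key are this example's own; the signature is textbook RSA without the hashing a deployed scheme would add.

```python
# Added illustration: textbook RSA blind-signature "digital cash" toll token.
# Protocol roles, function names and the key are constructed for this example.
from __future__ import annotations

import secrets
from math import gcd

# Fixed, publicly known Mersenne primes keep the demo deterministic and
# dependency-free. Teaching-sized key, not a production parameter choice.
P = 2**127 - 1
Q = 2**107 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # issuer's private signing exponent


def blind(serial: int) -> tuple[int, int]:
    """Driver side: hide the token serial behind a random factor r.

    The issuer sees only serial * r^E mod N, which reveals nothing about
    the serial because r is uniformly random and never leaves the driver."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            return (serial * pow(r, E, N)) % N, r


def issue(blinded: int) -> int:
    """Road authority side: debit the driver's account and sign the blinded value.

    Since only the blinded value is signed, the authority cannot later connect
    this withdrawal to any serial that shows up at a beacon."""
    return pow(blinded, D, N)


def unblind(blinded_sig: int, r: int) -> int:
    """Driver side: strip r to obtain a valid signature on the bare serial."""
    return (blinded_sig * pow(r, -1, N)) % N


def verify(serial: int, sig: int) -> bool:
    """Anyone holding the issuer's public key (E, N) can check a token."""
    return pow(sig, E, N) == serial % N


class TollBeacon:
    """Accepts signed tokens; rejects forgeries and replays of spent serials."""

    def __init__(self) -> None:
        self.spent: set[int] = set()
        # Each record is (time, lane, serial). Unlike the E-Pass style
        # statement the article describes, no account number is present.
        self.log: list[tuple[str, int, int]] = []

    def accept(self, serial: int, sig: int, when: str, lane: int) -> bool:
        if not verify(serial, sig) or serial in self.spent:
            return False
        self.spent.add(serial)
        self.log.append((when, lane, serial))
        return True


def run_toll_trip() -> dict:
    """One withdrawal, one genuine payment, one replay and one forgery.

    Timestamps and lane numbers are constructed sample values."""
    issuer_records: list[int] = []  # everything the authority can record at withdrawal
    beacon = TollBeacon()

    serial = secrets.randbits(128)  # constructed token serial chosen by the driver
    blinded, r = blind(serial)
    issuer_records.append(blinded)
    sig = unblind(issue(blinded), r)

    return {
        "valid_token": verify(serial, sig),
        "first_payment_accepted": beacon.accept(serial, sig, "07:42:10", 3),
        "replay_rejected": not beacon.accept(serial, sig, "17:55:02", 1),
        "forgery_rejected": not beacon.accept(serial + 1, sig, "18:01:00", 2),
        # The linkage E-Pass performs (account -> time and lane) has no
        # foothold here: issuer records and beacon log share no common value.
        "issuer_can_link_trip": serial in issuer_records,
    }
```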
Early decisions about ITS payment architectures may have lasting effects. Technical standards are often difficult to change once they become entrenched in the market, and if non-anonymous schemes become prevalent then only the most courageous agencies will pursue anonymous alternatives. ITS America, though, has pursued privacy issues primarily through the development of a set of "Fair Information and Privacy Principles," currently in "draft final" form (Phillips 1995). These principles are important because they will provide guidance to numerous industry and government people, largely urban planners and transportation engineers, who have little prior experience with databases of personal information or the privacy issues they imply. A copy of these principles is available on the World Wide Web at: http://weber.ucsd.edu/~pagre/its-privacy.html. Not surprisingly, the draft principles are extremely weak. They make no mention of anonymity. In fact, they explicitly state that personal information collected through ITS may be used for non-ITS purposes, stipulating only that drivers be notified and given the opportunity to opt out. They suggest that law-enforcement uses of ITS information be authorized by state governments, and they propose no limits on the law enforcement uses that state governments might authorize. The principles are voluntary, and they suggest no procedures through which compliance with them might be monitored. Nor do they specify which organizations will be liable when individuals are harmed through the improper use of ITS information.
Individuals' ITS records have virtually no statutory privacy protection (Glancy 1995). Moreover, neither tort law nor the Fourth Amendment promise much protection (Halpern 1995, Weisberg 1995). The United States, unlike most industrial countries, has no generalized regulatory machinery for privacy protection. Furthermore, since most ITS systems will be operated by public agencies such as state transportation departments and regional transportation authorities, the records on individual toll payments that these systems maintain will often fall within the scope of state open records laws. (See the Connors article, this issue.) ITS America's draft privacy principles recognize this danger, but instead of recommending changes in the law, they effectively suggest that the records be held by private entities.
The ITS America privacy principles are scheduled to be revised and adopted early next year. (A small number of privacy advocates attended a meeting in Washington to discuss the principles in July 1995 and expressed their strong concerns; another meeting is tentatively scheduled for November to review the issues in the context of ITS architecture development.) Short of comprehensive data protection legislation, however, it is doubtful that even the strongest privacy principles would have any significant effect. Once databases of personal information from ITS systems grow, a wide variety of organizations will start proposing secondary uses for the information. It is impossible to predict with certainty that abuses will occur, but numerous other privacy-sensitive technologies provide strong and discouraging precedents. Telephone companies, for example, must respond to an enormous volume of subpoenas for their records; transportation authorities that maintain individually identifiable information in their databases may find themselves in the same position. Subpoenas are not costly to issue, though they may be expensive to comply with, and ITS information should be as attractive as phone company records for a variety of legal purposes.
In my view, therefore, the technical issues are far more important than the language of voluntary principles. Individually identifiable information, once collected, is virtually certain to be abused; inherently anonymous architectures avoid the whole problem by not collecting the information in the first place. It is this kind of foundational design choice that must be faced early in the process to avert needless privacy erosion in the rush to implement ITS systems.
So far, I have painted a pessimistic picture of the prospects for privacy protection in American ITS schemes. Viewed in the broadest context, though, AVI-based toll collection is about the most tractable privacy issue that one might hope to encounter for several reasons:
- The dangers are easily explained to the public.
- The combination of government and industry participation provides those of all political persuasions with an enemy of their choice.
- The functionality provided by the systems does not actually require them to collect individually identifiable information.
- None of the key special interest groups involved in ITS have a strong reason to promote secondary uses of toll information.
- A straightforward technological solution can make the systems inherently anonymous.
As I mentioned in the introduction, this new landscape is the product of two technologies: computer networking and public-key cryptography. Computer networking is not itself a new technology, but only in the last few years has it begun to have a pervasive influence on industrial practices. At the most basic level, networking makes it possible to envision applications that are unified functionally despite being distributed across a large geographic territory. Transport informatics, of course, is centrally concerned with the coordination of activities spread over large areas, particularly when employed as part of an integrated logistics system that creates tight linkages across a global system of production and distribution. At a more subtle level, networking makes possible the integration of computational processes across different functions and organizations. As a practical matter, this means that information technologists find themselves trying to interconnect database systems that have arisen independently in a wide variety of local circumstances. This is not just a technical problem of conversion between different data formats. More importantly, it is also a semantic problem: each database is likely to reflect the vocabulary and conventions of the particular work group that created it (Robinson and Bannon 1991). This not only makes the technical task more difficult, but also increases risks of harm to individuals, since personal data held in one system may be totally inappropriate for use in another. Transport informatics provides strong motivations for firms to interlink their machines over networks so that, for example, a shipping firm's customers can automatically check on the status of their shipments. Likewise, secondary uses of information collected by AVI toll-collection systems would be greatly facilitated by unrestricted real-time networked access to those databases. In all such cases, however, the meaning and quality of the data, even if suitable for the original purpose, may generate serious privacy questions when transposed to a new context and combined with personal information from other databases.
Computer networking, then, creates the conditions for greatly increased risks to individual privacy. Public-key cryptography, on the other hand, creates the conditions to greatly alleviate these risks. As Marc Rotenberg has pointed out, cryptography significantly changes the view of technology that has been implicit and explicit in most analyses of the social effects of technology. For the past fifty years, social theorists have, with some justification, identified technology with social control. Privacy advocates, as a result, have often been placed in the position of criticizing technology as such, or else arguing for the reduction or limitation of technical functionality. Digital cash and other technologies based on widely available strong cryptography, though, effectively invert the political situation. (See Biddle article, this issue.) By allowing privacy advocates to take a pro-technology stance, these new technologies cast the opponents of strong privacy protections as those who cling to technologically backward methods.
The challenge, of course, is to ensure that privacy-enhancing technology is actually used. This depends upon both political and market forces. Although information technologies are dropping in price, their development and use are nonetheless powerfully driven by standards. Consider, for example, the success of the Internet's TCP/IP protocol, which is effectively reducing the need for other internetworking protocols. TCP/IP permits interconnection with a huge number of existing networks that already use TCP/IP, and this compatibility generally outweighs the narrow advantages of any specific alternative. By analogy, in the case of toll-collection, much depends on the type of electronic financial infrastructure that develops in each region of the world. At the moment, it seems likely that Europe will develop an anonymous scheme based on a variant of digital cash such as Mondex, whereas the United States will develop a non-anonymous system modeled on credit cards, for example the electronic payment system being developed by Visa (Holland and Cortese 1995). Of course, several different payment systems may still arise, but once a non-anonymous system becomes a well-established standard, privacy concerns alone may be unable to create the market conditions for the construction of an anonymous alternative.
Another problem is the depth to which privacy invasion is ingrained in the practices of computer system designers (Agre 1994). The point is not that most system designers consciously set out to invade anybody's privacy. Instead, the problem lies in the practice of creating internal representations that mirror reality in a point-by-point fashion, so that a system can only support an activity by "capturing" it. The first step in current-day system design, after all, is to define a set of data structures to be maintained (for people, types of vehicles, the vehicles themselves, roads, lanes, accounts, transactions, dates, times, and so on) and a convention for creating identifiers for each type of data structure. For example, people might be identified by Social Security number, vehicles by government-assigned vehicle identification numbers, and so forth. Such a system might protect anonymity by simply omitting any representation of individual people. But doing so would be difficult in practice, given that so many existing systems do represent data in an individually identifiable fashion, thus permitting a person's identity to be reconstructed easily through the merging of records from different sources.
The widespread use of public-key cryptography to protect privacy, then, will require a considerable change in mindset among programmers. In effect we are witnessing two different revolutions: the computer networking revolution and the consequent merger of all the world's databases, and the public-key cryptography revolution with its potential to protect individual identities without limiting system functionality. The question is, which revolution will happen first?
The answer to this question, of course, depends on numerous factors, not the least of which is pure chance. Privacy advocates can play several roles:
- They can ensure that designers and standards committees are aware of technical options that protect privacy without sacrificing functionality.
- They can build and publicize demonstration systems that employ digital cash and other privacy-protecting technologies.
- They can explain the issues to the press and the public, refusing to allow themselves to be positioned as opponents of technology.
- They can use the Internet to keep some technologically adept communities up to date on the issues as they evolve, asking Internet participants to track the issues in their own localities and spreading news of public hearings and other opportunities to present the issue.
- They can provide grassroots support for industry alliances that push for strong cryptography against government proposals that threaten both civil liberties and commercial security.
- They can provide background information, policy analysis, technical assistance, and media connections to citizens' groups that are organizing protests against privacy-degrading projects, such as bad implementations of ITS, particularly for purposes of congestion pricing.
- They can identify, organize, and train local privacy activists.
We are thus faced with the task of keeping the political dialogue about technology and privacy as technically sound and broadly inclusive as possible. In this way, we can hope to ensure that transport informatics in particular, and similar systems across the broader landscape more generally, will evolve in a way that provides the benefits of automation while retaining maximum protection of personal privacy.
Agre, Philip E., "Surveillance and Capture: Two Models of Privacy," The Information Society 10(2), 1994, pp. 101-27.
Alpert, Sheri A., "Privacy and Intelligent Highways: Finding the Right of Way," Santa Clara Computer and High Technology Law Journal 11(1), 1995, pp. 97-118.
Chaum, David, "Achieving Electronic Privacy," Scientific American 267(2), 1992, pp. 96-101.
Garfinkel, Simson, "The Road Watches You," New York Times, 3 May 1995, p. A17.
Giannopoulos, G. and A. Gillespie, eds, Transport and Communication Innovations in Europe, New York: Halsted Press, 1993.
Glancy, Dorothy, "Privacy and Intelligent Transportation Technology," Santa Clara Computer and High Technology Law Journal 11(1), 1995, pp. 151-88.
Halpern, Sheldon W., "The Traffic in Souls," Santa Clara Computer and High Technology Law Journal 11(1), 1995, pp. 45-73.
Hepworth, Mark, and Ken Ducatel, Transport in the Information Age: Wheels and Wires, London: Belhaven Press, 1992.
Holland, Kelley and Amy Cortese, "The Future of Money: E-cash Could Transform the World's Financial Life," Business Week, 12 June 1995, pp. 66-78.
IVHS America, Proceedings of the 1993 Annual Meeting of IVHS America: Surface Transportation: Mobility, Technology, and Society, 14-17 April 1993, Washington, DC: IVHS America.
Klein, Hans, "Reconciling Institutional Interests and Technical Functionality: The Advantages of Loosely-Coupled Systems," Proceedings of VNIS'93 (Vehicle Navigation and Information Systems), IEEE/IEE, Ottawa, Canada, 12-15 October 1993.
Lappin, Todd, "Truckin'," Wired 3(1), 1995, pp. 117-23, 166.
Marks, Peter, "For a Few Lucky Motorists, Guidance by Satellite," New York Times, 2 April 1994, pp. 1, 16.
Organization for Economic Cooperation and Development, Intelligent Vehicle Highway Systems: Review of Field Trials, Paris: OECD, 1992.
Phillips, Don, "Big Brother in the Back Seat?: The Advent of the 'Intelligent Highway' Spurs a Debate over Privacy," Washington Post, 23 February 1995, p. D10.
Robinson, Mike and Liam Bannon, "Questioning Representations," in Liam Bannon, Mike Robinson, and Kjeld Schmidt, eds, ECSCW'91: Proceedings of the Second European Conference on Computer-Supported Cooperative Work, Dordrecht: Kluwer, 1991.
Simon, Richard, "Camera Gains More Exposure as a Device for Traffic Control," Los Angeles Times, 20 February 1995, pp. B1 and B3.
U.S. Department of Transportation, IVHS Strategic Plan: Report to Congress, December 1992.
U.S. Department of Transportation, Nontechnical Constraints and Barriers to Implementation of Intelligent Vehicle-Highway Systems: A Report to Congress, June 1994.
Wald, Matthew L., "Two Technologies Join to Assist Lost Drivers," New York Times, 30 March 1994, p. A13.
Wallace, Charles P., "Singapore in High-Tech Tangle to Fight Automobile Gridlock," Los Angeles Times, 3 February 1995, p. A5.
Weisberg, Robert, "IVHS, Legal Privacy, and the Legacy of Dr. Faustus," Santa Clara Computer and High Technology Law Journal 11(1), 1995, pp. 75-96.
Phil Agre is an assistant professor of communication at the University of California, San Diego. He edits a free monthly online newsletter entitled The Network Observer; http://communication.ucsd.edu/pagre/mo.html. His email address is email@example.com
© Computer Professionals for Social Responsibility
P.O. Box 717 Palo Alto, CA 94302-0717
Tel. (415) 322-3778 Fax (415) 322-3798 firstname.lastname@example.org
Created before October 2004