What this means and why you should care
Q: What does "locational privacy" mean?
A: "Locational privacy" means the ability to walk in public space and drive on public roads with the expectation that one's movements are not being tracked or recorded for later analysis.
Q: How will congestion pricing violate my locational privacy?
A: Congestion pricing systems track drivers in order to charge them for their road usage. In practice, congestion pricing systems use pervasive networks of cameras and electronic tag readers to charge drivers and catch violators. Some proposed systems require a GPS transmitter in every car to assess charges based on the car's recorded path. Almost all of the designs in use or under consideration require the tolling authority to build a giant database of tracking information that includes data for each driver who uses the congestion pricing zone.
Q: Aren't law enforcement agencies allowed to track my movements already? How is congestion pricing different?
A: The police have limited resources to devote to tracking your movements. As a consequence, they can't afford to track very many people at once. Besides, it's hard for the police to track you without your knowledge -- even if an unmarked car is following you, you'll probably become aware of it sooner or later. With a congestion pricing system, by contrast, a widespread network of inexpensive data-collection devices silently records everyone's movements in a central log, without anyone noticing. This quantitative difference in the ease of tracking and exploiting the collected data creates a huge qualitative difference in the tracking's impact. It's like wiretapping: there's a critical qualitative difference between single wiretaps that require a court order and disclosure, and the government secretly recording all phone calls for subsequent analysis.
Q: Don't EZ-Pass and similar existing electronic tolling systems already violate my locational privacy this way?
A: YES! The tolling data collected by EZ-Pass is linked to a credit card account (without being encoded to protect your privacy) and then stored in a single central location. In contrast, "electronic cash"-based highway tolling systems which preserve locational privacy have been deployed in the past, but are not widespread today.
Q: Won't the government keep the data safe and delete it as soon as it's no longer needed?
A: No. Many states keep EZ-Pass tolling data indefinitely, for example, and such data has already been (successfully) subpoenaed for use in divorce cases. Tolling authorities will be tempted to keep the data for ostensibly reasonable "law and order" purposes.
Q: What kinds of tracking data misuse should we be afraid of?
A: It's easy to imagine civil-rights abuses based on data-mining. For instance, people who are tracked driving to a mosque might be referred to the FBI for careful observation. People who are tracked visiting the Riverdale Democratic clubhouse could be singled out for audits by the IRS. Neither of these examples is farfetched --- reports of officers recording the license plate numbers of cars parked at mosques are fairly widespread, and All Souls church in Pasadena was investigated by the IRS and threatened with revocation of its tax-exempt status based on an anti-war sermon delivered in 2004. And of course, such data could be used to pursue illegal immigrants. In addition to actual government abuses, the reasonable fear that visits to such locations might be tracked, stored and used later could have a chilling effect on legitimate political and religious expression.
Q: I frequently provide a lot of identifying information about my physical location --- for instance, to my credit card company. Why is this any worse?
A: It's hard to interact with the modern financial world without leaving a trace. And if you have a cell phone, you're probably already trackable by your cell phone company. But that doesn't make it right. The slow but steady erosion of locational privacy is a good reason to be concerned about further loss of privacy. Anyway, if you're worried about privacy, it's much easier to switch to cash, or turn off your cell phone occasionally, than to stop driving. Furthermore, these two examples involve the use of your data by private corporations, which -- unlike the government -- have no power to arrest you or take away your rights.
Q: Pervasive tracking of all vehicles will provide needed security in this age of terrorism. Shouldn't we be willing to sacrifice this kind of privacy for security?
A: No. We should no more have to sacrifice locational privacy for security than we should have to consent to the deprivation of any other rights. Residents of former Eastern bloc countries have written eloquently about the horrors of pervasive monitoring and surveillance. Even if it were reasonable to have cameras constantly watching high-risk areas (Wall Street, courthouses, and so forth), congestion pricing will cover the city and eventually the whole metropolitan area, and pervasive surveillance everywhere is fundamentally incompatible with a free and democratic society.
Q: Driving is a privilege, not a right. Why shouldn't we demand the sacrifice of privacy in return for that privilege?
A: Particularly in areas that are poorly served by mass transit, it's such a hardship to refrain from driving that there's no reasonable way to opt out. In those situations, this proposition is coercive. As an analogy, suppose we demanded that people whose homes are connected to public sewer lines allow cameras in their bathrooms to track water usage. But there's really no need to use cameras for the purpose of monitoring water usage --- and the same is true of congestion pricing (see the next question).
Q: But we need congestion pricing systems to alleviate downtown traffic problems. What alternatives do we have?
A: There are ways of designing congestion pricing systems that preserve locational privacy! Using modern cryptography, a congestion pricing system could simultaneously protect our locational privacy and allow tolling authorities to collect revenue. This is the same technology that makes it safe to use ATMs or buy things online. See our other documents for more information on how this could work.
Authors of this posting are Andrew J. Blumberg, Department of Mathematics, Stanford University, Stanford, CA 94305, email blumberg @ math.stanford.edu and Robin Chase, Meadow Networks, email robin @ meadownetworks.com
Tuesday, October 16, 2007