Tuesday, October 16, 2007

Congestion pricing poses a threat to locational privacy.

What this means and why you should care

Q: What does "locational privacy" mean?
A: "Locational privacy" means the ability to walk in public space and drive on public roads with the expectation that one's movements are not being tracked or recorded for later analysis.


Q: How will congestion pricing violate my locational privacy?
A: Congestion pricing systems track drivers in order to charge them for their road usage. In practice, congestion pricing systems use pervasive networks of cameras and electronic tag readers to charge drivers and catch violators. Some proposed systems require a GPS transmitter in every car to assess charges based on the car's recorded path. Almost all of the designs in use or under consideration require the tolling authority to build a giant database of tracking information that includes data for each driver who uses the congestion pricing zone.

Q: Aren't law enforcement agencies allowed to track my movements already? How is congestion pricing different?
A: The police have limited resources to devote to tracking your movements. As a consequence, they can't afford to track very many people at once. Besides, it's hard for the police to track you without your knowledge -- even if an unmarked car is following you, you'll probably become aware of it sooner or later. With a congestion pricing system, by contrast, a widespread network of inexpensive data-collection devices silently records everyone's movements in a central log, without anyone noticing. This quantitative difference in the ease of tracking and exploiting the collected data creates a huge qualitative difference in the tracking's impact. It's like wiretapping: there's a critical qualitative difference between single wiretaps that require a court order and disclosure, and the government secretly recording all phone calls for subsequent analysis.

Q: Don't EZ-Pass and similar existing electronic tolling systems already violate my locational privacy this way?
A: YES! The tolling data collected by EZ-Pass is linked to a credit card account (without being encoded to protect your privacy) and then stored in a single central location. In contrast, "electronic cash''-based highway tolling systems which preserve locational privacy have been deployed in the past, but are not widespread today.

Q: Won't the government keep the data safe and delete it as soon as it's no longer needed?
A: No. Many states keep EZ-Pass tolling data indefinitely, for example, and such data has already been (successfully) subpoenaed for use in divorce cases. Tolling authorities will be tempted to keep the data for ostensibly reasonable "law and order'' purposes.

Q: What kinds of tracking data misuse should we be afraid of?
A: It's easy to imagine civil-rights abuses based on data-mining. For instance, people who are tracked driving to a mosque might be referred to the FBI for careful observation. People who are tracked visiting the Riverdale Democratic clubhouse could be singled out for audits by the IRS. Neither of these examples is farfetched --- reports of officers recording the license plate numbers of cars parked at mosques are fairly widespread, and All Souls church in Pasadena was investigated by the IRS and threatened with revocation of its tax-exempt status based on an anti-war sermon delivered in 2004. And of course, such data could be used to pursue illegal immigrants. In addition to actual government abuses, the reasonable fear that visits to such locations might be tracked, stored and used later could have a chilling effect on legitimate political and religious expression.

Q: I frequently provide a lot of identifying information about my physical location --- for instance, to my credit card company. Why is this any worse?
A: It's hard to interact with the modern financial world without leaving a trace. And if you have a cell phone, you're probably already trackable by your cell phone company. But that doesn't make it right. The slow but steady erosion of locational privacy is a good reason to be concerned about further loss of privacy. Anyway, if you're worried about privacy, it's much easier to switch to cash, or turn off your cell phone occasionally, than to stop driving. Furthermore, these two examples involve the use of your data by private corporations, which -- unlike the government -- have no power to arrest you or take away your rights.

Q: Pervasive tracking of all vehicles will provide needed security in this age of terrorism. Shouldn't we be willing to sacrifice this kind of privacy for security?
A: No. We should no more have to sacrifice locational privacy for security than we should have to consent to the deprivation of any other rights. Residents of former Eastern bloc countries have written eloquently about the horrors of pervasive monitoring and surveillance. Even if it were reasonable to have cameras constantly watching high-risk areas (Wall Street, courthouses, and so forth), congestion pricing will cover the city and eventually the whole metropolitan area, and pervasive surveillance everywhere is fundamentally incompatible with a free and democratic society.

Q: Driving is privilege, not a right. Why shouldn't we demand the sacrifice of privacy in return for that privilege?
A: Particularly in areas that are poorly served by mass transit, it's such a hardship to refrain from driving that there's no reasonable way to opt out. In those situations, this proposition is coercive. As an analogy, suppose we demanded that people whose homes are connected to public sewer lines allow cameras in their bathrooms to track water usage. But there's really no need to use cameras for the purpose of monitoring water usage --- and the same is true of congestion pricing (see the next question).

Q: But we need congestion pricing systems to alleviate downtown traffic problems. What alternatives do we have?
A: There are ways of designing congestion pricing systems that preserve locational privacy! Using modern cryptography, a congestion pricing system could simultaneously protect our locational privacy and allow tolling authorities to collect revenue. This is the same technology that makes it safe to use ATMs or buy things online. See our other documents for more information on how this could work.

Authors of this posting are Andrew J. Blumberg, Department of Mathematics, Stanford University, Stanford, CA 94305, email blumberg @ math.stanford.edu and Robin Chase, Meadow Networks, email robin @ meadownetworks.com

8 comments:

david said...

Good write-up. I felt the comment implying that most/all congestion charging schemes involve large databases of people's movements was somewhat incorrect. There is a spectrum: the most invasive is of course a location system that uploads position fixes in real time to the authorities. A less invasive version is for the unit hold map data onboard, and calculate charges which are then uploaded to the authority (i.e. without positional data). The least privacy invasive is a system where enforcement is peer to peer, i.e. a certain percentage of private cars carry cameras, and where revenue is collected by the government whilst it is not actually made aware of the route you intend to travel. See http://www.cl.cam.ac.uk/Research/DTG/publications/public/jjd27/arb-spw2006-final.pdf for a paper from our group on the subject.

david said...

Sorry, that link should have been to this paper.

andrew blumberg said...

hi david,

thanks for your feedback; we should probably amend that claim to "most/all congestion pricing schemes which have been implemented" (e.g. london, the stockholm test, and so forth).

i wasn't aware of your work on peer to peer toll computation systems --- that sounds really interesting. thanks for the pointer.

- andrew

Chris Bradshaw said...

I wonder if 'locational privacy' is in the public good. People driving a car actually use the car's exterior (including tinted glass) to gain some measure of privacy.

However, society requires all motor vehicles to display an official plate with a unique number, in recognition that the vehicle is a dangerous piece of equipment. Licensing and other road regulations carry this further by imposing a hierarchy of other responsibilities & restrictions as the vehicle gets bigger and the cargo more valuable (people rather than inanimate objects, or toxic or explosive substances).

And most larger-than-car vehicles are owned not by the driver, but by a corporation, meaning that the driver is accountable to a 'third party' in addition to the state.

Carsharing and car-rental agencies have a self interest in knowing some things about how their vehicles are used, even if the user is not an employee.

I contend that people using cars owned by others -- even coops -- would therefore provide a welcome increase in driver accountability, reducing road rage, hit-and-runs, etc.

Chris Bradshaw
Ottawa

Andrew Blumberg said...

Hi Chris,

You raise an interesting issue. I would argue that preserving "locational privacy" is an essential aspect of protecting free political and religious expression, and so is in the public interest.

I should be clear that I think this protection should apply to the movements of private citizens only --- clearly, tracking and monitoring of the movements of freight trucks is in everyone's interest.

In a better world, there would be practical transportation options other than cars, so that perhaps an argument of the form "people concerned about privacy shouldn't drive" would be sustainable. But in many parts of the United States, even dense urban areas, this just isn't the case (or imposes unreasonable hardship).

(And as an aside, I'd mention that many public transit systems are moving to systems of payment which themselves fail to preserve locational privacy).

Moreover, as we can see in the UK, once pervasive surveillance tools start to become accepted, it's very difficult to limit their spread.

- Andrew

ps. I'm sympathetic to the line of reasoning you're pursuing, and I'd be interested in discussing this further. Feel free to e-mail me at "blumberg at math.stanford.edu".

how to reduce water usage said...

Our proposal for an implementation of a congestion pricing system that preserves locationalprivacy depends on following idea: Instead of having a single license plate, a driver should have many different license plates numbers — a set of “secret dynamic license plates”. Then, capturing any given license plate number doesn’t give enough information to track the driver’s movement.
The hard part is then to figure out how the state can collect tolls anyway.

how to reduce water usage said...

Our proposal for an implementation of a congestion pricing system that preserves locationalprivacy depends on following idea: Instead of having a single license plate, a driver should have many different license plates numbers — a set of “secret dynamic license plates”. Then, capturing any given license plate number doesn’t give enough information to track the driver’s movement.
The hard part is then to figure out how the state can collect tolls anyway.

javieth said...

A good network card always garantee a good connection,therefore it is important to choose the appropriate.Understand how the network card work is easy, now we have a lot of information about it and if you have continues problem is better solve as soon as possible. Related to this, in some particular situation costa rica investment opportunities helped me to decide the best investment.