Wednesday, March 25, 2009

Protecting location privacy of drivers

As background to this one, you might want to read the more general article we just wrote for the Huffington Post on why we call for a national dialogue about (and promise for) location privacy. Below are some specific ways we might technically provide location privacy for cars.

We start with what we consider to be the gold standard:

A privacy-preserving taxing protocol should reveal the minimum possible amount of information needed to achieve the policy goal, in this case the amount of tax owed.

Most current systems (e.g., E-ZPass) operate on the "trust us" model: the government promises to properly respect the security of the driver, but collects potentially invasive information. But as we all know, there just aren’t any “trusted third parties” that can be trusted forever. And we don’t need to rely on them.

For some kinds of applications, simply having a tamper-resistant device in the car that calculates the tolls and reports only the amount owed would suffice. Such a device could be auditable (so that drivers could know that the device is not secretly delivering information about their position) and equipped with a self-destruct feature (to erase location information) so that the driver could hide her information if necessary (perhaps at a cost of paying an excessive "default toll").

But wouldn't it be great if the tolling and traffic software could run on any smartphone? For this kind of setup, there are more sophisticated solutions available. One of the truly amazing aspects of modern cryptography is that it makes it possible to design protocols for mutually untrusting parties to act as if there is a trusted third party mediating, without actually requiring such a third party. For instance, electronic cash allows people to pay bills anonymously and untraceably, but in a way that assures merchants that they are actually getting paid (it's hard to forge). Anonymous credential systems allow individuals to prove that they are authorized to access certain data or enter particular areas without revealing their identity. We need to demand that these sorts of protections be a required part of any future road pricing system.
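As an added illustration (not part of the original post), the sketch below shows a Chaum-style RSA blind signature, one classical building block of the electronic cash mentioned above: a toll authority signs a prepaid token without ever seeing it, so the token verifies at a toll point but cannot be linked back to its purchase. The key is a toy built from two Mersenne primes, and every function and variable name is an assumption made for the example.

```python
import hashlib
import math
import secrets

# Toy RSA key for the toll authority, built from two Mersenne primes.
# Constructed for illustration only: far too small for real use.
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, known only to the authority


def digest(token: bytes) -> int:
    """Map a token to an integer modulo N (hypothetical encoding)."""
    return int.from_bytes(hashlib.sha256(token).digest(), "big") % N


def blind(token: bytes) -> tuple[int, int]:
    """Driver: hide the token under a random factor r before sending it."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            return (digest(token) * pow(r, E, N)) % N, r


def sign_blinded(blinded: int) -> int:
    """Authority: sign after payment; it sees only the blinded value."""
    return pow(blinded, D, N)


def unblind(blind_sig: int, r: int) -> int:
    """Driver: strip r, leaving an ordinary RSA signature on the token."""
    return (blind_sig * pow(r, -1, N)) % N


def verify(token: bytes, sig: int) -> bool:
    """Toll point: accept any token that carries the authority's signature."""
    return pow(sig, E, N) == digest(token)


if __name__ == "__main__":
    token = secrets.token_bytes(16)  # serial chosen by the driver
    blinded, r = blind(token)
    sig = unblind(sign_blinded(blinded), r)
    print("token accepted:", verify(token, sig))
    print("authority saw the token digest:", blinded == digest(token))
```

A real deployment would also need padding, realistic key sizes and double-spend detection, none of which this sketch covers.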

Cryptographic protocols can be designed to allow the government to collect taxes, detect infractions, and record aggregate traffic statistics without violating the privacy of drivers. For a more comprehensive discussion of such solutions, see here. The big contractors likely to be involved in designing and implementing the road pricing systems (e.g., IBM and Siemens) have on staff some of the finest cryptographers in the world. Requiring such protections would pose no substantial obstacle to the technical adoption of a mileage-based system.

This post was co-authored by Andrew Blumberg.

Photo by Gerlos.


Anonymous said...

I recently came across your blog and have been reading along. I thought I would leave my first comment. I don't know what to say except that I have enjoyed reading. Nice blog. I will keep visiting this blog very often.

Joannah said...

very good article keep it up

Mike Weisman said...


In a class I took a couple of years ago from Phil Bereano, we learned that one of the principles of data collection is that if the data is collected, it will in many cases be misused. Whether it was the household registries of the Dutch cities in WWII, or the location information in an E-Z Pass beacon, it will be and has been misused.

Already E-Z Pass is used to track down husbands in divorce cases, record the movements of parolees, illegally track suspects without a warrant, and embarrass misbehaving wives.

So the idea in all privacy issues is to prevent the data from being collected in the first place.

Now in our dumb world, all data is coming to be seen as necessary for 'national security.' I'm going to leave that one behind, because I have never believed Total Information Awareness was the right approach to security.

But you can take the approach of some other countries and not collect the data at all, or destroy it immediately after its principal use is finished.

Location data may be necessary to bill for services (using a Zipcar, taxi fares, subway or train entry, mileage taxation, bike rental, etc.). It would need to be kept a couple of days to complete the payment transaction. Maybe you would keep it longer, say 60 days, for people who contest their bills. Then it is gone, disappeared.

This is already the law in the EU. Despite what you may have heard, attempts to keep data for months or years (depending on the data) have been thrown out because they violate the Data Directive. In addition, data holders must file their plans for maintaining privacy with their national privacy commissioner, and there are strong fines for breaches of privacy. If a company cannot maintain privacy, then it cannot acquire the data, i.e. it is out of business. That was the issue in the trans-Atlantic passenger data lists, because US airlines lacked sufficient privacy plans. Now they have them, because the EU is the de facto standard.

Encryption is not the only answer, since encryption is only as good as the last person to crack it. Data that doesn't exist, or is destroyed, doesn't require any encryption at all.