2009/11/21

Privacy will dictate the architecture of GNSS road-use metering systems

One of the protests most frequently offered for not wanting to use positioning satellites to toll our roads is the assumption that cars will be tracked and the perception of considerable loss of privacy that would entail. Any journalist will tell you this. While it is technically possible to build such a repugnant system, few would tolerate it.

It can be argued that it is neither useful nor sensible to build such systems that way. But there are two perfect reasons this will not happen. First, in most countries, such a system would be so unacceptable to drivers that it would be boycotted or vandalized to an extent that it would become unreliable and perhaps even inoperable as a financial system. Second, most of these same countries are in the process of adopting policies that will not permit tracking of private vehicles, using road pricing data for any purpose other than intended, or retaining such data once payment is settled, which in the case of a prepaid account would be instantaneous.

The International Working Group on Data Protection in Telecommunications (IWGDPT) has been addressing this for some time. Founded in 1983 in the framework of the International Conference of Data Protection and Privacy Commissioners, the IWGDPT formulates recommendations to improve the protection of privacy in telecommunications. The Sofia Memorandum, issued at the 45th meeting of the WG in March 2009, directs its guidance toward road pricing.

The WG made the following
"recommendations designed to protect the privacy of drivers and owners of vehicles:
  • The anonymity of the driver can and should be preserved by using the so-called smart client or anonymous proxy approaches that keep personal data of the drivers under their sole control and do not require off-board location record-keeping.
  • Road pricing systems can and should be designed so that the detailed trip data are fully and permanently deleted from the system after the charges have been settled in order to prevent the creation of movement profiles or the potential for function-creep.
  • Processing of personal data for other purposes (e.g. pay-as-you-drive insurance or behavioral-based marketing), should only be possible with clear and unambiguous consent from the individual.
  • In terms of enforcement, the system should not ascertain the identity of the driver or owner of a vehicle unless there is evidence that the driver has committed something which is defined as a violation of the road pricing system."

Miroslav Marc, member of ISO/CEN standardization committees dealing with road use charging, explains: “IWGDPT opinions are not legally binding nor is that intended. They are formal recommendations. The Sofia Memorandum, however, is not just a European document, but an international one, since IWGDPT members come from around the world. The weight of these recommendations is reflected in the respect for the institutions that adopted them.”

Privacy Commissioners in several countries have indicated that they will promote these recommendations. Natasa Pirc Musar, the Slovene Information Commissioner, issued a similar opinion, prior to the IWGDPT guidance, stressing that data can only be used for the purposes stated and must be managed according to the criticality of the need (“principle of proportionality”). Her opinion: Personal data (including location data) is to remain exclusively under the surveillance of the user.

Marc also pointed out that “Peter Hustinx, European Data Protection Supervisor (EDPS), issued his opinion on the European Commission's proposed plan to accelerate and coordinate the deployment of ITS in road transportation in Europe based on guidance of the Sofia Memorandum.”

In paragraph 45, under "Safeguards for the use of location tools for the provision of ITS location-based services", the EDPS states:
"The use of location technologies is particularly intrusive from a privacy viewpoint… As was stressed by the Article 29 Working Party, the processing of location data is a particularly sensitive matter involving the key issue of the freedom to move anonymously, and which requires the implementation of specific safeguards in order to prevent surveillance of individuals and misuse of the data."

It is doubtful that any country will permit GNSS telematics that do not provide extreme privacy protection, even anonymity; that is, methods that let location data leave the vehicle without driver/owner control will likely be disallowed. Brazil’s Federal Government (Seventh Circuit Federal CIVIL ACTION PUBLIC Autos) recently made it illegal to mandate tracking-enabled telematics.

All of this means that thin-class telematics (devices that forward location information to a data centre for processing) for road-user charging will likely have little market, except possibly for commercial vehicles. The task now for road-use telematics designers is to make fat devices (which determine the bill on-board) cheaper.
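
To make the thin/fat distinction concrete, here is an added sketch (not code from this post or from any tolling product) comparing what each kind of device sends off-board for the same trip. The tariff table, rates, account token and function names are all constructed for illustration.

```python
import math

# Constructed tariff table: (name, lat_min, lat_max, lon_min, lon_max, rate per km).
ZONES = [("urban", 45.00, 45.02, 14.00, 15.00, 0.20)]
DEFAULT_RATE = 0.05  # constructed rate outside any zone
EARTH_KM = 6371.0

def km_between(a, b):
    """Haversine distance in km between two (lat, lon) fixes."""
    la1, lo1, la2, lo2 = map(math.radians, (*a, *b))
    h = math.sin((la2 - la1) / 2) ** 2 + \
        math.cos(la1) * math.cos(la2) * math.sin((lo2 - lo1) / 2) ** 2
    return 2 * EARTH_KM * math.asin(math.sqrt(h))

def rate_at(fix):
    """Per-km rate for the zone containing this fix (half-open bounds)."""
    lat, lon = fix
    for _, la0, la1, lo0, lo1, rate in ZONES:
        if la0 <= lat < la1 and lo0 <= lon < lo1:
            return rate
    return DEFAULT_RATE

def thin_client_message(account, fixes):
    """Thin device: the full trace leaves the vehicle; billing is off-board."""
    return {"account": account, "fixes": list(fixes)}

def fat_client_message(account, fixes):
    """Fat device: price each segment on-board (by its starting fix), emit
    only the total, then erase the trip buffer so no movement profile remains."""
    total = sum(rate_at(a) * km_between(a, b) for a, b in zip(fixes, fixes[1:]))
    fixes.clear()
    return {"account": account, "amount_cents": round(total * 100)}

# Constructed trip: four fixes heading north through the urban zone.
TRIP = [(45.000, 14.5), (45.010, 14.5), (45.020, 14.5), (45.030, 14.5)]

if __name__ == "__main__":
    print(thin_client_message("acct-demo", TRIP))        # carries every fix
    print(fat_client_message("acct-demo", list(TRIP)))   # carries a charge only
```

The fat-client message contains no coordinates at all, which is what lets the back office settle the charge without ever holding a location record.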
