The proposed approach relies on regularly sending to the traffic Pricing Authority
(PA) only hashes of travelled trajectories and hashes of the corresponding fees due.
This lets users keep almost all data on the trajectories they travel and on the
amounts they should pay completely hidden from the PA, without having to rely on a so-called Trusted Third Party
(TTP) for their privacy protection. Only for a very small percentage of these privacy-sensitive data
do the pre-image trajectories and pre-image fees have to be revealed to the PA for spot-checking
purposes (to detect cheating).
The calculations of the amounts due for trajectories travelled can be done, as desired,
inside or outside the vehicle. Thus, seamless integration of “thin” and “thick” in one
ETP system with one and the same spot-checking approach is made possible and
easy. The calculations can be performed in a privacy-friendly way, since they do not
require any vehicle or On-Board Equipment (OBE) identification.
The proposal can, for example, be used as a declaration-based approach much in line
with current tax declaration traditions in which the individual citizen is personally
responsible. However, the proposal allows for much individual variation (including
delegation) and many additional (commercial) services. For example, it is also possible
to reduce user responsibility and/or user involvement to an absolute minimum.
……..
This section will elaborate, to some extent, on three different use scenarios of the proposed ETP approach, which we shall (respectfully) label ‘granny’, ‘gadget’ and ‘geek’.
‘Granny’ is well aware of painful periods in history and is not happy with the idea that others (in particular, the state) know her car movements, but she definitely does not want much ado. She uses computers, in a limited way, but does not (wish to) understand the internal workings. She simply buys a black box that handles everything for her. Our ‘granny’ chooses thin OBE that computes and sends the trajectory hashes itself, distributes fee calculations to selected Calculation Service Providers, sends hashes of the results (see Section 6.3) to the PA and also automatically handles the verification requests from the PA.
After each quarter the device informs her via a display (or an SMS or e-mail) how much she has to pay for that quarter. On her request, the device will show her other aggregations of fee calculations. For example, the fee due for a particular trip, day or week.
The ‘gadget’ person does not care very much about his privacy. He is willing to exchange it for extra services. He chooses some organisation that he trusts and that sells fancy car navigation systems (including for instance a car assistance or breakdown service) with embedded traffic pricing functionality. He buys such a device and signs a service contract so that the company will take care of all road fee submissions and checks on his behalf. The device sends his location information (trajectory parts) to the company, which handles the hash and fee submissions and the answers to spot-checks. The company to which he has delegated his road pricing duties thus knows his whereabouts, but offers additional services in return, like safety surveillance and tailored real-time congestion information with personalised suggestions for alternative routes.
Our ‘geek’ does not trust anyone. She wants a minimal system in her car that only stores trajectory parts and communicates their daily hashes to the PA. She frequently transfers her trajectory parts (pre-images) to her PC, e.g. via WiFi or perhaps even via a dump on a USB memory stick or on her Bluetooth cell-phone. She uses open source software to do all the work required. Her software calculates the (sub)fees on the basis of publicly available map information, sends their hashes (see Section 6.3) as well as the fee due for each quarter to the PA via the web, and handles all spot-checking requests from the PA. With every spot-check request concerning a trajectory part, the software on her PC first checks whether the time and location as specified by the PA are correct (see Section 7.5). If not, she asks for the photograph to find out whether this may have been an understandable error of the PA or an abuse attempt. She uses the additional functionality of her software package to keep a personal record of all her travels and can visualise them in Google Maps (via Tor). She also keeps them to show to her boss, if needed, to substantiate her occasional reclaims for business trips. Note that a reasonable possibility is that the open source software package and the required map information are produced and published on behalf of the PA, say via a web site.
All three of these fictitious individuals fulfil, in quite different ways, the duties associated with a system for ETP as proposed here. This shows that there is ample room for individual variation and for contributions and additional services by commercial organisations.
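The hash submission and spot-check handling that the ‘geek’ scenario leaves to her own software can be sketched as follows. This is an added example, not code from the proposal: the salted SHA-256 commitment, the JSON encoding, the per-day part identifier and all class and field names are assumptions made for illustration.

```python
import hashlib, hmac, json, secrets

# Constructed sample: [UTC time, latitude, longitude] fixes for one trajectory part.
SAMPLE_POINTS = [["2024-05-01T08:00:00Z", 52.0907, 5.1214],
                 ["2024-05-01T08:05:00Z", 52.1012, 5.1378]]

def commit(record, salt):
    """Salted SHA-256 over canonical JSON; the salt hides low-entropy fees."""
    data = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(salt + data).hexdigest()

class UserSoftware:
    """Keeps the pre-images; only hashes leave the user's PC."""
    def __init__(self):
        self.store = {}  # part_id -> (salt, trajectory part, fee record)

    def submit(self, part_id, points, fee_cents):
        salt = secrets.token_bytes(16)
        part = {"id": part_id, "points": points}
        fee = {"id": part_id, "fee_cents": fee_cents}
        self.store[part_id] = (salt, part, fee)
        return {"id": part_id, "traj_hash": commit(part, salt),
                "fee_hash": commit(fee, salt)}

    def answer_spot_check(self, part_id, seen_point):
        """Reveal pre-images only if the PA's time and location are correct."""
        salt, part, fee = self.store[part_id]
        if seen_point not in part["points"]:  # exact match; real use needs tolerance
            return None  # mismatch: ask the PA for the photograph instead
        return {"salt": salt.hex(), "part": part, "fee": fee}

class PricingAuthority:
    """Holds hashes only, until a spot-check opens one of them."""
    def __init__(self):
        self.hashes = {}

    def receive(self, submission):
        self.hashes[submission["id"]] = submission

    def verify(self, part_id, seen_point, reveal):
        sub, salt = self.hashes[part_id], bytes.fromhex(reveal["salt"])
        ok_traj = hmac.compare_digest(commit(reveal["part"], salt), sub["traj_hash"])
        ok_fee = hmac.compare_digest(commit(reveal["fee"], salt), sub["fee_hash"])
        return ok_traj and ok_fee and seen_point in reveal["part"]["points"]

if __name__ == "__main__":
    user, pa = UserSoftware(), PricingAuthority()
    pa.receive(user.submit("2024-05-01", SAMPLE_POINTS, 185))
    print(pa.verify("2024-05-01", SAMPLE_POINTS[0], user.answer_spot_check("2024-05-01", SAMPLE_POINTS[0])))
```

A revealed fee or trajectory that differs from what was committed fails `verify`, which is what lets a small number of spot-checks deter cheating on the unrevealed parts.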













