Looking Down the Road:
Transport Informatics and the New Landscape of Privacy Issues

Philip E. Agre
Department of Information Studies
University of California, Los Angeles
Los Angeles, California 90095-1520
USA

pagre@ucla.edu
http://polaris.gseis.ucla.edu/pagre/

This appeared in the CPSR Newsletter 13(3), 1995, pages 15-20. Copyright 1995 by the author.

4000 words.

Please do not quote from this version, which differs slightly from the version that appears in print.

 

1 Introduction

Two technologies, computer networking and public-key cryptography, have transformed the landscape of technology-and-privacy issues. This article illustrates the changes and explores their consequences by describing the emerging privacy issues surrounding transport informatics, primarily in the United States.

Transport informatics is a European term for the use of information and communication technologies in transportation (Giannopoulos and Gillespie 1993, Hepworth and Ducatel 1992). It encompasses a wide variety of activities whose underlying unity is not always obvious. The largest institutional focus for transport informatics research and development in the United States has been the Intelligent Vehicle-Highway Systems (IVHS) program of the US Department of Transportation (DoT), whose industrial partners have recently switched to the more general term Intelligent Transportation Systems (ITS) in order to include a broader range of surface transportation modalities -- especially city streets. This program aims to define a common architecture for the many state and private transport informatics initiatives.

Despite its potential for increased efficiency, transport informatics can also lead to significant invasions of privacy through the automated tracking of individual vehicles (Agre and Harbs 1994). This is a matter of considerable concern, since pervasive surveillance of citizens' road travels could chill the freedom of association that is crucial to a democratic society. The last part of this article places the issues in a larger context by exploring how the privacy movement can best respond to, and take the initiative in, the emerging landscape.

2 Background

"Transport informatics" does not refer to any specific technology, and has not sprung from any single technical breakthrough. It includes a broad range of applications that have become economically feasible as the basic price of computation and communication -- especially digital wireless -- has dropped. Working groups invested considerable effort in the late 1980's and early 1990's identifying and classifying the potential applications: commercial logistics, regulatory automation, traffic information services, route planning, law enforcement, and so forth (US Department of Transportation 1992). This work was both technical and political, and it produced a framework for cooperation among producers and users of the new technology (Klein 1993).

Transport informatics is both supply-driven and demand-driven, in that "push" from hopeful producers of the technology is at least as important as "pull" from potential users.

On the supply side, the end of the Cold War left many defense companies looking for new markets. They proceeded in their accustomed manner by developing a strong alliance with the government -- in this case, the Department of Transportation. To coordinate this alliance, they have formed an organization called ITS America, an official advisory board to the DoT whose membership includes companies, state departments of transportation, and university research groups (IVHS America 1993). Many observers have expressed concern that these defense-oriented firms are developing baroque architectures that may be poorly matched to the needs of a civilian market. A bias toward centralized control is evident throughout the many projects in existence and on the drawing board. Privacy advocates in particular have expressed concern at invasive proposals like video surveillance and vehicle identification transponders.

One key part of the supply-side picture is a strong movement by governments, primarily at the state and regional level, toward automated toll collection. Budgetary problems and pressures for privatization drive this movement; at an ideological level it is motivated by economic arguments for the reduction of taxpayer subsidies to road users. This theory is sometimes called "congestion pricing" (Wallace 1995), though it is doubtful that the tolls would actually amount to true "prices" in a competitive market.

On the demand side, the market for transport informatics includes both industrial and consumer applications. (Other application domains, such as military and civilian government transport are not treated here. Neither are regulatory automation and environmental programs such as emissions monitoring.) As is often the case, industrial users are far ahead in their use of transport informatics, and consumer applications might tend to follow the models already established by commercial users. For a decade now, industrial distribution systems have been undergoing a quiet revolution as a result of improved information and communication technologies. Just-in-time scheduling, for example, reduces the unproductive capital devoted to inventories, while also making rough spots in the chain of production evident to central management. Wal-Mart and the large "warehouse" retail stores, likewise, depend on continual stock monitoring to schedule shipments of goods directly from factories. These and related developments require greater predictability in every link of the distribution chain, leading to the construction of "integrated logistics" systems. It has become common, for example, to think of highways, train tracks, and shipping routes as metaphorical conveyor belts in a global factory. Information technology makes this metaphor a reality by tracking the spatial location of every vehicle and package in real time. It is difficult to overestimate the consequences of integrated logistics for the world economy and its participants. Although it provides much of the motivation for transport informatics, it is a much broader phenomenon. Its economic and technical logic is wholly straightforward and exceedingly powerful, but this logic includes no concept of privacy. Simply taking this model, with its exclusive focus on integration and efficiency, and transplanting it from commercial to consumer applications would probably lead to inadequate privacy protection.

These two forces, supply-side and demand-side, converged in the passage of the Intermodal Surface Transportation Efficiency Act of 1991 (ISTEA). Along with the architecture development program mentioned above, this legislation also instructed the DoT to conduct research into a variety of social issues, including privacy. One result of this research was a DoT report to the Congress entitled Nontechnical Constraints and Barriers to Implementation of Intelligent Vehicle-Highway Systems (US Department of Transportation 1994). The vocabulary of "constraints and barriers" indicates something of the attitude toward privacy of the ITS establishment: privacy concerns have generally been treated as obstacles to the systems' development, rather than as part of their necessary functionality.

3 Technical options

Privacy issues arise in transport informatics systems in several ways. (For a more detailed survey see Alpert (1995).) Examples include:

In what follows, I examine in more detail the use of Automatic Vehicle Identification (AVI) for roadway toll collection. This is important both in its own right and because it raises many broader issues for the whole area of personal data collection by ITS systems.

Databases of individual drivers' toll payments would have a wide variety of potential secondary uses, from marketing to law enforcement to civil litigation to political repression. AVI is typically implemented using a "transponder" (roughly the size of a cigarette package), usually attached to the bumper or dashboard of the car, that interacts through digital radio signals with roadside beacons. A car entering a tollway will "hear" a request for identification from the nearby beacon, and it will respond by transmitting its identification number. The details vary, but the most common proposal is for the beacon to relay this number to a central computer that deducts the necessary sum from a prepaid account and returns an acknowledgement to the beacon. Drivers without adequate funds in their accounts will be notified to pay in cash at a conventional toll booth.

The crucial issue is whether this payment system is anonymous. This in turn depends on both the transponder-beacon communications and the architecture for registering drivers' payments. For example, if the transponder transmits the driver's license number or Vehicle Identification Number (VIN) then the system is definitely not anonymous. Normally, though, the transponder will transmit its own serial number. Therefore, the system as a whole is anonymous if this number is not associated with any other identifier that can be connected to the individual. Unfortunately, in the United States, the transponder number is most often associated with a driver's account number -- whether a bank account number or the number of a debit account maintained by the road authority. The E-Pass system in Orlando, Florida, for example, issues each customer a monthly statement that includes the customer's name and address, together with a complete list of toll payments for the month. Each entry on this statement lists the precise time and location of the toll payment, including which lane the driver was in (Garfinkel 1995). Many such systems do permit customers to pay anonymously with cash, but this option is usually much less convenient and is rarely used once the system has been in operation for a few months.

Inherently anonymous toll-payment architectures are possible, and at least one is under active development. This is an AVI system being developed by the Amtech Corporation (Dallas, Texas) based on "digital cash". Digital cash is a scheme invented by David Chaum (1992) and marketed by his company Digicash (Amsterdam); it is based on public-key cryptography and permits parties to a transaction to transfer funds reliably in electronic form without having to identify themselves to one another. Although law-enforcement authorities are concerned that digital cash may lend itself to money-laundering, tax evasion, and other financial crimes, toll-collection provides one potential application of digital cash for which criminal abuses are hard to imagine. Unfortunately, although digital cash has enjoyed a great deal of official attention in Europe and Japan, I have seen no evidence that any American authority is planning to use it. Many have never even heard of it.

(Eric Hughes has pointed out to me that other anonymous toll-payment schemes are conceivable as well. For example, a customer might remotely instruct her bank to create a temporary account from which a short series of toll payments might be drawn; the road authority would be able to connect these payments to one another without being able to connect them to the customer.)
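The two architectures contrasted above, as an added example that is not from the article, Amtech or DigiCash: the identified scheme joins each toll record to the account holder through the transponder serial (the E-Pass statement), while the anonymous scheme follows Chaum's blind-signature digital cash, in which the bank debits the account when it signs a blinded token and the road authority later verifies the token without anything it sees being matchable to that withdrawal. All names, account numbers and toll records are constructed, and the RSA key is a fixed toy key built from two Mersenne primes, assumed only for the demonstration.

```python
import hashlib
import secrets
from math import gcd

# ---- Identified scheme: transponder serial -> account -> person (constructed data)
ACCOUNTS = {"TX-4471": ("A. Driver", "12 Elm St, Orlando FL")}
TOLL_LOG = [  # (transponder serial, time, plaza, lane, cents)
    ("TX-4471", "1995-07-03 08:12", "Beachline W", 3, 75),
    ("TX-4471", "1995-07-03 17:41", "Beachline E", 1, 75),
]

def identified_statement(log, accounts):
    """Statement of the E-Pass kind: name and address, then every crossing with
    its time, plaza and lane.  This linkage is what makes the data reusable."""
    lines = []
    for serial, when, plaza, lane, cents in log:
        name, addr = accounts[serial]
        lines.append(f"{name}, {addr}: {when} {plaza} lane {lane} ${cents / 100:.2f}")
    return lines

# ---- Anonymous scheme: Chaum blind signatures over a toy RSA key (demo only)
P, Q = 2**127 - 1, 2**89 - 1          # Mersenne primes; toy key, NOT for real use
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))     # gcd(E, phi) == 1 for these primes

def h(token: bytes) -> int:
    """Hash of the token, reduced into the RSA group."""
    return int.from_bytes(hashlib.sha256(token).digest(), "big") % N

class Bank:
    """Issues toll tokens; debits the account at withdrawal time only."""
    def __init__(self):
        self.balances = {"acct-77": 1000}
        self.withdrawals = []          # all the bank sees: account + blinded value
        self.spent = set()             # hashes of deposited tokens (double-spend check)

    def withdraw(self, account, blinded, cents):
        self.balances[account] -= cents
        self.withdrawals.append((account, blinded))
        return pow(blinded, D, N)      # signature on the blinded value

    def deposit(self, token, sig):
        hv = h(token)
        if pow(sig, E, N) != hv or hv in self.spent:
            return False
        self.spent.add(hv)
        return True

class Customer:
    def get_token(self, bank, account, cents):
        token = secrets.token_bytes(16)
        while True:                    # blinding factor must be invertible mod N
            r = secrets.randbelow(N - 2) + 2
            if gcd(r, N) == 1:
                break
        blinded = (h(token) * pow(r, E, N)) % N
        sig = (bank.withdraw(account, blinded, cents) * pow(r, -1, N)) % N
        return token, sig              # the bank never saw token or h(token)

class RoadAuthority:
    """Beacon side: verifies a token and records only time, plaza and lane."""
    def __init__(self, bank):
        self.bank, self.records = bank, []

    def collect(self, token, sig, when, plaza, lane):
        if pow(sig, E, N) != h(token):
            return False               # forged or tampered token
        self.records.append((when, plaza, lane))   # no identifier stored
        return self.bank.deposit(token, sig)       # False if already spent

def bank_can_link(bank, token):
    """Can the bank match a deposited token to a withdrawal?  Only by finding
    h(token) among the blinded values it stored, which the blinding prevents."""
    return any(b == h(token) for _, b in bank.withdrawals)
```

Running the identified and the anonymous flow side by side shows that both produce a usable toll record; only the first produces one that names the driver.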

4 Privacy protection

Early decisions about ITS payment architectures may have lasting effects. Technical standards are often difficult to change once they become entrenched in the market, and if non-anonymous schemes become prevalent then only the most courageous agencies will pursue anonymous alternatives. ITS America, though, has pursued privacy issues primarily through the development of a set of "Fair Information and Privacy Principles", currently in "draft final" form (Phillips 1995). These principles are important because they will provide guidance to numerous industry and government people -- largely urban planners and transportation engineers -- who have little prior experience with databases of personal information or the privacy issues that come with them. A copy of these principles can be found on the World Wide Web at http://polaris.gseis.ucla.edu/pagre/its-privacy.html

Perhaps unsurprisingly, the draft principles are extremely weak. They make no mention of anonymity. They explicitly envision that personal information collected through ITS will be used for non-ITS purposes, stipulating only that drivers be notified and given the opportunity to opt out. They suggest that law-enforcement uses of ITS information be authorized by state governments, and they envision no limits on the law-enforcement uses that state governments might authorize. The principles are voluntary, and they suggest no procedures through which compliance with them might be monitored. Nor do they specify which organizations will be liable when individuals are harmed through the improper use of ITS information.

Individuals' ITS records have virtually no statutory privacy protection (Glancy 1995). Neither tort law nor the Fourth Amendment promise much protection either (Halpern 1995, Weisberg 1995). The United States, unlike most industrial countries, has no generalized regulatory machinery for privacy protection. Furthermore, since most ITS systems will be operated by public agencies such as state transportation departments and regional transportation authorities, the records on individual toll payments that these systems maintain will often fall within the scope of state open records laws. ITS America's draft privacy principles recognize this danger -- but instead of recommending changes to the law, they effectively suggest that the records be held by private entities.

The ITS America privacy principles are scheduled to be revised and adopted early next year. (A small number of privacy advocates attended a meeting in Washington to discuss the principles in July 1995 and expressed their strong concerns; another meeting is tentatively scheduled for November to review the issues in the context of ITS architecture development.) Short of comprehensive data protection legislation, however, it is doubtful that even the strongest privacy principles would have any significant effect. Once databases of personal information from ITS systems grow, a wide variety of organizations will start proposing secondary uses for the information. It is impossible to predict with certainty that abuses will occur, but numerous other privacy-sensitive technologies provide strong and discouraging precedents. Telephone companies, for example, must respond to an enormous volume of subpoenas for their records, and transportation authorities that maintain individually identifiable information in their databases may find themselves in the same position. Subpoenas are not costly to issue, though they may be expensive to comply with, and ITS information should be equally attractive for a variety of legal purposes.

In my view, therefore, the technical issues are far more important than the language of voluntary principles. Individually identifiable information, once collected, is virtually certain to be abused; inherently anonymous architectures avoid the whole problem by not collecting the information in the first place. It is this kind of foundational design choice that must be faced early in the process to avert needless privacy erosion in the rush to implement ITS systems.

5 The new landscape

So far, I have been painting a pessimistic picture of the prospects for privacy protection in American ITS schemes. Viewed in the broadest context, though, AVI-based toll collection is about the most tractable privacy issue that one might hope to encounter:

The good news, then, is that some hope exists that AVI-based toll collection might be conducted in a manner consistent with privacy protection. The bad news, of course, is that if privacy advocates cannot prevail in this case then the prognosis in other cases is poor indeed. Whether the news is good or bad, it is important for privacy advocates to view the American ITS program, and transport informatics generally, as part of a newly emerging landscape of privacy issues.

As I mentioned in the introduction, this new landscape is the product of two technologies: computer networking and public-key cryptography. Computer networking is not itself a new technology, but it has only begun having a pervasive influence on industrial practices in the last few years. At the most basic level, networking makes it possible to envision applications that are unified functionally despite being distributed across a large geographic territory. Transport informatics, of course, is centrally concerned with the coordination of activities spread over large areas, particularly when employed as part of an integrated logistics system that creates tight linkages across a global system of production and distribution. At a more subtle level, networking makes possible the integration of computational processes across different functions and organizations. As a practical matter, this means that information technologists find themselves trying to interconnect database systems that have arisen independently in a wide variety of local circumstances. It is not just a technical problem of conversion between different data formats. More importantly, it is also a semantic problem: each database is likely to reflect the vocabulary and conventions of the particular work group that created it (Robinson and Bannon 1991). This not only makes the technical task more difficult, but also increases risks of harm to individuals, since personal data held in one system may be quite unsuitable for use in another. Transport informatics provides strong motivations for firms to interlink their machines over networks so that, for example, a shipping firm's customers can automatically check on the status of their shipments. Likewise, secondary uses of information collected by AVI toll-collection systems would be greatly facilitated by real-time networked access to road authorities' databases. In all such cases, however, the meaning and quality of the data, even if suitable for the original purpose, may generate serious privacy questions when it is transposed to a new context and combined with personal data from other databases.

Computer networking, then, creates the conditions for greatly increased risks to individual privacy. Public-key cryptography, on the other hand, creates the conditions to greatly alleviate these risks. As Marc Rotenberg has pointed out, this is a significant change in the view of technology that has been implicit and explicit in most analyses of the social impacts of technology. For the past fifty years, social theorists have, with some justification, identified technology with social control. Privacy advocates, as a result, have often been placed in the position of criticizing technology as such, or else arguing for the reduction or limitation of technical functionality. Digital cash and other technologies based on widely available strong cryptography, though, effectively invert the political situation. By placing privacy advocates in a strongly pro-technology stance, they cast the opponents of strong privacy protections in the role of clinging to technologically backward methods.

The challenge, of course, is to ensure that privacy-enhancing technology is actually used. This depends upon both political and market forces. Although information technologies are dropping in price, their development and use are nonetheless powerfully driven by standards. Consider, for example, the success of the Internet's TCP/IP protocol, which is effectively reducing the need for other internetworking protocols. TCP/IP permits interconnection with a huge number of existing networks that already use TCP/IP, and this compatibility issue generally outweighs the narrow advantages of any specific alternative. In the case of toll-collection, by analogy, much depends on the type of electronic financial infrastructure that develops in each region of the world. At the moment, it seems likely that Europe will develop a scheme based on a variant of digital cash such as Mondex, whereas the United States will develop a non-anonymous system modeled on credit cards -- for example, the electronic payment system being developed by Visa (Holland and Cortese 1995). Of course, several different payment systems may still arise, but once a non-anonymous system becomes a well-established standard, privacy concerns alone may be unable to create the market conditions for the construction of an anonymous alternative.

Another problem is the depth to which privacy invasion is ingrained in the practices of computer system designers (Agre 1994). The point is not that most system designers consciously set out to invade anybody's privacy. Instead, the problem lies in the practice of creating internal representations that mirror reality in a point-by-point fashion, so that a system can only support an activity by "capturing" it. The first step in current-day system design, after all, is to define a set of datastructures to be maintained -- for people, types of vehicles, the vehicles themselves, roads, lanes, accounts, transactions, dates, times, and so on -- and a convention for creating identifiers for each type of datastructure. For example, people might be identified by Social Security Number, vehicles by government-assigned Vehicle Identification Numbers, and so forth. Such a system might protect anonymity by simply omitting any representation of individual people. But this is difficult in practice, given that so many existing systems do represent data in an individually identifiable fashion, thus permitting an individual's identity to be reconstructed easily through the merging of records from different sources.

The widespread use of public-key cryptography to protect privacy, then, will require a considerable change in mindset among programmers. In effect we are witnessing two different revolutions: the computer networking revolution and the consequent merger of all the world's databases, and the public-key cryptography revolution with its potential to protect individual identities without limiting system functionality. The question is, which revolution will happen first?

The answer to this question, of course, depends on numerous factors, not the least of which is pure chance. Privacy advocates can play several roles:

Most fundamentally, though, privacy advocates can exert an influence by working with a range of other groups. Conditions should be auspicious for this kind of coalition-building. "Digital convergence", after all, is not just a technical phenomenon. It is also a political phenomenon, as an enormous variety of social groups become aware of previously unimagined common interests around information technology and its uses. Privacy advocates today, for example, have strong allies among librarians, doctors and nurses, trade unionists, ethnic activists, advocates for the elderly, conservative opponents of overbearing government, and many others. Concern about privacy has also taken on its own life as a cultural phenomenon; the general public is aware in an abstract way of the threats to their privacy, but most people have little concrete understanding of the exact nature of these threats. This vacuum is often filled by strange dystopian tales about microchips being implanted in people's bodies; correct information about the dangers to privacy would be considerably more useful and empowering.

We are thus faced with the task of keeping the political dialog about technology and privacy as technically sound and broadly inclusive as possible. In this way, we can hope to ensure that transport informatics in particular, and similar systems across the broader landscape more generally, will evolve in a way that provides the benefits of automation while retaining maximum protection of personal privacy.

References

Philip E. Agre, Surveillance and capture: Two models of privacy, The Information Society 10(2), 1994, pages 101-127.

Sheri A. Alpert, Privacy and intelligent highways: Finding the right of way, Santa Clara Computer and High Technology Law Journal 11(1), 1995, pages 97-118.

David Chaum, Achieving electronic privacy, Scientific American 267(2), 1992, pages 96-101.

Simson Garfinkel, The road watches you, New York Times, 3 May 1995, page A17.

G. Giannopoulos and A. Gillespie, eds, Transport and Communication Innovations in Europe, New York: Halsted Press, 1993.

Dorothy Glancy, Privacy and intelligent transportation technology, Santa Clara Computer and High Technology Law Journal 11(1), 1995, pages 151-188.

Sheldon W. Halpern, The traffic in souls, Santa Clara Computer and High Technology Law Journal 11(1), 1995, pages 45-73.

Mark Hepworth and Ken Ducatel, Transport in the Information Age: Wheels and Wires, London: Belhaven Press, 1992.

Kelley Holland and Amy Cortese, The future of money: E-cash could transform the world's financial life, Business Week, 12 June 1995, pages 66-78.

IVHS America, Proceedings of the 1993 Annual Meeting of IVHS America: Surface Transportation: Mobility, Technology, and Society, 14-17 April, Washington, DC, Washington, DC: IVHS America, 1993.

Hans Klein, Reconciling institutional interests and technical functionality: The advantages of loosely-coupled systems, Proceedings of VNIS'93 (Vehicle Navigation and Information Systems), IEEE/IEE, Ottawa, Canada, 12-15 October 1993.

Todd Lappin, Truckin', Wired 3(1), 1995, pages 117-123, 166.

Peter Marks, For a few lucky motorists, guidance by satellite, New York Times, 2 April 1994, pages 1, 16.

Organization for Economic Cooperation and Development, Intelligent vehicle highway systems: Review of field trials, Paris: OECD, 1992.

Don Phillips, Big Brother in the back seat?: The advent of the "intelligent highway" spurs a debate over privacy, Washington Post, 23 February 1995, page D10.

Mike Robinson and Liam Bannon, Questioning representations, in Liam Bannon, Mike Robinson, and Kjeld Schmidt, eds, ECSCW'91: Proceedings of the Second European Conference on Computer-Supported Cooperative Work, Dordrecht: Kluwer, 1991.

Richard Simon, Camera gains more exposure as a device for traffic control, Los Angeles Times, 20 February 1995, pages B1 and B3.

US Department of Transportation, IVHS Strategic Plan: Report to Congress, December 1992.

US Department of Transportation, Nontechnical Constraints and Barriers to Implementation of Intelligent Vehicle-Highway Systems: A Report to Congress, June 1994.

Matthew L. Wald, Two technologies join to assist lost drivers, New York Times, 30 March 1994, page A13.

Charles P. Wallace, Singapore in high-tech tangle to fight automobile gridlock, Los Angeles Times, 3 February 1995, page A5.

Robert Weisberg, IVHS, legal privacy, and the legacy of Dr. Faustus, Santa Clara Computer and High Technology Law Journal 11(1), 1995, pages 75-96.
