Background Notes
about
Electronic Toll Collection





ICS Comment, written 16 November 1997:
The system of electronic monitoring and computer recording of vehicle movements, installed for toll collection on the four-lane Cobequid Pass Highway in Nova Scotia — which opened for regular traffic on 15 November 1997 — was planned with no noticeable public debate about, and no known government supervision of, design features affecting the potential problems inherent in such systems, which will have the effect of significantly increasing government intrusion into the private lives of citizens.

Further comment, written 8 August 1998:
The electronic toll collection system for the Macdonald and MacKay bridges across Halifax Harbour have entered the final 30-day test period, and soon will go into regular operation. Again, there has been no noticeable public debate about, and no known government supervision of, design features affecting the potential problems inherent in such systems.

See below for more information.


The Road Watches You:
'Smart' Highway Systems May Know Too Much

(C) 1995, Simson L. Garfinkel

(This is slightly longer version of my article that appeared
in the March 3, 1995 issue of The New York Times.)

Date: Wed, 3 May 1995 15:37:38 -0400
From: <simsong@acm.org> (Simson L. Garfinkel)
Subject: The Road Watches You: 'Smart' Highway Systems May Know Too Much
Source http://www.vortex.com/privacy/priv.04.10
[From Risks-Forum Digest; Thursday, 4 May 1995, Volume 17, Issue 11
— PRIVACY Forum MODERATOR]

Highway authorities throughout the country are building futuristic "smart road" systems designed to unclog our highways and bridges, improve driver safety, and create a variety of new services for our nation's motorists. But these smart roads could lead to an Orwellian surveillance state if we do not act now to change their course.

One smart road system is already in operation on New York's Tappan Zee Bridge. Called E-ZPass, the system allows drivers to drive through the toll plaza without reaching for their wallets or rolling down their windows. Instead, a computer operated by the Thruway Authority reads an electronic tag mounted inside the car's windshield, and automatically deducts the toll from a special pre-established account.

Other systems are going up around the country. In Florida, the Orlando-Orange County Expressway Authority has a system called E-PASS which lets drivers pay their tolls on the East-West Expressway and certain parts of the Central Florida GreeneWay. Instead of a windshield tag, E-PASS uses a radio transponder the size of a flashlight mounted under the car's front bumper. A similar system is being planned for the San Francisco Bay Area.

These automatic toll collection systems are just the beginning of a nation-wide plan called Intelligent Transportation Systems, or ITS. Rather than have each city adopt its own tag or transponder, the Department of Transportation and ITS America, a Washington-based organization that promotes the system, are scrambling to create a single, national standard.

As envisioned, smart roads could further reduce highway congestion by alerting drivers to upcoming accidents; a computer display mounted on the dashboard could suggest alternative routes. With its planned two-way communication between the car and the intelligent road, ITS could even eliminate the search of a place to park. Instead, your car's computer could automatically locate the nearest lot with an opening and electronically reserve you a place.

But there is a dark side to this plan, a privacy problem that its boosters are trying to pave under. These systems offer unprecedented opportunities to monitor the movements of drivers. It would create a bank of personal information that government and private industry might have difficulty resisting.

Consider Florida's E-PASS system. Each month, every E-PASS subscriber gets a detailed statement listing the exact time, date and location that each toll was collected. ITS America has adopted a set of privacy principles which say that states shouldn't take advantage of this data, yet the organization specifically envisions that "states may legislate conditions under which ITS information will be made available."

Phil Agre, who teaches communications at the University of California, San Diego, and closely follows privacy issues, warns that there might be other unintended consequences of the widespread use of ITS systems. Auto insurance companies already offer discounts to driver who don't live in areas of high auto theft or accidents; in the future, says Agree, they might offer discounts to drivers who can prove that they haven't driven onto "the wrong side of the tracks."

The data could also be sold illegally by insiders. Information about a person's movements might be a key fact in forcing an out-of-court settlement in a divorce or worker's compensation case. Private investigators would have a big incentive to bribe low-paid clerical workers for a photocopy of somebody's toll-crossing bill.

There is an alternative to this system. Instead of transmitting an account number, a radio would transmit "digital cash" using a smart card inside the car similar to the telephone cards used in many European countries. But judging by plans under way so far, state agencies and the Government haven't shown much interest in making privacy a priority in the design of the tomorrow's intelligent highways.

Americans have always loved the freedom that their cars give them. Could that too become a thing of the past?

Simson Garfinkel is a Cambridge-based writer who covers privacy issues. His fourth book, PGP: Pretty Good Privacy, was published by O'Reilly in January.


Abuse of Highway Toll Information

Date: Sat, 1 Jun 1996
Subject: Abuse of Highway Toll Information
Source

This message was forwarded through the Red Rock Eater News Service (RRE). Send any replies to the original author, listed in the From: field below.

Date: Sat, 1 Jun 96
From: privacy@vortex.com (PRIVACY Forum)
Subject: PRIVACY Forum Digest V05 #11




Date: Sun, 26 May 1996 17:23:15 -0700 (PDT)
From: http://communication.ucsd.edu/pagre/agre.html
In the summer of 1998, Phil Agre's website was moved to Phil Agre's new website
    http://dlis.gseis.ucla.edu/people/pagre/
Subject: Highway Tolls and Privacy

The increasingly widespread use of automatic account-based systems for highway toll collection has led to equally widespread concerns for personal privacy. If individually identifiable toll records are stored in a database then perhaps they can be used for purposes beyond those originally intended. To my knowledge this has not yet happened in the United States. But it did happen a few years ago in France, and the story is worth telling. The details are available in English on Lexis/Nexis from an Agence France Presse bulletin of 17 August 1993, which I summarize in part here:

Jacques Mellick, mayor of the northern French town of Bethune and former cabinet minister, provided an alibi in the trial of politician and businessman Bernard Tapie on charges of trying to bribe a football coach to throw a match. He claimed that he and Tapie had met at Tapie's offices in Paris between 2:30 and 3:30pm on the date when the offence had supposedly taken place. Doubts soon arose about Mellick's story. A photo claimed to have been taken 2:00pm that day placed Mellick at a ceremony in Bethune. And, says the story, "the motorway toll booths between Paris and Bethune had no record of Mellick's car on the road that day". Mellick claimed that he had paid the toll himself because he had been travelling to Paris on private business. The article does not explain who had checked the records or who had made the information about them public. The toll booths in question used "smart cards", though the article does not say just which technology was involved

The point is, even though no record of Mellick's travels showed up in the toll-collection system, the lack of a record was printed in the newspapers as circumstantial evidence suggesting that Mellick had committed perjury. Fortunately in this case other, more clear-cut evidence existed. But plenty of people are having their reputations dragged through the mud in scandals and pseudo-scandals these days by "opposition research" organizations with trained researchers and access to all the databases they can find. In this context, the very existence of individually identifiable toll records is a clear invitation to trouble. And it's completely unnecessary as well, given that proven technology exists to collect highway tolls anonymously.

Phil Agre, UCSD (University of California at San Diego)

Proposed Satellite Monitoring of Car Movements
in Sweden

Date: Wed, 29 Jan 1997 20:39:29 +0100 (MET)
From: Feliks Kluzniak <feliks@carlstedt.se>
Subject: Proposed Satellite Monitoring of Car Movements in Sweden
Source [From Risks-Forum Digest; Volume 18, Issue 81 — MODERATOR]
    http://www.vortex.com/privacy/priv.06.03

The new issue of Dagens IT, no. 3, dated 28 Jan - 3 Feb 1997 (a Swedish paper aimed at information technology professionals), contains an item that might be of some interest to those RISKS readers who followed discussions about automatic highway toll booths in the US and related subjects.

My (probably imperfect) translation follows.

Car users will be put in "feetcuffs"
(written by Margaretha Sundstroem)

With the help of a new satellite system car users might pay different taxes, depending on when and where they drive. This is what the State communications commission is said to be discussing.

According to (the newspaper) Dagens Politik, the State communications commission is discussing a proposal to use satellites for determining car taxes in the future. It is proposed that all of Sweden's 3.5 million cars should be equipped with a little reader fastened to the instrument board. Car users would then buy cards that can be inserted into the reader. The card would communicate with a satellite that would register where you drive and for how long. The car tax would then be withdrawn from the card.

The proposal has been put forward by the State institution for communication analysis. They estimate that just the Stockholm (tax) authorities would be able to earn six billion crowns by using this system.

The costs for car users would thereby increase.



The reference to "feetcuffs" (by analogy to "handcuffs" - ankle shackles?) is an allusion to radio transmitters that are irremovably fastened to the ankles of some criminals in this country so that the authorities can monitor their compliance with the rules of house arrest.

The word "communication" is meant to include car traffic etc. The word "billion" is given in its US meaning: a thousand million.

The risks? Apart from the risks of having very complex systems automatically determine how much you have to pay, there are the usual privacy considerations. Some cry out "big brother". Others say you are already in this situation if you carry a cellular phone.

Feliks Kluzniak, Carlstedt Research & Technology, Gothenburg

Parker's Column

Date: Sun, 12 Jan 1997
From: <pdonham@fox.nstn.ca>

Source: http://www.cfn.cs.dal.ca/Media/TodaysNews/listserv/parker-l/530.html

On each landing, opposite the lift shaft, the poster with the enormous face gazed from the wall. It was one of those pictures which are so contrived that the eyes follow you about when you move. BIG BROTHER IS WATCHING YOU, the caption beneath it ran.
— George Orwell, 1984

Sometime this spring [1997], the Halifax-Dartmouth Bridge Commission [Nova Scotia] plans to install equipment that will automatically identify vehicles and bill tolls to individual customer accounts.

A radio transmitter in each toll lane will broadcast a signal 100 times per second. When the radio waves strike a transponder card affixed to a vehicle, they will induce an electrical charge in an imbedded microchip. The chip, in turn, will cause the card to emit a second radio signal encoded with the vehicle's ID.

Sensors will pick up this signal and send the ID code to a computer, which will check to see if it corresponds to a valid account. If so, lights will signal the motorist to proceed, and deduct 60 cents from the customer's account.

To use the system, a motorist will have to set up an account and purchase a transponder card for $30. Although details have yet to be worked out, General Manager Steve Snider hopes to let customers replenish their accounts by cash, cheque, or direct debit of bank accounts or credit cards.

The system has many obvious advantages. It should speed traffic through the tolls, and simplify collection for both motorists and the commission.

It also opens some new possibilities: the commission hopes to have a telephone number a customer can dial and, using a PIN, instruct the computer to fax a print-out of recent trips across the bridges.

But there's the rub. Although the system is intended solely to facilitate collection of tolls, it will, as presently designed, entail electronic surveillance of citizen's comings and goings. The commission will have each subscribing motorist's name, address, and telephone number, and the time, date, direction travelled, and vehicle used for every bridge crossing.

Chris Welner, spokesman for the Department of Transportation and Public Works, said the Highway 104 Corporation plans to install a similar system on the new toll highway in Cumberland County. Welner said department officials hope the two systems will be compatible, so motorists won't have to carry a welter of transponder cards.

Add in the Confederation Bridge, and possible future toll roads in the Valley, South Shore, and Eastern Counties, and it's clear that a central government computer could soon contain a massive database of citizen movements.

Some citizens will find this prospect obnoxious. Others will shrug: I have nothing to hide, so why should I worry. But use of the word "hide" implies that there is never a legitimate basis for keeping one's movements private, and that government is a benign force.

I am not imputing motives here. No one is setting out to devise a system of state, electronic surveillance of citizens. But that is an unintended consequence of the system that's now falling, helter skelter, into place.

Interviews with Welner and Snider demonstrate that responsible officials have not thought deeply about this problem. Welner said he didn't know whether department officials had considered the privacy implications of electronic vehicle identification, but agreed, "It probably is something that should be considered."

Snider insists that personal data will be secure, and the system will be voluntary. But there will be a financial penalty for paying cash, and Snider acknowledges that the commission hopes motorists will feel powerfully motivated to use the electronic payment method.

How long will personal data be retained? Snider wasn't sure. Would police be given access to the data without a warrant? Snider said the commission would have to consult its lawyer, something it hasn't done. Would motorists be allowed to open anonymous accounts? Hadn't thought of that.

What's clear is that the commission has devoted little thought to designing a system that gathers no unnecessary personal data (like names and phone numbers).

Electronic toll collection is only the first step toward automated highways, or intelligent transportation systems (ITS) as they are known in industry jargon. Because the bridge commission is taking this step first, the system it adopts will likely become standard throughout the province, if not the region.

Privacy policies are a political issue that should not be left in the hands of a bridge commission. The public, and the legislature, need to think these questions though. Now.

(Readers with Internet access can read more about the privacy implications of ITS at <http://weber.ucsd.edu/~pagre/its-issues.html> and <http://weber.ucsd.edu/~pagre/its-privacy.html>.)

Copyright (C) 1997 by Parker Barss Donham.
All rights reserved. <pdonham@fox.nstn.ca>

Parker Barss Donham | R.R.1, Bras d'Or | (902) 674-2953 (vox)
pdonham@fox.nstn.ca | Nova Scotia, Canada B0C-1B0 | (902) 674-2994 (fax)


Total Surveillance on the Highway

Date: Tue, 1 Aug 1995
From: Phil Agre <pagre@weber.ucsd.edu>
Subject: Total Surveillance on the Highway
Source http://www.vortex.com/privacy/priv.04.17

A controversy is growing around the failure of "Intelligent Transportation System" programs in the United States to exercise any leadership in the adoption of technologies for privacy protection. As deployment of these systems accelerates, some of the transportation authorities have begun to recognize the advantages of anonymous toll collection technologies. For example, if you don't have any individually identifiable records then you won't have to respond to a flood of subpoenas for them. Many, however, have not seen the point of protecting privacy, and some have expressed an active hostility to privacy concerns, claiming that only a few fanatics care so much about privacy that they will decline to participate in surveillance-oriented systems. That may in fact be true, for the same reason that only a few fanatics refuse to use credit cards. But that does not change the advantages to nearly everyone of using anonymous technologies wherever they exist.

Let me report two developments, one bright and one dark. On the bright side, at least one company is marketing anonymous systems for automatic toll collection in the United States: AT/Comm Incorporated, America's Cup Building, Little Harbor, Marblehead MA 01945; phone (617) 631-1721, fax -9721. Their pitch is that decentralized systems reduce both privacy invasions and the hassles associated with keeping sensitive records on individual travel patterns. Another company has conducted highway-speed trials of an automatic toll-collection mechanism based on David Chaums digital cash technology: Amtech Systems Corporation, 17304 Preston Road, Building E-100, Dallas TX 75252; phone: (214) 733-6600, fax -6699. Because of the total lack of leadership on this issue at the national level, though, individuals need to do what they can to encourage local transportation authorities to use technologies of anonymity. It's not that hard: call up your local state Department of Transportation or regional transportation authority, ask to talk to the expert on automatic toll collection, find out what their plans are in that area, and ask whether they are planning to use anonymous technologies. Then call up the local newspaper, ask to talk to the reporter who covers technology and privacy issues, and tell them what you've learned.

On the dark side, here is a quotation from a report prepared for the State of Washington's Department of Transportation by a nationally prominent consulting firm called JHK & Associates (page 6-9):

Cellular Phone Probes. Cellular phones can be part of the backbone of a region-wide surveillance system. By distributing sensors (receivers) at multiple sites (such as cellular telephone mast sites), IVHS technology can employ direction finding to locate phones and to identify vehicles where appropriate. Given the growing penetration of cellular phones (i.e., estimated 22% of all cars by 2000), further refinements will permit much wider area surveillance of vehicle speeds and origin-destination movements.

This is part of a larger discussion of technologies of surveillance that can be used to monitor traffic patterns and individual drivers for a wide variety of purposes, with and without individuals' consent and knowledge. The report speaks frankly of surveillance as one of three functionalities of the IVHS infrastructure. (The others are communications and data processing.) The means of surveillance are grouped into "static (roadway-based)", "mobile (vehicle-based)", and "visual (use of live video cameras)". The static devices include "in-pavement detectors", "overhead detectors", "video image processing systems", and "vehicle occupancy detectors". The mobile devices include various types of "automatic vehicle identification", "automatic vehicle location", "smart cards", and the just-mentioned "cellular phone probes". The visual devices are based on closed-circuit television (CCTV) cameras that can serve a wide range of purposes.

The underlying problem here, it seems to me, is an orientation toward centralized control: gather the data, pull it into regional management centers, and start manipulating traffic flows by every available means. Another approach, much more consonant with the times, would be to do things in a decentralized fashion: protecting privacy through total anonymity and making aggregate data available over the Internet and wireless networks so that people can make their own decisions. Total surveillance and centralized control has been the implicit philosophy of computer system design for a long time. But the technology exists now to change that, and I can scarcely imagine a more important test case than the public roads. People need to use roads to participate in the full range of associations (educational, political, social, religious, labor, charitable, etc etc) that make up a free society. If we turn the roads into a zone of total surveillance then we chill that fundamental right and undermine the very foundation of freedom.

Phil Agre, UCSD

Highway Privacy and Extremist Politics

Date: Thu, 18 Jan 1996 20:08:26 -0800 (PST)
From: Phil Agre <pagre@weber.ucsd.edu>
Subject: Highway Privacy and Extremist Politics
Source http://www.vortex.com/privacy/priv.05.03

In a report on the right-wing militia movement in Washington State (available on the Web at http://nwcitizen.com/publicgood/reports/maltby3.htm ), Paul de Armond discusses one David Montgomery, whom he describes as "a perennial right-wing congressional candidate and former treasurer for the Washington chapter of Rev. Sun Myong Moon's American Freedom Coalition". He clearly regards Mr. Montgomery as a fringe extremist, and he illustrates this view by quoting one of Mr. Montgomery's campaign flyers, entitled "Gun Rights and Your Freedom" as follows:

"New toll roads can identify your car and charge an account in your name by means of a sensor in the windshield. This could allow the government to track your movements."

Although he doesn't say so explicitly, the context makes it sound as if Mr. de Armond regards this view as bizarre. The problem, of course, is that it is basically true. The "sensor" is really (in most cases) an RF [radio frequency] transponder, and it is not quite "in" the windshield but (in many cases) attached to it. Such systems are in operation in roughly ten US states and in several other countries. Although few serious observers regard these systems as government plots to track citizens' movements, the systems have nonetheless provoked controvery across the political spectrum because they could, in fact, be used for this purpose. The FBI, for example, has made no secret of its desire to obtain unrestricted access to the files maintained by toll authorities. Although such systems could easily be made anonymous using new technology based on digital cash, I know of no US authority that is planning to do so.

Now, Mr. de Armond is actually aware of all of this; he just inadvertently neglected to quote enough of the flyer to make apparent the role of automated toll roads in Mr. Montgomery's humongous conspiracy theories. What's scary, of course, is that the toll roads are so readily used in this way. The use of this issue by political extremists is a symptom of a deep problem, which is that automated toll collection in the US, like many other new technologies that affect the public, is being developed with only the faintest semblance of democratic process — decisions are made in back rooms and the systems just seem of materialize one day. The bureaucrats who run the show don't expend much effort on privacy because they don't hear any screaming about it, and they don't hear any screaming about it because only a tiny proportion of citizens is even aware of the issue. (Having said this, I should point out that Washington State is just about the only US jurisdiction which has seen meaningful organized resistance to automated toll collection. I do not know of any connection between this resistance and the far right.)

Automated toll collection may not be a sinister plot, but in its practical consequences it is just as bad. It is a serious accident waiting to happen — not least because it provides an organizing issue for political extremists. The very possibility of the systems' abuse, together with the tacit policy of stealth implementation, threatens to become a corrosive influence on our society.

Phil Agre, UCSD



Date: Mon, 10 Jun 1996 16:40:03 -0700 (PDT)
Subject: Building in Privacy
Source: http://snyside.sunnyside.com/cpsr/lists/rre/building_in_privacy

[This is a paper presented by Ann Cavoukian <cavouk@io.org>, the Assistant Privacy Commissioner of Ontario, at a recent meeting on privacy and security technology. It describes the need for (what have come to be called) privacy-enhancing technologies such as biometric encryption. The endnotes are missing.]

This message was forwarded through the Red Rock Eater News Service (RRE). Send any replies to the original author, listed in the From: field below.


GO BEYOND SECURITY — BUILD IN PRIVACY:
ONE DOES NOT EQUAL THE OTHER

 Ann Cavoukian, Ph.D.
Assistant Privacy Commissioner, Ontario

CARDTECH/SECURTECH 96 CONFERENCE

ATLANTA, GEORGIA
MAY 14-16, 1996


Privacy vs. Confidentiality/Security

This paper will begin by touching briefly on the meaning of privacy since this term is at times used interchangeably with confidentiality/security. But let me assure you that the two are not one and the same. While privacy may subsume what is implied by confidentiality, it is a much broader concept involving the right to be free from intrusions, to remain autonomous, and to control the circulation of information about oneself.

Privacy involves the right to control one's personal information, and the ability to determine if and how that information should be obtained and used. The Germans have referred to this as "informational self-determination": In 1983, the German Constitutional Court ruled that all citizens had the right to informational self-determination (an individual's ability to determine the uses of one's information). While most countries with privacy laws have this notion of self-control as one of the goals of their legislation, they do not usually have an explicit constitutional guarantee to privacy, as in the case of Germany.

It is in this sense that privacy is a much broader concept than confidentiality since it entails restrictions on a wide range of activities relating to personal information: its collection, retention, use and disclosure. Confidentiality, however, is only one means of protecting personal information, usually in the form of safeguarding the information from unauthorized disclosure to third parties.

Confidentiality only comes into play after the information in question has been obtained by a company, organization or government (commonly referred to as "data users"). Data users are expected to be responsible for the safekeeping of the personal information entrusted to them. In this sense, they have a custodial obligation to protect the information in their care. Thus, a relationship of trust exists between data subjects and data users, requiring a duty of care and an expectation of confidentiality. The latter involves containment of the personal information to those permitted access to it, and safeguarding it from disclosure to unauthorized third parties. The means by which this is achieved involves security.

The full spectrum of data security, computer and network security, physical security and procedural controls must be deployed to protect personal information from a wide range of threats: inadvertent or unauthorized disclosure, intentional attempts at interception, data loss, destruction or modification, attempts to compromise data integrity and reliability, and others. Measures that enhance security enhance privacy: the two are complementary, but not one and the same. Therefore, simply focusing on security is not enough. While it is an essential component of protecting privacy, it is not sufficient by itself. For true privacy protection we must turn to the time-honoured principles of data protection commonly referred to as "the code of fair information practices."

These internationally-recognized principles were first formally launched by a European organization, the OECD (Organization for Economic Co-operation and Development) in 1980, for the purpose of conferring rights upon data subjects and responsibilities upon data users (both Canada and the United States are signatories). They place limitations on the collection of personal data, place restrictions on its uses, place an onus on purpose specification, declare a need for openness, transparency, and accountability, and create the right of individual access and correction.

The eight principles governing data protection

The eight principles governing data protection are as follows:

Building In Privacy

What is needed is a convergence of these principles with those found in systems design and smart card applications. What is needed are the design correlates of fair information practices. The systems design and architecture should translate the essence of these practices into the language of the technology involved.

In addition, incorporating such a requirement into a privacy impact assessment prior to the actual development of a new system should be viewed as an essential first step. Just as it would be inconceivable to build a new system without any idea of the financial costs involved, it should be equally inconceivable to build a new system without any idea of the privacy costs involved, or the protections needed to minimize those costs. Preparing such an assessment at the beginning of the process, followed by the implementation of fair information practices upon completion, will ensure a much higher degree of privacy protection.

One of the most important principles is the "use limitation" principle, referring to the limitations that should be placed on the uses of personal information. This requires drawing a clear distinction between the primary purpose of the collection and any subsequent or secondary uses, unrelated to the primary purpose. In other words, personal information collected for one purpose (paying taxes), should not be used for another purpose (compiling a mailing list of people with incomes over $100,000), without the consent of the individuals involved. Thus, the use of the information should be limited to the primary purpose (tax collection), which was the purpose specified to the data subject at the time of the data collection. While the above may sound fairly straightforward, it is seldom put into practice without some mechanism (a privacy law or code of conduct) requiring that such principles be followed.

When systems are not built with privacy in mind (which is generally the norm), one may not be able to easily isolate the primary purpose of the collection (if an effort is to be made to restrict uses of the information to that purpose). And if different types of information have been gathered by the same organization for different purposes, then access should be restricted to those who need to access a particular type of information — not the entire set. This requires the creation of segregated fields of access with a clear demarcation of who should be permitted access to what fields. Even better, however, would be the anonymization of personally identifiable data.

New and emerging information technologies have lead to a massive growth in the amount of personal information accumulated by organizations. In identifiable form, this trend increasingly jeopardizes the privacy of those whose information is being collected. Minimizing or entirely eliminating identifying data, however, will go a long way to restoring the balance. To the extent that smart cards can be designed with anonymity in mind, privacy interests will be advanced enormously.

Why is it that every time you engage in a wide range of activities — using a credit or debit card, making a telephone call, subscribing to a magazine, joining a club, ordering goods from a mail-order catalogue, or buying something at a grocery store or department store, an identifiable record of each transaction is created and recorded in a database somewhere. Why is it that in order to obtain a service or make a purchase (other than with cash or a cash-card), organizations require that you identify yourself? This practice is so widespread that it is treated as a given: it can be no other way. Really? The time has come to challenge this view. Is it not possible for transactions to be conducted anonymously yet securely, with proper authentication? Emerging technologies of privacy not only make this possible, but quite feasible.

Consumer polls repeatedly show that individuals value their privacy and are concerned with potential losses in this area when so much of their personal information is routinely stored in computers over which they have no control. Anonymity is a key component of maintaining privacy. Protecting one's identity is synonymous with preserving one's ability to remain anonymous. Technologies that provide authentication without divulging identity not only address privacy concerns, but also provide much-needed assurances to organizations regarding the authenticity of the individuals they are doing business with.

Privacy-Enhancing Technologies

Two examples of privacy-enhancing (anonymizing) technologies will be provided here, each of which relies upon the "blinding" of identity through the use of encryption — in the first case, through an extension of public key encryption, in the second case, through the use of biometric encryption.

Blind Signatures

The blind signature, created by David Chaum of Digicash is an extension of the digital signature — the electronic equivalent of a handwritten signature. Just as a signature on a document is proof of its authenticity, a digital signature provides the same authentication for electronic transactions. It provides the necessary assurance that only the individual who created the signature could have done so, and permits others to verify its authenticity.

Digital signatures are an extension of an asymmetric cryptosystem, public key encryption. In a public key system, two different keys are created for each person: one private, one public. The private key is known only to the individual while the public key is made widely available. When an individual encrypts a document with his or her private key, this is the equivalent of signing it by hand since the private key is unique to that individual. The intended third party can decrypt the message using the individual's public key, which corresponds to his/her private key. If the information is successfully decrypted, then one has the necessary assurance that it could only have been transmitted by that individual. Otherwise, it would not have been possible to decode the information successfully.

While a digital signature provides proof of authenticity (that a transaction originated from a particular sender), it reveals the identity of the individual in the process. The blind signature, created by David Chaum, Director of DigiCash, is an extension of the digital signature but with one additional feature: it ensures the anonymity of the sender. While digital signatures are intended to be identifiable (to serve as proof that a particular individual signed a particular document), blind signatures provide the same authentication but do so in a non-identifiable or "blind" manner. The recipient is assured of the fact that a transmission is authentic and reliable, without knowing who actually sent it.

One application of blind signatures involves the use of "e-cash" which can be used as an electronic form of payment that can be transmitted via networks such as the Internet. Just as cash is anonymous, e-cash is also anonymous in that it cannot be traced to a particular individual. Chaum calls it "unconditionally untraceable." The service provider, however, is assured of its authenticity; the only thing missing is the ability to link the transaction to a particular person. Chaum emphasizes that his system provides much-needed protections against fraud and abuse. It is predicated on the use of non-identifier-based technology: "A supermarket checkout scanner capable of recognizing a person's thumbprint and debiting the cost of groceries from their savings account is Orwellian at best. In contrast, a smart card that knows its owner's touch and doles out electronic bank notes is both anonymous and safer than cash."

Biometric Encryption

Biometric measures provide irrefutable evidence of one's identity since they offer biological proof that can only be linked to one individual. The most common biometric measure is the fingerprint. Fingerprints have historically raised concerns over loss of dignity and privacy. The central retention of fingerprints and multiple access to them by different arms of government invokes images of Big Brother watching.

The fundamental problem with identifiable biometric measures has been that once obtained, they are stored in identifiable form together with other personal information in a central database. This may then potentially be accessed by a number of third parties and used for a variety of unintended purposes. All of this facilitates surveillance — making it easier to track your movements and compile detailed personal profiles. Thus, the threat to privacy comes not from the positive identification that biometrics provides best, but the ability of others to access this information in identifiable form, and link it to other personal information. This can only occur, however, if the biometric information is kept in identifiable form. All of that changes if the biometric measure is used only to encrypt the information to be stored.

Therein lies the paradox of biometrics: a threat to privacy in identifiable form, a protector of privacy in encrypted form; a technology of surveillance in identifiable form, a technology of privacy in encrypted form. As noted earlier, reliable forms of encryption can anonymize data and prevent unauthorized third parties from intercepting confidential information. In the case of biometrics, they permit authentication without identification of the user.

Take the example of someone receiving welfare benefits. The government needs to ensure that only those eligible to receive such benefits actually receive them, thereby reducing fraud. But if someone is eligible for welfare, then he should get what he is entitled to. So what is needed is confirmation of the fact that person A (who we have determined is eligible for welfare benefits), is in fact person A and not someone impersonating him. Biometric encryption can do that anonymously, without revealing the fact that person A is John Smith. So if A uses these benefits to buy groceries (with food stamps, for example), he should be able to do so once his eligibility has been authenticated. You don't need to know that A is John Smith who went to the store to buy a box of cereal, a bag of chips, and some milk. But you need to be sure that someone else can't impersonate him and claim the same benefits.

One company, Mytec Technologies, has done just that. Mytec has developed a new technology that will transform the way we view fingerprints: from posing a threat to privacy, to becoming its protector. Fingerprints encrypting information will now be used to protect people's privacy instead of invading it. Through the "bioscrypt," a compound of biometrics encryption, user eligibility is authenticated without divulging identity. Further, the bioscrypt bears no physical resemblance to the user's actual fingerprint. Mytec's system does not retain any record, image or template of the individual's actual fingerprint. Therefore, a copy of the fingerprint is never kept on file. Instead, a number or set of characters encrypted by the finger pattern, not the finger pattern itself, is retained in the form of the bioscrypt. The bioscrypt cannot be converted back to its corresponding fingerprint from which it originated because it is not a fingerprint.

Thus, one's finger becomes one's uniquely private key, with which to lock or unlock information. Since the bioscrypt was designed to confirm an individual's identity, it can only be used for comparative purposes, with the individual holding the key. Extension of this technology allows for the development of complete information systems using anonymous databases. George Tomko, President and C.E.O. of Mytec says that "the bioscrypt precludes the need for a unique identifying number or the centralized storage of fingerprints. People can carry out their transactions privately in a "blind manner" without the electronic tracing of a person's activities. Now transactions made through monetary systems such as credit or debit cards can be completely anonymous, thus ensuring total user privacy. With this technology, elimination of fraud is a by-product of protecting an individual's privacy."

Both David Chaum's blind signatures and George Tomko's biometric encryption provide for maximum privacy through advanced systems of encryption. Technologies such as these should receive the full support of both those interested in protecting privacy and those interested in eliminating fraud. They achieve the goal of fraud reduction without giving away your identity in the process, or your privacy — a true win/win scenario.

Conclusion

The process of building privacy into systems and smartcard applications begins by recognizing the distinction between privacy and security. Introducing fair information practices into the process will by necessity broaden the scope of data protection, expanding it to cover both privacy and security concerns. The preparation of a privacy impact assessment can be a useful tool to assist in identifying areas where privacy may be negatively impacted, leading either to eliminating the problem areas or building in the necessary protections. The greatest protection, however, may come from de-identifying or anonymizing personal information.

The use of privacy-enhancing technologies such as those described above (DigiCash and Mytec) which minimize or entirely eliminate personally identifiable information are ideal in that they serve the needs of both individuals and organizations: personal privacy is maintained through the anonymity afforded by such systems, while organizations are assured of the authenticity of the individuals they are doing business with. Both needs are met. Mission accomplished.

Reference:
Privacy Commissioner of Ontario
    http://www.ipc.on.ca/

Access to DMV Records by Rental Car Companies

Date:   Fri, 09 Feb 1996 11:53:48 EST
From:   Paul Robinson <paul@TDR.COM>
Subject: Access to DMV Records by Rental Car Companies
Source http://www.vortex.com/privacy/priv.05.04
[DMV: Department of Motor Vehicles]

According to a report over the radio, a little-noticed provision of one of the crime bills which have come out allows a rental car company to check your driving record.

According to the report, two or three incidents — an accident or certain types of tickets — is enough to cause you to be blacklisted.

Where are the problems in this?

1.   There is no announcement of this practice; you're not likely to find out until you get to the counter and can't rent a car.

2.   There is no appeals process available.

3.   There is no means available to provide for corrections or to determine where or how the error occurred in the event you are caught short by this happening.

4.   No consideration is made as to the severity of the offences or whether you were even at fault in the accident; if the information is there, you walk.

Questions:

5.   What proof do we have that those who are inquiring into the database are authorized to do so, that they are actually looking up the record for that customer, and what privacy protections do we have against unauthorized inquiries? Do we have the right to password-protect our own account?

6.   What protections do we have against the risk of erroneous data in a report?

7.   Is this the same data as is available at a DMV or DPS office, and if not, in what way is it different?

8.   Are there rights under law to get errors corrected? For damages for inconvenience due to errors? Any right to collect damages for misconduct if knowingly false information is placed in a database? Or for failure to timely followup inquiries and remove errors? Government agencies are not known for speed in action unless, like with large organizations, damages and fines are available to those who are injured due to error, negligence or misconduct.

Advice:

1.   Whenever making a reservation for a car at a rental agency, book it with multiple agencies, then once you have the car, cancel or reschedule the ones not needed. (I do this because I have been extremely inconvenienced when there are conditions imposed at the rental counter I couldn't meet when I'd booked a car and made plans weeks in advance; if I had known about them beforehand I could have done something about them.)

2.   If you get caught short in any circumstances, try another agency if (as is usually the case) asking for a supervisor doesn't help.

3.   When making a reservation, ask if they do checking of one's driving record. If they do, and you want or must use that particular agency, then ask them to check your record in advance so you can know if there are any problems.

4.   Get a copy of your driving record so you can know if there are any errors or inaccurate reports. In Maryland, where I live, a 3-year report costs $5 if uncertified, and $8 if certified; a full report of everything on file is $10 and $15, respectively. (My report showed nothing at all.)

5.   The above could also apply to certain issues regarding credit reports, for the same or similar reasons.

Paul Robinson

On the Road to Nosiness?

Date:   Sat, 6 Nov 93
From:   Les Earnest <les@sail.stanford.edu>
Subject: On the Road to Nosiness?
Source http://www.vortex.com/privacy/priv.02.35

In his Detroit Free Press article, Dan Gillmor describes prospective privacy intrusions in the form of vehicle tacking based on "intelligent vehicle highway systems." Some of these problems can be avoided through appropriate design decisions, but the fact is that many of us can be tracked today on a minute-by-minute basis.

The article says:

Proposals for electronic tolls — which economists and traffic planners generally agree would be an efficient way to reduce congestion and pay for upkeep. The reasoning, which makes sense, is that you should pay more to use the highway at rush hour than at 2 a.m. How would that be done? Highway and vehicle sensors, which wouldn't slow traffic like old-fashioned toll booths, would know when you use the road and bill you accordingly.

However, instead of basing toll payments on a credit/billing system, a debit card can be used that is purchased anonymously. This can be done in at least two ways: using a smart card that keeps track of how much of its value has been "spent" on tolls or a card that simply gives its ID number when interrogated, so that a central toll computer can keep track of how much of its original value has been spent. A more elegant approach would be to use a Digicash card or equivalent coupled with a transceiver. Any of these schemes would do a reasonable job of preserving privacy.

California state officials originally proposed an automatic toll billing system in which the vehicle identification number could be read electronically, which would have been disastrous for privacy. However, they have apparently been talked into using the anonymous debit card approach by privacy advocates, principally Chris Hibbert.

However, those of us who use cellular phones can be, and perhaps are being, tracked already. A certain amount of tracking is essential in order to make the cellular phone system work. This includes measurement of signal strength from a given cellular phone at various transceiver sites and with various antennas — each site typically has six or so directional antennas. Back-of-the-envelope calculations indicate that by comparing signal strengths from various sites and antennas the location of the phone often can be determined to less than a square mile and sometimes more accurately.

Note that your phone can be tracked even when you are not talking — if it is open to incoming calls it can be tracked without your being aware of it. Furthermore, there appear to be no legal constraints on the use of this information. The cellular phone company can give it to a law enforcement agency without the latter having to get court order. Alternatively, the company can sell this information to whoever is interested.

Probably most cellular phone companies will not disclose tracking information based on ethical considerations, but I wouldn't want to count on it. I believe that this is a loophole that should be closed by appropriate legislation.

Les Earnest

The following are recommended:



Privacy Issues in Intelligent Transportation Systems
    http://www.vortex.com/privacy/priv.04.07



Privacy and Electronic Toll Collection
Maintaining one's privacy has been a general concern in the community for quite some time. With the recent introduction of roads where the tolls have been collected electronically, privacy concerns have gained more emphasis. The Australian Transport Council (ATC) Electronic Toll Collection Working Party has identified privacy, as it relates to electronic toll collection, as an issue. This report has been prepared to indicate the status of this issue, taking into account previous work and current legislation...
    http://www.atcouncil.gov.au/etc/etc1.htm
The Wayback Machine has archived copies of this document:
Australian Transport Council
Working Party on Electronic Toll Collection

Archived: 2001 March 11
http://web.archive.org/web/20010311194612/http://www.atcouncil.gov.au/etc/etc1.htm
Archived: 2001 October 20
http://web.archive.org/web/20011020145859/http://www.atcouncil.gov.au/etc/etc1.htm




Technology and Privacy: The New Landscape
    http://dlis.gseis.ucla.edu/people/pagre/landscape.html



Looking down the road: Transport informatics and the new landscape of privacy issues
    http://dlis.gseis.ucla.edu/people/pagre/its-cpsr.html



Identification Technologies and Their Implications for People
    http://dlis.gseis.ucla.edu/people/pagre/identification.html
The Wayback Machine has archived copies of this document:
Identification Technologies and Their Implications for People

Archived: 1999 October 10
http://web.archive.org/web/19991010001941/http://dlis.gseis.ucla.edu/people/pagre/identification.html
Archived: 2000 August 16
http://web.archive.org/web/20000816033551/http://dlis.gseis.ucla.edu/people/pagre/identification.html
Archived: 2001 March 2
http://web.archive.org/web/20010302094725/http://dlis.gseis.ucla.edu/people/pagre/identification.html
Archived: 2001 October 8
http://web.archive.org/web/20011008004939/http://dlis.gseis.ucla.edu/people/pagre/identification.html




Eyes on the Road: Intelligent Transportation Systems and Your Privacy
by Tom Wright, Information and Privacy Commissioner of Ontario
Describes what Intelligent Transportation Systems (ITS) are, their applications, where they have been used, and what their implications are with respect to the privacy of travellers. The paper contains questions for assessing the privacy impact of various ITS technologies.
Released March 1995
    http://www.ipc.on.ca/english/pubpres/papers/ITS-E.HTM
The Wayback Machine has an archived copy of this document:
Eyes on the Road:
Intelligent Transportation Systems and Your Privacy

Archived: 2001 September 10
http://web.archive.org/web/20010910204521/www.ipc.on.ca/english/pubpres/papers/ITS-E.HTM




407 Express Toll Route: How You Can Travel This Road Anonymously
A collaborative effort between the Ontario Transportation Capital Corporation and the Information and Privacy Commissioner of Ontario.
The paper discusses the "anonymous account billing system" that was developed to address privacy concerns regarding the electronic surveillance system being used for billing purposes.
Released May 1998
    http://www.ipc.on.ca/english/pubpres/papers/407.htm
The Wayback Machine has an archived copy of this document:
407 Express Toll Route:
How You Can Travel This Road Anonymously

Archived: 2001 September 10
http://web.archive.org/web/20010910234549/http://www.ipc.on.ca/english/pubpres/papers/407.htm




New Jersey Turnpike electronic toll collection system hacked
A security breach on the E-ZPass electronic toll system for the New Jersey Turnpike has led to a suspension of the application pending repairs, although no customer payment information was accessed, according to a spokesman for the Turnpike Authority. The application is based on an e-mail-based account information system. A programmer and user of the E-ZPass system, Christopher Reagoso, who lives in Pennsylvania, brought the security glitch to the attention of a local Philadelphia television station last week. Although Reagoso was not able to access home addresses, telephone numbers, or checking information, turnpike officials acknowledged that he was able to view account information such as the turnpike usage and names of the users in the e-mail billing system of the largest electronic toll collection system in the United States...
    http://www.infoworld.com/articles/hn/xml/00/10/25/001025hnezpass.xml


Data Mining
    http://www.vortex.com/privacy/priv.04.08


Databases and Privacy
    http://www.vortex.com/privacy/priv.04.09



The following are interesting here only because they — like many other websites operated by ETC manufacturers and users such as departments of transport — somehow don't quite get around to mentioning privacy concerns.
What is ETC?
Electronic Toll Collection (ETC) is the use of various technologies to allow the manual in-lane toll collection process to be automated in such a way that customers do not have to stop and pay cash at a toll booth. With ETC, an actual toll plaza is not even a requirement to collect tolls. The ETC equipment can be mounted on overhead gantries and/or in the pavement which allows vehicles to be charged while they proceed at highway speeds.
    http://www.ettm.com/etc.html

PULNiX America, Inc.
Electronic Toll Collection for toll violation enforcement and video billing is one of our specialties. Current ETC systems utilize transponder technology for vehicle identification combined with video systems for violation enforcement. Accuracy rates over 95% on readable license plates, and as high as 98%, have been achieved in field tests; no other company has achieved these rates under realistic operational test conditions. Satisfied customers include the California Department of Transportation (CALTRANS), the Canadian Ministry of Transportation, and the Netherlands Rijkswaterstaat (Dutch D.O.T.). With accuracy rates this high, the practicality and economic benefits of using video systems is apparent. Consequently, the next stage in ETC system development is likely to be the use of video systems for vehicle identification as well as violation enforcement; pilot projects currently are underway in Canada and the Netherlands...
    http://www.pulnix.com/its/its-ETC.html

SunPass: innovative Electronic Toll Collection System
Florida Department of Transportation
Incorporating the latest technology, SunPass has been implemented across most of Florida's toll roads, saving drivers' time, money, and the hassle of digging for change. With SunPass, there's no stopping you! SunPass allows motorists to pass through designated SunPass lanes without having to stop or carry change. Tolls are automatically deducted from a prepaid account as motorists pass through the specially equipped lanes. Frequent users qualify for a rebate. Transponders cost $25 plus tax and require a minimum opening balance of $25...
    http://www.sunpass.com/main.cfm

FasTrak Electronic Toll Collection
CalTrans, the California Department of Transportation
FasTrak is an electronic toll collection system which allows you to prepay your Bridge Tolls, eliminating the need to stop at the toll plaza. The system has three components: a transponder, which is placed inside your vehicle, an overhead antenna, which reads the transponder and collects the toll, and video cameras to identify toll evaders. The system tracks bridge usage and account balance. A quarterly statement itemizing your bridge use and account balance will be sent to you through the mail. You may also check your account balance using the automated response telephone system at the FasTrak Service Center. Should your transponder not read at the lane, the toll will be applied to your account by matching the license plate information...
    http://www.dot.ca.gov/fastrak/faq.htm

The Oklahoma Turnpike Authority's Pike Pass program
started operation on January 1, 1991.
    http://www.its.dot.gov/tcomm/itibeedoc/etcs.htm

Electronic Toll Collections Debut In Manila, Philippines
The system incorporates automatic vehicle identification (AVI) transponders, called E-PASS, and magnetic-encoded cards for recording trips (transactions). This provides a robust infrastructure for comprehensive audit capability, and E-PASS streamlines toll transaction processing. Payment for E-PASS transactions are made via pre-paid accounts registered with the E-PASS Customer Service Center. The toll collection system also supports payment by cash or coupons. As with ETC roads elsewhere, E-PASS uses windshield-mounted radio frequency identification (RFID) tags and lane-mounted tag readers to automatically register a car when it passes through a toll plaza. Motorists using the wireless technology no longer have to stop, wait or fumble for cash, so traffic flows faster. The hardware is integrated with TransCore's proprietary traffic and business management software...
    http://www.transcore.com/news/news000923.htm

Electronic toll collection in Oslo, Norway
The windscreen-mounted unit holds details of the identification of the driver, and sends these by two-way radio communication to a roadside beacon. These are checked against a central database and, if the account is not valid, the vehicle is photographed automatically and the driver fined...
    http://www.ertico.com/what_its/succstor/electoll.htm

1985: First ETC installation in France on Esterel-Cote Azur motorway
    http://www.ascom.com/apps/WebObjects/ecore.woa/de/showNode/
        siteNodeID_28693_contentID_94256_languageID_1.html

Peace Bridge Electronic Toll Collection Equipment New York State DoT
    http://www.erie.gov/nittec/web/buffalo/elements/625.htm



Wayback Machine
Wayback Machine
http://web.archive.org/index.html

"Use the Wayback Machine to view web sites from the past."


Archive of This Document:
Electronic Toll Collection

The Wayback Machine has copies of this webpage from the early days:
Archived: 2000 August 17
http://web.archive.org/web/20000817013037/http://www.alts.net/ns1625/electoll.html
Archived: 2001 April 26
http://web.archive.org/web/20010426183618/http://www.alts.net/ns1625/electoll.html
Archived: 2001 July 14
http://web.archive.org/web/20010714120817/http://epe.lac-bac.gc.ca/100/205/300/nova_scotias_electronic_attic/07-04-09/www.littletechshoppe.com/ns1625electoll.html




Go To:   Index to online Nova Scotia History
    http://epe.lac-bac.gc.ca/100/205/300/nova_scotias_electronic_attic/07-04-09/www.littletechshoppe.com/ns1625histindx.html
Go To:   Home Page
    http://epe.lac-bac.gc.ca/100/205/300/nova_scotias_electronic_attic/07-04-09/www.littletechshoppe.com/ns1625index.html

Valid HTML 4.0 webpage
W3C HTML Validation Service
http://validator.w3.org/

Valid CSS webpage
W3C CSS Validation Service
http://jigsaw.w3.org/css-validator/

This page originally posted: 1997 November 16
Latest content revision:   1998 August 08
Script upgraded to HTML 4.0: 2001 September 05