The spy in the sky?

Road pricing is a funny old thing – we get incredibly worked up about the idea of a public authority tracking our vehicle movements, yet we tolerate the fact that mobile phone companies have been tracking us for years. The Department for Transport’s road pricing demonstrations programme is moving ahead, but how much of a privacy threat is it?

The principle of road pricing is a simple one: to manage congestion and generate revenue by charging road users according to the time, distance and route of their journey.

Supporters argue that this divides up the cost of road management – and the associated environmental impact – in an equitable manner that penalises those who drive long distances through congested routes during peak hours, and rewards those whose usage is less, and does not include busy roads in the rush hour. Sales reps covering hundreds of miles a day in their Mondeos will subsidise the driving of elderly ladies who go to the post office twice a week. Critics are quick to point out that many of us have no choice about our driving, since in the absence of viable public transport alternatives, we have to be at work on time, our kids have to get to school, and if we have a large family then we have little choice but to run a big car. They also point out that those in rural areas have a greater dependency upon their cars, and that as such the old ladies going to the post office are in fact the road users who will pay the greatest price for road pricing.

These arguments relate to the generation and expenditure of revenue from road users, and aren’t for this column – both the government and advocate groups have been debating them for some years now, and the flashpoint in that process was the 1.8m signature petition against road pricing last year.

What is of interest here are the privacy implications. As Professor Brian Collins, the Chief Scientist at DfT, points out, the reason that road pricing is so sensitive is that it brings together location data, identification data and charging data: in other words, deciding who was where at what time, and charging them for it. The principal mechanisms to achieve this include:

  • toll booths and vignettes: traditional roadside tools that collect a fee from the driver at a barrier, in the style of the French autoroute péage;
  • tag and beacon: high-tech tolls that use a proximity token to determine when a vehicle has passed a given point on the road and charge accordingly (the London congestion charge is a cordon scheme of this kind, although it identifies vehicles with number-plate cameras rather than tags);
  • area-based technologies: experiments that use the mobile phone network to place the vehicle within a given cell have met with mixed success, but might prove viable with newer phone technologies;
  • GPS: fitting the vehicle with a GPS unit and a transponder (most likely a mobile data link) so that it can transmit journey telemetry to a central system. This approach can be highly accurate, but it is prone to errors in dense city centres, where buildings block or reflect the satellite signal and the position fix is easily lost.

There is no reason why any of these telemetry systems needs to invade our privacy. The problem arises when we prepare billing data and enforce compliance with the system. In most cases, operators will need to amass data about the vehicle’s usage, calculate a fee, and send it to the registered keeper. If the bill remains unpaid then they will need to pursue the registered keeper for it. Likewise, the government will need to enforce compliance with the system – it’s no use building a road pricing scheme if drivers refuse to register for it, or disable the equipment in their vehicles in order to escape the toll. This means that we will need yet another network of fixed and mobile enforcement cameras to catch the culprits, and it is the billing and enforcement data, not the telemetry itself, that creates the movement record.

But it can be done in a privacy-friendly manner, and the German TollCollect system is an example of just that. Germany probably has the most stringent privacy protections in Europe, and from the very beginning it was clear that if the government there was to build a system that would bill HGV operators for their autobahn use (it covers commercial vehicles on motorways only), then it had to comply with the law. The solution was to fit each registered vehicle with a GPS unit that gathers data about its usage, and can then be interrogated to generate a bill. Once the bill is paid, the usage data is erased from TollCollect’s systems, so there is no central record of the vehicle’s movements. The enforcement approach is similarly privacy-friendly: roadside cameras check the vehicle’s registration against the billing database as it passes, and so long as there are no overdue bills or police warrants, the sighting is erased before it even reaches the central system. The trust boundary sits in the vehicle: the central system only ever needs to hold what is required to collect the money.

The problem for the UK is that TollCollect isn’t cheap. The system’s integrity depends upon trust in the on-board equipment, and that means it has to be rugged and tamperproof. Replicating that across tens of millions of cars just isn’t feasible. If we want a ‘cheap’ solution then the scheme’s operators will have to use less trustworthy equipment in cars, and that will mean a much denser network of enforcement cameras, and retaining the billing data for longer so that frauds can be identified – the ‘spy in the sky’ scenario comes into play (except of course the spy isn’t in the sky, it’s in the vehicle). The trade-off is a direct one: every pound saved on tamper-resistance in the unit is paid for in data retained about drivers.

It’s for that reason that the Department for Transport is trialling a number of different approaches over the next two years, so that it can better understand which technologies and management approaches might provide the best balance of cost, reliability and consumer-friendliness. There are a number of research projects looking into ways of building privacy-friendly road management systems*. What is critical is that these systems build in cryptographic privacy controls from day one, rather than adding them on later, or relying on the law to provide protection. Some have suggested that so long as it’s against the law to access registered keeper details to cross-reference with telematic data from road pricing systems then we’ll all be fine, but I doubt many will trust the law to protect their privacy in this case.
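The two ideas above, the TollCollect-style design in which the vehicle computes its own bill and the central system erases everything once it is paid, and the cryptographic privacy controls this paragraph calls for, can be sketched as a data flow. The following is an added example written for this column; it is not code from the original article, from TollCollect, from Satellic or from the DfT trials. The tariff, the journey trace, the segment names, the number plates and the billing database are all constructed, and the salted-hash commitment used for spot checks is a generic cryptographic commitment chosen for illustration, not a description of any real scheme’s protocol.

```python
"""Added example: what a privacy-friendly road-pricing back end needs to keep.

The vehicle's on-board unit (OBU) holds the raw trace and the secrets; the
operator keeps only the fee and opaque commitments; a roadside camera keeps a
sighting only when there is something to enforce.  All data below is constructed.
"""
import hashlib
import json
import secrets
from datetime import datetime

# Constructed tariff: pence per km, tripled on congested segments at peak hours.
TARIFF = {
    "pence_per_km": 5,
    "peak_multiplier": 3,
    "congested_segments": {"A1-North", "M1-J10"},
    "peak_hours": [(7, 10), (16, 19)],   # [start, end) local hour
}

# Constructed journey telemetry as the OBU would record it:
# (timestamp, road segment, kilometres driven on that segment).
TRACE = [
    ("2007-01-15T08:15", "A1-North", 12),
    ("2007-01-15T11:30", "B4-Lane", 4),
    ("2007-01-15T17:40", "M1-J10", 20),
    ("2007-01-16T14:00", "A1-North", 12),
]


def _is_peak(timestamp, tariff):
    hour = datetime.fromisoformat(timestamp).hour
    return any(start <= hour < end for start, end in tariff["peak_hours"])


def obu_compute_fee(trace, tariff):
    """Computed inside the vehicle: the raw trace never leaves the unit."""
    total = 0
    for timestamp, segment, km in trace:
        rate = tariff["pence_per_km"]
        if segment in tariff["congested_segments"] and _is_peak(timestamp, tariff):
            rate *= tariff["peak_multiplier"]
        total += km * rate
    return total


def _commitment(salt, entry):
    """SHA-256 over a random salt plus the canonical JSON of one trace entry."""
    payload = salt + json.dumps(entry, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


def obu_commit(trace):
    """One salted hash per entry.  Salts stay in the vehicle, so the operator
    cannot brute-force the small space of (time, segment, km) values."""
    salts = [secrets.token_bytes(16) for _ in trace]
    commitments = [_commitment(s, list(e)) for s, e in zip(salts, trace)]
    return commitments, salts


def operator_ledger_entry(vehicle, fee_pence, commitments):
    """Everything the central system retains for the billing period."""
    return {"vehicle": vehicle, "fee_pence": fee_pence, "commitments": commitments}


def obu_open_entry(trace, salts, index):
    """Reveal exactly one entry (with its salt) when challenged by enforcement."""
    return salts[index], list(trace[index])


def verify_spot_check(commitments, opening, observation):
    """Operator side: the opened entry must match the camera sighting
    (segment, timestamp) and hash to one of the committed values."""
    salt, entry = opening
    timestamp, segment, _km = entry
    if (segment, timestamp) != observation:
        return False
    return _commitment(salt, entry) in commitments


def roadside_check(plate, billing_db):
    """Camera-side filter.  Returns a record only for an unregistered vehicle
    (assumed here to be an offence) or an overdue account; otherwise the
    sighting is dropped before it reaches the central system."""
    account = billing_db.get(plate)
    if account is None:
        return {"plate": plate, "reason": "unregistered"}
    if account.get("overdue"):
        return {"plate": plate, "reason": "overdue"}
    return None


if __name__ == "__main__":
    fee = obu_compute_fee(TRACE, TARIFF)
    commitments, salts = obu_commit(TRACE)
    print("operator stores:", operator_ledger_entry("AB07XYZ", fee, commitments))
    # A camera on M1-J10 at 17:40 challenges the vehicle to open that entry.
    opening = obu_open_entry(TRACE, salts, 2)
    print("spot check passes:", verify_spot_check(commitments, opening, ("M1-J10", "2007-01-15T17:40")))
```

The point of the commitment step is the one the paragraph makes about building controls in from day one: the operator can still catch a unit that under-reports (a sighting with no matching commitment fails the spot check), yet the ledger it keeps contains a fee and a list of hashes rather than a movement record, so there is nothing to cross-reference with registered keeper details even if the law allowing that were to change. The weak point remains the on-board unit that holds the trace and the salts, which is exactly the tamper-resistance cost discussed above.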

So to answer my original question: why do we get so worked up about road pricing when the debate about mobile phones has passed us by? I think the answer is simple: because we can’t see a benefit from it. Oh sure, we all want to protect the environment and do our bit for climate change, and none of us want to live on a busy road or get stuck in traffic jams. But pay more for every mile we drive? Very few would volunteer to do so. There’s no question that road pricing has the potential for an unspeakable invasion of privacy, but so far the Department for Transport seems to be going about managing the privacy issues in the right way.

And this is the privacy argument at its simplest. We’re being asked to give up a degree of our privacy as our vehicle movements are tracked, but we can’t see a benefit in return for this risk. The solution will rest in developing a proper case for road charging that makes sense to everyone. Environmentalists and traffic campaigners need to be convinced that it will work. The elderly or those in rural communities need to be convinced that they won’t be punished for their road usage. Ordinary drivers need to know that they will get a fair deal (even if that means throwing in a free TomTom system and reward points for road use). And privacy advocates need to be satisfied that cryptographic privacy controls are built in to every aspect of the scheme so that nobody – not the government, not the operators, not a careless civil servant – can lose, misuse or abuse the data therein.

* – Declaration of interest: The Enterprise Privacy Group has worked with both the Department for Transport and Satellic to develop white papers on privacy-friendly road charging, and to facilitate stakeholder engagement workshops on the topic.