my way, or the spyway?
posted by:Ian Kerr // 11:39 PM // January 25, 2005 // ID TRAIL MIX
i feel like i am standing in the middle of yesterday.
ten years ago, information studies guru phil agre wrote a series of interesting articles about intelligent transportation systems (ITS) in an online journal called the network observer. the focus of these articles was on privacy. agre wanted to avoid utopian and dystopian extremes, steering readers instead towards what he called "medium-sized concepts that let us make theories about the interaction between technologies and institutions..."
agre warned of transponder disks that would be placed inside vehicles as part of automated toll collection systems on highways. agre worried that these transponders could be used not just to collect tolls but also to track who was traveling where and when. he predicted that automated tolls would commence on a voluntary basis but would become involuntary as toll roads multiply in number alongside public-private sector cost-recovery partnerships. the central aim would be to find an efficient and convenient way to collect tolls automatically, without asking drivers to slow down or pay cash at a gated highway entrance or exit.
ITS, agre noted, threatened the possibility of driving anonymously. in collaboration with world leading privacy expert marc rotenberg, agre raised a number of policy issues essential to ensuring adequate privacy protection on tomorrow's semi-public highways. agre also commended a company called amtech systems for developing a vehicle identification process system that would allow people to pay tolls automatically but with complete privacy, based on the digital cash methods developed by internationally renowned cryptographer david chaum.
the brilliance of chaum's system was its ability to authenticate the driver for the purposes of tracking payments without the need to reveal, collect or disclose personal identifiers that would indicate who was traveling where and when, etc. using crypto to render untraceable the link between drivers' identities and their means of payment, such technologies offered (and indeed continue to offer) the promise of a middle ground in cases where there is a clash between privacy and the public interest.
flash forward ten years.
it turns out that agre was dead right. automation and ITS have indeed come to rule the road on many of the better roadways in north america and europe. for example, in the province where i live, highway 407, is a fully automated toll road which runs east and west for108 kilometres just north of toronto - canada's largest city. like many other automated highways around the world, the 407 is the result of a public-private partnership. many large companies investing in this project are also investing in similar partnerships for other automated roads around the world. it is said that the automated toll for the 407 is for cost recovery purposes only - about a billion dollars - and that 407 international inc. will cease to collect tolls just as soon as the costs have been fully recovered (i.e., in approximately 30 years!).
when entering or exiting the highway, there is no need to stop, slow or otherwise interact with anyone. the payment system is completely automated; the technologies it employs can be used to determine the time of day you travel, how often, the locations where you enter and exit the highway, your vehicle class, the distance you traveled and whether your transponder (if you have one) is correctly mounted and used in accordance with the prescribed rules.
if you don't set-up a pre-existing transponder account, the default payment mechanism is a license plate recognition system which boast of a 99.999% accuracy rate. this allows the 407 international inc. to take photos of license plates and send motorists a bill in the mail for using the toll road. 407 international inc. has authorized access to drivers' home and/or business addresses through an arrangement with the ministry of transportation ontario (MTO), which shares government collected information with the corporation from the MTO vehicle registration plate database.
from a privacy perspective, this creates a kind of catch-22. setting up a pre-existing account usually requires motorists to identify themselves in order to become account holders. alternatively, billing drivers after the fact requires that toll road operators are able to locate them post-trip in order to collect toll fees.
recognizing this, the ontario information and privacy commissioner worked diligently with MTO and 407 international inc. to develop an anonymous payment scheme, ultimately publishing a report on the subject in 1998.
while this may have been so at the time, it turns out that the anonymous account option described in the report, no longer exists. it is no longer an available option.
this is news.
Highway 407 motorists can not sign up for an account without providing personal information of some kind, whether it is in the form their name and address in an application or personal information in the form of a credit card number which 407 International Inc. charges if payments are not made. Motorists can not pay towards their numbered account through a chartered bank; instead they must send payment through the mail in the form of a cheque or money order.
despite the ontario privacy commissioner's clear recommendations in the mid 1990's and despite the fact that truly anonymous transponders based on chaum's cryptographic techniques where developed and marketed more than a decade ago, no such systems are or have been utilized in ontario.
the reason offered by 407 international inc. appears to be quite straightforward - they say that the anonymous payment option is not popular and therefore does not justify the cost of making it available.
following up on catherine's memo, i was told in a recent phone interview that there are only four so-called anonymous accounts still in existence (i.e., accounts that, according to 407 international inc., do not to link identity with payment, even though such accounts required for their initiation personally identifying information of some kind).
but isn't it possible that the popularity of the anonymous payment option is to some extent dependent on its practical availability and the administrative burden imposed on those who might otherwise wish to use it? this point was astutely raised a few years back by colin bennett, charles raab and pricilla regan.
in the case of the 407, such burdens used to include: (i) an initial in-person visit to 6300 field avenue west, corner Highway 27, during business hours to set up the account (one could not initiate an account at any other MTO office, nor could one sign up by phone, fax, post or the internet); (ii) sending in a payment exclusively by post.
however, what was once a chore is no longer an option. even if one where willing to visit 6300 field ave west and send a cheque in by mail, one can no longer set up an anonymous transponder account!
what ought we to do about it?
blogging and other means of sharing information about the fact that it is no longer possible to drive anonymously on the 407 is certainly a start.
however, on the identity trail thinks that there is more that can be done. we will be pursuing the legality of the failure to provide an accessible, anonymous payment option for 407 motorists in ontario.
we will do so in conjunction with graham greenfleaf and the baker & mckenzie cyberspace law and policy centre in australia, who will undertake a parallel inquiry in connection with a recent proposal in new south wales involving some of the same investoring companies, who wish to initiate a toll system that would result in a similar loss of anonymity.
working together on developing parallel test cases in both jurisdictions, our aim is to create strategies about how to reclaim the anonymous payment option by making privacy laws work. in canada, part of our aim will be to test the scope of the "limited collection" provision of canada's federal privacy legislation as my colleague stephanie perrin so often reminds us - "use it or lose it."
some people's reaction to all of this is sure to be - what is the big deal? why should I care about the fact that i cannot drive anonymously?
a proper answer to these questions requires more attention than i can offer in this already excessive blog. but consider the following.
ITS technical standards are currently being set in the US. ITS canada is not an active participant in the standard setting initiative taking place between the american transportation department and the ITS community. according to recent discussions with the general manager of ITS canada, it is likely that US standards will be adopted in canada even without our participation in their development. canada will end up adopting the US standards for the sake of convenience, compatibility and interoperability.
at the same time, transport canada is attempting to stimulate the growth of ITS north of the 49th through various funding initiatives. such initiatives have been commenced as part of a broader response to terrorism and the perceived need to ease trans-border flows by allowing identifiable and approved vehicles to pass through without having to stop at customs.
so … where is all this heading?
while it is hard to tell for sure, it is worth considering the content of a recently released report for ITS America [link to http://www.itsa.org], titled "Homeland Security and ITS: Using Intelligent Transportation Systems to Improve and Support Homeland Security [link to: http://www.itsa.org/resources.nsf/Files/PPRA_Security_Final/$file/PPRA_Security_Final.pdf] among other things, the report outlines the potential for ITS to prevent, detect and respond to terrorist attacks. this includes "[p]roviding surveillance and analysis for public transportation, including identification of and effective rapid response to threatening or high risk passenger behavior."
looking back to agre's predictions a decade ago - written during the inception of the 407 project in ontario - it is interesting to note that the then information and privacy commissioner of ontario, tom wright, proclaimed that "people want to drive on highways, not spyways."
here we are, once again, standing in the middle of yesterday.
* many thanks to catherine thompson for her outstanding work on this project
Living in Montreal as I do, I must say that even the former arrangements to pay anonymously would not work for out of town tourists like us, passing through. When I chose to travel on Highway 407 in August of 2004, there was no notice on the map or the signs of how the payment would be made, or even that it was a toll road. Once you reach the turnoff, there is no going back, and there is no human there to question. I got my bill for this little brief trip down the road, about two months later, after I had forgotten about it. Unlike the Massachusetts turnpike, however, with which I am more familiar, this 20 minute trip cost me about ten dollars, not to mention $.50 for the stamp and whatever it costs you for a cheque. Clearly half the fees, which were more than double in my estimation of what I would have paid on the Mass. turnpike for a jaunt of similar duration, go to the enormous expense of processing and mailing out bills for $10.
What's so crazy about having a human in a toll booth, to whom you hand a couple of dollars?
Posted by: Stephanie Perrin at January 25, 2005 03:24 AM
The "what's the big deal?" issue you raise is very interesting. Suppose someone reasons in the following way: "Look, it's really not such a big deal. After all, we don't get upset over the phenomenon of owning telephone accounts, and that's importantly similar to the ITS thing. To own an account in the first place, you've got to reveal personal information; and after that information is recorded, for billing purposes, about a good deal of your activity on the account -- e.g. which long-distance calls are made when, to where, for how long, etc. But we're not so concerned about privacy and anonymity in this context, because we rest secure with the knowledge that there are significant restrictions on the access and use of such information. Similarly, we shouldn't be so concerned with the setup on the 407. Sure, just setting wheels on the highway at all entails revealing certain bits of personal information; and frequent travelling entails the keeping of information about which trips your car makes when, to where, for how long, etc. But we can rest secure with the knowleedge that there are significant restrictions on the access and use of such information." Any thoughts?
Posted by: David Matheson at January 25, 2005 10:26 AM
i think that i would say to that someone that there is an important disanalogy that makes it easier to "rest secure" in the case of the phone as compared to the private sector tollway.
currently, the "significant restrictions on the access and use of such information" in the telephone context are set out in significant detail and are subject to explicit judicial procedures pursuant to the wiretapping provisions in the criminal code of canada.
no similar set of safeguards exist to govern the semi-private highways.
part of what i take to be the "big deal" in the 407 example is that there are no clear rules about information sharing between the private and public sector partners, as well, the private sector intermediaries collecting tolls (read: personal information) are not subject to the same obligations as telecommunications providers and, say, ISPs (on the infobahn).
also, one might argue that -- in an era of fast networks and inexpensive databasing -- phone companies ought not to be able to exert as much surveillance power as they do.
of course i recognize there is tremendous safety value in the ability to mine such info. my second point here is simply to say that the mere fact that phone companies are doing it does not entail that we should concede it is ok to exert such one-way surveillance on private sector roadways as well!
Posted by: ian kerr at January 31, 2005 07:59 PM