What I’m going to present to you today is based on an EU-funded project that Teknologirådet participated in, and that was finished last year, called PRISE.
Our focus was on technologies and means to ensure the security of the society, but the result should be applicable also to safety and security in the transport sector. We started out by making an overview of different basic technologies that make up security applications. These technologies are also central in ITS applications:
Communication technologies are a basis for all ITS applications. The use of positioning technology such as GPS is an example - and in particular when the position of the vehicle is communicated to other systems. A very relevant example is eCall – that will ”phone home” – or rather 112 – and give a full report when a vehicle has been involved in an accident. The potential for use of positioning or locating technologies in other applications, such as traffic planning, is growing with every gadget we get with a GPS. In a few years most of us will walk or drive around with more than one of these on us. And communication technology is more than what we traditionally think of – phone calls, e-mails and such. There is also communication between an RFID sender and the toll booth that we pass, between the two cameras involved in automated traffic control over a distance etc. The main privacy challenge with communications technology is eavesdropping – that someone can get hold of the information during the communication.
And of course we looked at sensors, such as cameras (electro optical sensors). In safety and security in the transport sector they are both used traditionally – for surveillance for instance in busses and trains, but also for ATC, licence plate registration and recognition etc.
Other sensors can be RFID chips for road pricing or toll. Black boxes (I didn’t find a good picture of that), ticketing systems for public transport. And – if we leave the road for a while – embedded in identity documents used when we travel abroad. The main privacy challenge with sensors is transparency: It is often impossible for a person to know if he or she is captured by a camera, or if an RFID tag is read by a reader.
I’d like to also touch on biometrics. We see an increasing use of this in the transport sector, mainly for security reasons, or a combination of security and efficiency: Check-in at airports using fingerprints, iris scans etc. On the roads, license plate recognition is the most used (“biometrics” for cars), and of course with enough cameras – like in London – there is a potential to follow a car around town with the cameras. As facial recognition improves, we will see the possibility of following a person around on CCTV. Biometrics are of course very closely linked to the person they belong to, but the privacy challenges are mainly connected to how you collect the information and how you handle it later. Is it communicated in any way – from a local checkpoint to a central register? Or is it only stored locally – for instance on the subject’s ID-card?
Which leads us to storage. When I started working in the computer industry, the problem used to be that there wasn’t enough storage – in fact a chunk of the Norwegian Motor vehicle registry was deleted at one point - I think it was in the 80s - to save storage space. Today the problem – from a privacy perspective - is the opposite. There is so much storage space and it’s so cheap that it’s actually cheaper to just keep data than to delete it when you don’t need it any more. We store data about everything: Toll booth passing, air and sea travel, travel by public transport, information about vehicles...
And information in different databases can be analysed and put together. And here we come to the privacy concerns: Is the data correct? Updated? Complete? Is it secure? Or is it easy to get access to data you don’t really need to see? Is it only used for the purpose that it was collected for? If not, we have what we call function creep, and it is a big concern in the privacy communities. Function creep is for instance when you start giving tax authorities access to toll booth data so they can check that people don’t get tax deductions they aren’t entitled to...
In order to take privacy into consideration, the privacy impact needs to be assessed for all projects that involve personal data. I’m very happy that The Norwegian Ministry of Administration and Government Reform has made a guide for making such an assessment.
I was also very pleased when I found this quote in the new National Transport Plan from the Ministry of Transport and Communication.
And this: And just a small disclaimer: These are my own translations from Norwegian to English, not official ones.
Making an evaluation is nice, but what do you do when you find that the things that you REALLY REALLY want to do come with a cost for privacy? I think we should be realistic enough to acknowledge that we still will get both safety and security technologies or means that will affect privacy in the future. An ITS example – although not so safety or security related – could be road pricing. Road pricing can be implemented in many ways. The simplest one is that you pay a certain amount of money when you pass a toll booth – most commonly on your way into a big city. Of course this can be really unfair. Someone who lives just outside the ”border” and drives 10 minutes to work, pays the same as someone who drives around inside the city limits all day! With a ”black box” and a GPS you could make a much more fair system, where those who drive the most, in rush hours, on the most densely trafficked roads, pay the most. Similar systems could of course be part of a safety system, where black boxes could be checked by the police or insurance companies, or the car could ”phone home” every time you commit a traffic violation. But this is a type of technology that people find extremely privacy violating. We need to ask ourselves: Does the gain in safety or security outweigh the cost to privacy? In cases where you – after careful analysis – end up implementing something that you know will impact privacy, it is important to try and minimise the effect as much as possible.
We need some tools. The PRISE project has identified three types of such tools.
The first is legal tools. Which is what we always want to do, isn’t it – just regulate ourselves away from the problem? Legal tools regulate the use of the technology, and sometimes we need this because most technologies can be used for many different purposes.
Data storage for instance can be used to store a lot of information that does not affect people’s privacy, but because it can also be used for storing personal data, we need to regulate what can be stored, for how long, etc.
Most people have one or more cameras – we can’t ban cameras just because they can be used to violate privacy. But if you want to set it up as a surveillance means in a public space we regulate where you can put them and how you must inform the public.
We also have some technical tools. These can be the implementation of privacy enhancing technologies, such as data minimisation – that is not collecting more data than you need in the first place – or anonymisation, or pseudonymisation.
Organisational tools are often forgotten, but they are very important. Because for many technologies it’s how they’re actually put to use that decides whether they are privacy friendly or not. It doesn’t help to have laws protecting privacy, when the employees at the toll booth company will tell the “concerned” husband that his wife passed the booth 30 minutes ago anyway!
And it doesn’t help that an ICT system has excellent features for assigning roles and access rights, if all employees are just entered as ”administrators”.
If you have money, you have the power to change things.
Governments have money. Make privacy a criterion in public procurement. Private enterprises make a living by delivering products and services that are in demand. If privacy is in demand, they will deliver it.
Evaluate the use and effect of technologies and means for security. Did the cameras really reduce the crime rate? Do the police get more convictions when they can store telecommunications data longer? It sounds obvious, but the fact is that for Norway, nobody can answer these questions.
Terminate it if it doesn’t work
OR if it’s no longer needed. When something bad happens we want our politicians to react. – And they want to be seen to do something. Sometimes we end up with new security measures. And security measures already installed and funded have this annoying habit of becoming permanent – even when there is no apparent reason why they should. We need routines to make sure that we get rid of privacy infringing security measures that don’t work or are no longer needed.
Safety, security and privacy?
Security, Safety and Privacy? - Privacy challenges with ITS. Christine Hafskjold, Multimodal ITS, May 7th 2009