Data Privacy, Security and Protection: Learning from Today's Toll Highways
1. ● Mobility. Safety. Customers. Economy. Responsible Steward ●
North Texas Tollway Authority
Data Privacy, Security and Protection: Learning From Today’s Toll Highways
Thomas J. Bamonte (@TomBamonte)
Assistant Executive Director, Strategy & Innovation
Presented to Transportation Research Board
95th Annual Meeting
Data Privacy, Security and Protection Policy Joint Subcommittee
January 12, 2016
2. Agenda
Toll highways and data generation
Privacy/security concerns and responses
Implications for automated vehicles
Policy issues/research items
3. Overview of Highway Tolling
Toll facilities in 35 states
2,900 miles of tolled interstates
6,000 total road miles
5.7 billion annual trips
Tolls = approx. 30% of federal gas tax revenue
37 million RFID transponders in use
4. Mechanics of Electronic Tolling
5. Pay-by-Plate Customers
6. Trip Data Collection
7. Registered Owner Information
Personal information
Home address
Home phone
Email address
License plate
Credit card information
Vehicle type/color/VIN
Sources
Customer accounts
DMV data
Collection efforts
8. Roadway Camera Coverage
9. Toll Violation Enforcement: ALPR
10. HOT Lane Enforcement
11. “Black Box” Event Data Recorders
Capture crash-related data
Pre-crash vehicle dynamics and system status
Driver inputs
Vehicle crash signature
Restraint usage/deployment status
Post-crash data such as the activation of an automatic collision notification system
Installed in most vehicles—NHTSA mandate forward
12. Emerging Tolling Methods
13. Current Protections of Tollway User Privacy
Transponder customer agreements
Customer account and trip data shielded from general disclosure; use allowed –
When conducting tolling business
In response to court order (e.g., warrant)
When aggregated/anonymized (e.g., traffic studies)
High data protection standards in place (e.g., PCI compliance)
14. State Law Protections
Customer account information & trip data = FOIA exception
Mandated privacy policies & data security requirements
Laws governing ownership & use of event data recorders
General data security & breach notice requirements
ALPR regulation
15. Federal Law Protections
Driver’s Privacy Protection Act
Various consumer law protections
Federal legislation introduced to protect locational privacy—including vehicles
Jones & Riley decisions
16. Established Principles
Customer account and trip data shielded from general disclosure; use allowed:
When conducting tolling business
In response to court order (e.g., warrant)
When aggregated/made anonymous (e.g., studies)
With high data protection standards (e.g., PCI compliance)
By tolling authority with vehicle owner’s consent
By third parties with vehicle owner’s consent
17. Looking Ahead…
Old Days: Muscle Engine
18. Sophisticated Computing/Sensor Capabilities
These Days: Muscle Memory
World’s First AI Supercomputer for Self-Driving Cars
NVIDIA DRIVE PX 2
12 CPU cores | Pascal GPU | 8 TFLOPS | 24 DL TOPS | 16nm FF | 250W | Liquid Cooled
19. Sophisticated Computing/Sensor Capabilities
Tomorrow: High Sensory Capabilities
20. Vehicle as Highway Data Generator
21. OBD-II Telematics/Vehicle Behavior Monitoring
Drivewise by Allstate
Vinli
22. Driver Fitness Monitoring/Vehicle Customization
23. Vehicle-to-Cloud Connections
24. Vehicles as Mobile Commerce Platforms
Every vehicle becomes a shopping tool
Vehicle adjusts to stored preferences of the occupants
Data sharing between vehicle and merchants
Targeted advertising
Targeted discounts
Convenience reminders—e.g., time for oil change
25. Vehicle-to-Vehicle Connections
26. Vehicle Fleets/Vehicle Ownership
• Private vehicle ownership supplanted by vehicle fleets
• Auto travel takes on transit/airline characteristics
o Passenger not driver
o No vehicle ownership
o Customer data generated and held by provider
27. Automated Vehicle Implications
• Every vehicle akin to a toll highway customer vehicle
• Vehicles are mobile commerce platforms
• Vehicles harvest/share data about occupants and travel patterns
• Vehicle ownership supplanted by multi-modal fleets
o Travelers become passengers
o Vehicles gather/share massive amounts of data
28. Automated Vehicle Security/Privacy Challenges
• Vehicle hacking threat
o Legislative response: SPY Car Act
• Data security breaches
o Mobile commerce
o V2V
o V2I
o Highway agencies
o Fleet operators
o App integrators
29. Challenges: Unrelenting Gaze and Automated Vehicles
Extensions into law enforcement
“Taking over” vehicle for safety/traffic management
Sponsored ads in visual stream on dashboard
Sale of customer data
V2X data sharing
Will surveillance state/economy prompt a consumer backlash?
30. Research/Policy Issues
Who owns/controls data generated by vehicle?
Can individual control of vehicles be overridden to maximize safety/efficiency/crime prevention?
Do common carrier rules apply in the case of driverless cars/fleets?
What privacy rules apply in fleet services?
Will commercialization of vehicles obviate need for transportation-specific regulation of privacy/security?
Can driver monitoring be mandated for non-robot drivers?
31. Our Mission
North Texas Tollway Authority
Provide a safe and reliable toll road system
Increase value and mobility options for customers
Operate the Authority in a businesslike manner
Protect our bondholders
Partner to meet our region’s growing need for transportation infrastructure
32. Vehicle-to-Merchant Data Mining/Use
Google Car as platform for searches
Vehicle displays targeted advertising from nearby merchants
• iBeacon for automobiles
Consumer data privacy issues similar to other devices/platforms
33. Highway User Information Collected
Customer Account
• Home address
• Personal financial information
• (Non)payment information
Vehicle ID – license plate and VIN
Vehicle Occupant Data
Travel Pattern Data
• Time, place, direction, vehicle
• Speed derived
• Years of data
Vehicle Operation & Event Data
34. Lessons
Highway authorities are increasingly high-volume consumer businesses with concrete
Connected vehicle raises multiple privacy concerns not addressed by existing toll authority-customer framework
Managing the technologies that put vehicle travel under an unrelenting gaze poses pressing challenges in near future
35. Growing Transponder Account Customers
36. Challenges: Unrelenting Gaze
ALPR deployed widely but not regulated
GPS data uploaded from smartphones
24/7 video surveillance
Peering inside cars with infrared
M2M data sharing
Will surveillance state/economy prompt a consumer backlash?
37. What Lies Ahead: Connected Vehicles
Connected vehicle applications provide connectivity:
Among vehicles to enable crash prevention
Between vehicles and the infrastructure to enable safety, mobility and environmental benefits
Among vehicles, infrastructure, and wireless devices to provide continuous real-time connectivity to all system users
38. Vehicle-to-Infrastructure Data Mining
Highway authorities may have interest in harvesting data
o Safety: Identify vehicles behaving erratically
o Payment: Identify vehicles for toll payment
o Enforcement: Identify stolen vehicles or vehicle involved in commission of crime
o Identify: Hazardous situations (e.g., swerving around object) and communicate downstream
o Traffic management: Immediate notice of slowdowns and congested areas
39. Overview
40. U.S. Toll Highway Network
41. Conclusions
Transportation lawyers will have to become privacy law experts
Highway authorities becoming more like utilities w/ associated consumer business issues
Toll highway authorities have head start on managing customer relationships & protecting trip data
Highway travel subject to intensive surveillance
Patchwork of state laws may be reflective of limited public concerns about privacy to date
That may change. . . .
Editor's Notes
Pay-by-plate is currently a more cumbersome billing collection process, complicated by poor name/address information at many DMVs and the lack of a national standard format for license plates. Tolling authorities work from license plates and with DMVs to get the home addresses of vehicle owners and send them bills. Toll authorities are using technology improvements to turn pay-by-plate users into good-paying customers with similar kinds of accounts.
In addition to customer account information, toll authorities collect vast amounts of trip data from the vehicles passing by tolling points. NTTA has almost 700 million transactions annually and it is only the 10th largest tolling authority in the country. This is a massive data trove showing how, where and when folks in North Texas get around down to the last second.
But there’s more going on out there on the roadways. Now that toll booths have been removed, toll violation enforcement has taken on new importance. One important tool that NTTA is deploying through our law enforcement partner is automated license plate readers. Fixed and mobile ALPR units read the license plates of every passing vehicle. This information is cross-checked against toll violator databases and violators can be intercepted. Note that law enforcement agencies—especially at the local level—are making heavy use of ALPR technology for other law enforcement purposes. Combine tolling databases with ALPR databases and you get a massive regional database of trip data.
The next step may be peering inside the vehicle at the occupants. Highway authorities—but not NTTA I might add—are testing new infrared technology to help enforce HOV and HOT lane vehicle occupancy requirements. Getting a heat signature from a human as opposed to a dummy can result in detailed portraits of the vehicle occupants.
Let’s not forget that the vehicles themselves are generating mountains of data, captured by black box event data recorders and other onboard devices. Vehicles now are rolling out with 100 million or more lines of software code.
New tolling methods are emerging from private companies using the smartphone GPS and camera functions. These methods will complement and may someday replace traditional tolling. What this means is that private companies, in collaboration with public tolling entities, will be collecting the same kind of detailed locational data by customer vehicle.
The challenge is the unrelenting gaze on highway use. Keys to manage = (1) Give opt-in wherever possible; (2) Be wary of sharing individualized data with third parties, even other public entities;
The connected vehicle also has the potential for roadside business to tap into data flows and send targeted ads to the occupants of vehicles in the vicinity. Will consumers view these ads as digital intrusions or accept them as the price of, for example, leasing their vehicle at a lower rate? This might be a situation where customer opt-in is important. Highway authorities won’t want to breach customer privacy in this way w/out consent.
Through all these current technologies we gather mountains of information about motorists, their vehicles, and their travel. We have customer account information, like a Target or Macy’s. We know what vehicles are on our system and when and we are even able to discern who may be in vehicles. The vehicles themselves are gathering data about their own behavior.
XTRA Slide.
Nationwide, there are about 50 million vehicles equipped w/transponders already. Each of them is linked to a customer payment account with address and payment information. Payment comes automatically at the time of travel. These are big consumer businesses.
The challenge is the unrelenting gaze on highway use. Keys to manage = (1) Give opt-in wherever possible; (2) Be wary of sharing individualized data with third parties, even other public entities; and (3) whenever highway user privacy is at stake, make sure there are sufficient transportation benefits to make the legal/political risk worth running. Black box laws may become model: (1) data belongs in first instance to vehicle owner; (2) common sense exceptions—e.g., court order; and (3) vehicle owner can opt out. When buying a car, make these kinds of choices. Riley will be extended to limit law enforcement overreach when it comes to vehicle tracking and data mining.
XTRA Slide
Highway authorities and law enforcement may have interest in harvesting data from passing connected vehicles. The more we know about what is going on with the vehicles on our system—number, speed, occupancy and the like—the better we can adjust speed limits, pricing, deployment of service vehicles, etc. Can we as public agencies find the appropriate balance between effectiveness and intrusiveness?
Opt-in to suite of services—knowing waiver of privacy rights.
Thank moderator. This happy and dated vision of driverless vehicles unwittingly illustrates the truth that connected/automated vehicles and their occupants will operate under the gaze of multiple eyes—highway authorities, law enforcement and commercial enterprises. While I don’t think privacy issues will derail the rollout of such vehicles, I do think that as transportation lawyers we will have to become much more familiar with privacy issues as a standard part of our practice. I am here to share what I know from my experience as a lawyer for the toll road authority serving the Dallas-Fort Worth area. I’m humbled by what I don’t know.
As I’ve started learning, transportation lawyers are going to have to become privacy law experts. We have to recognize that transportation is evolving into a high-volume retail customer service business with all of the associated legal challenges that entails. While toll authorities have a good head start on these issues, neither our customer agreements nor state law address the intensive surveillance of our roadways. Of course, the limited patchwork of state law may indicate that the public isn’t too concerned about roadway privacy issues. If we and our clients fail in our job of finding the appropriate balance between utility and privacy, that may change.