Are co-operative systems and personal privacy mutually exclusive? Not necessarily, says Neil Hoose. But the more advanced the application, the greater the concession of privacy may have to become
ITS Stockholm in 2009 and the Cooperative Mobility Showcase event which took place alongsideShowing out
Cooperative systems raise the question of the extent to which the messages from one vehicle reveal enough information to identify the vehicle and possibly its driver. Any message has to contain enough information to establish its unique identity otherwise the receiver cannot tell whether or not it has already received and processed it. The receiving application will want to establish the veracity of the source and may also want to send a reply. If the service associated with the application has a payment model where usage is a factor then there may need to be some cross-referencing to an external account, either directly or via some form of clearing arrangement.One of the most interesting areas of benefit from cooperative systems could come from a step change in the granularity of data about traffic movement brought about by vehicles themselves providing a continuous stream of information on speeds, weather conditions, road surface conditions and so on, located in both space and time. Such a richness of data should enable more timely, appropriate and effective traffic information and traffic management. An essentially altruistic act by vehicle drivers, in the sense that there is no guarantee they will directly benefit themselves, has the potential to improve the overall operation of the transport network to the benefit of all over the longer term.
But are we prepared to trade some loss of personal privacy to achieve a greater good, and what is the trade-off point? The mention of personal privacy is always emotive. But let us not deceive ourselves about how sacrosanct our own privacy is. Individuals exhibit quite different behaviour in practise to their expressed views. Everyone who carries a mobile phone which is switched on is being tracked as otherwise there is no way they could receive a call. Once on a call, the degree of tracking increases to allow users to move across cell boundaries without dropping the call. Mobile devices with onboard positioning and 3G connections are more finely located again and sales of such devices are increasing rapidly;
Close(ish) acquaintances
So why do we express concerns about privacy yet happily go about our everyday lives giving our whereabouts to third parties? The answer seems to lie in the relationship between the individual and the organisations that know where we are. In the case of mobile phone, credit card and retail companies we are customers and we have a choice of supplier. If the company uses the location information in a way that I as a customer object to then I can switch off the device, not use the card and even switch to a different supplier. This gives the supplying company a strong incentive to be cautious in using private information and security conscious about what it does know. Customer information is also of high commercial value to these enterprises.Once government becomes involved in handling the data and any degree of compulsion is introduced our attitude to giving out detailed information about ourselves changes. Perhaps not surprisingly given the stories in the press, we regard the public sector as less competent in terms of maintaining data integrity and security. An even greater concern is the potential for the public sector to use the information to identify when we have committed some form of transgression. However our position may change if we perceive ourselves to be the victim of a transgression by someone else. In that case we expect the information from CCTV or mobile phone data to be available and used to identify the perpetrator and to bring them to book. So there are clear ambiguities in people's attitudes depending on the circumstances they find themselves in.
A need to forfeit? An interesting approach is to consider whether we need to forfeit any degree of privacy in a number of circumstances that cooperative systems will encounter. This might give some insight into ways the privacy issue might be addressed or at least shed some light on the key factors that are as yet unresolved.
First let's consider the case where an individual vehicle is receiving messages from surrounding vehicles or the roadside. The recipient of data wants to know that the message has come from a reliable and authenticated source, and the source may also want receipt of the message acknowledged. These factors are related to the system themselves not their owner or user, although the nature of the owner or user could reinforce the authenticity of the message. However, the identity of an individual is unlikely to be relevant provided there is a method of establishing the veracity of the source based on some digital certificate. In some ways it is similar to filtering out spam from email but obviously it has to be more effective and consistent than many filters available today. The point here is that data exchange does not of itself require privacy to be relinquished.
A bit earlier in this article the question of paying for services was mentioned. Any commercial transaction based on an external account and where the type or quantity of service consumed affects the size of the payment will require linking of transaction and account holder. Privacy could be achieved by use of a prepayment card in the vehicle where the payment transaction takes place onboard. Similarly, a fixed-price subscription service would not necessarily need every transaction to be logged and hence the location and activity of the user would not be recorded. In this case privacy is a matter of personal choice and means that for services using cooperative techniques to flourish there needs to be a choice of payment methods available.
Driving feedback
An intriguing possibility with co-operative systems is they can provide feedback on the capability of the driver. The current rules of the road, for example the speed limit, safe headway and presence of a hazard such as a sharp bend, can be provided directly into the vehicle. The system component providing that information can insist on an acknowledgement from the receiving vehicle. Both the vehicle itself and the external system have the potential to check the extent to which the driver reacts to information and, more significantly, the driver's compliance with traffic regulations. There are a variety of ways this can be passed to the driver. This ranges from the vehicle system preventing the regulation being broken, for example automatically slowing the vehicle, through real-time warnings to the driver that he or she is driving outside the regulations and regular, say weekly, reports showing when and where his/her driving was lacking, up to automated enforcement. The former two do not require any loss of privacy but may have limited impact and potentially unforeseen consequences if drivers deliberately set out to override the limits. The latter two clearly require a loss of privacy for those times when a driver does transgress but could have a massive impact on compliance with traffic law and hence on road safety. What price privacy when set against a large-scale social benefit that a massive reduction in injuries and death on the roads represents?Liability versus privacy
Finally, there is the relationship between liability and privacy. Inevitably there will be crashes and near-misses where the cause could be a fault in the system. To be able to establish if a fault occurred, and where and when in the system it happened, means that messages and data transfer have to be traceable. Only then can any degree of liability be established. The nature of the impact of faults influences the range and integrity of record-keeping required. Failure of a route advice message in a cooperative navigation service is irritating but its consequences are not far-reaching. However, failure of a message describing the braking rate of a vehicle in an automated headway application could result in a collision and open up an investigation as to whether it was the leading vehicle that failed to transmit, an intermediate vehicle that failed to forward or the colliding vehicle that failed to receive or use the message in question. Once again, we have the situation where the more involved in the driving task the application of cooperative techniques becomes, and hence the greater the benefits, the greater the need for a loss of privacy. When things go wrong, as they will, society rightly wants any blame to be clearly identified and placed. However, the information is only required in the event of a problem having occurred so there is no need for a loss of privacy otherwise.The foregoing of privacy is not a pre-requisite for cooperative systems but as their impact increases it becomes a greater issue. If some of the major benefits of cooperative systems are to be realised then there will have to be a trade-off made between individual freedom and societal gain. This is a political question and one which is under continual debate in many spheres; for example, anti-terrorism and responses to climate change have issues where the same balance has to be considered. The problem is that it is not clear who is responsible for ensuring such a debate is put in progress or how it can be resolved. What is certain is that it will take some time to resolve and is unlikely to be resolved in a single iteration. So the sooner it is moved to the head of the agenda the better, as to ignore it will only undermine the investments in research and development that are underway.