Discussion of privacy guidance for automotive telematics. Related to usage-based insurance, parking payment, road-use charging, emissions metering, etc.
Privacy-by-Design Cavoukian TTI March 2011
Traffic Technology International, February/March 2011
www.TrafficTechnologyToday.com

Privacy By Design

Private party

Bern Grush interviews Ontario's privacy commissioner, Dr Ann Cavoukian, who explains that protecting driver privacy while tolling is as important as – and has a lot in common with – protecting personal medical and smart grid data.

The engineering solution to traffic congestion is simple to describe but very complex to deploy. The keystone to its solution, congestion pricing, has evident technical and economic components, but its core and most difficult issues are social. Issues such as affordability, fairness and equitability are complex to argue as well as to solve. But the issue most commonly raised in protest against congestion pricing is privacy. And this is frequently expressed in the most personal of terms – for example, "I don't want my spouse to know where I am." I'm sure you'll agree that privacy is important for more reasons than this.

Privacy is a concern because congestion-pricing systems need some mechanism to be sure the right vehicle (or vehicle owner) will be billed the correct fee on behalf of the correct road operator. It doesn't matter which technology we propose to use, the privacy issue can always be raised. To make matters worse, all of the technologies used to collect payment for road use – even the collection of fuel taxes – can be viewed as having a privacy issue. The reason for this is that any payment that is made at a specific location – or because your vehicle was at a specific location – could entail revealing that you and/or your vehicle was at that location at a certain time. Hence, if you pay for fuel with a credit card, it is easy to infer that you were likely at a certain fueling station at a particular time. At the other extreme, the road use payment collection technology most commonly feared – GNSS (GPS) – is arguably the most private, as we shall see, but it has to be managed properly to achieve that status.

From 2002 to 2010, I worked with an innovator of road use metering technology that used Global Navigation Satellite Systems (GNSS). Hence, I have been concerned with driver privacy for quite a while. During this time, I have come to appreciate the work of several privacy experts and privacy commissioners. Singular among these is Dr Ann Cavoukian, PhD, Ontario's privacy commissioner (see interview below).

Private disclosure

Ontario's information and privacy commissioner, Dr Ann Cavoukian, explains the Privacy by Design concept and how it applies to electronic road tolling.

Photo caption: Cavoukian applied Privacy by Design principles to Ontario's 407 ETR in the 1990s.

Dr Cavoukian, I understand that you have been thinking about privacy and road use since 1994, triggered by the first use of automated toll collection in Ontario. What were the original reasons your office looked at the issue?

AC: When we first learned the 407 ETR would be using electronic technology to collect data on highway users for the purposes of automatic billing, we proactively contacted the Ontario Transportation Capital Corporation (OTCC) as a result of the privacy issues involved – ranging from tracking to secondary uses of information. Intelligent transportation systems have the capability of being privacy invasive, but with privacy built in, these systems can be transformed into privacy-enhancing ones. My office worked extensively with the OTCC to ensure that privacy was considered throughout all phases of the development and implementation of this project. For example, together, we were able to ensure that the public had the option to travel the 407 ETR anonymously. This included making an initial payment into an anonymous account from which toll charges would be deducted automatically, with no invoice or bill sent to your home.

How hard was it to align the 407 ETR with your privacy principles?

AC: Not very. The OTCC was already considering privacy issues when we contacted them. They were receptive to building in full privacy protection from the outset. With the help of my office, they were able to meet the Seven Foundational Principles of a concept I developed called "Privacy by Design". This included taking a proactive approach, embedding privacy protections directly into the design of the system and, above all, exhibiting respect for user privacy.

Can you say more about Privacy by Design? What is its most important feature?

AC: Privacy by Design (PbD) advances the view that the future of privacy cannot be assured solely by compliance with regulatory frameworks; rather, privacy assurance must become an organization's default mode of operation. Initially, I advanced the deployment of Privacy-Enhancing Technologies (PETs) as the solution. Today, I believe a more substantial approach is required – extending the use of PETs to PETs Plus – taking a positive-sum (full functionality) approach, not just a zero-sum trade-off. This encompasses three things: IT systems, accountable business practices, and physical design and networked infrastructure. The most important Principles of PbD are its proactive, positive-sum nature and respect for user privacy. PbD is not intended as a conceptual abstraction. I developed it to ensure real and positive changes in our everyday lives.

How would PbD influence the use of navigation satellites for road tolling?

AC: PbD is all about building privacy in from the outset. In that sense, it is technology-neutral. Whatever system is involved – including navigation satellites for road tolling – PbD requires that you build it from the ground up, with privacy as the default setting. Data minimization is key. The Sofia Memorandum already requires that the anonymity of drivers be preserved. If the service can be provided anonymously, then it should be. Indeed, eliminating the collection of personally identifiable information also eliminates the subsequent duty of care that extends to the collection and retention of personally identifiable information. Where no personal information exists, the privacy concern disappears. If a system cannot function without personal information, then such information should not be kept for longer than is necessary for the purposes collected. Of course, no secondary uses should be permitted without consent. These are the fundamentals, and here PbD and the Sofia Memorandum are very closely aligned.

So you're saying that these provisions must be accounted for in technology architecture and program design from the beginning in order to get it right?

AC: Absolutely, otherwise you risk what my colleague, Professor Kai Rannenberg, calls "Privacy by Disaster". It's not enough to fix the problem after thousands of users have already been exposed to a privacy breach. That's why the first principle of PbD is to be "proactive, not reactive". PbD anticipates and prevents privacy-invasive events, before they happen. It does not wait for privacy risks to materialize, nor does it seek to offer remedies for resolving privacy infractions once they have occurred – it aims to prevent them from occurring. I believe it is critical to be proactive and constantly address privacy issues through a prolific yet targeted campaign such as PbD. Unless the public, government and businesses are well informed on what the issues are – and the concerns associated with privacy – the issues may only surface after the fact, as privacy complaints, which in my view is too little, too late.

Many people are talking about using road-use data for improving the transportation network, for planning expansions and transit, and for improving real-time navigation. If trip data must remain under user control, as the Sofia Memorandum insists, what does that imply for those programs?

AC: Whether we are talking about new systems, technologies, or business practices, the key from a privacy perspective is embedding privacy right from the outset as a core functionality of the system requirements. In the kinds of examples that you mentioned, thinking through the privacy issues in the design stage would make it clear that most of these applications don't actually require personally identifiable data. Aggregated or anonymized data would provide most of what is needed. Indeed, building privacy in as a design requirement can be eye-opening. Designers often assume that personal information is necessary, when it is not. But where personally identifying information really is necessary, then you need to have clearly identified purposes for collecting the data, and transparent rules about how it will be used, disclosed, and later destroyed.

More data for more purposes

We tend to approach complex problems such as healthcare, smart grids, and now traffic management by capturing, storing, mining, and analyzing more data, which may be kept longer to study yet more trends. Most data now has multiple purposes – and some of these purposes may be unanticipated when the data is collected. In many ways, it is the opportunity to piece together data from disparate sources – for good or harm – that creates more alarm than data coming from any single application. Whether for capability, precision or profit, data-heavy applications are increasingly interconnected, integrated, and pervasive. As they grow in span and power, one can only imagine the migraines this can cause for privacy commissioners.

If we collect and retain trip data from private vehicles for the agreed purpose – say, of assessing road use fees or pay-as-you-drive insurance premiums – this could create a fabulous source of data for secondary applications, such as traffic studies, congestion studies, navigation optimization, and for all sorts of marketing and planning purposes. Integrated with other data we could develop a phenomenal degree of valuable knowledge about an urban area, a city, or a group of people. At the same time, this data could obviously be directed to harmful purposes.

Seven design principles

It's encouraging for anyone concerned with privacy to know that there are tested guidelines such as Privacy by Design (see The 7 Foundational Principles of Privacy by Design sidebar) to preserve and enshrine privacy in the face of the ever-growing juggernaut of data capture and mining. Dr Cavoukian's work for the past couple of decades has not only sharpened and formalized that focus, but has even applied it specifically to road tolling. Her prescience foreshadowed the 2009 Sofia Memorandum (see sidebar) that is specifically designed for satellite-based road use charging. The seven principles of Privacy by Design incorporate privacy throughout the design and operation of technology, operational systems, work processes, management structures, and physical spaces. According to Cavoukian, they "explode the myth that privacy competes with other values in a zero-sum equation". That myth suggests, for example, that in order to realize fully the efficiencies of a system, such as a smart road use metering system, we must give up some privacy. "But this is a myth based on false dichotomies and a paradigm that posits our core values as being in conflict with one another. That simply is unnecessary."

Approaching the development of a satellite-based road tolling system with these seven principles in mind means we can realize all the benefits of a reinvigorated traffic management and road-funding system, while enabling drivers to enjoy full privacy for their private trips.

Privacy can and must co-exist alongside functionality, operational efficiency, organizational control, security, and usability in a positive-sum – rather than zero-sum – equation. There are likely many important and necessary uses of trip information in the context of solving the congestion problem. Without diminishing the benefits of the available solutions, it is possible to design privacy directly into them by making it the default in all physical, administrative, and technological aspects of the system.

More privacy, not less

The two most common comments I hear regarding road-use charging and privacy are "over my dead body" and, in contradiction, "they already have your cell phone and credit card data". Neither is helpful or useful. There is no need to invade privacy to assess and collect a road use fee. And there is no need to taunt drivers by reminding them of existing and unrelated privacy risks. No-one wants more privacy exposure.

Photo caption: An "anonymous account" allows users to travel the 407 ETR and pay charges without having to reveal who they are – no personal identification is required.

The Sofia Memorandum makes road use charging more private than credit card purchase at a fueling station and far more private than current RFID/DSRC methods. Systems that can protect privacy to this degree already exist – i.e. systems designed using PbD and according to the Sofia Memorandum guidelines. If you advocate greater privacy than you have now, ensure that any proposals for road user charging include these safeguards, then buy an all-electric vehicle, charge it at home, and stay away from fueling stations!

Sidebar: The 7 Foundational Principles of Privacy by Design

1. Privacy by Design is proactive rather than reactive. Preventative rather than remedial, it anticipates and prevents privacy invasive events before they happen.
2. Privacy by Design operates as the default setting. It seeks to deliver the maximum degree of privacy by ensuring that personal data is automatically protected. As the default rules, no action is required on the part of the individual to protect their privacy.
3. Privacy by Design is embedded into the design and architecture of IT systems and business practices. Privacy becomes an essential component of core system functionality.
4. Privacy by Design seeks to accommodate full functionality – handling all legitimate interests and objectives in a positive-sum, "win-win" manner, rather than a dated, zero-sum approach with unnecessary trade-offs.
5. Privacy by Design is embedded into a system prior to the first element of information being collected in order to provide end-to-end security and lifecycle protection.
6. Privacy by Design engages visibility and transparency to assure all stakeholders that the business practice or technology involved is operating according to the stated promises and objectives, and subject to independent verification. Its component parts and operations remain visible and transparent.
7. Privacy by Design requires architects and operators to keep user-centricity and respect for user privacy uppermost, by offering measures such as strong privacy defaults, appropriate notice, and empowering user-friendly options.

Distilled from http://www.ipc.on.ca/images/Resources/7foundationalprinciples.pdf

Sidebar: The Sofia Memorandum

The International Working Group on Data Protection in Telecommunications has been active since 1983. Founded in the framework of the International Conference of Data Protection and Privacy Commissioners, it formulates recommendations to improve the protection of privacy in telecommunications. The Sofia Memorandum – issued at the 45th meeting of the WG in March 2009 – directs its guidance toward road pricing.

Four recommendations were made by the WG that were designed to protect the privacy of drivers and vehicle owners:

1. The anonymity of the driver can and should be preserved by using the so-called smart client or anonymous proxy approaches that keep drivers' personal data under their sole control and do not require off-board location record-keeping.
2. Road pricing systems can and should be designed so that the detailed trip data is fully and permanently deleted from the system after the charges have been settled, in order to prevent the creation of movement profiles or the potential for function-creep.
3. Processing of personal data for other purposes (e.g. pay-as-you-drive insurance or behavioral-based marketing) should only be possible with clear and unambiguous consent from the individual.
4. In terms of enforcement, the system should not ascertain the identity of the driver nor owner of a vehicle unless there is evidence that the driver has committed something that is defined as a violation of the road pricing system.

The above recommendations have been distilled from www.datenschutz-berlin.de/attachments/647/WP_Road_Pricing_Final_675.38.12.pdf
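The "smart client" approach in the Sofia Memorandum's recommendations 1 and 2, sketched as an added Python illustration that is not part of the article, the 407 ETR or any deployed tolling product: GNSS fixes are logged only on the on-board unit, charges are computed locally against tariff zones, the only message prepared for the operator is the aggregate charge, and the trip log is purged once settled. The zone boundaries, rates and sample fixes are constructed values.

```python
"""Added illustration of the Sofia Memorandum's 'smart client' idea: the on-board
unit (OBU) keeps GNSS fixes to itself, prices them locally, hands the operator only
settled totals, and deletes its trip log once settled. All values are constructed."""
import math

# Constructed tariff zones: (name, lat_min, lat_max, lon_min, lon_max, cents per km); first match wins.
ZONES = [
    ("downtown", 43.64, 43.66, -79.40, -79.37, 20),
    ("ring",     43.60, 43.70, -79.50, -79.30, 5),
]

def zone_for(lat, lon):
    """Tariff zone name and rate for a position; free outside every zone."""
    for name, la0, la1, lo0, lo1, rate in ZONES:
        if la0 <= lat <= la1 and lo0 <= lon <= lo1:
            return name, rate
    return "free", 0

def haversine_km(p, q):
    """Great-circle distance in km between two (lat, lon) fixes."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*p, *q))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

class SmartClient:
    """On-board unit: the fix log never leaves this object, only totals do."""
    def __init__(self):
        self.fix_log = []   # (lat, lon) log, held on the OBU only
        self._cents = {}    # running charge per zone

    def record_fix(self, lat, lon):
        """Price the hop from the previous fix at the rate of the zone it ends in."""
        if self.fix_log:
            zone, rate = zone_for(lat, lon)
            km = haversine_km(self.fix_log[-1], (lat, lon))
            self._cents[zone] = self._cents.get(zone, 0.0) + km * rate
        self.fix_log.append((lat, lon))

    def settle(self):
        """Build the only off-board message (totals; no positions, no time stamps),
        then purge the log: recommendation 2, trip data deleted once settled."""
        record = {"total_cents": round(sum(self._cents.values())),
                  "by_zone": {z: round(c) for z, c in self._cents.items()}}
        self.fix_log.clear()
        self._cents.clear()
        return record

def demo_trip():
    """Constructed trip: three 0.01-degree hops north, two in 'downtown', one in 'ring'."""
    obu = SmartClient()
    for lat in (43.640, 43.650, 43.660, 43.670):
        obu.record_fix(lat, -79.38)
    return obu.settle(), len(obu.fix_log)
```

Enforcement (recommendation 4) and integrity of the on-board tariff computation are outside this sketch; it shows only which data leaves the vehicle.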