Finland is debating whether to implement “virtual toll roads” based on GPS positioning of cars. The debate for the most part has been insane, irrational, or both. It is fair to say that the majority of Finns seem to be against the idea, but then the great majority are against any kind of taxes, or any kind of change for that matter, and especially against anything that in any way touches on the right to drive.
I won’t go into the arguments over whether the tax is needed or not. I am more interested in what the least bad technical choice would be, if the tax were to be put into place.
The most serious and coherent objections (in my opinion) have come from civil-liberties types. They argue that “satellite surveillance” (as it tends to be called, misleadingly) will lead inexorably toward abuse of the data and loss of privacy.
I happen to agree with the civil-liberties types. If too much information is collected, it will be abused. However, I also happen to think that those most opposed to GPS monitoring specifically are missing one fundamental technical point. If some type of location-based system is to be used, then GPS positioning may fundamentally be the best (only?) technology for incorporating at least some privacy-enhancing mechanisms.
Why? Because a GPS receiver as such is a passive device. The receiver listens to GPS satellites, and determines where it is; after that, the location information just sits on the device until something is done to it. A GPS receiver only becomes a surveillance tool when it is combined with a transmitter that sends information somewhere else. That information does not need to be real-time location data.
Although popular imagination and the movies paint GPS positioning as something that allows SWAT teams to track down and eliminate any targets they want, it is not fundamentally so. In the end, for this application, authorities simply need to know that the accounts match. If a driver drives for X kilometers on roads with a toll tax of A EUR/km, he must pay A*X EUR in taxes. Likewise, if 100 drivers have driven on a given stretch of road worth B EUR, the authorities need to receive payment of B*100 EUR. If the figures match, there is no need for the authorities to know exactly who has driven where.
This may sound abstract, but in fact it is exactly how old-fashioned cash-based toll roads operated. As long as the number of cars corresponded with the amount of money taken in, there was no need whatsoever to know exactly who had used the road.
Any such privacy is immediately lost if the toll system relies on cameras or electronic forms of identification. The system relies on knowing that car A entered the toll road at time T. As soon as the car is photographed, privacy is lost. Such a system is in place in Stockholm. The cameras record the license plates of the cars; the information goes to central servers, and even if encryption is used, there is nothing the users or anyone else can do to improve privacy. Once the cameras are in place, there is no way to opt out of the system.
A GPS-based toll system can, if so desired, work as a hybrid between these two types of toll. Some ideas have already been bounced around, although they are still only in the very early phases.
- A “pre-paid” system of some type would make eminent sense, in that the car’s location never needs to be be made known to the authorities (except for spot checks or other tests to make sure that the system is not being abused).
- [Edit: Refinement suggested by Rune Tevasvold Aune: “What if the device in the car was prepaid, and while having a unique ID, not in any way being tied to a person (think browser cookie)? Then it wouldn’t really matter what method of registration is used or what kind of analysis is performed on the data (I imagine accurate tracking might greatly simplify thinks like planning of new roads and calibration of traffic lights). The ID could change every time the device is topped up, or even at shorter intervals.”]
- A third party can be used to encrypt and anonymize the data, as proposed by Niko Porjo on this same site (Finnish only).
- Data transmission can be delayed, and data from multiple cars combined and anonymized. Real-time information is not needed for the poll tax system.
- Separate and independent black boxes can (and probably should) be maintained to verify the movements of the car in unclear situations. These black boxes would need to act in favor of the driver: the information can only be decrypted by the user, when he disagrees with the results given by the authorities.
These systems certainly are not perfect. I agree with the civil-liberties types: there is no way to make this kind of system 100% secure. The authorities (or someone hacking into the system) will always find a way to abuse the system.
However, there is a fundamental axiom of all information security: every system can be broken. It is only possible to make breaking so difficult and expensive that for the most part it is not worth it. The proposals mentioned above would raise the cost and effort of abuse significantly. A camera-based system is very easy to abuse, as the driver has no way of controlling whether he is photographed. With a GPS-based system, the driver at least in principle has more control.
The authorities will doubtless do their utmost to minimize the control. In practice, an inoperative device would probably set off some type of alarm. Surveillance of non-compliant cars would certainly take place. Even so, the fact remains that there is still room for negotiation about what information is given out and to whom.
Most importantly, a GPS-based system also leaves room for mass civil disobedience, should the need rise. Destroying a large number of observation cameras would require an organized show of violence. Removing GPS devices from tens of thousands cars, on the other hand, simply requires those people to use a screwdriver. Because the basic measurements are distributed rather than centralized, a GPS-based system is difficult to enforce coercively, if enough people decide to opt out.
This last requirement also shows the limits of what is acceptable. If a GPS device is used as a car lock, so that driving is physically impossible without the device, then the system is unacceptable. (It is of course unacceptable from a safety perspective alone; electronic devices will malfunction, and there must at least be an emergency override capability).
Although I have a personal opinion about the proposed toll tax, it is not relevant here. My point is that if a tax of this type is implemented by force, then a GPS-based system may actually be the least malignant type of surveillance. (To put it cynically, the main open question is whether the system will be implemented in an extremely privacy-hostile way or merely a somewhat privacy-hostile way).
This is however only true if people are aware of the privacy issues, require these features to be built into the design from the very start, and are willing to invest time, money, and R&D work into the effort. Such R&D work would almost certainly require marketable innovations that the country needs right now, and could actually benefit us.
I am too cynical to expect that this to happen, of course. Like most major Finnish efforts of this scale, we will end up with an ultra-intrusive system that works sporadically at best, is delayed by five years, overruns the original budget by a factor of ten, and in the end has to be scrapped. But the potential is there.