June 15, 2024

Privacy and Toll Transponders

Rebecca Bolin at LawMeme discusses novel applications for the toll transponder systems that are used to collect highway and bridge tolls.

These systems, such as the EZ-Pass system used in the northeastern U.S., operate by putting a tag device in each car. When a car passes through a tollbooth, a reader in the tollbooth sends a radio signal to the tag. The tag identifies itself (by radio), and the system collects the appropriate toll (by credit card charge) from the tag’s owner.

This raises obvious privacy concerns, if third parties can build base stations that mimic tollbooths to collect information about who drives where.

Rebecca notes that Texas A&M engineers built a useful system that reads toll transponders at various points on Houston-area freeways, and uses the results to calculate the average traffic speed on each stretch of road. This is then made available to the public on a handy website.

The openness of the toll transponder system to third-party applications is both a blessing and a curse, since it allows good applications like the real-time traffic map, and bad applications like privacy-violating vehicle tracking.

Here’s where things get interesting. The tradeoff that Rebecca notes is not a necessary consequence of using toll transponders. It’s really the result of technical design decisions that could have been made differently. Want a toll transponder system that can’t be read usefully by third parties? We can design it that way. Want a system that allows only authorized third parties to be able to track vehicles? We can design it that way. Want a system that allows anyone to be able to tell that the same vehicle has passed two points, but without knowing which particular vehicle it was? We can design it that way, too.

Often, apparent tradeoffs in new technologies are not inherent, but could have been eliminated by thinking more carefully in advance about what the technology is supposed to do and what it isn’t supposed to do.

Even if it’s too late to change the deployed system, we can often learn by turning back the clock and thinking about how we would have designed a technology if we knew then what we know now about the technology’s implications. And on the first day of classes (e.g., today, here at Princeton) this is also a useful source of homework problems.


  1. This post made me think about an issue I’m involved in right now.

    In the coming months, I’ll post a story about a very interesting observation I’ve made about my 2004 BMW sedan. My BMW, like many, has a GPS tracking system for “safety purposes” like calling 911 after an accident. It also has a black box. The combination of the data between these two systems enables BMW to investigate my driving habits in alarmingly specific detail and in near real time.

    My point: the transponder system might have interesting design mistakes, but Amercian consumers are giving up the privacy information as part of the features they are paying for in their cars.

  2. A good example of a new technology along these lines extends the toll concept into a universal vehicular communication system, the Direct Short Range Communications effort involving the ITS, IEEE and FCC. DSRC will be used to implement the Vehicle Safety Communications system which envisions continual car-to-car and car-to-roadside communications. Applications include warning drivers about traffic, road and signal conditions ahead, and alerting nearby cars when a car suddenly changes direction or speed.

    For more information on DSRC and VSC see for example http://www.standards.its.dot.gov/Documents/dsrc_advisory.pdf
    and http://www-nrd.nhtsa.dot.gov/pdf/nrd-12/CampII.pdf (page 30).

    The privacy issues are massive as each vehicle must broadcast information about its driving condition. This could be used to automatically detect people who are speeding, running stop signs and signals, etc. The car would be constantly broadcasting incriminating information.

    At the Crypto conference this year, Boneh et al proposed a group signature scheme which could provide security against spoofing of the system (an unauthorized transmission could have devastating consequences) while still protecting the privacy of drivers. So the technology exists. The real question is how society wants to handle the tradeoffs.

    Will people support technology to protect the anonymity of drivers who are behaving unsafely? Or will they forego privacy altogether and create a system where the movements of every vehicle on the road are constantly reported, tracked and recorded? These issues should be discussed publicly well before deployment, unlike what happened with toll transponders.

  3. Then there are all those episodes of Law and Order where the police find out where someone’s been by checking the use of their Metrocard. There’s always a tradeoff between convenience and privacy. No matter how much I value my privacy, I can’t give up EZPass!

    Can those folks who scan a transponder also clone it?

  4. There’s at least some evidence that in the toll-collection case people did think about privacy issues before the systems were deployed and either decided that privacy was unimportant or that it was a definite negative. One of the early demonstrations of Chaum’s digital-cash work, for example, was a prototype toll staton that could handle cars traveling upwards of 100 mph. (Such a system could have provided privacy combined with identifiability under special circumstances. The extension of uses to things like traffic-speed monitoring is obvious.) I’m sure there were plenty of other privacy-preserving options being pushed at the time, but that’s just one I know a few details about.

    Even the current EZ-Pass system could have significantly more privacy protection if anonymous transponders were commonly allowed, but that’s another example of decisions being made explicitly against privacy interests.