Privacy Concerns

There is a very real concern among policy makers and the general public that a road pricing system that charges based on when and where individuals travel inherently threatens privacy. Indeed, if these systems are not designed and implemented properly, the threat to privacy could be very real. This leads to two significant challenges that must be overcome if comprehensive pricing is to be seriously considered in the United States: first, any system must ensure adequate safeguards to personal privacy; second, the public agency or agencies charged with implementing comprehensive pricing must gain the confidence of policy makers and the public that these safeguards exist and will be effective.

A great deal of thought has already gone into how a system could be structured to safeguard personal privacy. The Oregon pilot project, for example, placed strong emphasis on an architecture that would protect privacy, and the currently ongoing University of Iowa pilot project includes testing of system and privacy protection safeguards.

Key system considerations that relate to privacy include: how information about where and when a vehicle traveled would be identified and recorded, who would physically own and control this information, and how and in what form the information would be communicated to the administering agency for billing and collection purposes. More research is needed on this, but most road pricing designs either currently in place or being discussed suggest that these considerations can be adequately addressed.

Specifically, these designs center on the use of an on-board unit (one in each vehicle) that would contain a GPS receiver that receives satellite signals enabling it to calculate vehicle location in real time and a computer that calculates the associated VMT charge. The key point is that the satellite signal is only a one-way signal "telling" the car receiver where it is, and therefore outside the vehicle there is no tracking of where individuals travel. In essence, this receiving function of a VMT system would function like the GPS devices that millions of Americans have already installed in their cars without worry of privacy loss.

The more critical question related to privacy is what happens to the travel information that is stored on the on-board unit. The Commission believes that such a system can and should be designed so that the information transmitted to the administering agency would only relate to the bulk charges due and would not include specific information about trip origins and destinations, routes, or time of travel. In other words, the administering agency would only receive information that a particular vehicle owes a particular amount each month. It should be noted that such a system would provide considerably more privacy than other information technology systems in our society, such as credit card and cell phone systems, where the relevant company knows not just how much a person owes but where the individual made purchases and what phone numbers were called (and, in fact, approximately where the person is when making a call). Moreover, information should be transferred from the vehicle to the administrative agency (or gas pump) in secure ways, for example by encrypting the data transfer.

There is, however, a trade-off between the ability of users to monitor their usage for billing purposes and privacy concerns. Systems could be designed that do not store information about individual trips on the on-board unit but instead record only the amount of the cost. But this would not allow individuals to challenge their payments to administrative authorities. However, systems can be designed that would let travelers challenge charges in ways that then let the individual trip data be permanently deleted from the on-board unit.

It is generally agreed that equipping all roads everywhere with the types of equipment used in current electronic toll collection applications would be far too costly. Instead, most concepts for comprehensive pricing assume the use of an on-board unit consisting of a GPS receiver, software, and a wireless communications capability.

Other studies have experimented with systems in which these data are uploaded along with the bulk payment information if travelers choose to have this done. The system employed in the Puget Sound region maintains and can provide users with detailed information on priced travel. Hence, the user can easily check to ensure that they were appropriately billed for travel and contest any inappropriate charges. However, the detailed data required to provide this documentation mean that a record exists of all vehicle travel, which clearly raises privacy concerns (e.g., this information, if it existed, could potentially be subpoenaed). Such systems can and should be designed so that the detailed trip data are fully and permanently deleted from the system after the charges have been made, as happens in the London congestion pricing system. And travelers should have the right to have only overall charge information transmitted if they so choose.

In contrast, the Oregon system only kept information on total mileage by category, and the categories were very general. Thus, the privacy issue was mitigated but a user had only limited ability to verify the accuracy of the charges.

The system developed for the Iowa pilot project has the capability to both protect privacy and provide detailed information when desired, but it is also more expensive. This system records all travel on encrypted files in the vehicle. Only the data about the amount of charges owed to each jurisdiction, however, are typically transmitted to the billing system. If users believe that there are errors in their bills, they have the option to open the encrypted file and provide the detailed data for review to the organization(s) receiving the payment. In addition, these systems could be easily designed to automatically delete travel data from the on-board unit after a certain date (e.g., 60 days after travel) to ensure an even greater level of privacy protection.
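The split described above (trip detail stays in the vehicle, only the amount owed to each jurisdiction is transmitted, detail is released at the owner's request and deleted after a retention period) can be modeled as follows. This is an added example, not code from the report or from any pilot project; the class and field names, the rates, and the sample trips are constructed, and encryption of the stored file is left out.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from decimal import Decimal

RETENTION = timedelta(days=60)  # the report's example: delete 60 days after travel
# Constructed per-mile rates in dollars; the report gives no rate schedule.
RATES = {"state_A": Decimal("0.012"), "city_B": Decimal("0.030")}

@dataclass(frozen=True)
class Trip:
    when: datetime      # time of travel; stays on the unit by default
    jurisdiction: str
    miles: Decimal
    route: str          # stand-in for GPS detail; stays on the unit by default

@dataclass
class OnBoardUnit:
    vehicle_id: str
    trips: list = field(default_factory=list)

    def billing_report(self, start, end):
        """What is transmitted: the amount owed per jurisdiction, nothing else."""
        owed = {}
        for t in self.trips:
            if start <= t.when < end:
                owed[t.jurisdiction] = owed.get(t.jurisdiction, Decimal(0)) + t.miles * RATES[t.jurisdiction]
        return {"vehicle_id": self.vehicle_id,
                "owed": {j: str(c.quantize(Decimal("0.01"))) for j, c in owed.items()}}

    def dispute_export(self, start, end, owner_consents):
        """Detailed records leave the vehicle only when the owner opts in."""
        if not owner_consents:
            raise PermissionError("trip detail requires owner consent")
        return [t for t in self.trips if start <= t.when < end]

    def purge(self, now):
        """Delete trip detail older than the retention window; return the count."""
        keep = [t for t in self.trips if now - t.when <= RETENTION]
        deleted = len(self.trips) - len(keep)
        self.trips = keep
        return deleted

def sample_unit():
    # Constructed sample data, for illustration only.
    obu = OnBoardUnit("VEH-EXAMPLE")
    obu.trips += [Trip(datetime(2024, 1, 5, 8), "state_A", Decimal("100"), "I-80 E"),
                  Trip(datetime(2024, 1, 20, 17), "city_B", Decimal("10"), "downtown"),
                  Trip(datetime(2024, 1, 25, 9), "state_A", Decimal("50.5"), "US-6 W")]
    return obu
```

The billing report must be produced before `purge` removes the trips it covers, which is the same trade-off between verifiability and retention that the report describes.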

While the approaches just discussed indicate that privacy concerns could be adequately addressed and provide a strong foundation for developing new system configurations with improved privacy safeguards, much work still needs to be done before a national comprehensive pricing approach could be implemented. And even with better technical and institutional solutions to address privacy concerns, the question of how to gain policy-maker and public confidence in the proposed systems is still largely unanswered. In short, the Commission appreciates that the privacy concerns associated with comprehensive pricing administration are both real and justified, but it believes that such systems can and should be designed to fully protect travelers' privacy and that additional research and public outreach on this issue are needed. (See the corresponding recommendations to address these needs in Chapter 8.)