State transportation departments face a challenge when considering connected and automated vehicles and infrastructure. On the one hand, these transit initiatives carry the promise of making services more efficient, effective and safe for all residents. On the other hand, poorly managed projects might collect troves of sensitive resident data, share it inappropriately with police and other departments and fail to keep any of it secure against hackers, leaving residents feeling spied on and at risk.
Getting the benefits of smart transit tech while minimizing the dangers may mean baking data privacy and security considerations into projects from the get-go, according to Kristin White, executive director of the Connected and Automated Vehicles Office (CAV-X) for the Minnesota Department of Transportation (MnDOT).
“We [need] to make sure we balance this historic inequity of communities that have been over surveilled. There’s a strong lack of trust with government and industry data protections, but we still sometimes need information to make informed policies,” explained White.
States and cities across the U.S. have been exploring how public and private use of smart transit tech can deliver benefits. Traffic lights could sense and prioritize ambulances — speeding their rescue missions — while connected snowplows trundling along highways in low-visibility conditions could alert other drivers to their presence to prevent collisions. Sensors in traffic infrastructure could better inform the city about how to manage congestion and where more transit options are needed, while automated vehicles have already helped deliver food and medical supplies during the pandemic.
To resolve connected and automated transit’s tension between utility and risk, MnDOT has been working to get ahead of growing trends and act now to establish privacy and data security policies that can guide public-sector approaches to the technology at present and in the long term. The Governor’s Council on Connected and Automated Vehicles recently released an annual report highlighting its latest efforts, including drawing together members of academic, business, government and nonprofit sectors last year to create the CAV Innovation Alliance charged with researching and developing best practices for emerging technologies. No one set of rules will be able to cover the nuances of all situations, so the committees have focused on developing flexible frameworks that can be used to guide thinking and offer advice on a wide variety of possible use cases.
Public privacy expectations
Public agencies that want to preserve trust with residents must be transparent about exactly what data is being collected and understand constituents’ assumptions around privacy, explained Frank Douma, co-chair of the CAV Innovation Alliance subcommittee on Connectivity and Data and director of the State and Local Policy Program at the University of Minnesota’s Humphrey School of Public Affairs.
Residents might expect connected infrastructure to detect what any bystander could, such as that there’s a car on the street, but systems that dig deeper to detect specifically who owns the car can feel invasive — an issue Douma said Minneapolis ran into in 2007, when a project that used intersection cameras to try to identify and fine drivers who ran red lights generated public outcry over privacy concerns.
“When you’re getting into things like red light enforcement and other traffic enforcement mechanisms, you’re getting into areas of possibly taking a picture of the driver or at least the license plate … that’s very identifiable, and if you aggregate that, it begins to tell the story of that person’s life — you don’t need any government transportation system having that kind of data,” Douma said.
Projects collecting easily observable details may be able to simply let residents opt out of data collection, while those seeking to gather more identifying information should depend on users voluntarily opting in, recommended Damien Riehl, managing director at legal research platform Fastcase and the other co-chair of the Connectivity and Data subcommittee.
Key principles for trust also entail ensuring that data is only ever used for the purpose it was collected, and that it stays with the transportation department only, without law enforcement or other agencies getting access, White said. Strong policies around what information is collected and how can guide departments toward approaches that help residents feel the services are working for them, not against them.
Any collected data must be protected, and de-identifying personal information is an important approach, but even anonymized data doesn’t always stay anonymous, said Riehl.
A hypothetical project might replace users’ real names with pseudonyms but would fail to be secure if it included enough other specifics — like users’ dates of birth and neighborhoods — allowing fraudsters to connect the dots and re-identify some “anonymous” individuals. Agencies must be on guard not only against hackers but also fraudsters or stalkers using seemingly innocuous Freedom of Information Act (FOIA) requests to view databases with plans to crack their targets’ aliases, Riehl said.
Government agencies must also be mindful that technology and criminal techniques are always evolving. Defense strategies thus must not only protect against the threats of today but also anticipate attacks that could emerge in the future.
“What isn’t re-identifiable today could be re-identifiable tomorrow,” Riehl warned.
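As an added illustration of Riehl’s point (example code written for this article, not part of MnDOT’s or the Alliance’s work), the check below measures re-identification risk in a constructed pseudonymized export: a record whose date of birth plus neighborhood combination is unique (k = 1) can be singled out by anyone who knows those two facts, so the release gate refuses it until the fields are generalized. The `generalize` mapping from neighborhood to city area is an assumed grouping invented for the example.

```python
from collections import Counter

# Constructed sample: a "pseudonymized" transit export. Real names were replaced
# with opaque IDs, but exact date of birth and neighborhood were kept.
# (Data invented for this illustration, not real MnDOT records.)
RECORDS = [
    {"pseudonym": "u1", "dob": "1984-03-12", "neighborhood": "Whittier", "trips": 14},
    {"pseudonym": "u2", "dob": "1991-07-30", "neighborhood": "Whittier", "trips": 3},
    {"pseudonym": "u3", "dob": "1984-03-12", "neighborhood": "Phillips", "trips": 9},
    {"pseudonym": "u4", "dob": "1991-11-02", "neighborhood": "Phillips", "trips": 22},
    {"pseudonym": "u5", "dob": "1984-09-18", "neighborhood": "Whittier", "trips": 7},
    {"pseudonym": "u6", "dob": "1991-07-30", "neighborhood": "Whittier", "trips": 5},
]

QUASI_IDS = ("dob", "neighborhood")  # fields that are not names but still identify


def equivalence_classes(records, quasi_ids=QUASI_IDS):
    """Count how many records share each combination of quasi-identifier values."""
    return Counter(tuple(r[q] for q in quasi_ids) for r in records)


def min_k(records, quasi_ids=QUASI_IDS):
    """Smallest class size; k == 1 means at least one record is unique on its quasi-identifiers."""
    return min(equivalence_classes(records, quasi_ids).values())


def singled_out(records, quasi_ids=QUASI_IDS):
    """Pseudonyms that stand alone on the quasi-identifiers, i.e. re-identifiable by linkage."""
    classes = equivalence_classes(records, quasi_ids)
    return sorted(r["pseudonym"] for r in records
                  if classes[tuple(r[q] for q in quasi_ids)] == 1)


def safe_to_release(records, quasi_ids=QUASI_IDS, k=3):
    """Release gate: refuse any export where some quasi-identifier combination is rarer than k."""
    return min_k(records, quasi_ids) >= k


def generalize(records):
    """Mitigation: coarsen quasi-identifiers (birth year only, city area instead of neighborhood)."""
    area = {"Whittier": "South", "Phillips": "South"}  # assumed grouping, constructed for the example
    return [{**r, "dob": r["dob"][:4], "neighborhood": area[r["neighborhood"]]} for r in records]


if __name__ == "__main__":
    print("raw export: k =", min_k(RECORDS), "singled out:", singled_out(RECORDS))
    coarse = generalize(RECORDS)
    print("generalized: k =", min_k(coarse), "release ok:", safe_to_release(coarse))
```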
When something goes wrong
No organization can prevent all hacks, and the strongest approach to securing residents’ data in the long term may be simply to not have it — or at least not have it by the time bad actors develop ways to get through your defenses, explained White.
“The longer an organization holds onto information, the more dangerous it is to not only be hacked or to be able to connect different pieces of information to identify someone,” White said. “When it comes to technology, security and privacy, it’s really not a matter of if you’re going to be exposed, but when.”
Organizations should regularly delete data, White explained, although how quickly they can purge records may be a case-by-case matter. Some lawsuits can be filed up to seven years after an incident, so governments must retain certain records long enough to present them in court, while data such as road traffic video can often be deleted within 48 hours, she said.
Agencies also need to carefully target their data collection and gather only as much as is essential for their current, specific purposes — a break from the traditional, far less discriminating approach, said Riehl.
“The old mindset is to collect everything in case you’ll need it,” Riehl said.
The more data an organization collects, the more data it needs to safeguard against current and emerging misuse and threats, after all.
“[Connected and autonomous] vehicles will transmit tons of information, ten times a second right now, and only small pieces are really necessary for what we need to do and what the state of Minnesota wants to do,” added MnDOT chief architect and CISO Bill Leifheit. As a committee member, he focused on developing security recommendations in collaboration with state CISO Rohit Tandon.
Throughout the process of designing transit systems and devices, designers must continually debate whether to add a new sensor or collect an additional piece of data and weigh the benefits of a more-informed system against privacy concerns, added Tandon.
“It’s a balance that has to be put in place every time — what is the risk versus the value of gathering that additional sensor information,” Tandon said.
When it comes to harnessing developing technology to ensure it remains helpful, not harmful, to residents, targeted and minimized data collection along with clear permissions policies may be key parts of an effective strategy.