Dept. of Culture and Communications Conference
October 2004
Michael Zimmer, Ph.D. Candidate
  Privacy and the Design of Vehicle Safety Communication Technologies

1) Introduction

a) Imagine your car telling you exactly how long a traffic light will stay green, warning you if you won't make it in time. Or imagine that same traffic light communicating with your car to inform you that some other vehicle is likely to run a red light. Imagine having the car in front of you tell your car that it is suddenly braking for an emergency, communicating faster than you can process the illumination of its brake lights. These are the potential benefits of Vehicle Safety Communication technologies.

b) Now... imagine your car as a node in a wireless network, constantly making connections and communicating with other nearby cars and roadside infrastructure. Imagine your car openly transmitting its location, speed, and identity 10 times per second to anyone and everyone within 1000 meters, every moment your car is on. Compared to EZ Pass systems, where a car's RFID tag is only activated and read when you happen to pass through a toll booth, imagine someone setting up a wide-range data receiver to record the message activity of every single car that passes within a mile radius, or a government agency outfitting vehicles to drive throughout New York City recording the messages of all vehicles. These are some of the potential threats of Vehicle Safety Communication technologies.

c) As the technical standards and communication protocols for VSC technologies are still being developed, certain political and value implications of these design decisions emerge, including the privacy of a driver's personal information.

d) In this talk, I will

i) Discuss how the design of VSC technologies might alter personal data flows in politically significant ways; and

ii) Reveal how close attention to values might inform and guide the design decisions of such technological systems.

2) Vehicle Safety Communication Technologies

a) What are they?

i) Vehicle safety communication (VSC) technologies are intelligent, in-vehicle safety applications designed to help drivers make better-informed decisions to avoid accidents.

ii) Made possible by recent advances in wireless data communication technology, VSC technologies provide real-time information about the surrounding road conditions as well as nearby vehicles, warnings of hazards, and prediction of dangerous scenarios or imminent collisions.

b) How do they work?

i) VSC applications rely on the creation of autonomous, self-organizing, peer-to-peer wireless communication networks, so-called ad-hoc networks, connecting vehicles with roadside infrastructure and with each other.

ii) In these networks, both vehicles and infrastructure collect, process and exchange data with each other to provide real-time safety information about the immediate surroundings.

iii) These data messages, which are transmitted by your car 10 times per second, include your car's location, time and date stamps, vehicle speed, and some sort of vehicle or message identification number.

iv) Examples:

(1) Traffic Signal Violation Warning: uses infrastructure-to-vehicle communication to warn the driver to stop at the legally prescribed location if the traffic signal indicates a stop and it is predicted that the driver will be in violation

(2) Cooperative Forward Collision Warning: aids the driver in avoiding or mitigating collisions with the rear-end of vehicles in the forward path of travel through driver notification or warning of the impending collision

c) To help facilitate the development of VSC applications, seven major auto manufacturers have formed the Vehicle Safety Communications Consortium (VSCC). The main responsibilities of the VSCC are to

i) identify and evaluate the safety benefits of vehicle safety communication applications, and estimate their deployment feasibility;

ii) assess the associated communication and data requirements specific for VSC applications; and

iii) contribute to the formation of the necessary technical standards and communication protocols for this new technology

iv) All of these activities are currently ongoing; the final design of VSC technologies has yet to be fully determined.

d) For the purposes of my research on this project, the VSCC has agreed to provide me access to their engineers, white papers and technical reports, and observation of their planning meetings. Having such access allows me to better understand the technical design decisions involved in developing VSC technologies, and, more importantly, this provides me an insider's view of the value implications and values considerations that are made related to the design of the systems.

e) Security Considerations

i) The communications security of VSC applications remains an "open issue" for the VSCC. The primary security concerns from an engineering perspective are assuring that a transmission was generated by a trusted source (data authenticity) and that the data has not been degraded or tampered with since it was generated (data integrity).

(1) The concern here is to ensure that no one can inject messages into the system pretending to be a car or an emergency vehicle, or otherwise disrupt the system in a way that compromises its goals for highway safety.

ii) Since some data messages originating from end-user vehicles could contain personally identifiable information, data anonymity has also emerged as a key security issue. Anonymity and driver privacy are considered key factors in the success of many ITS-related technologies. Note that these goals pull against each other: whatever credential proves that a message came from a trusted source must not, by itself, reveal which vehicle sent it.

3) Privacy in Public

a) It is clear, then, that the design and implementation of Vehicle Safety Communication applications trigger concerns about the privacy of personal information on the roads.

b) Coupled with the predicted safety benefits of VSC applications is a potential rise in the ability to surveil people engaging in their everyday activities on the public roads.

c) For privacy theorists, this concern has been labelled the problem of "privacy in public." And, as we shall see, there are no guarantees that VSC applications will be designed in a value-sensitive way, in a way that will protect one's "privacy in public."

d) You see, in scholarly and legal discussions about privacy, the concept of "privacy in public" is often discounted, if not altogether discarded. Here's why:

i) Conceptually, the idea that privacy might somehow be violated in public space is often considered paradoxical. For many theorists, the value of privacy applies to an individual's private sphere alone. Driving one's car on public highways is considered a public act, and collecting one's license plate number (or other identifiable information) is not considered an invasion of privacy.

ii) Empirically, the problem of privacy in public was not compelling enough to garner significant attention from privacy theorists or the public at large. Simply put, prior to recent advances in information technology, the problem of privacy in public was not experienced in one's everyday life. Up until recently, most people reasonably assumed that their day-to-day movements and activities were neither being surveilled nor cataloged; people have come to count on virtual anonymity as they engage in their daily, public activities, including driving on the roads.

e) However, advances in information technology challenge these conceptual and empirical reasons for disregarding the problem of "privacy in public."

i) For example, before IT, I could leave my apartment, come down to school, buy some food, go to the library, walk through the park, get some groceries, etc. without being systematically surveilled. Sure, some people will watch me, and the store owners and librarians will know I came in, but that's about it.

ii) Now, there are surveillance cameras in my elevator, lobby, at the subway, in the Park, etc. If I buy a metro card with a credit card, they can track every time I swipe that card and tie it to my CC number. The grocery store keeps track of all my purchases, and the library knows exactly what time I entered and what I checked out.

iii) Developments in information technology mean that there is virtually no limit to the amount of information that can be recorded or to the level of analysis that can be performed on it; the information can be shared with ease and stored virtually forever. All these separate pieces of personal information can now be processed, aggregated and analyzed in order to create a profile of my daily activities.

iv) The consequence of the emergence of such powerful information technology is a rise in the magnitude, detail, thoroughness and scope of the ability to surveil everyday people engaging in their everyday, public activities.

f) This is why the problem of "privacy in public" becomes a very important concern.

4) Does VSC threaten one's "privacy in public"?

a) The first factor to consider is whether VSC makes different types of personal information available:

i) Existing norms of highway travel anticipate the sharing of some generally-observable information: non-identifiable information about a vehicle's occupants, the type of vehicle, observable information about where the vehicle is going, and the vehicle's license number.

ii) But, the introduction of VSC technology into the context of highway travel might disrupt these norms. Some VSC applications require the transmission of a vehicle's specific location (GPS coordinates) to help prevent impending collisions. While third parties can currently visually observe that a vehicle is "in Times Square," with the implementation of VSC technology, they might know the vehicle's precise location, "40.75704, -73.98597."

iii) Of course, all vehicles openly display their unique license number; and similarly, VSC technologies might also transmit a unique identifier. While both represent the disclosure of identifiable information, the precision of the transmitted data eliminates the uncertainty of whether an observer visually read the license plate number correctly. The added precision and accuracy of a transmitted identification number upsets the current norm of appropriate visual information.

b) A second factor centers on the flow of personal information, how easily it is accessible and distributed.

i) The occupants of a vehicle and its license plate number have been deemed appropriate information to divulge, but mainly in visual contexts, and generally only to people in close proximity. Quite simply, someone has to be nearby, watching your vehicle in order to obtain this identifiable information.

ii) The flow of such identifiable information is generally confined to the likelihood that a person happens to be located in a particular spot in order to actually observe another vehicle. Further, that person would be unable to observe all vehicles and would have to selectively choose which to examine more closely to determine its occupants, type or license number. It also is unlikely that any one observer would be able to maintain complete surveillance of a particular vehicle as it travels through chaotic rush hour traffic or travels hundreds of miles across country. Such conditions represent natural barriers to mass surveillance of highway traffic, barriers that constitute part of the existing norms of flow or distribution.

iii) VSC technologies disrupt these norms of flow of personal information. Vehicles equipped with VSC technologies will be constantly transmitting information about their identity, location and status for reception by other vehicles, roadside infrastructure, or anyone else with the proper receiving equipment.

iv) A person no longer needs to be positioned in a particular place to visually observe a vehicle: all that is needed is a well-placed receiver, and information for all passing vehicles can be recorded. Even more, a series of well-placed receivers could collect information from the same vehicle over a span of miles.

c) It is clear from these brief examples how Vehicle Safety Communication technologies might disrupt the existing norms of personal information flow in highway travel, thereby threatening one's "privacy in public."

5) Value-Sensitive Design

a) Since these VSC applications and their related protocols and standards are still in the developmental stage, it becomes crucial to understand how the engineers can be proactive in their technological designs to support the norms of personal information flows, that is, to support the value of "privacy in public."

b) Key design decisions that remain include:

i) How identifiable will the information be? Simply "I am a valid car" or perhaps "I am car #123456" or "I am Michael Zimmer's car"

ii) What types of encryption or message signing, if any, will be utilized? Will each car have its own key? Multiple keys? (A per-car key that signs every message is itself a persistent identifier, whatever the message body says.)

iii) Can a user turn the system off?

iv) From a policy perspective, what level of access to these messages will law enforcement enjoy? Even if encrypted, will they have access to the encryption keys to be able to determine who a particular message came from? What kind of legal barriers will be put in place?

v) A decision that has received almost no attention thus far: who will deploy, control and have access to the thousands of receivers that will be installed on roadside infrastructure? Will these receivers be able to archive data transmissions? What kind of access limits will be in place?
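The two design questions above, how identifiable the transmitted identifier is (5b.i) and who controls the roadside receivers (5b.v), together decide how far a vehicle can be tracked by the "series of well-placed receivers" described in section 4b. The following simulation is an added illustration written for this page; it is not code from the talk or from the VSCC, and its message layout, radio range, speeds and receiver layout are constructed assumptions rather than the consortium's protocol. It emits beacons at 10 Hz from one car, records them at two roadside receivers, and then runs two tracking adversaries over the logs: one that links beacons by the identifier they carry, and one that ignores identifiers and chains beacons by motion continuity. It compares a fixed identifier ("I am car #123456") with a short-lived pseudonym that changes every 20 seconds.

```python
# Added example (not from the talk or the VSCC): VSC-style beacons and a
# roadside tracking adversary.  Message fields, radio range, vehicle speed
# and receiver placement are constructed assumptions for illustration.
from dataclasses import dataclass
import math
import secrets

BEACON_HZ = 10             # the talk's "10 times per second"
RECEIVER_RANGE_M = 1000.0  # the talk's "1000 meters"


@dataclass(frozen=True)
class Beacon:
    ident: str   # vehicle or message identifier carried in the message
    t: float     # timestamp (s)
    x: float     # position (m); stands in for GPS coordinates
    y: float
    vx: float    # velocity (m/s); real messages carry speed and heading
    vy: float


def make_beacons(true_id, start, velocity, seconds, pseudonym_every=None):
    """Beacons from one vehicle driving a straight road at constant velocity.

    pseudonym_every=None: every beacon carries the fixed identifier (the
    "I am car #123456" design).  pseudonym_every=N: the identifier is
    replaced by a fresh random one every N seconds (short-lived pseudonyms).
    """
    beacons, ident = [], true_id
    for i in range(seconds * BEACON_HZ):
        if pseudonym_every and i % (pseudonym_every * BEACON_HZ) == 0:
            ident = secrets.token_hex(4)
        t = i / BEACON_HZ
        beacons.append(Beacon(ident, t, start[0] + velocity[0] * t,
                              start[1] + velocity[1] * t, *velocity))
    return beacons


def capture(receivers, beacons):
    """Each roadside receiver records every beacon within radio range."""
    return {name: [b for b in beacons
                   if math.hypot(b.x - rx, b.y - ry) <= RECEIVER_RANGE_M]
            for name, (rx, ry) in receivers.items()}


def link_by_identifier(captures):
    """Naive adversary: pool all receivers' logs and group by identifier."""
    tracks = {}
    for log in captures.values():
        for b in log:
            tracks.setdefault(b.ident, []).append(b)
    return {k: sorted(v, key=lambda b: b.t) for k, v in tracks.items()}


def link_by_continuity(captures, max_error_m=5.0, max_gap_s=0.5):
    """Smarter adversary: ignore identifiers and, per receiver, chain beacons
    whose position matches the motion predicted from the previous beacon."""
    chains = []
    for log in captures.values():
        chain = []
        for b in sorted(log, key=lambda b: b.t):
            if chain:
                p = chain[-1]
                dt = b.t - p.t
                err = math.hypot(p.x + p.vx * dt - b.x, p.y + p.vy * dt - b.y)
                if dt > max_gap_s or err > max_error_m:
                    chains.append(chain)
                    chain = []
            chain.append(b)
        if chain:
            chains.append(chain)
    return chains


def span_m(track):
    """Straight-line distance between first and last sighting of a track."""
    return math.hypot(track[-1].x - track[0].x, track[-1].y - track[0].y)


def run_scenario(pseudonym_every=None):
    # Constructed scenario: one car at 30 m/s for 200 s; two receivers 4 km
    # apart, so positions between 1000 m and 3000 m are out of range of both.
    beacons = make_beacons("VIN-CONSTRUCTED-0001", (0.0, 0.0), (30.0, 0.0),
                           200, pseudonym_every)
    caps = capture({"rx_a": (0.0, 0.0), "rx_b": (4000.0, 0.0)}, beacons)
    by_id = link_by_identifier(caps)
    by_motion = link_by_continuity(caps)
    return {
        "identifiers_seen": len(by_id),
        "longest_track_by_id_m": max(span_m(t) for t in by_id.values()),
        "longest_track_by_motion_m": max(span_m(c) for c in by_motion),
    }


if __name__ == "__main__":
    print("fixed identifier:    ", run_scenario())
    print("pseudonym every 20 s:", run_scenario(pseudonym_every=20))
```

With the fixed identifier the two receivers' logs join into a single track of roughly 5 km, even though neither receiver alone can see more than 2 km of road. With the pseudonym the identifier-based adversary gets fragments of at most 600 m, and the two receivers' logs no longer join, because the identifier changed while the car was out of range of both. The continuity-based adversary is unaffected by the pseudonym: within a single receiver's coverage, a beacon 0.1 s later and 3 m further along is trivially the same car whatever identifier it carries. Changing the identifier therefore only protects the driver where the change happens out of an observer's view, which is why receiver placement and control (5b.v) matter as much as the identifier design (5b.i).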

c) These, and many more, design decisions for VSC technologies will be made in a variety of forums each with a variety of needs, abilities and agendas. Since VSC will have substantial effects on the lives of virtually everyone, it would be most desirable to have broad public participation in the processes that are defining the technology. Given that democratic participation in technological design remains a difficult ideal to attain, the involvement of scholars, such as myself, who are committed to value-sensitive design is imperative.

d) By working alongside the researchers and engineers designing and writing the standards for VSC applications, I am in a position to raise awareness of the value implications of their design decisions. The goal is to create innovative safety applications that increase traffic safety, but without violating the norms of personal information flow, that is, to maintain the value of "privacy in public."

                     © 2003 NYU Dept. of Culture & Communications