The Golden Gate Bridge is Watching You
Yesterday, the Golden Gate Bridge switched to all-electronic tolling. As of March 27, drivers entering San Francisco no longer have the option to pay the $6 cash toll to a human toll collector. Unfortunately, all of the bridge's electronic payment options track the identities of those paying the toll, and all represent a loss of privacy for visitors or commuters entering San Francisco by car. The current implementation of electronic tolling here (and elsewhere) is unnecessarily privacy-invasive and represents a missed opportunity to collect tolls electronically in more privacy-friendly ways.
Since March 27, motorists entering San Francisco have three different payment options. One option involves recognizing an RFID token in the motorist's vehicle, while the remaining two use a camera to photograph and recognize the license plate. (A cute new animation [YouTube link] from the bridge operator explains the options, though not their privacy consequences.)
- Motorists can sign up for a FasTrak RFID token, placed on the dashboard or under the windshield of their cars. The FasTrak system has operated for bridge-toll collection in California since 1997 and been available as an option for paying tolls on the Golden Gate Bridge since 2000. FasTrak subscribers must register an account (giving their legal names and license plate numbers, among other information) and obtain a token; as a car passes through the toll gates, an RFID reader detects the token's presence, reads its serial number, and debits the corresponding prepaid toll accounts. At the same time, a record is created in the FasTrak database.
- They can also create a "license plate account" tied to their license plate number, and pre-pay money into this account. When a motorist with no FasTrak token drives through the toll gates, a license-plate reading camera records an image of their license plate, recognizes the number, and causes the prepaid account to be debited.
- Motorists who haven't preregistered with either FasTrak or the license plate account system also have their license plates photographed as they pass through the toll gate. In this case, the Golden Gate Bridge toll operator will work with the Department of Motor Vehicles to send an invoice in the mail (akin to a parking or speeding ticket, but not including a fine or penalty). They must then pay the invoice by mail or online.
Yesterday's change involved phasing out the traditional cash payment option, and expanding the use of existing license-plate recognition technology. As the Wall Street Journal explained last year in an in-depth report, this technology has become widely used by police and law enforcement, municipalities, and even private companies. (Just on the other side of the bridge, beautiful Tiburon, CA, already uses license plate readers to track every car entering or leaving via the few roads leading in and out of town.)
The Golden Gate Bridge already had license plate readers in place, but in the past they were used only to ticket motorists who tried to evade tolls; now, they've been made a routine part of the toll-collection infrastructure itself. Though the physical infrastructure hasn't changed much, a significant shift has taken place in the purpose to which license plate recognition is being put—from a tool to catch a tiny minority of law-evaders to a routine, automatic part of the payment process. The privacy loss from creating a database of who crosses the bridge (and other toll roads and bridges across California) is considerable, though as the Journal noted, creating such records is only one example of "how storing and studying people's everyday activities,even the seemingly mundane, has become the default rather than the exception". Subpoenas to access FasTrak data for purposes other than toll collection have become a trend—even in contested divorce cases.
The tragedy in all of this is that most of these privacy harms could have been (and could still be) avoided while still achieving the benefits of electronic tolling. Toll collectors just need to decide that not collecting the identities of those who've paid their tolls should be a priority. At the simplest level, FasTrak could easily allow people to purchase prepaid transponders for cash at a kiosk or grocery store, and use them without registering them to a particular vehicle or name—just as the Bay Area's mass transit card, Clipper, does1. (There are a number of other privacy and security concerns about FasTrak, which is using a pretty basic technology, perhaps since its design has changed so little over the fifteen years it's been in use.)
There are also higher-tech privacy solutions available. David Chaum published a cryptographic technique thirty years ago that can be used for anonymous electronic payments with many of the properties of cash; dozens of refinements to Chaum's methods have been discovered in the meantime, and there's a thriving field of research on privacy-preserving electronic toll collection. Many modern designs allow much more complex forms of toll collection (like congestion and per-kilometer charges), yet without creating an extensive database of who went where when. Our 2009 white paper on locational privacy and transportation emphasizes some of the ways that technology can solve these problems without taking away the benefits of electronic payments—if transportation infrastructure providers and the public recognize that privacy needs to be protected.
UPDATE: An alert reader pointed out that FasTrak has a procedure for acquiring and activating a FasTrak token anonymously: it requires visiting the FasTrak Customer Service Center in downtown San Francisco in person (and periodically reloading cash value in person). FasTrak says
You can open your account with cash, money order, or cashier's check. A Representative will be able to open your account without requiring customer name, address or vehicle information. (If you try to open an account online, your name, address and vehicle information will be required.)
This option could benefit from much more publicity (and convenience). But thanks are due to FasTrak for offering it.
- 1. Clipper is a near-field communication system, not RFID, and stores more information on the card, but both systems work similarly for purposes of the present discussion. There's no fundamental reason that FasTrak transponders couldn't be purchased and refilled anonymously, just as Clipper cards can be. Some toll operators have used the license plate registration information to distinguish FasTrak-using drivers from non-FasTrak users. This allowed them to punish with an extra fine those who attempted to drive through a FasTrak toll lane without being FasTrak subscribers, without levying this fine on subscribers whose FasTrak devices simply failed to be read. The Golden Gate Bridge, however, abandoned this particular distinction yesterday and no longer distinguishes between FasTrak and non-FasTrak lanes, or imposes a fine on any driver for using the wrong lane.