Public Acceptance of V2V/V2I It’s a Matter of Trust Claire W. Barrett July 16,

Transportation Challenges Safety 33,561 highway deaths in ,615,000 crashes in 2012 Leading cause of death for ages 4, Safety 33,561 highway deaths in ,615,000 crashes in 2012 Leading cause of death for ages 4, Mobility 5.5 billion hours of travel delay $121 billion cost of urban congestion Mobility 5.5 billion hours of travel delay $121 billion cost of urban congestion Environment 2.9 billion gallons of wasted fuel 56 billion lbs. of additional CO 2 Environment 2.9 billion gallons of wasted fuel 56 billion lbs. of additional CO 2

3

The Challenge Characteristics Data exchange between vehicles without pre- existing relationship No impact on vehicle design New entrants Dynamically changing technology Predicates Data confidentiality Data integrity Authentication Non-repudiation Authorization 4

ITS Privacy Considerations ITS operations contingent up “vehicles” broadcasting signals indicating location, signals which are intended to be received and understood by a range of other devices. If entities are able to locate and track specific vehicles. Is ITS location information “personal information”? – Link location data to unique vehicle identifier (or series of identifiers) – Link ITS signal to registered vehicle and subsequently registered owner What is at stake? – Present location – Historical location – Behavior patterns Likelihood of Risk & Harm? – Degree of annonymization – Business operations controls Collection Retention Linking – “System” roles Certificate holders Opt-in / Informed Consent – Consumer chooses to engage/deploy ITS technology – Consumer affirms acceptance of privacy risk prior to any information collection/use Opt-out / Implied Consent – ITS capabilities are installed and operational in vehicle by default – Consumer must make active decision to disengage ITS functionality Consumer may not be as aware of their available choices and the resultant privacy implications – Sufficient when the government's interests in preventing injury, property damage, and loss of life on roadways are served by the practice – Usually must allow for individuals to opt-out of such programs and requires that members of the public be made reasonably aware of to what they are tacitly consenting. Mandatory model – Sufficient when the government's interests in preventing injury, property damage, and loss of life on roadways are served by the practice 5

ITS Privacy Law No federal laws that specifically protect an individual's locational information – Driver's Privacy Protection Act of 1994, Protects personal information collected by departments of motor vehicles Proposed laws – Geolocational Privacy and Surveillance Act Require law enforcement to get a warrant before using locational technology to track an individual's location – Location Privacy Protection Act of 2011 Presumptively illegal for non-government entities to collect an individual's locational information absent consent. States with statutes that require disclosure of data tracking devices that are included in cars by auto manufactures – Maine, Colorado, California, and New Hampshire – Virginia (Va. Code § (C)(s), § ,§ ,§ )Va. Code § (C)(s) § § § requires an owner's consent for any device that collects electronic information from a car, not just from those devices installed by an auto- manufacturer, except in selected circumstances generally prohibits insurers from treating consumers differently, if they refuse to provide the insurer ITS generated data. Current law typically places much greater restrictions on the collection and use of personally identifiable data by the public sector, than by the private sector. – Who is collecting and/or using the information gathered by an ITS application often dictates the level of privacy protections triggered. 6

Consumer Privacy Bill of Rights Individual Control – Consumers have a right to exercise control over what personal data companies collect from them and how they use it. Transparency – Consumers have a right to easily understandable and accessible information about privacy and security practices. Respect for Context – Consumers have a right to expect that companies will collect, use, and disclose personal data in ways that are consistent with the context in which consumers provide the data. Security – Consumers have a right to secure and responsible handling of personal data. Access and Accuracy – Consumers have a right to access and correct personal data in usable formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data is inaccurate. Focused Collection – Consumers have a right to reasonable limits on the personal data that companies collect and retain. Accountability – Consumers have a right to have personal data handled by companies with appropriate measures in place to assure they adhere to the Consumer Privacy Bill of Rights. 7 Applies to personal data, which means any data, including aggregations of data, which is linkable to a specific individual. Personal data may include data that is linked to a specific computer or other device. Consumer Data Privacy in a Networked World

Federal Trade Commission Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a)(1) (2011), prohibits – “unfair or deceptive acts or practices‘ and most states have analogous consumer laws. Active in regulating companies' privacy notices to consumers about how they collect and use consumer data, including locational data. "Protecting Consumer Privacy in an Era of Rapid Change: Recommendations For Businesses and Policymakers,“ Privacy by Design - companies should build in consumers' privacy protections at every stage in developing their products. These include reasonable security for consumer data, limited collection and retention of such data, and reasonable procedures to promote data accuracy; Simplified Choice for Businesses and Consumers - companies should give consumers the option to decide what information is shared about them, and with whom. This should include a Do-Not-Track mechanism that would provide a simple, easy way for consumers to control the tracking of their online activities. Greater Transparency - companies should disclose details about their collection and use of consumers' information, and provide consumers access to the data collected about them 8

Responding to the Challenge The system will NOT – collect or store any data on individuals or individual vehicles – Include data in safety messages or security system that could be used by law enforcement to identify speeding or erratic driver – Permit tracking though space or time vehicles linked to specific owners/drivers/persons – Collect financial information, personal communications, or other information linked to individuals. – Require collection any information identifying specific vehicles or owners for automatic enrollment – Provide a “pipe” into the vehicle for extracting data. Will enable NHTSA and motor vehicle manufacturers to find lots or production runs of potentially defective V2V equipment without use of VIN numbers or other information that could identify specific drivers or vehicles. There is space for VIN in the proposed SAE standard – but DOT will likely proposed that the mandated message not include it, and furthermore is considering proposing to prohibit manufacturers from including VIN or and data personally identifying the driver or owner in V2V messages broadcast via mandated DSRC – Emergency and commercial/fleet vehicle exception – Rulemaking Research/Public Engagement – Location tracking and re-identification – Privacy risk – Privacy Impact Assessment 9

Contact Info Claire W. Barrett DOT Chief Privacy & Information Asset Officer Office of the Chief Information Officer Office of the Secretary US Department of Transportation