The transportation revolution is on its way. In fact, it’s already here. Partially automated vehicles (AVs) are on the nation’s roadways right now, connected vehicles (CVs) are just around the corner, and autonomous vehicles may not be far behind.
Standards and policies are evolving as well. For example, the National Highway Traffic Safety Administration is preparing to mandate CV hardware on all new light-duty vehicles. But linking both normal vehicles and AVs into the CV system — and, in turn, to the roadway infrastructure — is a challenge that has many states scratching their figurative heads. In order for public policy to advance hand in glove with developing technologies, policy makers must first be aware of how these technologies could change the nature of the transportation system.
“We’re working to provide that understanding,” says Texas A&M Transportation Institute (TTI) Senior Research Engineer Ginger Goodin. Goodin directs TTI’s Transportation Policy Research Center (PRC), which supports the Texas Legislature by researching and reporting on transportation-related public policy issues. “We can help lawmakers understand the capabilities and limitations of technology in order to craft the best policy possible for the people of Texas.”
Defining Security Concerns for CV/AVs
Securing the data enabling connected and automated vehicles to safely reach their destinations is a primary concern.
“It’s not just a question of finding the right technology to guarantee data security,” explains TTI Associate Transportation Researcher Jason Wagner. “Good policy creates a hospitable environment in which effective security administration can thrive. The policy has to support the right solution to make it work.”
The issues surrounding CV/AV data security are varied and complicated. As Wagner notes in the report Revolutionizing Our Roadways: Cybersecurity Considerations for Connected and Automated Vehicle Policy, there are important questions some agencies simply aren’t looking at. Security designs and policy considerations related to transportation infrastructure and non-safety applications are two such areas. Wagner, along with ITS security specialists from Booz Allen Hamilton, developed the white paper outlining detailed considerations that can help direct future research and analysis, as well as frame policy considerations, as CV/AV deployment moves forward.
Concerns regarding system design, governance and administration, standards development and data systems interoperability, how CV/AV security issues interrelate, and how the transportation system can address system security (and who’s responsible if that fails) are just some of the broad-stroke questions identified in the report.
“Good policy and administration create the context for keeping information secure,” explains Wagner, “but there’s also the related, almost inseparable issue of maintaining privacy for the individual citizen. How do we monitor, manage and ensure the system functions optimally and securely while balancing the need to protect drivers’ privacy?”
Determining the Need-to-Know Basis
Maintaining the privacy of personally identifiable information (PII) is currently a hot topic in policy discussions, as evidenced by the 2015 Texas legislative session. Legislators introduced seven measures addressing the protection of PII in one form or another. Since the lifeblood of CV/AV implementation is information management, how these data are handled can influence how private they’re kept.
The study Revolutionizing Our Roadways: Data Privacy is separate but related to the effort investigating security concerns. The PRC study’s report, which Wagner coauthored with RAND researcher Karlyn Stanley, focuses specifically on defining the privacy issues surrounding CV/AV implementation.
“Personal information is a valuable but challenging tool to use,” explains Wagner. “As it becomes omnipresent, its research and application value can increase, but so do the chances for its misuse. Carefully crafted public policy and vigilance in administration are needed to ensure individual privacy.”
The most important PII considerations as outlined in Wagner’s report are the following:
- Different areas of state and federal law define PII in different ways. There’s no consistent statutory standard or treatment for personal, private or sensitive information.
- Anonymization — the process of stripping names and other identifiers from data to preserve their anonymity — was found inadequate in a recent Massachusetts Institute of Technology study; this has broad implications since many organizations rely on anonymization as a cornerstone for their data privacy protection.
- Who owns vehicle data? The general public might assume people own their personal data, but stakeholders — from private companies to public agencies — disagree. Who owns personal data can directly impact how they’re protected and who can see what when.
- Those who can profit from certain data — insurance and telematics companies, for example — are rushing to do just that. Not only will those interests have concerns about how the data are regulated legally, but business often gets ahead of policy when the bottom line is at stake.
- The amount of data AVs and CVs generate will be huge. State agencies, which will likely play a role in managing these data, are not yet prepared for the amount they’ll need to manage to keep an information-driven transportation system operating smoothly and safely.
“Outlining these issues for policy makers is a perfect role for PRC,” says Goodin. “Good policy founded upon solid, independent research will help smooth the anticipated transition to an automated, connected transportation system for Texans in the coming decades.”