Toll Roads Going Electronic, Raising Privacy, Security Issues

Man-operated toll booths, though not this bullet-riddled one from the death of Sonny Corleone in 1972’s “The Godfather,” have given way to technologies that now raise privacy issues. Credit: Paramount Pictures.

By Rob Sabo

The death of fictional New York mobster Sonny Corleone in “The Godfather” is perhaps the most famous movie scene involving a toll booth in American cinematic history.

But this month, such settings will be relegated to history — as toll booths along the 420-mile New York State Thruway system go dark in favor of electronic tolling monitors.

More than 267 million drivers use the system each year, according to the New York State Thruway Authority (NYSTA). But that’s a fraction of the drivers who use the interstate E-ZPass program.

Established in 1987, E-ZPass is the world’s largest electronic-tolling authority, with more than 25 million accounts operating across 18 Eastern and Midwestern states.

More than 41 million E-ZPass tags were in use last year — and the E-ZPass Interagency Group, based in Wilmington, Del., reported that it collected more than $11.2 billion annually in electronic toll revenues.

Electronic toll organizations in the U.S., more broadly, do not function as a singular entity. Each managing organization is responsible for its own data-security measures and standards.

Currently, 42 states use some form of toll organization or facility, according to the National Conference of State Legislatures.

Privacy Issues, Including PII

Still, the use of electronic-tolling services raises privacy concerns about the possibility of tracking or monitoring driver movements as they pass tolling stations, as well as security concerns about the personally identifiable information (PII) required to establish prepaid accounts with tolling organizations.

“Without protections, electronic tolls could enable the state and anyone the state decides to share toll information with to track someone’s travel habits, which raises serious Fourth Amendment concerns,” wrote David McGuire, executive director of the ACLU of Connecticut.

Last year, McGuire testified against any form of highway tolling before the Connecticut Transportation Committee.

He said data captured by automatic license-plate readers could paint a picture of drivers’ location, along with the date and time they passed under sensors.

This ever-growing pool of information can be used to determine driver travel patterns, with few rules about how that data is protected or shared.

How It Works

Toll data is collected in two ways: from transponders or RFID-enabled stickers on driver windshields, or from overhead cameras that scan the license plates of vehicles that aren’t equipped with tolling devices.

For the latter, toll agencies turn to state motor vehicle offices to determine the registered owner of the vehicle so they can bill them.

Connecticut and Vermont are the only two states in New England that have not implemented any form of highway tolling. The Connecticut proposal to initiate tolling died last year in the state Legislature.

Overhead cameras on toll roads in Orange County, Calif., obtain data from transponders in driver cars or take pictures of license plates of cars that lack the devices.
Credit: Toll Roads of Orange County.

In his testimony against the measure, McGuire said that automatic license plate readers (ALPRs) could enable governments to track and monitor driver habits.

“When an ALPR system captures an image of a license plate, it also tags each file with the time, date and GPS location of the photograph,” McGuire told the state panel.

“Connecticut tolls would capture sensitive information about millions of drivers — things like date and time of travel, GPS location and vehicle speed — and store it in a central database,” he added.

“Without rules to restrict how the government stores, collects, shares, sells or keeps this information, it could be used to hurt millions of innocent people who travel through our state.”

How Data Is Transmitted

Misconceptions abound about the data that’s transmitted when vehicles activate toll sensors, California’s Rick Carrier told Digital Privacy News.

Carrier is the interim chief toll operations officer for the Transportation Corridor Agencies-The Toll Roads of Orange County.

The entity manages 51 miles of four state highways accessed by more than 250,000 drivers every day. Tolls are collected by ALPRs mounted on overhead gantries.

Toll transponders inside vehicles have a unique number encoded on a chip embedded in the transponder, Carrier said. When transponders go under an antenna at a toll station, the antenna interacts with the transponder, returning the unique number and automatically collecting the toll.

“We don’t have any information about the car or who is driving it,” he said. “All we have is a unique number.

“If the transponder isn’t read, then we capture the license plate.”

While the information exchange between transponders and antennas is not encrypted, Carrier said the information is encrypted as it’s sent from antennas to lane-controllers, and then from lane-controllers to the organization’s back office.

To travel this system, drivers do not need to create an account. Motorists have five days to pay for the right of using the highways through the Toll Roads website or they receive a violation notice.

Length of Data Storage

The Toll Roads stores data from transactions for 18 months to 54 months before deleting it, Carrier said, with some caveats: Retention depends on the nature of the transaction.

Data from transactions with valid transponders is housed for 18 months, while data from activity involving license-plate captures can be housed for up to 54 months — depending when or if the transaction is resolved.

“When we capture your license plate, we go to the DMV and get the registered owner’s name and address and send them a violation,” Carrier told Digital Privacy News. “We keep that information until the transaction is resolved.”

But consumers should be more concerned about the data toll agencies require to sign up for an account, Carrier said.

That includes name, address, telephone number, email address — and credit-card information that is kept on file for prepaid accounts. Orange County’s operation does not store credit-card numbers, Carrier added. 

“We have almost 2 million accounts, but we have zero credit-card numbers in our database,” he told Digital Privacy News.

Other Security Steps

The Toll Roads system goes to great lengths to protect that vast pool of PII data, Carrier emphasized.

The organization is a Level 1 merchant with the Payment Card Industry (PCI) Security Standards Council, meaning that Toll Roads processes more than 6 million transactions annually.

Based in Wakefield, Mass., PCI was founded in 2006 by American Express, Discover, JCB International, MasterCard and Visa to enhance payment-account and data-security standards.

Security measures are audited annually by an external PCI examiner in a process that runs from June through September. It’s a pass-fail audit.

“There are over 300 items the auditor looks at, from network segmentation to policies and procedures,” Carrier said. “They dig deep.

“You have to get them all right, or you are wrong.”

How New York Does It

The NYSTA’s conversion from toll booths to electronic tolling required more than 2,000 sensors and cameras mounted on massive steel gantries spanning main highways and key entrance and exit ramps.

Work on the $355 million project began last fall.

Sensors along the Thruway scan motorists’ E-ZPass transponders for automatic payment, while cameras record the plates of vehicles without E-ZPass accounts so the authority can bill them by mail.

The use of electronic tolling services requires a tradeoff of privacy for service, said Larry Pang, head of development for the Silicon Valley platform IoTeX.

“People think about privacy as a luxury, but it should be a human right,” Pang told Digital Privacy News.

“People are jaded by these great user experiences that are offered today — but shifting the social contracts that state, ‘You must give up this for me to give you that’ needs to be limited to very scoped and verifiable uses of our data.”

In Florida, which created its SunPass system in 1999, user PII is protected under the state’s public records law, said Angela Starke, communications director for Florida’s Turnpike Enterprise, the tolling arm for the Florida Department of Transportation.

“Personally identifying information of SunPass account holders can only be obtained by persons outside of the department or authorized law-enforcement agencies by subpoena or court order,” she told Digital Privacy News.

“The department may share certain SunPass account information with operators of other toll facilities for toll payment, collection and notice purposes — and (those) operators are required to observe all applicable laws regarding the disclosure of such information.”

Multiple Transponders

Since the nation’s toll agencies operate independently from one another, drivers can’t use one single account to travel throughout the country.

A Florida SunPass account, for instance, is recognized by Georgia’s Peach Pass and North Carolina’s Quick Pass, and Quick Pass is compatible with E-ZPass, but none will work with California’s FasTrak or Texas’ TxTag.

That’s why interstate truckers have multiple transponders on their dashboards, Orange County’s Carrier said.

While multiple accounts may create multiple opportunities for data misuse, toll agencies strive to keep customer PII safe, he added.

“We know customers entrust us with a fair amount of data — and it’s on us to safeguard that data,” he told Digital Privacy News.

“We’ve never had a breach — and I don’t think we ever will, due to the thoroughness of that PCI data-security standard.”

Rob Sabo is a Nevada writer.

‘It Isn’t All About Technology’

Even the most stringent data-security measures aren’t 100% foolproof — and the liabilities of hacked or leaked data eventually could outweigh any potential benefits, experts told Digital Privacy News.

Larry Pang, head of development for the IT platform IoTeX in Silicon Valley, said the real question is not whether tolling organizations were capable of building robust systems to protect users’ personally identifiable information, but whether the model of third-party institutions acting as centralized data custodians remained viable.

“The world’s largest organizations invest billions into tech R&D and still get hacked because the threat landscape is ever-evolving,” Pang said. “The countless headlines regarding ‘inside jobs’ and ‘social engineering attacks’ prove it isn’t all about technology.

“Holding users’ data is shifting from being an asset to a liability,” he added.

“Rather than institutions being a custodian for users’ data, users can get what they want by owning their own information and presenting it as authorization to any institutions or people as they see fit.”

— Rob Sabo
