
Before the
NATIONAL HIGHWAY TRAFFIC SAFETY ADMINISTRATION
Washington, D.C. 20590

Docket No. NHTSA-2002-13546

COMMENTS OF THE ELECTRONIC PRIVACY INFORMATION CENTER

February 28, 2003

The Electronic Privacy Information Center (EPIC) respectfully submits these comments on the National Highway Traffic Safety Administration (NHTSA)'s role in the development and installation of Event Data Recorders (EDRs), or "black boxes," in motor vehicles. Our comments focus on the privacy implications of EDR technology. We recommend that, in order to respect the privacy interests of drivers, the collection of driving-related information through EDRs must follow Fair Information Practices, including obtaining unambiguous or "opt-in" choice from drivers to collect such data. With respect to the proposed EDR database compiled by NHTSA, we recommend that in addition to complying with the letter and spirit of the Privacy Act of 1974, any such database be constructed with the goal of preserving the privacy of drivers so that only aggregate information is collected and made available to third parties.

EPIC is a non-profit research and educational organization that examines the privacy and civil liberties implications of emerging technologies. Our experience in the field has shown that the most effective way to tackle emerging threats to privacy posed by new technology is to craft strong, technologically neutral standards to protect the privacy interests at stake. The comments focus on the key privacy issues implicated by the use of EDR technology and suggest a policy framework of Fair Information Practices to effectively protect the important interests at stake.

Event Data Recorders

Event data recorders (EDRs) are electronic "black boxes" that collect and store information about the operation of a motor vehicle. The data recorded might include the date, time, velocity, direction, number of occupants, airbag data, and seat belt use. The devices might even include location data, which would raise additional significant privacy issues. In addition, there are open questions about how the data can be accessed, recorded and transmitted.

There are several different types of EDRs in the market ranging from the Vetronix system, which is installed in cars produced by General Motors, [1] to the more elaborate MacBox system currently being tested by the Drive Atlanta project at the Georgia Institute of Technology. Each type of device collects different kinds of data for different purposes. The NHTSA has attempted to limit the definition of EDRs in the request for comments, but this does not address the public concern about these devices, as the different types of EDRs are available in the market. Any limitation of the purpose of EDRs must be part of a broader privacy protection framework as we argue below.

Advocates of EDR technology suggest that the information might be useful in accident reconstruction and developing safer vehicles through "real world" testing. Insurance companies want the data to settle claims expeditiously. These companies, along with car rental agencies and others, have also demonstrated interest in obtaining this data in support of efforts to control driving behavior through surveillance.

The former head of NHTSA, Dr. Ricardo Martinez, who now runs Safety Intelligence Systems Corporation (SISC), wrote a letter asking NHTSA to consider mandating the use of EDRs. SISC, which was formerly Loss Management Systems, Inc., aims to find cost effective ways to service insurance claims and simplify investigation and litigation procedures. It has entered into a partnership with IBM and the Insurance Services Office, Inc. to promote a global auto-crash database that envisions a point where "information can be automatically and instantly transmitted from cars" to a centralized database. [2]

SISC supports the MacBox technology behind the Drive Atlanta program at Georgia Institute of Technology. The project also receives funding from NHTSA. The MacBox records location data, voice, and video images of a vehicle in addition to information about the vehicle's operation. It also uses Global Positioning System (GPS) and cellular technology to transmit information about the car back to a central command center. One of the principal researchers behind the project, Dr. Jennifer Ogle, co-authored a paper discussing the potential use of EDR technology in insurance. [3] The study examined the use of variable insurance premiums designed to "discourage risky driving behavior." The report says that, "For example, premiums may increase significantly for vehicle activity above 65 mph, accelerations over 8 mph/second, etc." The system also tracks how much a person travels to adjust insurance premiums accordingly. The aim is to both punish driving patterns that are considered to be "risky" and to modify driving behavior through the constant surveillance enabled by EDR technology.

Clearly the privacy implications of such a monitoring program are significant. The project currently is being tested with volunteers who are fully apprised of the technology and have consented to being monitored. If EDR technology is mandated by the NHTSA or becomes required through the coercive pricing of insurance rates, there needs to be a very strong set of privacy safeguards established to protect the interests of drivers before any such technology becomes widely deployed.

[1] Timothy Staab, Black Box Technology and GM Vehicles, Delta Analysis, at http://www.deltacrash.com/article.htm
[2] IBM, Insurance Services Office, and Safety Intelligence Systems Corporation Press Release, available at http://www.accidentreconstruction.com/news/apr02/041702a.asp
[3] Commuter Choice And Value Pricing Insurance Incentive Program, available at http://www.hhh.umn.edu/centers/slp/projects/conpric/projects/gawk.pdf

Significance of Automobile Privacy in American Culture

Over the past century, ownership of automobiles has expanded from being the privilege of the very elite to becoming essential to the transportation and livelihood of most Americans. Regulating the use of automobiles has become crucial to safety on roads, but along with these regulations, the regulation of private uses of automobiles presents risks to individual privacy. Any intrusion on automobile use has been predicated on the government articulating public safety goals. The use of EDR technology must follow a similar model where any public safety goal is first proven to be necessary and effective and then must be used only in a manner that minimally infringes on the rights of individuals.

Creating A Fair Information Practices Privacy Architecture

The privacy issue concerns not just who "owns," i.e. controls the use of the data (which should be the operator of the vehicle), but the entire set of information practices, including how the data is collected, processed, transmitted and stored. The Organization for Economic Cooperation and Development (OECD) developed robust Privacy Guidelines in 1980, which have been adopted by several countries, government agencies, and corporations. These guidelines would provide an effective framework for addressing the privacy issues surrounding EDRs as they provide strong, technologically neutral privacy rules. The Guidelines incorporate eight core principles:

1. Collection Limitation Principle: There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.

2. Data Quality Principle: Personal data should be relevant to the purposes for which they are to be used, and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date.

3. Purpose Specification Principle: The purposes for which personal data are collected should be specified not later than at the time of collection and the subsequent use limited to the fulfillment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose.

4. Use Limitation Principle: Personal data should not be disclosed, made available or otherwise used for purposes other than those specified in accordance with Purpose Specification Principle except:
   (a) with the consent of the data subject; or
   (b) by the authority of law.

5. Security Safeguards Principle: Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification or disclosure of data.

6. Openness Principle: There should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller.

7. Individual Participation Principle: An individual should have the right:
   (a) to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him;
   (b) to have communicated to him, data relating to him within a reasonable time; at a charge, if any, that is not excessive; in a reasonable manner; and in a form that is readily intelligible to him;
   (c) to be given reasons if a request made under sub-paragraphs (a) and (b) is denied, and to be able to challenge such denial; and
   (d) to challenge data relating to him and, if the challenge is successful, to have the data erased, rectified, completed or amended.

8. Accountability Principle: A data controller should be accountable for complying with measures, which give effect to the principles stated above.

There are different EDRs in the market that collect varying amounts of information. A clear purpose specification, for example, would determine what information needs to be collected and would limit the uses of the data for surveillance. There need to be clear guidelines for how the data can be accessed and processed by third parties following the use limitation and openness or transparency principles. Similarly, the data quality principle and the security principle provide guidance on the standards for protecting transmission of the information from the vehicle and how the data should be handled to ensure that there is a robust audit trail. The NHTSA needs to conduct further analysis to develop appropriate guidelines following the Fair Information Practices framework. Even if the NHTSA were not to mandate the use of EDR technology, it should consider developing such a framework for vehicles that do have EDR installed.

The Deutsche Akademie Fuer Verkehrswissenschaften (German Academy of Traffic Science) has recently released a report on the use of black box data in German courts. [4] The document proposes limits on the collection of information for purposes such as reconstruction of accidents in civil and severe criminal cases, and grants control of the data to the vehicle operator. NHTSA might consider the German approach, and also build on the experience and expertise of the international community in EDR technology while building its own privacy framework.

[4] German Academy of Traffic Safety Report is available at http://www.deutscheverkehrsakademie.de/pdf/empfehlungen_2003.pdf

Proposed NHTSA Auto-Crash Database

The NHTSA should follow the letter and spirit of the Privacy Act of 1974 in developing the auto-crash database. We plan to submit comments on the Privacy Act notice, if and when it becomes available. The proposed nationwide database of auto-crash data should respect the privacy interests of drivers by containing only de-personalized information about automobiles in the event of an accident. The privacy of drivers should be protected using Privacy Enhancing Technologies (PETs) during the collection stage, rather than later at the processing stage, where, although a database administrator might choose to withhold that information, it might still be subject to disclosure. If a particular person is identified with a record, there must be strict guidelines for giving access to that information following the Privacy Act.

Conclusion

NHTSA must not mandate the use of black box technology without ensuring that strong privacy safeguards are in place to protect the interests of drivers. Indeed, strong privacy safeguards might further any public safety interests the agency has in EDR technology, by promoting adoption of the technology by drivers who do not feel the presence of these devices is a risk. EPIC encourages the agency to engage in further public discussions to develop a Fair Information Practices framework to cover the use of automobile black boxes. We would be happy to participate in such discussions.

Respectfully submitted,

Mihir Kshirsagar, Policy Analyst
Electronic Privacy Information Center
1718 Connecticut Ave NW, Suite 200
Washington, DC 20009