FAQ: (Data) security and privacy

Transcription

1 Shockwave Traffic Jams A58 FAQ: (Data) security and privacy The strength of the shockwave traffic jam service developed in the project Shockwave Traffic Jams A58 is that the participants receive customized in-car advice. However, this personalized service requires a lot of data. This involves highly specific data about the participants vehicles, for example: their location, speed, direction, etc. Which issues come into play here in terms of (data) security and privacy? And how does Shockwave Traffic Jams A58 deal with those issues? About Shockwave Traffic Jams A58 The Province of Noord-Brabant is the contracting authority for the project Shockwave Traffic Jams A58, which is part of the Ministry of Infrastructure and the Environment s programme Beter Benutten (Optimising Use). In this project, businesses, government and knowledge institutions cooperate to introduce cooperative systems and services. To this end, 34 roadside beacons equipped with WiFi-P have now been installed along the A58 motorway between Tilburg and Eindhoven. With suitable equipment, they enable wireless communication in passing cars. The first service to run on this system is the shockwave traffic jam service: based on detailed information about congestion and shockwave traffic jams along the test route, participants receive personalized in-car speed advice. This enables them to better anticipate situations ahead that are not yet visible, enabling them to move through the traffic quickly and more easily. (DATA) SECURITY Which issues come into play in terms of (data) security? When data are used, and certainly when they are transmitted, three types of data security threats come into play. The first involves the question of whether the authenticity is safeguarded. For example: as the user of an in-car service, can I trust that the information on the screen of my device truly originates with my service provider? 1 Secondly, there is the issue 1 Of course, the other parties involved in the chain face similar problems - for example, the service provider itself (do the data that are fed back to the service provider really come from its users?), the traffic control centre, etc. Here, only examples with the end user are discussed.

2 of integrity. Is the advice appearing on my screen correct? Have the data been knowingly or unknowingly changed? And thirdly, there may be concerns regarding the availability. Will the service be available when I want to use it? Or will there be a problem, somewhere in the chain, with collecting or sharing data, and will that lead to a breakdown of the service? 2 Can these issues be prevented? There is no such thing as 100% (data) security. Accordingly, the aim of security measures is to reduce risks to an acceptable level. What is acceptable will differ for each individual application. Obviously, a service that takes over some or all of the task of driving entails greater risks and must therefore be secured much more tightly than a service that only provides information or advice. What are the specific security risks in the project Shockwave Traffic Jams A58? Those risks are small, because the service being offered is an advisory service. The worst thing that can happen is wrong advice being displayed on the screen of the device in the car (e.g. advice to reduce speed while that is not necessary), or that no advice whatsoever is shown for a brief period. In both of these cases, the driver will be in the middle and quite able to take his own decision. Such problems are undesirable, obviously, if only because each issue is harmful to the trust placed in - and by the same token: the success of - the cooperative system and the shockwave traffic jam service. Which (data) security approach was chosen for Shockwave Traffic Jams A58? Shockwave Traffic Jams A58 is a joint development and test project for ITS. This is why it was decided to acquire experience with sophisticated (data) security measures. These are suitable for the shockwave traffic jam service but are meant in particular for the future and for services yet to be developed. The most important measure is that all communication transmitted by roadside stations and cooperative equipment in vehicles is digitally signed. This guarantees the integrity and authenticity of the communication - in other words, it ensures that the data are, in fact, sent on by and originate with a reliable source without being changed. The signing and verification process is called Public Key Infrastructure, or PKI (more details are given below the next question). To maintain optimal availability, the Shockwave Traffic Jams A58 system runs on quality servers with high uptime. How does this PKI system work? Every system in Shockwave Traffic Jams A58 that transmits wireless messages - i.e. the 2 The security issues regarding data storage - are the data inaccessible to unauthorized parties? are discussed in the section about Privacy. 2

3 roadside beacons and the cooperative devices in the vehicles - gets two types of digital keys : secret keys for those beacons and devices, and a public key that is accessible to anyone via a database. The issue and registration of the sets of keys is closely supervised. Let s say a service provider wants to transmit speed advice. Prior to transmission, the service provider signs this message with his secret key: based on the content of the message, the key generates a digital signature. As soon as a cooperative device in a car receives this speed advice, it will look for the public key of the transmitting roadside beacon. This public key can be used to verify the signature under the message: was that signature in fact generated with the proper secret key (= is the sender who it says it is), and does it match the content of the message? If an OK comes back, the cooperative car device knows that both authenticity and integrity are okay. If a false comes back, then either the sender is not who it says it is or the message has been altered. Does the PKI system in Shockwaves Traffic Jams A58 use encryption to render messages unreadable? No, it does not. The reason is very simple: at the heart of a cooperative system lies cooperation and the free exchange of data between the various components within the system (i.e. between the car devices themselves, and between those devices in the cars and the roadside beacons). Data encryption is diametrically opposed to that principle and, moreover, serves no purpose whatsoever for a collective application like speed advice. For example, this means that speed advice from the service provider or location and speed data from the vehicles can be read in principle by anyone. This does not pose any problem for security as long as no incorrect or unwarranted messages are sent - but it does raise some privacy issues, of course. For this, see the section Privacy further down. What about (data) security when more services become available on the cooperative system? Whether the existing measures still adequately address any (new) risks will have to be determined with each new service. Where necessary, additional security will need to be provided. PRIVACY Which issues come into play in terms of privacy? Data are collected and stored about the individual cars, for example, such as their location and time. Certain information is also shared with third parties. These are the first risks: are the data inaccessible for unauthorized parties and is it ensured that no privacy-sensitive information is shared? Then there is the fact that the communications are not encrypted, for the sake of the open and collective nature of the cooperative system. Theoretically, this means that someone else could also receive and read the messages. 3

4 How are the privacy risks of storing and sharing (vehicle) data minimized? All the source data collected for the project Shockwave Traffic Jams A58 are stored on servers in server parks, which are tightly secured, both physically and digitally. In terms of traffic information, the collected data are interesting for third parties because they provide a detailed picture of the speed and stability of traffic flows, for example. To prevent third parties from being able to zoom in on individual cars, the data are only offered in aggregated form. However, as it is virtually impossible to aggregate all the different starting points and destinations, the head and tail of each individual trip can be removed. This way, no information about individual trips can be shared. All messages can be intercepted and read. What are the resulting, specific privacy risks and how are they countered? There are no privacy issues attached to the data distributed by service providers via the roadside systems: those data concern speed advice and warnings similar to the ones that can be shown on variable message signs. This is different with the data trail left behind by the on-board units. Even though each separate message presents no problems a certain vehicle A was driving at location x at point in time t it would be a problem if all communications from a cooperative vehicle were intercepted and projected on a map: this would reveal a route. This would allow insight into the travel behaviour of individual vehicles (and thus of the user/driver). While that risk does not seem very large, the cooperative system of Shockwave Traffic Jams A58 is already prepared for tight measures that will tackle this problem. For example, the onboard units have various digital identities for signing the messages. Using multiple identities makes it much harder for third parties to recognise a sender based on the messages sent. The on-board units can change their unique ID ( MAC-address ) every five minutes, meaning that they never transmit the same ID for longer than a few consecutive minutes. 3 The cooperative system itself will not know which ID belongs to which vehicle, either, in that event. In its turn, this makes it impossible to follow the on-board units themselves. What about privacy when more services become available on the cooperative system? That will need to be examined for each new application: which (new) data are collected, stored and shared, and to what extent does this present a (new) privacy risk? With the current system of secure data storage and aggregating data, a solid foundation has already been laid for the protection of privacy. In addition, the cooperative system is already prepared for the removal of trip heads and tails and for changing MAC-addresses, which steps up privacy protection quite considerably as well. 3 Many devices have a fixed MAC address, but the on-board units do not. That has everything to do with the communication technology used (WiFi-P), which is based on connectionless communication. Contrary to mobile communications, messages are only sent, so there is no need to establish a connection. That makes it easy to switch IDs. 4

5 Security and privacy measures according to European standards All (data) security and privacy measures applied in the Shockwave Traffic Jams A58 project dovetail with European frameworks as adopted by ETSI, the European Telecommunications Standards Institute. Accordingly, rather than creating new concepts, the Shockwave Traffic Jams A58 project has translated existing concepts into practice. Valuable knowledge and experience has been gained in the process: many of the concepts had not been applied on such a large scale. Obviously, being in line with existing concepts and agreements is important with a view to the future. If extra security and privacy measures become necessary because more extensive applications are introduced, the security and privacy system from the Shockwave Traffic Jams A58 project will not need to be fully adapted. In that event, the existing system can easily be expanded. 24 May 2016 More information: Trudy van de Westelaken, communication advisor for the Shockwave Traffic Jam A58 project: info@spookfiles.nl. 5