Toll payment devices used to track vehicles on toll-free roads
Public records obtained by the ACLU from New York City and State agencies have confirmed the extensive use of RFID readers to track RFID toll payment devices on streets and roads where there are no tolls.
The ACLU’s report on the responses to its public records requests speaks for itself, but raises more questions about where else, by which government agencies, and for what purposes motor vehicle movements are being tracked, and whether vehicles without these RFID toll payment devices are also being tracked.
In New York, toll-tag RFID readers were systematically deployed on toll-free city streets for traffic monitoring. By logging the time and a unique vehicle identifier (broadcast by the RFID toll tag) for each vehicle passing each set of sensors, the system can calculate the most recent travel times between any tow sets of sensors. That’s what’s used (at least in New York City) to generate the travel times displayed on road signs, and for other traffic management and traffic signal control optimization purposes.
The problem is that measuring the time required for an individual vehicle to travel between any two points in the road network requires uniquely identifying each vehicle and logging the time it passes each sensor. It’s unclear from the documents obtained by the ACLU how long these logs are retained, to whom they are accessible, or how they are used.
The E-ZPass toll tags used in New York and other states in the Northeast and Midwest use the same long-range RFID technology, with the same potential for surveillance use, as FasTrak in California, SunPass in Florida, and RFID toll payment systems in many other states including (we are not making this up) Freedom Pass for toll roads in Alabama.
The RFID transponders in these toll payment devices are designed, of course, to be read from above or alongside the road, even when the device is inside the vehicle. These RFID transponders are promiscuous: they will respond with their unique ID number to a query from any RFID reader. In general, no license, permit, or consent is required to operate an RFID reader. Anyone can legally buy an off-the-shelf RFID reader, install it wherever they want — near a road, or in a vehicle — and start logging the time, location, and unique ID of each toll tag that comes within range. They can use or sell these logs without restriction.
Most motorists, of course, have no idea how the travel times on highway signs are estimated, and these vary from place to place. The state of Washington, for example, has experimented with a homebrewed system for tracking vehicles through the unique MAC addresses broadcast by in-vehicle Bluetooth systems.
Most toll-collection agencies provide foil bags in which RFID toll tags can be kept when they aren’t in use. But it’s a nuisance at best, and potentially dangerous for someone driving alone, to remove the toll tag from the foil bag while driving, and replace it in the bag after passing each toll payment point. Most people leave these ID-broadcasting devices permanently mounted and exposed on the sun visor, windshield, or dashboard of their vehicle.
What about those motorists who don’t carry these RFID-based toll payment and tracking devices in their vehicles? Many toll roads are moving to “all electronic tolling” (AET) in order to eliminate toll booths and any possibility of on-the-spot payment of tolls. At least as currently being deployed in the US, most if not all of these AET systems use automated license plate readers in each lane to identify each motor vehicle without an RFID toll payment device. A bill for the toll is then mailed to the registered owner of the vehicle. One way or another, either by RFID tag serial number or license plate number, every vehicle is uniquely identified and the time, location, and direction of its passage is logged by the toll agency or its contractors. These all electronic tolling and vehicle tracking systems are already in use on bridges, tunnels, and toll roads from the Mystic/Tobin Bridge in Boston to the Golden Gate Bridge in San Francisco.
License plate readers are increasingly widely deployed, but RFID readers are a cheaper and more versatile technology for vehicle tracking than LPRs, at least at present. A separate, properly positioned LPR camera is typically required for each lane, and optical character recognition software is needed to extract license plate numbers from raw imagery. A single, cheaper, RFID reader can cover multiple lanes, from a wider range of placement locations.
Vehicles without toll payment devices have other promiscuous RFID chips that broadcast unencrypted unique identifiers. New motor vehicles sold in the US are required to have automated tire pressure monitoring systems (TPMS), most of which rely on sensors and transponders attached to, or embedded in, new tires. There are no legal controls on tracking or logging of vehicle movements by means of these tire tags, and no way for ordinary motorists to know when, where, or by whom their position has been recorded, who has logs of past vehicle movements, or how those logs might be used in the future. Similar (and similarly uncontrolled) but shorter-range unique-numbered RFID chips are used as stored-value transit fare payment devices in many major metropolitan areas, so even non-drivers are at risk of being covertly tracked.
Some (limited) technical counter-measures:
http://www.authorstream.com/Presentation/pukingmonkey-1903125-road-less-surreptitiously-traveled/
a follow on to the above, as to where the tag data goes and the simple xor “scramble” is here https://cryptovillage.org/archives/dc22/ezpass.pdf
also Houston TX also does the Bluetooth too http://traffic.houstontranstar.org/bluetooth/transtar_bluetooth.html