Privacy SOS

All electronic tolling is now in effect on the Mass Pike. Here’s what you need to know about your privacy.

On Friday October 28, 2016, all electronic tolling went into effect on the Massachusetts Turnpike. No longer can motorists pay tolls with change or cash. Beginning Friday, all travelers must either use an EZ-Pass or face a slightly higher toll via the pay-by-plate system. 

The new architecture is technology-driven, and its advocates in and out of government say it’ll reduce congestion, traffic accidents, and carbon pollution. It also involves different kinds of data collection from the prior tolling apparatus. Now, the Massachusetts Department of Transportation (MassDOT) takes photographs of all cars as they pass under gantries hanging over the pike at 16 locations from Lee, MA in the west to the Sumner Tunnel in Downtown Boston in the east, and creates tolling records either using those photos or EZ-Pass data collected from electronic scanners attached to the same gantries. (See map below.) As cars pass between one gantry and another, the system also keeps records of how fast each car moves. All of this data collection, MassDOT says, is required in order for the system to function. We aren’t in the surveillance business, MassDOT highway administrator Tom Tinlin recently told the local public radio station—we simply need to collect tolls.

[Map: MassDOT all electronic tolling gantry locations on the Mass Pike]

Some, including the ACLU, have raised concerns about the privacy and data tracking implications posed by the new technology. But as I wrote back in August, all electronic tolling doesn’t mean game over for motorists’ privacy. We simply must ensure the policies and procedures governing that sensitive information are robust enough to protect every Massachusetts motorist from abuse and misuse. Besides, the reality is that MassDOT had been keeping records of where and when motorists drove for years prior to the launch of all electronic tolling. Making matters worse, until the recent debates over privacy and all electronic tolling thrust the issue into the limelight, MassDOT had no data policy requiring deletion of tolling records. Yes, you read that right: Prior to all electronic tolling, MassDOT was storing your tolling records forever. 

Now there’s a policy, which covers everyone: pay-by-plate and EZ-Pass users alike. In mid-October 2016 we wrote a letter to MassDOT applauding officials for instituting the first ever data policy to govern that sensitive location history information, and offering some suggestions for how to strengthen it. Here’s what you need to know about the existing policy, and ways we at the ACLU think it could be better. 

  1. First of all, the existence of the policy is hugely important. Kudos to MassDOT Secretary Stephanie Pollack and General Counsel John Englander for writing and implementing a data policy to require deletion of toll records—replacing the unacceptable status quo, wherein MassDOT had no policy and retained the records forever.
  2. While the implementation of a data retention policy is a huge improvement, the retention limits appear arbitrarily long in some cases. Specifically:
    1. Seven years is too long to retain sensitive location information. Under the new policy, MassDOT officials will retain personally identifiable customer travel and transaction data for seven years. We agree with Mr. Tinlin: MassDOT is not a surveillance operation, but rather a transport agency. The purpose of the tolling system is to collect and process tolls. It’s unclear why officials decided to retain this extremely sensitive information for so long, and they haven’t yet made a convincing case to the public about how they arrived at seven years. We think this is too long, and the retention period ought to be sharply curtailed. 
    2. Counterintuitively, getting an EZ-Pass is actually beneficial from a privacy perspective. MassDOT’s policy says the agency will retain images of vehicles and license plates for seven years on cars without transponders, but for only three months on cars with transponders. Again, seven years is an awfully long time to store sensitive location records like these. It’s not at all clear why the records must be maintained for so long. Three months seems a lot more reasonable. 
  3. The policy should be strengthened to clearly spell out how outside parties may access information held by MassDOT. Doing so will better protect Massachusetts drivers from improper surveillance and the abuse or misuse of their sensitive location information.
    1. MassDOT officials have said they only hand over information to outside parties like law enforcement or private attorneys pursuant to a subpoena or other lawful order. That’s good, but doesn’t say enough. For example, is one subpoena sufficient to obtain all seven years of one person’s sensitive location data? If so, that’s a good reason to curtail the retention limits. Either way, MassDOT officials should stipulate this in their policy.

If you think MassDOT’s policy needs improvement in these areas, contact your state representative and senator and let them know you’re concerned. As we wrote to MassDOT earlier this month—and as the news seems to remind us every week—there are significant dangers involved in amassing sensitive personal information in centralized databases. If officials can’t give the public detailed, legitimate reasons for why they think they must retain our sensitive driving records for seven years in order to process tolls, those limits should be substantially shortened.

© 2018 ACLU of Massachusetts.