I’ve been doing a lot of Boston media this week about a story that seems to have touched a raw nerve. It’s reminded me of a frustrating problem I encounter whenever a technology and privacy issue is hot in the news: Some people seem to think it’s somehow radical, or controversial, to suggest law enforcement should get warrants to obtain sensitive information about people’s personal lives. There’s nothing remotely radical about this demand. Even worse, I’ve heard the issues framed in such a way that positions civil liberties concerns as opposed to public safety needs, as if we need to make sacrifices one way or the other—as if privacy and security aren’t complementary but rather contradictory demands. Yet others seem to think the sky is falling whenever a new technology enables a different form of digital tracking. But neither the “give everything to law enforcement” nor “we are doomed” view hits the mark. In fact, we can have new technologies and our privacy, too—and law enforcement can still benefit when it’s investigating an actual crime and gets a warrant.
The issue came up this week because the Massachusetts Department of Transportation (MassDOT) announced it is set to launch an all-electronic tolling system in October. No longer will motorists be able to pay tolls with cash or change scrounged from the ashtray. People who don’t have EZ Pass transponders will receive a bill in the mail for their toll, plus a processing fee. The system uses license plate readers to capture images and time- and date-stamped records of each car as it passes under the gantries, located at various points along the Massachusetts Turnpike and in downtown Boston tunnels. (See the map below.)
Earlier this week, the Boston Globe published a story revealing that the system, which was designed and built by military contractor Raytheon, will also include a hot-list feature enabling MassDOT to automatically alert (via email) State Police when certain drivers pass under a gantry. Officials did not disclose the circumstances under which someone could be added to the hot-list, but said they would likely be limited to Amber Alerts and other emergencies, and that the system wouldn’t be used to hunt down someone who, for example, refused to pay their tolls. MassDOT officials plan to draft a policy in cooperation with the state’s Executive Office of Public Safety and Security, which oversees the State Police, they said. According to their public statements, the policy will be complete before the system goes live.
Judging by the substantial media interest this story has attracted, it seems like there’s a lot of public concern about MassDOT’s plans to create and store records showing where Massachusetts drivers have traveled, and use the system to alert State Police to the presence of particular drivers in real-time. At the ACLU we share those concerns, just like we are concerned about warrantless cell phone tracking, license plate tracking, and other forms of 21st century surveillance. But we also know there are good reasons for what MassDOT is doing. The agency is right to say that the new system will make the highways safer and less congested, and save time and gasoline. Fortunately, the privacy issues the system raises can be addressed by implementing good policy and passing strong privacy law. As with most issues in the digital 21st century, we don’t have to skip out on this innovation because we are faced with new policy questions. All we need to do is implement good policy and statutes.
Thankfully, that’s not very complicated when it comes to the data generated by electronic tolling. As I’ve been telling many media outlets this week, we need to make sure MassDOT’s policies incorporate the following data hygiene principles:
- Only collect information if you absolutely need it, and document the purpose for collection. MassDOT needs to process tolls. It should only collect information for this purpose—meaning, for example, that the images its systems capture shouldn’t include faces or bumper stickers, just license plates.
- Restrict and document internal access to the information. Access should be on a need-to-know basis. The public should feel confident that very few people can access their location information either in stored form or in real-time. And MassDOT should implement internal auditing procedures to allow for oversight, to make sure employees are only searching for records when they need to do so to fulfill a legitimate work purpose.
- Restrict and document external access to the information. Don’t let anyone from outside the organization access personally identifiable or sensitive information except in very limited, documented circumstances. Law enforcement should only get access to stored or live information with a probable cause warrant, the gold standard of American justice, or in emergencies when someone’s life is at risk.
- Delete the information as soon as the purpose for which it was collected is fulfilled. Tolls have been processed and paid? Then there’s no reason to hold onto the information. Delete it. Retaining it invites internal and external abuse and hacking.
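To make those four principles concrete, here is an added illustration of a toy toll-record store that enforces them. It is not MassDOT’s or Raytheon’s code and is not part of the original post; the role names, the warrant and emergency flags, the field names, and the sample capture are all assumptions made for the example.

```python
"""Toy toll-record store applying the four data-hygiene principles above.
Added illustration, not MassDOT's or Raytheon's code; the roles, field names
and the warrant/emergency flags are assumptions."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class PlateRead:
    """Principle 1: the stored record is just what billing needs."""
    plate: str
    gantry: str
    seen_at: datetime


@dataclass(frozen=True)
class AuditEntry:
    who: str
    purpose: str
    plate: str
    basis: str        # "role:<r>", "warrant:<ref>", "emergency:<why>" or "DENIED ..."
    at: datetime


class AccessDenied(Exception):
    pass


class TollRecordStore:
    # Assumed need-to-know roles; anyone else is refused stored-record access.
    INTERNAL_ROLES = frozenset({"toll-billing", "customer-service"})

    def __init__(self) -> None:
        self._unpaid: dict[str, list[PlateRead]] = {}
        self.audit_log: list[AuditEntry] = []     # append-only, for internal auditors

    def _log(self, who: str, purpose: str, plate: str, basis: str) -> None:
        self.audit_log.append(AuditEntry(who, purpose, plate, basis, datetime.now(timezone.utc)))

    # Principle 1: collect only what the purpose needs.
    def ingest(self, capture: dict) -> PlateRead:
        """Take a gantry capture and keep only plate, gantry and timestamp.
        Image bytes, face flags or anything else in `capture` are dropped here."""
        read = PlateRead(capture["plate"], capture["gantry"],
                         datetime.fromisoformat(capture["seen_at"]))
        self._unpaid.setdefault(read.plate, []).append(read)
        return read

    # Principle 2: internal access is role-gated, purpose-bound and always logged.
    def lookup_internal(self, who: str, role: str, purpose: str, plate: str) -> list[PlateRead]:
        if role not in self.INTERNAL_ROLES or not purpose.strip():
            self._log(who, purpose, plate, f"DENIED role:{role}")
            raise AccessDenied(f"{who} ({role}) has no need to know")
        self._log(who, purpose, plate, f"role:{role}")
        return list(self._unpaid.get(plate, []))

    # Principle 3: outside access only with a warrant or a life-safety emergency.
    def lookup_external(self, agency: str, plate: str, *,
                        warrant_ref: Optional[str] = None,
                        emergency: Optional[str] = None) -> list[PlateRead]:
        if warrant_ref:
            basis = f"warrant:{warrant_ref}"
        elif emergency:
            basis = f"emergency:{emergency}"
        else:
            self._log(agency, "external request", plate, "DENIED no warrant or emergency")
            raise AccessDenied("stored location data requires a warrant or an emergency")
        self._log(agency, "external request", plate, basis)
        return list(self._unpaid.get(plate, []))

    # Principle 4: delete as soon as the purpose (billing) is fulfilled.
    def mark_paid(self, plate: str) -> int:
        """Payment settles the toll; the location records are deleted, not archived.
        Returns how many reads were purged."""
        return len(self._unpaid.pop(plate, []))

    def held_records(self) -> int:
        return sum(len(v) for v in self._unpaid.values())


if __name__ == "__main__":
    # Constructed sample capture: the image bytes and face flag never reach storage.
    store = TollRecordStore()
    store.ingest({"plate": "MA-123ABC", "gantry": "G07", "seen_at": "2016-08-01T08:00:00+00:00",
                  "image": b"\xff\xd8...", "face_detected": True})
    try:
        store.lookup_external("state-police", "MA-123ABC")
    except AccessDenied as err:
        print("denied:", err)
    store.lookup_external("state-police", "MA-123ABC", warrant_ref="W-2016-0042")
    store.mark_paid("MA-123ABC")
    for entry in store.audit_log:
        print(entry)
```

Two design choices carry the weight here. Denied requests are written to the audit log just like granted ones, so an auditor can see who asked for what without a basis, not only who got it. And payment deletes the plate’s reads outright rather than flagging them as settled, which is the only way to honor the fourth principle: a record that no longer exists cannot be subpoenaed, leaked, or quietly repurposed.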
These principles apply to most databases. They aren’t controversial or new, or remotely radical. When applied to the new MassDOT system, they’ll go a long way towards making sure residents get the benefits of electronic tolling without the drawbacks of limitless surveillance.
People who say law enforcement should be able to access all the information they want, however and whenever they want, are confused about the issues. Those who say we should only use cash tolls have been left behind by the winds of technological change. Neither of these extreme positions speaks to the facts at hand. We absolutely can have both modern convenience and digital security. It’s not an either/or situation. Unfortunately, MassDOT wasn’t as forthright with the public as it should have been about issues like the hot-list feature. But now that we know, the ACLU and members of the public have an opportunity to make sure the above principles apply to that feature as well as the larger system overhaul.
It’s not hard for police departments to get warrants to obtain sensitive information about people, as long as they have probable cause to show the search will return evidence of a crime. It’s a great standard, and it’s worked for us for hundreds of years. The shift to a digital world doesn’t have to change that. And we aren’t about to travel back in time to an analog age—the benefits of digital technology are too great to pass up.
So pay no mind to people at the extremes of these debates. We don’t have to open up every database to limitless police scrutiny in order to have public safety. And we don’t need to smash all our electronics in a big pile in order to get back some digital privacy. All we need to do is implement good policy, and change the law to reflect the kinds of technologies we use today. That won’t necessarily be easy work, but we shouldn’t make it more difficult by overly complicating or muddying up the issues.