Is EZ Pass Poised to Take a Toll on Your Privacy Rights?
Is toll collection the only thing EZ Pass transponders are being used for? Surprisingly, the answer is no, and if that sounds unsettling, it should.
I grew up in Arizona, a state where toll roads don’t exist. When we moved to Washington, DC in 2011, paying tolls was one of my least favorite parts about traveling throughout the East Coast (don’t taxes pay for roads?). Thankfully, we quickly discovered a way to ease the constant pain of traveling on toll roads: the EZ Pass. It’s convenient, I don’t have to stop at toll plazas, and now instead of having to keep a careful eye on my coin supply, I can earn 2X Chase points every time my credit card is charged to replenish my EZ Pass account.
At toll plazas that use the EZ Pass system, antennas emit a Radio Frequency field that activates the EZ Pass transponders of cars approaching the toll plaza. The EZ Pass transponder broadcasts a signal back to the antenna that contains information about the account the transponder is linked to. This account information is sent to a central database, and if the account is in good standing, meaning the account has a non-zero balance or has a credit card linked to it, the driver gets a green light and can proceed. Austrian company Kapsch TrafficCom AG is the main developer and supplier of this technology.
This technology has eliminated the terrible inconvenience of having to stop and hunt for coins or dollar bills every time you need to pay a toll, and contributes to faster trips for those who use the EZ Pass. In addition, the use of automated toll payment technology like the EZ Pass system contributes to reduced emissions, as cars no longer need to idle and stop while waiting for their turn to pay their toll. However, the potential exists for this technology and the data it generates to be used in intrusive and unsettling ways, and unfortunately, there are several instances of this occurring (1).
In 2013, a New Jersey resident built a simple device (using a breadboard from the Shad plant!) to detect every time his EZ Pass transponder was activated, and drove around New York City. In the stretch between Times Square and Madison Square Garden, a stretch of city streets with no tolls, his EZ Pass transponder was read 6 times! Upon investigation of NYC’s use of EZ Pass readers for purposes other than toll collection, it was discovered that NYC feeds this data to its traffic management center to provide real-time traffic information, to improve traffic flow. NYC stated that transponder information is scrambled and not kept permanently in any system.
I hate traffic more than I hate tolls, so the prospect of being able to use data to reduce traffic is very appealing to me. The problem here, though, is that nowhere in the terms and conditions (2) for EZ Pass is it stated that transponders will be read at locations other than toll plazas. At a minimum, governments that intend to read EZ Pass transponders for purposes other than toll collection should be transparent about it, and should put adequate privacy policies in place so that users of EZ Pass transponders are aware of how their transponders may be read, and so that any data obtained is anonymous and protected (3).
You might be thinking, why should I care so much about how my EZ Pass data is used? Well, an example from the great state of New Jersey will shed some light on that for us. In 2013, New Jersey Governor Chris Christie, and Deputy Chief of the NJ Port Authority Bill Baroni both used NJ Senator Frank Lautenberg’s EZ Pass records to add to their arguments against increases in tolls that the Senator supported (4). Additionally, Governor Christie called into question the Senator’s dedication to New Jersey, based on the average of 3-4 weekly trips to New York that Gov. Christie observed in the Senator’s EZ Pass records.
The bottom line is that insufficient effort has been dedicated to ensuring that the use of the EZ Pass technology and the vast amounts of data that go along with it will remain safe, and that customers’ privacy and best interests will always be protected. If boundaries aren’t set in place, it will be too easy for customers’ rights to erode. For example, what’s preventing states from deciding to use EZ Pass readers to calculate customers’ speeds, and issue them speeding tickets? Companies like Kapsch TrafficCom AG that supply the technology and data management systems that make the EZ Pass system work need to be conscious of how their technology may be used, and pledge to not provide their technology to any agency that does not have robust safeguards in place to protect against the misuse of data.
(1) Kashmir Hill, “E-ZPasses Get Read All Over New York (Not Just at Toll Booths),” http://www.forbes.com/sites/kashmirhill/2013/09/12/e-zpasses-get-read-all-over-new-york-not-just-at-toll-booths/#49e70a2f3cfc, accessed November 18, 2016.
(2) E-ZPass Virginia and VDOT Violations Processing Policy, https://www.ezpassva.com/pdfs/privacy.pdf, accessed November 18, 2016.
(3) Mariko Hirose, “Newly Obtained Records Reveal Extensive Monitoring of E-ZPass Tags Throughout New York,” https://www.aclu.org/blog/free-future/newly-obtained-records-reveal-extensive-monitoring-e-zpass-tags-throughout-new-york, accessed November 18, 2016.
(4) Tim Cushing, “Chris Christie, Port Authority Official Abused E-ZPass Data for Their Own Ends,” https://www.techdirt.com/articles/20150120/10430629761/chris-christie-port-authority-official-abused-e-zpass-data-their-own-ends.shtml, accessed November 18, 2016.
Student comments on Is EZ Pass Poised to Take a Toll on Your Privacy Rights?
I’m reading quite a few blog posts about companies that use customer-tracking technology to “enhance” the customer experience. Normally customers are pressured to accept the intrusion (and most do) in the name of convenience. In all cases that I am familiar with, consumers are at least notified of the intrusion into their privacy, although the notification may be buried deep in 40 pages of micro-printed “Terms and Conditions.” For an excellent example read KOGR’s post about Disney’s MyMagic+ bands that track subjects’ movements, purchases, and interactions in a way that the FBI can only dream of.
If that makes you nervous, this article should make you sick. Government use of EZPass transponders to track citizens’ movements, without their consent, in violation of the terms of agreement, for a politician’s political gain is outrageous and illegal. Sadly, I doubt our next Attorney General will prosecute Mr. Christie for his corruption.
Has there been any litigation against EZ Pass in this context? I’m curious whether the fact that this is a multi-state technology used by many governments has implications on how we should view the lack of privacy inherent in this issue. That is, is it justified to use the data EZ Pass provides in a more “secondary” way because it’s used by governments? I also wonder about Kapsch TrafficCom AG – they probably had a defined scope of use and terms with the government in order to construct this deal. Were they aware of the potential secondary uses and did they include them in the scope? Or even more troubling, did they promote them? In general, I think the increased penetration of digital technology blurs the lines of how we define specific uses of data and information.
I love the EZ Pass as it really does simplify going through toll booths and in other states taking toll lanes/highways for me. It makes the experience so seamless, sometimes I forget that I’m paying a toll. I am however relatively surprised at the fact that this device is being used to track vehicles around cities. While I think the application of it is great as I too do not like traffic, I am concerned about the privacy implications. You mentioned that the data is scrambled but what I’m concerned about is how truly scrambled it is and if it really is anonymous. After all, our names and credit card are attached to the EZ Pass so it draws the question of at what point is the data scrambled. Tying this to our recent class discussion, I’m wondering if the safe driving trackers that insurance companies are issuing in exchange for a discount are doing the same thing. What I would like to see for this is the ability for users to opt-in to share their data with the city.
Wow. This is eye-opening and terrifying, especially since we can’t turn our EZ Pass off. At least with Internet browsing or the GPS systems on our phones, we have a way of limiting tracking or turning it off entirely. That being said, I think that we’re moving more and more into a world with no privacy. Even security cameras on the street can pick up our movements. When you think about the amount of recording and photography that goes on, it’s no wonder that the police were able to identify the Boston bombing suspects through crowdsourcing. The question now is whether the benefits of the technology outweigh the costs.
Great article on a product that I am intimately familiar with, but didn’t know about all of the ways I am exposing myself to personal data concerns! I agree with you that it is great if cities are able to leverage this data to make the cities less traffic filled and safer, but there are massive concerns about privacy, especially since this use case can’t be found in any of their user agreements. I do wonder how else we could be using this data to improve our safety.
One other consideration is the move in MA to begin removing tollbooths altogether and move towards an all-electronic system, which is already underway, and how this will potentially expose us as users even more to security concerns. In case you haven’t heard about this, here is a recent article: https://www.bostonglobe.com/metro/2016/10/30/forewarned-traffic-delays-mass-turnpike-start-this-week/7p7X6GHN0pqFrEgnYvat5N/story.html
Really interesting! Traffic is often a huge pressing concern for cities, so I am not surprised that they were comfortable pushing the limits of the intended boundaries of the system. In Massachusetts they are actively looking for private sector partners to supply traffic data. For example, in June 2016 the Massachusetts Department of Transportation announced a partnership with Waze, using anonymized travel information to better inform the public. In this context we can all get behind the fact that we hate traffic and it seems like a great use. I wonder if Waze had to update their terms of service to reflect that user data was going to be shared directly with the government?
Thanks for the article Brad. I believe this is yet another example of technology becoming invasive under the flagship of “additional services to customer” while exploiting grey areas in regulations. It is clear that privacy concerns are growing among users, in spite of the extra convenience that certain services provide. I often think about where the balance is, who would be responsible for enforcing it and what would be the implication of the business? Europe is much more regulated than US regarding privacy law and companies such as Google and Facebook have been adapting and repercussions on usability appear minimal. I think that starting to regulate a currently “far-west” market should be the first step.
See below post on Privacy Law in US versus Europe
Great post here–and one that has serious implications not just for privacy, but, perhaps more importantly, for the extent to which this time-saving technology can be adopted. When we talked about parking meters in Marketing this week, I immediately thought how much EZ Pass could improve the payments process. And, as “Operations 2016” notes above, Mass is pulling out toll booths and replacing them all with electronic readers. The time savings will be huge, and the technology exists. The biggest barrier to realizing this significant benefit is popular opinion and consumer behavior–will we accept this new technology? Much of that will depend on the transparency with which government deals with these issues.
One thought, per “FCF”’s note above; you can in fact turn off your EZ-pass. You can buy sliding boxes–open to have your EZ-Pass read, close to not have it read. So, it’s possible. Small solutions like this might go a long way to assuaging some of these concerns.
Every time you download an app, create an account on a website or enter some contract, you inevitably have to accept the “terms and conditions” in order to proceed. Personally, I cannot be bothered by the content in the terms and conditions and virtually always accept without reading them. In a world where new technologies, apps, etc. are constantly introduced with terms and conditions that nobody cares to read, what are consumers supposed to do? They are often filled with verbose legal jargon — should I get sign-off from my lawyer every time I want to use a new food delivery app? I say we just bite the bullet, let the companies do what they want to do and enjoy the food when it arrives. Maybe they’re tracking my eating habits and selling it to McDonalds, so what?
Brad thanks for writing this. As an EZ Pass customer, I had no idea that all of this data was being tracked during “off” times away from tolls.
The most striking and concerning thing is the lack of anonymity in the Gov Christie case.
I noticed that you focused on the hardware manufacturers as a way to place pressure on EZ Pass to shift privacy practices. I wonder, what other players in this should have a vested interest and what can they do to incentivize EZ Pass to increase privacy? (Government, Customers, Lobbyists etc.)
Brad, this was an enlightening (and funny!) post. I am similarly concerned that EZ Pass location data is being used for purposes other than paying tolls at dedicated toll booths. The prospect of the government constantly getting pings on my location is frightening but I agree that using the data to reduce traffic is enticing. Do you think that EZ Pass could be subject to a class action lawsuit for allowing data to be used for purposes outside of the terms and conditions of their user agreement? Kapsch TrafficCom AG and EZ Pass need to quickly partner with a data protection agency to ensure this data isn’t being used for nefarious purposes.
Is it bad that I’m not surprised or necessarily concerned about how the EZ Pass location data is being used? Big picture, of the myriad of ways personal data can be captured, it seems that EZ pass is fairly limited in terms of the value it could provide to information-seeking hackers. That said, I totally agree that the lack of transparency and reporting of this from EZ Pass to its users is a bit disconcerting. Even cell-phone apps disclose that a substantial amount of personal data is (or may be) stored and used by others. It also makes me wonder if states like Illinois who have their own EZ Pass device — the I-PASS — disclose how the data they retrieve is being used.
Wow, this is very unsettling! The fact that not only were they collecting this data outside of its intended usage area but that they weren’t even disclosing that as a possibility in the T&C is absurd. Data privacy is a topic near and dear to me, and I fully recognize how seemingly innocuous non-standard uses of data can snowball into something much more insidious.
In the digital age, how do you think we’ll regulate the privacy of user data going forward? Obviously more should be done, but who should be doing this? Is it the government, industry, or some other third-party? Also, it’s good that someone who knows how to hack his smart pass figured this out, but what about the lay person who isn’t able to do that? How should we as a society view their fundamental right to privacy?
Brad — fun and entertaining post. Quick question for you: do you suggest private and public uses of such location data be separated and specified, as well as regulated separately?
Interesting post! I’m surprised that there hasn’t been much attention given to this invasion of privacy. EZPass is increasingly becoming a requirement to drive around the US; in fact, Massachusetts is moving towards all electronic toll roads. Moreover, it’s a system that’s increasingly permeating the globe. Even countries like Jamaica utilize EZPass on the few highways that they have. EZPass and/or state and city governments need to inform citizens of how their personal data is being used. This shouldn’t be an option. Further, more resources need to be allocated to protecting and managing this personal information.