Electronic Road Pricing in Singapore: Individual Privacy vs. Public Security


In a column titled "Beware of GPS - you're being watched", Business Times senior correspondent Lee Han Shih commented on news that an American car rental agency has started using Global Positioning System (GPS) tracking devices to monitor its cars and impose penalties on customers for speeding.

Lee then speculated on the possibility of GPS being mandated on all Singapore vehicles and the commercial value of the information that could then be collected on the behaviour of Singaporean drivers. Almost in passing, Lee mentioned that the Electronic Road Pricing (ERP) system already tracks vehicles in some parts of Singapore.

This remark apparently upset the Land Transport Authority (LTA) which immediately fired off a letter to the Business Times saying that "the ERP system is used solely as a traffic management tool, and is in no way used by the authorities to track the movement of vehicles."

Sadly, I had to disagree with this claim by the LTA.

Reassure public on use of new ERP systems

I refer to the letter "ERP is not used to track vehicles: LTA" from the Land Transport Authority (BT, Sept 25).

Eight years ago, when the ERP was still on the drawing boards, a Registry of Vehicles official told the Straits Times (April 16, 1993),

"One of the concerns of the ERP is the issue of privacy. If you have a mechanism for central settling of charges, the authorities will be able to know when and where you have been.

"We have got around that by opting for the pre-paid smart card so all the information is in the card and not with the authorities managing the system."

Yet after the ERP was introduced, and despite LTA public relations campaigns to the contrary, it slowly emerged that all the information was indeed with the authorities managing the system.

In their recent reply, the LTA failed to state clearly that the transaction records sent to their control centre include vehicle identification data as well as Cashcard data.

In an August 1998 incident, the LTA sent refunds to 1,500 motorists who had been wrongly charged by the ERP system ("Motorists charged in ERP slip-up," Straits Times, Aug 29, 1998).

This demonstrates that the LTA is able to electronically identify vehicles, and that it does keep records of all vehicles going through ERP gantries, including those which have not broken any ERP regulations.

The LTA asserts that it deletes transaction records after it has received payment for its CashCard transactions, but all high-reliability information systems make backups of their data. If backups are not being made for ERP data, the LTA should summarily fire its IT administrators. If backups are being made, then vehicle data can be retrieved for as long as the backups are kept.

As Microsoft learnt when embarassing email messages surfaced during its anti-trust trial, backups can come back to haunt you long after you thought the original data was gone.

In a letter to the Straits Times last year, the LTA said that it uses video data recorded by expressway monitoring cameras to help the Traffic Police in accident investigations ("Emas data shared with police", ST, Dec 14, 2000). Furthermore, the system is being upgraded so that the cameras will continuously record data instead of recording only after an incident has occurred.

Given this stance, it is quite easy to envisage situations where the LTA would share ERP data with the Police and other agencies if requested to do so for criminal investigations and national security reasons.

Lee Han Shih is therefore quite apropos in his article Beware of GPS - you're being watched (BT, Sep 24).

To keep things in perspective, however, ERP gantries are too widely dispersed at present to be a very efficient monitoring tool compared to other conventional surveillance techniques.

Next generation ERP systems based on Global Positioning System (GPS) devices, however, are a very different story. In principle, all vehicles fitted with such devices could be tracked very precisely throughout Singapore and perhaps as far as Southern Johor.

Very few details have emerged on these proposals, but the potential privacy risk is many times larger than in the present system.

There are of course some who would opt to sacrifice privacy for convenience and prefer, for example, a billing-based ERP rather than the present pay-before-you-go debit system.

Whatever the correct balance between privacy and convenience, and between privacy and security, it is essential that the issues be brought out and discussed in the open so that some sort of societal consensus can be achieved.

There are valid law enforcement and national security reasons for the government to be allowed to use data from present and future Intelligent Transportation Systems.

The key is to establish a legislative, administrative and technical framework to ensure that these powers are used with justification and only under judicial or ministerial authority, much as search warrants and telephone intercepts are used today.

Even more important is to establish public confidence that such powers are not abused.

The LTA unfortunately has not been entirely forthright in its public statements about the capabilities of the present ERP system. Inevitably, this colours public perceptions of the risks to individual privacy that may arise in future ERP systems.

Next generation ERP systems are still in an early stage of development. This gives the LTA a chance to build privacy into the ERP by design, and to communicate to the public that while total privacy cannot be guaranteed, it can be managed in a manner that is beneficial and acceptable to the public.

Hopefully the LTA will not squander the opportunity.

Ngiam Shih Tung

Originally published with minor changes in the Business Times on October 1, 2001.