Event

Doctoral Defence: Amirhossein ADAVOUDI JOLFAEI

The Doctoral School in Sciences and Engineering is happy to invite you to Amirhossein ADAVOUDI JOLFAEI’s defence entitled

Privacy in Electronic Toll Collection Systems: Privacy Analysis and Protection

Supervisor: Prof. Thomas ENGEL

The use of electronic toll collection (ETC) systems is on the rise, as these systems significantly reduce operational costs. Toll service providers (TSPs) access various information, including drivers’ IDs and monthly toll fees, in order to bill drivers. While this is legitimate, such information could be misused for other purposes that violate drivers’ privacy, most prominently to infer drivers’ movement patterns. To address this, privacy-preserving ETC (PPETC) schemes have been designed to minimize the amount of information leaked while still allowing drivers to be charged.

We demonstrate that merely applying such PPETC schemes to current ETC infrastructures may not ensure privacy. This is due to the (inevitable) minimal information leakage, such as monthly toll fees, which can result in a privacy breach when combined with additional background information, such as road maps and statistical data. To show this, we provide a counterexample using the case study of Brisbane’s ETC system. We present two attacks: the first, a variant of the presence disclosure attack, tries to disclose the toll stations visited by a driver during a billing period as well as the frequency of the visits. The second, a stronger attack, aims to discover cycles of toll stations (e.g., the ones passed during a commute from home to work and back) and their frequencies.

We evaluate the success rates of our attacks using real parameters and statistics from Brisbane’s ETC system. In one scenario, the success rate of our toll station disclosure attack can be as high as 94%. This scenario affects about 61% of drivers. In the same scenario, our cycle disclosure attack can achieve a success rate of 51%. Notably, these high success rates are achieved using only minimal information as input, which is, e.g., available to a driver’s payment service provider or bank, and by following very simple attack strategies without any optimizations. As a further contribution, we analyze how the choice of various parameters, such as the set of toll rates, the number of toll stations, and the billing period length, impacts a driver’s privacy level with respect to our attacks.

The monthly toll can reveal significant information about the toll stations visited. To address this issue, applying a differential privacy mechanism that adds a small amount of noise to the actual monthly toll fee appears to be a straightforward solution. However, since adding noise to monthly fees increases monetary costs for users, the noise added should be kept reasonably small. Since adding more noise intuitively means more privacy in the differential privacy framework, one must carefully choose the amount of noise to add in order to strike a balance between privacy gain and additional cost.

Our goal is to investigate whether such a balance can always be found and, if not, under what circumstances it can be found. To achieve this, we first analyze how different parameters of the protection mechanism affect the amount of noise needed to achieve a given level of privacy, using the most common differential privacy mechanism to generate the noise. To investigate the effectiveness of hiding the monthly toll with a differential privacy mechanism, we then design an attack that attempts to recover the original monthly toll from a hidden one. We empirically evaluate the effectiveness of this attack by analyzing its success rate on two different real-world ETC systems, as well as on some artificial ones. Our results suggest that whether or not a reasonable balance between privacy and cost can be achieved depends strongly on the pricing scheme, as well as on what users consider an acceptable cost for privacy.
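The following Python script is an added illustration of the two ideas above, the toll station disclosure attack on an exact monthly bill and the recovery attack on a noised bill, and is not code from the thesis or the author. It assumes a constructed three-station tariff (not Brisbane’s real rates), an upper bound of 20 visits per station per billing period, the Laplace mechanism as the "most common" differential privacy mechanism (the abstract does not name it), a sensitivity equal to the largest single toll (one extra trip changes the bill by at most that amount), and a deliberately simple recovery strategy that picks the feasible monthly total nearest to the noised value; the thesis’s own attacks and parameters may differ.

```python
import itertools
import math
import random

# Constructed toll tariff (assumption, not Brisbane's real rates): station -> fee in cents.
TOLL_RATES_CENTS = {"A": 450, "B": 300, "C": 220}
MAX_VISITS = 20  # assumed upper bound on visits per station in one billing period


def feasible_bills(rates_cents, max_visits):
    """Enumerate every monthly total an honest driver could be charged.

    Returns {total_cents: [visit-count vectors producing that total]}. Exhaustive
    enumeration is fine for a handful of stations; a real tariff would need a
    dynamic program over totals instead.
    """
    stations = list(rates_cents)
    table = {}
    for counts in itertools.product(range(max_visits + 1), repeat=len(stations)):
        total = sum(c * rates_cents[s] for c, s in zip(counts, stations))
        table.setdefault(total, []).append(dict(zip(stations, counts)))
    return table


def disclose_visits(bill_cents, table):
    """Toll station disclosure from an exact bill: all visit vectors consistent with it.

    A single candidate means the bill alone reveals which stations were visited and
    how often; several candidates mean the attacker needs extra background data
    (road maps, commuting statistics) to pick the right one.
    """
    return table.get(bill_cents, [])


def laplace_sample(scale, rng):
    """Draw from Laplace(0, scale) as the difference of two Exp(1) draws times scale.

    Using the same random stream, the sample scales linearly with `scale`, so noise
    levels can be compared on identical draws.
    """
    return scale * (rng.expovariate(1.0) - rng.expovariate(1.0))


def hide_bill(bill_cents, epsilon, sensitivity_cents, rng):
    """Laplace mechanism: release bill + Laplace(0, sensitivity / epsilon)."""
    return bill_cents + laplace_sample(sensitivity_cents / epsilon, rng)


def recover_bill(noisy_bill, table):
    """Recovery attack on a hidden bill: the maximum-likelihood feasible total.

    Under symmetric, unimodal noise this is simply the feasible total nearest to
    the released value; no knowledge of epsilon is needed.
    """
    return min(table, key=lambda total: abs(total - noisy_bill))


def attack_success_rate(true_bill_cents, table, epsilon, sensitivity_cents, trials, seed=1):
    """Fraction of trials in which the recovery attack returns the true bill."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        noisy = hide_bill(true_bill_cents, epsilon, sensitivity_cents, rng)
        if recover_bill(noisy, table) == true_bill_cents:
            hits += 1
    return hits / trials


if __name__ == "__main__":
    table = feasible_bills(TOLL_RATES_CENTS, MAX_VISITS)
    # 970 cents has exactly one explanation (one visit each); 900 has two (2xA or 3xB).
    for bill in (970, 900):
        print(bill, disclose_visits(bill, table))
    sensitivity = max(TOLL_RATES_CENTS.values())  # assumption: one extra trip at the dearest station
    for eps in (0.01, 1.0, 100.0):
        scale = sensitivity / eps  # expected absolute noise, i.e. the driver's extra cost in cents
        print(f"epsilon={eps}: noise scale {scale:.1f} cents, "
              f"attack success {attack_success_rate(970, table, eps, sensitivity, 2000):.3f}")
```

The trade-off the abstract describes is visible in the last loop: the attack only fails when the noise pushes the released value closer to a neighbouring feasible total, so its success rate is governed by the gaps between feasible totals (a property of the pricing scheme) relative to the noise scale (the driver’s extra cost). With closely spaced feasible totals even small noise defeats the attack cheaply; with widely spaced totals the noise needed to hide the bill becomes expensive.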