23rd ITS World Congress, Melbourne, Australia, 1014 October 2016

Paper number EU-TP0084

Privacy in a fast evolving Location Technology Industry
Jeroen Brouwer1*, Simon Hania2
1.

Jeroen.brouwer@tomtom.com - Oosterdokskade 114, 1011 DK Amsterdam, The Netherlands

2. Simon.hania@tomtom.com - Oosterdokskade 114, 1011 DK Amsterdam, The Netherlands

Abstract
Traffic congestion is a growing and global problem, impacting the majority of people traveling and moving goods. Due to the increasing volume
of connected navigation devices in the market (personal navigation devices or PNDs), smartphone applications, in-dash devices) Floating Car Data
(FCD) becomes widely available. When this data is matched with a map and processed in a traffic fusion process, real-time traffic solutions
including traffic incidents and traffic flow are created. However, how do you deal with the privacy of the driver when collecting FCD data? Data
security and data privacy are becoming hot topics for both governments and consumers. With the European Legislation around privacy and best
practice methods like Privacy by Design it is possible to be transparent, innovate and at the same time protect the privacy of the end user.
Keywords: Location Technology, Floating Car Data, Privacy, Internet of Things.
Privacy in a fast evolving technology industry
Wherever you go, you are tracked. This can be via the CCTV cameras at the train station, via Bluetooth trackers along the highway or via Wi-Fi
sniffers in stores. With innovations in the Internet of Things privacy has become a sensitive topic. Using statistics from users can result in interesting
new services, but there is also the risk of misusing this data. The current state of technology requires every service provider or app creator to think
about the protection and collection of data. Overall a privacy scandal can result in low trust in a product, resulting in high business risks, specifically
in any consumer-related business. We as TomTom have dealt with this for 10 years now, as navigation solutions provided us the opportunity to
track our customers and create highly interesting services with, for example IQ Routes and TomTom Traffic.
As early as in 2007 TomTom has been actively involved with connected cars. Since that year the addition of a cellular connection into the car
or navigation device makes it possible to create services like real-time traffic alerts. However, this not only enables innovations, it also raises
relevant privacy questions. The term privacy is broad as it includes; privacy (freedom, liberty, dignity), data protection (purpose, data minimisation,
notification and consent), information security (integrity, availability, confidentiality) and safety (ownership, integrity, reliability). In this paper
we will explain how TomTom is dealing with these topics in the exciting field of exploring new innovations and services while protecting the
privacy and maintaining the trust of our end users. Privacy in Location Services is getting a lot of attention across the globe.
TomTom Traffic, data collection
In order to create the most accurate real-time traffic services for road users TomTom is collecting speed data from a mix of sources. By collecting
GPS data from many different sources TomTom has a fleet that contribute highly accurate and anonymous GPS probe data. These source devices
all monitor road traffic conditions continuously and when each of them contacts the TomTom servers for traffic information, they exchange
intelligence on the congestion they have experienced in the past few minutes of their journey. This anonymous information is maintained in a
traffic data store and made available for analysis. The technology behind this data is that the software is archiving on a fixed frequency for the
GPS location and a timestamp. When this data is shared, the TomTom server will match the GPS location with the digital map. By using the map
matched GPS location and the timestamp it is possible to calculate the speed driven between two adjacent GPS points.
Thanks to the continuous sampling of these very precise GPS measurements, all groups of connected devices and cars contribute to the accuracy
of the travel time information. In order to make sure only information from inside the car is used, a special filter is implemented so bicycle, public
transportation and pedestrian data is filtered out. With a new GPS breadcrumb generated every few seconds on the device, it is possible to
accurately understand the road conditions for the vehicles. And with just a few devices reporting anonymously for a specific road stretch it is
possible to generate high quality traffic information with very detailed speed and travel time information with confidence.

Using Floating Car Data from various sources results in a number of benefits compared to other ways of measuring travel time and speed
information. As cars drive on all roads that are open for traffic it is possible to measure with floating car data travel times and speeds on all roads,
even when construction works take place, forcing traffic for example to go on a temporary lane or drive on the other side of a dual carriageway.
Also when new roads are opened, speed and travel time data can directly be measured and quickly analysed. Additionally, the system does not
have to wait until a vehicle has reached the end of a road section before the travel time is calculated as data can be received regularly along the
route. Floating Car Data enables TomTom to accurately measure speeds, also in cases of low speeds or standstill conditions.

Traffic solutions
From all data collected TomTom provides a range of different services. A quick overview of
products:
1. TomTom Traffic. TomTom Traffic is a product that provides traffic delay information.
This information is used in the navigation application. When there is a delay on the users
route the navigation engine will calculate what the impact is for your specific route. The
Estimated Time of Arrival (ETA) gets updated and if there is a faster route available an
alternative route will be offered. By using this application the driver will always have
access to an accurate travel time prediction and will offer the fastest route available.
Image 1. Real-Time navigation

23rd ITS World Congress, Melbourne, Australia, 1014 October 2016

2.

Custom Travel Times. Road operators have a need for traffic statistics for roads they
are responsible for. Collecting relevant data can be achieved by driving around with
a car or deploying cameras, but with the historical statistics from TomTom this can
easily be deducted. By means of a portal or via an API road operators can query the
historical database. They can obtain statistics like average and median travel times,
but also segment specifics speeds. For example on the image on the right, where you
see a black Saturday analysis for one of the French toll roads. The average speed
was significantly lower than on other weekdays during the summer months.

Image 2. Speed Analytics

3.

Origin/Destination. Owners of attractive locations, like a highway billboards, have

interest in who is traveling by their location or where their customers actually come
from. By using the historical traffic data from TomTom it is possible to derive high
level statistics about who is passing by a certain location. Based on this information the
organisation can tell their advertisement clients what type of public will pass by the
location and they can tailor the message to this group.

Image 3. Origin of trips for a selected location

So what is privacy?
Privacy means different things to different people. Yet, the most common element is about having a place for yourself, being able to decide for
yourself how others can observe you and being free from interference. In Europe privacy is a fundamental right: a right one has and which
cannot be taken away. Yet, this right is to be balanced with other rights. European data protection laws are meant to protect the users fundamental
right to privacy while at the same time enabling a free flow of information. To this end the starting point is that processing of personal data is only
allowed when a set of conditions is met. Not meeting these conditions can constitute a violation of law. So the outset is Not, unless and Yes,
provided that. In the US privacy very much relates to non-interference from government intervention and fair trade: a fair and transparent
use of the information about you by businesses, based on an agreement.
Personal data in the European definition is any information relating to an identified or identifiable natural person; an identifiable person is one
who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical,
physiological, mental, economic, cultural or social identity.
Purpose limitation & data minimisation
A key element in European Data Protection Law is the concept of purpose limitation: personal data can only be collected and used for predefined, specific purposes. The purpose of processing must be defined before any collection or subsequent use commences. The purposes must be
defined and explained in advance, such that the end user is able to determine whether or not the way his data is used meets his expectation and
wishes. Only as long as legitimate purposes exist, data may be retained and used: afterwards it either has to be destroyed or irreversibly anonymized.
To legalize personal data processing for the specific purposes a legal basis must be established for which the processing is necessary. In the context
of TomTom Traffic, based on a judgment of the Dutch Privacy Authority this can only be unambiguous consent. Consent is a clear indication
of the end-user wish, based in information presented to him. Consent requires some form of affirmative action from the end-user. Silence or nonactivity cannot be seen as consent: the consent needs to be given unambiguously. In order for consent to be valid, consent cannot be made part of
accepting general Terms & Conditions: it requires specific information to be accessible before or at the moment the consent is asked and given.
There are many misconceptions on what constitutes personal data at the technical level. For example, many people think that when you use a
unique ID, like a device serial number, the data can be considered as anonymous. Another misconception is that when data is encrypted it is no
longer personal data. The last misconception is that a statement about privacy in the Terms and Conditions will cover users consent. A message
about asking for consent needs to be a separate and explicit message.
There are additional concerns on privacy when it is about transportation, the field that TomTom is operating in. The reason is that there are
conclusions that can be drawn from behavior which is unwanted. For example consider a trip driving to a synagogue on a Friday. Such a trip can
be linked to a conclusion that the trip was driven by a Jewish person. Obviously this is a conclusion that is unwanted and should be avoided.
The TomTom Approach
In the previous paragraph the term privacy is explained and how EU law is dealing with this. Over the years TomTom developed their own way
of dealing with this legislation. We are following three principles both internally and externally towards our customers:
1. Clarity. We make sure that the user understands which data TomTom is using, why we use it, how long we use it and who can use it.
2. Control. We enable the customer to remain in control of its data. We consider the data to be the customers data.
3. Care. We protect the customers data against unauthorized access and accidental loss as best as we reasonable can.

23rd ITS World Congress, Melbourne, Australia, 1014 October 2016

Based on the items of Clarity, Control and Care TomTom is making 10 promises to customers who have a TomTom navigation device:
1.
2.
3.

We will tell the user which data from or about you we use, why we use it, how long we use it, who else can use it and where it is kept.
We will only use the users data for the purposes we have stated to the user.
We keep as little of the users data as possible, and only for as long as we need it. When we no longer need data we destroy it or we
irreversibly anonymize it, so it is no longer linked to the user.
4. If we ask the users permission to use your data for specific purposes, we also allow the user to withdraw the permission.
5. If we have not been able to ask the users permission to collect and use its data and the user dont want us to do so, the user can tell us
and we will act accordingly.
6. We will allow the user to access and correct the users data if it is linked to the users MyTomTom account.
7. We will keep protecting the users data against unauthorized access and accidental loss as best as we reasonably can.
8. If we engage others to use the users information on our behalf, we will ensure they act in accordance with our policies.
9. If we share the users data with others, we will first ask the user for permission, unless there is a legal obligation that prohibits us from
asking.
10. We are open to any questions the user may have about how we use its
data and we will answer them.
In order to fulfill the above promises we take two key items into account in
everything we do. The first item is about the data collection. We ask for explicit
consent with an easy to understand message. On the right side of this page you
find the message that TomTom navigation users will see. This message has been
approved by the Dutch Privacy Authority.
Image 4. Asking for consumers consent on a TomTom navigation device.

Next to the consent of the user it is also important to take key item two into
account, which is the protection of privacy by avoiding re-identification of trips.
TomTom applies a strict code of conduct to respect privacy laws. Historic trip archives can only be used for road traffic and related purposes. No
raw data is provided outside TomTom. When creating products out of the historical archive TomTom will do the processing and TomTom ensures
that re-identification is impossible. This is for example done by providing travel time statistics not per trip, but aggregated in averages and
percentiles. Having this code of conduct has been instrumental in being allowed to consider the historic trip archive as anonymous data.
The future
The connected car will continue to develop itself. With the availability of extended Floating Car Data (x-FCD), new data sources will appear on
the horizon. Experts claim that in the future each car will create gigabytes of data per minute, with data about all kinds of relevant items, from the
activation of ABS to the state of the road or the distance towards the car driving in front of you. With engine sensors and others in and around the
car, a wide range of sensor derived content could be created. This data has most value when shared with the car manufacture or service provides.
The privacy points raised in this paper are also applicable to these developments and it will force each partner in this field to make careful decisions.
With the development of vehicle to vehicle (V2V) and vehicle to infrastructure (V2I), privacy questions are raised. The concept of these two terms
is that cars will not only communicate with a service provider, but also with the infrastructure and surrounding cars. Due to this technology it
becomes possible for cars to share data with each other, for example about upcoming danger. However, this will raise new privacy questions,
specifically when everyone could plug into this communication channel and, without consent, start archiving data. Strict decisions on encryption
and use-cases are required in order to have these new innovations respect privacy laws.
Recommendations
The connected car brings privacy challenges and we as TomTom found our way how to keep innovating while protecting the privacy of our
customers. Handling privacy is not something that can be done instantly the correct way, but requires constant tweaking and adjusting in order to
get it right. We would like to share some recommendations for other technology organizations dealing with similar privacy challenges. This can
be in the field of transportation, but also for any other technology organizations.
First of all it is important to use the privacy by design approach in the development process. This means that you incorporate privacy requirements
from the start of the development of the product. By making this part of the design phase of your project it is easier to react to new insights and
risks.
Another recommendation is to always have proper documentation available, answering the what, why, when, who and where questions. When
documented it is much easier to reflect and adjust decisions, but also to allow externals to validate your approach. And along with this
recommendation we also advise to have a privacy specialist in your organization!
We also have recommendations about the data itself:
Always assume that location data is unique and personal, so it needs to be treated with care;
Try to minimize on the data archive in both volume and time stored;
Create a user-friendly explanation to obtain a valid consent and avoid at all times forcing consent by putting it in the terms and conditions;
Consider the use of pseudonyms, the use of early anonymization and always aggregate the data before publishing;
Be careful when destroying data. Residues, artifacts and meta-data could result in re-identification;
Always keep anonymized data limited to the pre-defined purposes as defined in the consent questions;
Make sure that you control the access at all times;
Consider external auditing.