3 years, 6 months ago

As How You Drive

I have been discussing Pay As You Drive (PAYD) insurance schemes on this blog for nearly ten years.

The simplest version of the concept varies your insurance premium according to the quantity of driving – Pay As How Much You Drive. But for obvious reasons, insurance companies are also interested in the quality of driving – Pay As How Well You Drive – and several companies now offer a discount for “safe” driving, based on avoiding events such as hard braking, sudden swerves, and speed violations.

Researchers at the University of Washington argue that each driver has a unique style of driving, including steering, acceleration and braking, which they call a “driver fingerprint”. They claim that drivers can be quickly and reliably identified from the braking event stream alone.

Bruce Schneier posted a brief summary of this research on his blog without further comment, but a range of comments were posted by his readers. Some expressed scepticism about the reliability of the algorithm, while others pointed out that driver behaviour varies according to context – people drive differently when they have their children in the car, or when they are driving home from the pub.

“Drunk me drives really differently too. Sober me doesn’t expect trees to get out of the way when I honk.”

Although the algorithm produced by the researchers may not allow for this kind of complexity, there is no reason in principle why a more sophisticated algorithm couldn’t allow for it. I have long argued that JOHN-SOBER and JOHN-DRUNK should be understood as two different identities, with recognizably different patterns of behaviour and risk. (See my post on Identity Differentiation.)

However, the researchers are primarily interested in the opportunities and threats created by the possibility of using the “driver fingerprint” as a reliable identification mechanism.

  • Insurance companies and car rental companies could use “driver fingerprint” data to detect unauthorized drivers.
  • When a driver denies being involved in an incident, “driver fingerprint” data could provide relevant evidence.
  • The police could remotely identify the driver of a vehicle during an incident.
  • “Driver fingerprint” data could be used to enforce safety regulations, such as the maximum number of hours driven by any driver in a given period.

While some of these use cases might be justifiable, the researchers outline various scenarios where this kind of “fingerprinting” would represent an unjustified invasion of privacy, observe how easy it is for a third party to obtain and abuse driver-related data, and call for a permission-based system for controlling data access between multiple devices and applications connected to the CAN bus within a vehicle. (CAN is a low-level protocol, and does not support any security features intrinsically.)


Sources

Miro Enev, Alex Takakuwa, Karl Koscher, and Tadayoshi Kohno, Automobile Driver Fingerprinting Proceedings on Privacy Enhancing Technologies; 2016 (1):34–51

Andy Greenberg, A Car’s Computer Can ‘Fingerprint’ You in Minutes Based on How You Drive (Wired, 25 May 2016)

Bruce Schneier, Identifying People from their Driving Patterns (30 May 2016)

See also John H.L. Hansen, Pinar Boyraz, Kazuya Takeda, Hüseyin Abut, Digital Signal Processing for In-Vehicle Systems and Safety. Springer Science and Business Media, 21 Dec 2011

Wikipedia: CAN bus, Vehicle bus


Related Posts

Identity Differentiation (May 2006)

Pay As You Drive (October 2006) (June 2008) (June 2009)

6 years, 9 months ago

Identity Standards: ISO 24760-1

I’m currently looking at international identity standards and thought that I might post some thoughts about them as I look at them. The first that I have looked at is ISO/IEC FDIS 24760-1:2011(E) “A framework for identity management – Part 1: Terminology and concepts”. This standard is supposed to define key terms for identity management […]

7 years, 1 month ago

Key Concepts Underpinning Identity Management

Today, the lack of trust in online Identity forces organizations to set up their own identity management systems, dishing out their own usernames and passwords/PINs for us. The result is that we end up having to remember well over 50 different online identities, which poses a large problem. Continue reading

7 years, 2 months ago

Identity Registries and Reconciliation Posture

A vendor recently asked me a question, and not for the first time, that amounted to “why won’t you buy these delicious software licenses for our amazing identity-management suite, which provides comprehensive solutions to the challenges faced by North American corporations in dealing with compliance requirements and bringing together disconnected versions of identity from across […]

7 years, 3 months ago

Challenges to Building a Global Identity Ecosystem

In this fifth video – Building a Global Identity Ecosystem – we highlight what we need to change and develop to build a viable identity ecosystem. The Internet is global, so any identity ecosystem similarly must be capable of being adopted and implemen…

7 years, 3 months ago

Entities and Entitlement – The Bigger Picture of Identity Management

In this fourth “Entities and Entitlement” video, we explain the bigger picture – why identity is not just about people. It’s about all things – we call them “entities” – that we want to identify in our digital world. An identity ecosystem d…

7 years, 4 months ago

Trust and Privacy – In an Identity Management Ecosystem

By Jim Hietala and Ian Dobson, The Open Group In the first of these five identity videos from the Jericho Forum, a forum of The Open Group, we explained the “Identity First Principles” – about people (or any entity) having … Con…

7 years, 6 months ago

Dangling Conversation

@markhillary asks “When you follow company Twitter accounts, do you like being able to see who runs the account, like a named person on the profile?”

I think that depends how gullible you are. When I get a letter signed by an Important Person, I gener…

7 years, 10 months ago

More on identity and Mask

Who or what is ‘I’? How does our experience of ‘I’ change as we interact with our world? Yes, I do know that those questions might seem to fit more in philosophy or psychology. But as per the previous post, they also have huge ramifications in user-experience and user-interface design, in product-design, in sensemaking and […]