The connected world promised by Internet of Things technology is already beginning to transform the way we live our lives.

But how much privacy are we willing to sacrifice in the name of innovation?

Earlier this year the Roads and Transport Authority of Dubai announced a world-first digital license plate pilot.

Local cars will now be fitted with the RPlate Pro, which can display weather and road conditions on its bistable digital screen (similar to that of a Kindle), while also promising to ease some of the administrative hassle that comes with car ownership with automated registration.

What’s more, the plates come equipped with a GPS tracker, which will provide real-time traffic updates and help track down stolen vehicles, according to manufacturer Reviver Auto.

“We’re not just reinventing the connected vehicle ecosystem; we’re building safer and more connected communities one license plate at a time, and are thrilled to be part of Dubai’s Smart City initiative,” said Reviver Auto CEO, Neville Boston.

But are GPS-enabled license plates an innovative solution or something from a George Orwell novel?

On one side, the plates have the ability to save lives with their ability to alert paramedics if the car has been in an accident.

And automated renewal will no doubt slash thousands of hours of admin for both the government and public.

But Chair of the Australian Privacy Foundation, David Vaile, believes it may take some time before the risks of such a scheme can be fully understood.

“The implications of automated data from transport and movement can often be quite non-obvious,” he told Information Age.

“These implications can be projected off into the future, or into another place or into another social or business setting.

“You may not be able to fully appreciate what’s possible now – fifteen years ago the scale of today’s big data would not have been understood.”

Vaile also questioned the necessity of the project.

“What is the purpose and the use of this? How serious are the problems they have said it is for?” he asked.

“The data that’s generated out of this is potentially, depending on what it is and how you treat it, very intrusive if you want to track people, social networks, relationships or families.”

The pilot will run from May to November this year.

There is no indication of how much the project will cost nor how many cars will be fitted with the number plates.

Risk versus reward

The plates are indicative IoT technology, in that they aim to create a digitally-connected system that brings users, and the wider public, benefits.

The scheme looks to improve public safety in Dubai, where luxury cars are part of the city’s fabric and license plate theft is a common occurrence.

Over the past three years 799 license plates have been reported stolen to police, which makes the RPlate Pro’s is the anti-theft feature an ideal solution.

If the car is reported stolen to the authorities, the plate will change its display to reflect this, replacing the registration details with ‘STOLEN’.

The plates display 'STOLEN' when theft is suspected. Source: Youtube

While this is somewhat of a novel crimefighting tool, it shows the in-built GPS tracking device on the license plates could help keep citizens safe.

The tracking function could also prove advantageous for fleet vehicles, where GPS tracking devices are already common protocol.

The City of Sacramento in the US has agreed to be the first city to trial the plates on a fleet basis, with 24 plates purchased for its in-house vehicle fleet.

The $699USD ($923.80AUD) per unit price tag on the plates will reportedly cost the city less than the current GPS tracking system it places on its vehicles.

But just like IoT, the benefits the technology enables bring some inherent risks.

It is important to note that Reviver Auto states on its website that the RPLate Pro has “secure and encrypted data connection to the cloud.”

However, Vaile explains that the data generated will still be a “honeypot temptation” to whoever it is that gets their hands on it.

Learning from Cambridge Analytica

Aside from security concerns, Vaile also made clear that technology projects of this scale can often be doomed to fail.

“The traditional ways for an IT project to fail is: if, by when it gets to users, it’s too expensive; it doesn’t work well enough; if it takes too long; or if it does stuff that isn’t useful,” he continued.

“But there’s another way of IT projects failing now, which is the Cambridge Analytica and Facebook example, where they work, but only too well and produce a very socially unwelcome result.”

While CEO of Dubai’s RTA Licensing Agency, Abdullah Yousuf Al Ali explained the pilot “underscores the keenness of the RTA to keep abreast of the latest technologies", it is being introduced at a time where users now demand control over their data.

The recent Cambridge Analytica scandal has rocked Facebook and its reputation, enough to kickstart the #DeleteFacebook movement and for CEO Mark Zuckerberg to confess that it is now time for stronger regulation.

The European Union has now implemented its sweeping GDPR reforms, protecting consumer data like never before, with €20 million or 4% of global turnover in fines for worldwide companies that do not comply.

And according to Vaile, this sets a regulatory precedent Dubai cannot ignore.

“The big problem with ‘open data’ is that nobody wants to take responsibility when it gets breached,” he said. “With the Cambridge Analytica scenario, you realise data could not only be taken out but maybe linked and reidentified with lots of other stuff.”

“Unless there’s a very thorough and future-looking analysis of the vulnerability in the data you’re generating, I’d suggest the near impossibility of permanently de-identifying data means that it’s always going to be a very high-risk hot zone for individual surveillance and identifiable tracking.”

Data is power

Dr Gavin Smith is the Deputy Head of the School of Sociology at ANU and has spent much of his career investigating the social impacts produced by mass surveillance technologies.

He spoke to Information Age about how he expects Dubai’s license plate scheme to play out.

“In some ways this is just another piece of thread in the surveillance web, where the authorities will be able to better understand where drivers are, what kind of habits they have, where they drive to,” he said.

“It’s another added element of the surveillance culture that we’re, increasingly as global citizens, living under.

“We have more and more of these smart, passively-ambiently recording technologies that are embedded in everyday life, from smartphones, to wearable tech, to laptops that are networked.

“All these devices that have sensors and are recording where we are and who we’re with and what we’re doing.”

With it openly stated that the data collected will be used by the Dubai government to track stolen vehicles and monitor traffic, the program is an example of ‘dataveillance.’

“Dataveillance basically means knowledge and control through data-driven means,” said Smith.

And, as has been shown by the rise of targeted advertising in recent times, there is always a cost when it comes to data.

“So, the data that these types of technologies are ambiently giving out in real-time… can be used to do all manners of different tasks, from governing traffic to monitoring people that state authorities deem to be risky.

“Corporate companies are trying to better govern people’s consumption by knowing where they are and trying to point them and orient them towards particular services depending on their geolocational positioning.

“All this data is always subject to social relations and social constructed – it’s never neutral. It’s always being pointed towards particular political, commercial or social imperatives.”

Governments and data

Speaking about his product recently, Neville Boston from Reviver Auto assured users that any collected data was in safe hands.

“Everything is stored in the cloud and those lines of communication are encrypted,” he said. “We are actively testing all of our systems to make sure they haven’t been penetrated. Think of us more like Apple, less like Facebook,” he said.

The self-proclaimed Apple comparison perhaps alludes to the technology heavyweight’s 2016 legal stoush with the FBI, where Apple refused to create a ‘backdoor’ for the FBI to unlock the phone of one of the San Bernardino gunman.

Apple CEO Tim Cook claimed he was defending civil liberties in his refusal, while the FBI’s James Comey said Apple needed to assist in bringing justice to the 14 victims.

Eventually the FBI was able to unlock the phone without Cook’s help.

So, if Neville Boston wants to be more Tim Cook and less Mark Zuckerberg, does this mean Reviver Auto would refuse to handover it’s transport metadata to authorities if required?

If the plates make it to Australia, there could soon be a legal obligation for Reviver Auto to help law enforcement access the encrypted data of suspected criminals.

Minister for Law Enforcement and Cyber Security Angus Taylor, recently told ABC radio that under proposed new laws, companies would face significant fines if they did not assist with requests for data.

"It's not appropriate to have a world where we can do this for analogue data, analogue communication, but we can't do it in the digital world," he said.

Angus Taylor wants the government to be able to access encrypted data. Source: Goulburn Post

Later that day, speaking at the Sydney Institute, Taylor continued his proposal.

“While encryption enhances our cyber security, it also poses a very significant challenge for our law enforcement agencies, as they lose access to intelligible data they need to conduct investigations, to gather evidence, to convict criminals and pre-empt crime and terrorism.

“We need access to digital networks and devices, and to the data on them, when there are reasonable grounds to do so. These powers must extend beyond traditional interception if our agencies are to remain effective and pre-empt and hold to account criminal activity.

“There will also need to be obligations on industry – telecommunications and technology service providers – to cooperate with agencies to get access to that data. Existing powers were established in an era of analogue communications when smartphones and the Cloud were science fiction. Well they’re not today, they’re real.”

How about Australia?

From an Australian perspective, the security concerns raised by Dubai’s scheme could perhaps provide a glimpse into the future.

In November 2016 the Queensland government announced the launch of its Cooperative Intelligent Transport Systems (C-ITS) as part of its wider Cooperative and Automated Vehicle Initiative (CAVI).

The trial, which will use 500 public and fleet vehicles in Ipswich, allows vehicles to communicate with infrastructure, other vehicles, transport management systems and mobile devices.

By sharing data on location, direction and speed it is hoped the system will provide authorities with better insights into what is happening on the road.

“These rapidly developing technologies have the potential to significantly reduce crashes and crash-related gridlock, as well as reduce vehicle emissions and fuel use over coming decades,” said Main Roads and Road Safety Minister, Mark Bailey in 2016.

“While industry is leading the development of advanced vehicle technologies, the success of these will rely upon connecting to our existing traffic systems.”

But not dissimilar to the RPlate Pro, promises of efficiency are followed with questions of safety.

“Security is paramount to the deployment of C-ITS - No security, no C-ITS,” a conference paper presented at the Australian Institute of Traffic Planning and Management National Conference said.

Concern has been met with action, with a Security Credential Management System (SCMS) recently unveiled as an “additional control” over existing security measures, according to Bailey.

Number plate recognition

Another Australian scheme that has perked the ears of privacy advocates in recent times is Automated Number Plate Recognition (ANPR).

Dating back to the 1980s in Australia, ANPR technology is used by police to detect unregistered vehicles, previously convicted drivers and wanted criminals.

The technology is also now being used for average speed calculations.

But for the Australian Privacy Foundation (APF), anxiety remains about the way in which this technology is used.

In 2008 it made a submission to the Queensland Parliamentary Travelsafe Committee detailing the use of the technology as a mass surveillance technique.

Vice chair Roger Clarke has been a privacy advocate since the 1970s and it was he who first coined the term ‘dataveillance’ in 1986.

Speaking to Information Age he shared his concerns on the way this data is collected.

“There is a very reasonable purpose for them (ANPR)… the obvious application is for unregistered vehicles, where a number plate is seen which hasn’t currently been paid for,” he said. “But it’s got to be blacklist-based.”

“As soon as the camera says, ‘I’ve just picked up a number on a car, is that number on my watchlist? No it’s not’ – lose it.

“Toss it out of the buffer, never record it anywhere.”

He said that while there have been attempts to “pour that data into government databases so that they can establish tracking mechanisms for all the vehicles in Australia,” ANPR technology in Australia remains mostly blacklist-based.

But this isn’t to say it can’t be done.

“The United Kingdom is the opposite. In the United Kingdom they have such a database,” he continued.

Comparing ANPR technology with Dubai’s smart number plate scheme, Clarke explained that the main point of difference is simply proficiency.

“They’re recording it via a different mechanism… I would have thought this was a more efficient way for an authoritarian government to set up mass surveillance of traffic.”