Proposed mileage-based user fee (MBUF) systems would charge roadway users per mile driven. This model offers advantages over traditional fuel excise taxes, in which road users are taxed per gallon of fuel consumed. With rising vehicle fuel economy, as well as hybrid-electric and battery-electric vehicles, MBUFs offer a propulsion-neutral alternative to ensure road users pay their fair share for their road use. User privacy in the collection of MBUFs has emerged as a major public concern. Fortunately, privacy can be protected when MBUF systems are designed properly.
The simplest way to address privacy concerns is to offer MBUF measurement and collection methods that do not rely on location information. This approach has been adopted in Hawaii, which assesses MBUFs through odometer readings as part of the state’s existing annual vehicle safety inspection process. Payment for the annual MBUF assessment is then due at the time of vehicle registration renewal. MBUF programs in Oregon and Utah offer customers the option to submit mileage assessments by capturing photos of their odometers.
While odometer readings ensure customer privacy because no location information is involved, there are drawbacks. Reporting requires more effort on the part of customers. In the case of annual or quarterly reporting, billed amounts will be higher and may be burdensome for lower-income customers. Auditing and billing disputes are necessarily more challenging. Miles driven out of state or on private property are also not exempt. Oregon does allow odometer-reading MBUF enrollees the option to submit a form annually requesting reimbursement for these miles driven, but this is hardly a seamless or precise system. And simple odometer readings would preclude more advanced pricing policies in the future that could vary charges by roadway and traffic flow characteristics.
To offer the best customer experience and realize the greatest benefits from MBUFs, location information is necessary. The question then is how to protect customer privacy when these more sophisticated MBUF collection methods are used.
It is important to understand how the location information is generated. These systems rely on the Global Positioning System (GPS) constellation of navigation satellites. GPS satellites in orbit around the Earth broadcast radio signals that transmit their locations and the precise time from onboard atomic clocks. A GPS receiver, such as one incorporated into a location-based MBUF device, detects these signals and uses the time of arrival to calculate its distance from a GPS satellite. Using the measurements from at least four of the 31 GPS satellites allows a GPS receiver to determine its three-dimensional position at a given point in time.
The upshot is that because GPS signals are sent one-way from the satellites, and the location of the on-board receiver is calculated by the GPS receiver itself using multiple satellites, GPS receivers by themselves cannot be used as tracking devices. Privacy concerns arise when a GPS receiver is paired with a secondary wired or wireless communications system, such as a cellular network, that can transmit the location information that is computed locally by a GPS receiver. As such, addressing location-based MBUF privacy must focus on how that location information is transmitted, processed, and stored.
The architecture of a GPS-enabled MBUF system can be designed to protect privacy. It is possible to calculate all mileage via an onboard computer so that the location data never leaves the vehicle, such as through in-vehicle telematics or specialized aftermarket devices. However, third-party access to vehicle telematics systems is often restricted by automakers, and the aftermarket devices are expensive and bulky. For these reasons, smaller and more affordable plug-in devices that calculate and transmit location information off the vehicle have been popular in MBUF programs. It is here that combining data custody policies, set out in detailed legal rules, with system architecture becomes very important.
MBUF systems that involve location information transmitted off the vehicle should establish clear roles for the public and private players involved. Trusted third-party account managers, rather than government agencies, should be the entities that receive and process location information for billing purposes. Government transportation and revenue agencies should only receive aggregate mileage counts and revenue transfers from those private account managers.
Any location information should be retained for a limited period, after which it is destroyed. The amount of time that location data is stored will depend on how frequently billing is processed. For a billing cycle similar to a water or electric utility, the retention period should be set for one month, except in cases where an MBUF customer or collection agent has initiated a billing dispute or audit. Following the conclusion of any billing disputes or audits, location data should be destroyed.
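The custody and retention rules in the two paragraphs above, as an added sketch that is not code from any MBUF program or vendor: an account manager keeps location fixes only long enough to bill, holds them during a dispute, and passes the agency mileage totals alone. The `AccountManager` class, the 30-day window standing in for "one month", the per-account totals and the summing of great-circle steps between fixes are all assumptions made for illustration.

```python
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt
RETENTION = timedelta(days=30)   # assumption: the "one month" billing cycle as 30 days
EARTH_RADIUS_MILES = 3958.8

def haversine_miles(a, b):  # great-circle miles between two (lat, lon) points in degrees
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_MILES * asin(sqrt(h))

class AccountManager:
    """Hypothetical third-party account manager holding location fixes for billing."""
    def __init__(self):
        self.fixes = {}     # account -> [(timestamp, lat, lon)], destroyed after RETENTION
        self.miles = {}     # account -> running mileage total, kept for billing
        self.holds = set()  # accounts with an open billing dispute or audit

    def ingest(self, account, when, lat, lon):
        trail = self.fixes.setdefault(account, [])
        if trail:  # add the distance from the previous fix to the running total
            step = haversine_miles(trail[-1][1:], (lat, lon))
            self.miles[account] = self.miles.get(account, 0.0) + step
        trail.append((when, lat, lon))

    def agency_report(self):
        """What the government agency receives: mileage totals, no coordinates or times."""
        return {account: round(total, 1) for account, total in self.miles.items()}

    def purge(self, now):
        """Destroy expired fixes, leaving accounts under dispute intact; return count destroyed."""
        destroyed = 0
        for account, trail in self.fixes.items():
            kept = trail if account in self.holds else [f for f in trail if now - f[0] <= RETENTION]
            destroyed += len(trail) - len(kept)
            self.fixes[account] = kept
        return destroyed

    def close_dispute(self, account, now):  # dispute or audit concluded: release, then purge
        self.holds.discard(account)
        return self.purge(now)

def demo():
    """Constructed sample: two accounts, one under dispute when the purge runs."""
    am, t0 = AccountManager(), datetime(2024, 1, 1, 8, 0)
    for i, (lat, lon) in enumerate([(45.0, -123.0), (45.0, -122.9), (45.1, -122.9)]):
        am.ingest("acct-A", t0 + timedelta(minutes=10 * i), lat, lon)
        am.ingest("acct-B", t0 + timedelta(minutes=10 * i), lat, lon)
    am.holds.add("acct-B")
    return am, am.purge(datetime(2024, 2, 15))
```

The mileage totals survive the purge, so billing and the agency report are unaffected once the underlying fixes are destroyed.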
During the brief period when location data exists to facilitate MBUF transactions, it should be strictly guarded from non-revenue purposes. Third-party account managers should be exempt from public records requests, and law enforcement should only be able to obtain access to location information through a warrant issued by a court pursuant to an authorized criminal investigation. The MBUF privacy legal framework should not allow subpoenas issued to obtain evidence in civil litigation, such as cases involving insurance claims or divorce, to compel disclosure of location information.
Oregon, the first state to create a statewide MBUF program, codified these requirements in statute (ORS 319.915, confidentiality of personally identifiable information used for reporting and collecting road usage charge) after consultations with privacy advocates, including the American Civil Liberties Union of Oregon.
Enacting such privacy protections will help lawmakers establish public trust in MBUF systems, which is a prerequisite to finding a durable road-user revenue replacement for fuel taxes.