System model and scenario

We assume a traffic scenario with the following entities.

  1. Participating vehicles Vi equipped with a V2X on-board unit and mobile Internet access. The participants are willing to share information about their trips’ origin, destination, start and end times but only if their privacy is protected at the same time.
  2. They upload reports about their trips to the central but untrusted trip database.
  3. The traffic authority (TA) queries the trip database to obtain information about traffic flows.

Figure 5.1 shows an overview of our system model. We assume that the V2X system is protected by a privacy-friendly authentication mechanism, either the basic scheme described in Section 2.3.3 or, preferably, the combination of PUCA and REWIRE we presented in Chapter 4.


We define the following requirements to capture the interests of the traffic authority on the one hand and participating drivers on the other hand:

R.1 Availability of information. Traffic centers require information about traffic flows for the purpose of operational traffic control and assessment of requirements for infrastructure. We assume that while the information does not have to be totally accurate, the higher its accuracy the more useful it is. In particular, origin and destination of trips must be reported together in order to enable macroscopic traffic analysis.

R.2 Privacy protection. Drivers require protection of their privacy, quantified by the concept of k-anonymity. They will be reluctant to participate in data collection if the information they report can be used to create individual mobility profiles. For maximum protection we put forward the requirement of verifiable privacy, i.e., technical protection that augments organizational controls but has the added benefit that it can be verified by technical means.

R.3 Scalability. The system must work with a large number of participants. The interactions required and the communication overhead should be minimal, and the storage requirements for central databases must remain within practical limits.
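
The tension between R.1 and R.2 can be made concrete with an added example (not code from the original text or from the system it describes): it measures the k-anonymity of trip reports when origin, destination, start and end time are treated together as the quasi-identifier. The grid-cell and time-slot generalization, the suppression step, and the sample reports are assumptions constructed for this illustration.

```python
from collections import Counter

# Constructed sample reports: (origin_x, origin_y, dest_x, dest_y, start, end).
# Coordinates are metres on a local grid, times are minutes since midnight.
TRIPS = [
    (120, 340, 5210, 4890, 481, 503),
    (180, 410, 5350, 4620, 485, 509),
    (90, 260, 5480, 4910, 492, 515),
    (2150, 2300, 5100, 4700, 488, 501),
    (2400, 2050, 5300, 4950, 495, 510),
    (130, 300, 9100, 8800, 1020, 1055),
]


def generalize(trip, cell_m, slot_min):
    """Coarsen one report: snap coordinates to grid cells, times to slots."""
    ox, oy, dx, dy, start, end = trip
    return (ox // cell_m, oy // cell_m, dx // cell_m, dy // cell_m,
            start // slot_min, end // slot_min)


def class_sizes(trips, cell_m, slot_min):
    """Equivalence classes: reports indistinguishable after generalization."""
    return Counter(generalize(t, cell_m, slot_min) for t in trips)


def k_anonymity(trips, cell_m, slot_min):
    """k is the size of the smallest equivalence class in the data set."""
    return min(class_sizes(trips, cell_m, slot_min).values())


def release(trips, k, cell_m, slot_min):
    """Suppress every class with fewer than k reports; return what is left.

    Origin and destination stay linked in each key (R.1), but only as
    generalized cells shared by at least k reports (R.2).
    """
    sizes = class_sizes(trips, cell_m, slot_min)
    return {key: n for key, n in sizes.items() if n >= k}


if __name__ == "__main__":
    for cell_m, slot_min in [(100, 5), (1000, 60), (5000, 60)]:
        kept = release(TRIPS, 2, cell_m, slot_min)
        print(f"cell={cell_m} m, slot={slot_min} min: "
              f"k={k_anonymity(TRIPS, cell_m, slot_min)}, "
              f"reports releasable at k>=2: {sum(kept.values())}/{len(TRIPS)}")
```

At fine granularity every report is unique and nothing can be released at k = 2; coarser cells and slots make more reports releasable but reduce the accuracy available to the traffic authority.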
