Maintaining Privacy in the Robotaxi

While I've been in love for a long time with the idea of mobility-on-demand and the robocar taxi, I continue to have some privacy concerns. The first is simply over the idea that a service company gets a map of all your travels. Of course, your cell phone company, and companies like Google with their Location History (Warning, don't click or you will be freaked out if you didn't know about this) know this already, as does the NSA and probably all the other spy agencies in the world. That doesn't make it much better to add more trackers. The online ride companies like Uber are tracking you too.

It will be sad to lose the anonymous taxi we used to have, where you hailed a cab and paid in cash and no record was made (until cabs got tracklogs and video) of your travels. In my article on Robocars and Privacy written many years ago I outlined some plans for anonymous taxi service and I continue to push this idea.

In the article, I outline the concern that a taxi company will want to be able to photograph the vehicle when you're not in it, to assure you haven't dirtied or damaged the interior, and also to check if you left something in the vehicle by accident. People will be less comfortable with a camera that can be turned on all the time, and LEDs to inform you if a camera is on can't really be trusted, so we want to have a physical shutter.

This led me to a simple solution: The physical shutter on the camera could be the switch by which you signal the start and end of a ride. The ride can't begin until you close the physical shutter, and it doesn't close out until you open it. You want a lever for the shutter on the outside of the car by the main passenger door, so you can open and close it when you are not in the car, so it doesn't take a picture of you if you are trying to use an anonymous taxi. A connected lever inside could allow people who are not trying to be anonymous (but rather just private on their journey) to both control the shutter, and signal the car to go or conclude the ride.

You might not want to be inside when it takes the photo anyway, because a bright flash would be advised, for a millisecond brighter than the sunlight coming in the car. That way the images will be under the same light, night or day, making it easy to compare before and after images to detect dirt or lost items. The camera could also shoot in the ultraviolet, able to see things like bodily fluids not so visible to the eye.

If you leave the car without opening the shutter, it would honk at you, or ding on your phone to remind you to come back and open it.

Cars will likely have some other cameras too, for video conferencing. I expect video conferences to be popular in robocars, and while your own phone can do that for you, a camera with stabilization in it could be a useful idea. Here, we could use a physical shutter, though this time with a remote actuator that makes noise, so you can easily see if it's open. Even more simply, the video camera and monitor might not connect to anything in the car, but rather only connect to your phone via a car dock. (The connection must be wired, unfortunately.) If the camera is not connected you can be reasonably confident it's not spying on you.

Of course, a truly malicious operator could have hidden cameras, or a secret connection to the video conference camera, but there's not too much you can do about that. What we want protection from are attackers breaking into the car's system, and vendors who change their mind about your privacy. We also want a stake in the ground that routine surveillance of passengers is not acceptable.

People would not have to close the mechanical shutter. They could elect to trust the camera, and then they would not be required to open it when leaving or be billed for not opening it.

Of course, when the next passenger comes to a car and sees damage or soiling or smells, they would report it as well, and get a replacement car, the other being sent for cleaning.
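The shutter-as-ride-switch rules described above, sketched as a small state machine. This is an added example, not code from the original article; the class and method names, the log labels and the door/seat sensor event are all assumptions made for illustration.

```python
from enum import Enum, auto

class State(Enum):
    IDLE = auto()      # cabin empty, shutter open
    RIDING = auto()    # ride in progress
    UNCLOSED = auto()  # passenger left without opening the shutter

class ShutterRide:
    """Hypothetical controller: the shutter lever doubles as the ride switch."""
    def __init__(self):
        self.state, self.shutter_open, self.trusted = State.IDLE, True, False
        self.log = []                 # what the car did, in order

    def photo(self, label):
        # Models the physical fact: nothing is captured through a closed shutter.
        if not self.shutter_open:
            raise PermissionError("shutter closed")
        self.log.append("photo:" + label)

    def close_shutter(self):          # lever closed = signal to go
        if self.state is not State.IDLE:
            return False
        self.shutter_open, self.state = False, State.RIDING
        self.log.append("ride_start")
        return True

    def start_trusted(self):          # passenger elects to trust the camera
        if self.state is not State.IDLE:
            return False
        self.trusted, self.state = True, State.RIDING
        self.log.append("ride_start")
        return True

    def passenger_left(self):         # assumed door/seat sensor event
        if self.state is not State.RIDING:
            return
        if self.trusted:
            self._close_out()         # no lever action required
        else:
            self.state = State.UNCLOSED
            self.log.append("remind") # honk, or ding the phone

    def open_shutter(self):           # lever opened = close out the ride
        if self.shutter_open or self.state is State.IDLE:
            return False
        self.shutter_open = True
        self._close_out()
        return True

    def _close_out(self):
        self.photo("after")           # post-ride cabin check image
        self.trusted, self.state = False, State.IDLE
        self.log.append("ride_end")
```

In the real design the closed-shutter guarantee comes from the mechanism itself, not from the `photo` check, which is why it still holds if the car's software is compromised.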


Hey Brad,
I read an article in Mother Jones about robo cars.
They suggested a price of 1 dollar per mile for the use of a robo car.
That would be too high of a cost for me to get rid of my human driven car.
(~$20,000 per year for an average driver)

What is your estimate for the cost per mile of driving in a robo car? (could you show the math for the estimate?)
I am guessing that it would need to be around 0.50$ per mile for me to get rid of my car.

First of all, the average US driver goes 10,000 miles a year; 20,000 is well above average.

Most common estimates of the cost of owning and operating your car are about 50 to 65 cents/mile for average cars, more for luxury cars. Plus parking. So $1/mile is not that much more, but I actually predict the cost will come down to match that 50 cent price fairly soon, and then dip below it. It will dip below it because most of your trips can be in small, light, cheap cars which are meant for 1-2 people and may not even be able to get on the highway if your trip doesn't involve highway. These cars are really cheap. They will also be engineered for longer life in miles (meaning lower cost per mile,) low cost electric power and lower maintenance.

When you add parking, I think the break-even point for most people will be around 60 to 70 cents. But when you add the hassles of car ownership, some will have little trouble with a dollar.

Since there is no human representative of the company operating the taxi service on site, and lives might be at stake, the bare minimum is internal & external cameras. They may be off 99.9% of the time, but the ability to see what is happening and call emergency services if needed is a must.

Examples include checking up on passengers following an accident (especially a relatively minor one), if the passenger is not leaving the car at the end of the ride and is non-responsive to audio cues, irresponsible parents putting a little kid in the car alone and sending him to kindergarten on his own, etc.

BTW - I believe there must also be a "remote operator" capability - if the autopilot fails (say complicated road construction, flooding, etc), the taxi operators may drive it remotely. Not real-time drive, of course, but more like the Mars rovers - mark a path on the map/video and have the car follow it very slowly while using its internal resources to avoid hitting anything, but overriding some of the normal rules (e.g. ignore the "don't drive on the shoulders, even if it is technically possible" rule).

Sure, you want remote operators, but they don't need to see inside.

I don't actually buy the internal camera need in emergencies. If they talk to me and I don't respond by activating the video system or answer the call, then they know it's a problem and should send emergency help. They will also know the speed of any impact and have video of what went on. They can't send the crew any faster because they can see me, and if I won't answer after an accident, then send the crew as fast as possible. You won't learn anything that you can act on from an internal camera.

However, if people are really paranoid about that, then you can make a system where, if I don't answer a call, they can remotely open the camera shutter, but do it in a way that's obvious and makes noise and can't be remotely made silent. You can design it that way, indeed you can design it so the LED on the camera can't be faked, but nobody does because that's harder.
