Preserving Privacy in Vehicular ad hoc Networks
Written by Josep Domingo Ferrer, Qianhong Wu   

Vehicular ad hoc networks (VANETs) can be expected to improve traffic safety and transportation management in the near future. This is realized by letting vehicles exchange their sensed traffic environment changes with other vehicles. Such exchanges also create privacy concerns since the vehicle-generated reports contain much private information on the vehicle and its driver. In this paper we review the existing solutions to preserve privacy in VANETs and we identify unaddressed issues requiring further study.

1. Introduction

With the development of manufacturing technologies, automobiles have become a killer application. When Karl Benz built the first vehicle to use an internal combustion engine in 1885 there were fewer than 1000 petrol-driven cars. In 2007, there were about 806 million cars and light trucks on the road around the world. According to the Organisation Internationale des Constructeurs d’Automobiles (OICA) [1], more than 77 million vehicles had been manufactured in 2010, and now about two vehicles are manufactured each second. If present trends continue, the number of vehicles on Earth will double in the next 30 years. These vehicles are essential to the operation of the global economy and to the welfare of the world’s citizens.

Fig.1. A car after crash [2] Fig.2. A typical traffic congestion scenario [3]

On the other hand, according to the World Health Organization [4], approximately 1.3 million people die each year on the world's roads [5], and between 20 and 50 million sustain non-fatal injuries. Nearly all data sources show that about three-quarters of traffic deaths are among men and that the highest impact occurs in the economically active age ranges, at an estimated cost of about $520 billion. Also, according to INRIX, a company that tracks traffic congestion, congestion in the USA's 100 biggest metropolitan areas increased by 11 percent in 2010 and things are only going to get worse. Congestion has several effects on travelers, businesses, agencies and cities. According to the 2010 Urban Mobility Report [6], congestion cost about $115 billion in the 439 urban areas in the USA.

2. Vehicular ad hoc Networks

The global status reports on road safety clearly show that significantly more action is needed to make the world's roads safer. Research implies that most traffic accidents and jams can be avoided if drivers are alerted in advance about changes in their driving environment. Hence, one of the most promising efforts is to enable communications between vehicles and broaden the views of the drivers. This effort dates back to 1992, when the American Society for Testing and Materials (ASTM) presented dedicated short-range communication (DSRC) technologies for vehicles. In 2003 the DSRC standard E2213-03 [7] was presented, and since 2004 the standardization work has been incorporated into IEEE 802.11p and IEEE 1609.

Fig.3. Architecture of a typical VANET Fig.4. Privacy risks in VANETs

In industry, car manufacturers and telecommunication companies are gearing up to equip each car with onboard units (OBUs) that allow vehicles to communicate with each other, as well as to supply roadside units (RSUs). The OBUs and RSUs form a vehicular ad hoc network (VANET) as illustrated in Fig. 3, by which vehicles can disseminate messages to other vehicles in their vicinity. For instance, a vehicle can inform nearby vehicles about its position, speed, direction, acceleration/deceleration/brake, sensed road environment, etc. This mechanism can be expected to improve driving safety, traffic efficiency, driver assistance, and transportation regulation.

3. Privacy Challenges in VANETs

Vehicle-generated reports contain much private information on a vehicle and its driver. Since vehicular communications use open wireless media accessible to anybody, collecting vehicle-specific information becomes particularly easy if a VANET is deployed without privacy-preserving countermeasures. Consequently, drivers could be traced and identified anywhere, anytime, as shown in Fig. 4. Such lack of privacy might deter drivers from participating in VANETs, which would greatly diminish the potential of VANETs to improve traffic safety.

A number of challenges must be addressed when vehicle privacy is incorporated into VANETs. First, vehicle privacy may undermine the trustworthiness of traffic reports generated by vehicles. When privacy is guaranteed in vehicular communications, vehicles are anonymous and may be tempted to generate bogus reports for selfish purposes (e.g. cause an area to become deserted) at no cost. Vehicle anonymity makes it difficult to identify the attackers. Finally, vehicle privacy may undermine the availability of the system. Usually, time-consuming cryptographic operations are required to support vehicle privacy but, to improve traffic safety, vehicles need to receive authentic traffic reports and process them in quasi-real time.

4. Solutions to Vehicle Privacy in VANETs

Considerable efforts have been devoted to guaranteeing vehicle privacy and quite a number of solutions have been proposed. Among them, for example, pseudonym-based approaches are well-understood. Indeed, the pseudonym of a node is a short-lived public key authenticated by a certificate authority. With these pseudonyms, vehicles can anonymously authenticate their own vehicular reports, as illustrated in Fig. 5. This approach is conceptually simple and it is supported by the DSRC standard [7]. However, a major shortcoming of pseudonyms is that each vehicle needs to pre-load a huge pool of anonymous certificates to achieve privacy, and a trusted authority also needs to maintain and manage all the anonymous certificates, which implies a heavy burden of pseudonym management. Note that the number of pseudonyms per vehicle cannot be small, because that would cause each pseudonym to be re-used too often and might lead to vehicle re-identification: indeed, all messages authenticated with the same pseudonym can be linked and, the more messages are linked, the easier re-identification becomes.

Fig.5. Pseudonym-based privacy-preserving VANETs Fig.6. Tracing dishonest vehicles in VANETs

To circumvent the intricate pseudonym management, some proposals suggest using group signatures to anonymously authenticate traffic reports. In this approach [8], each vehicle registers with the transportation administration office and obtains a secret token. With this token, the vehicle can authenticate any message and the authenticated message can be verified by any vehicle receiving it. However, the verifying vehicles cannot identify the author of the verified message. Unlike the pseudonym approach, a secret token can be used to anonymously authenticate exponentially many messages until it expires or is revoked, which eliminates the requirement to manage a huge number of pseudonyms. Nevertheless, the group signature approach needs to manage a number of revoked or expired tokens that grows linearly with the time since the system was deployed, and before verifying a traffic report, a verifying vehicle needs to retrieve and verify that the report is not associated with any expired/revoked tokens. This implies that the system performance degrades as time passes.

Privacy in vehicular communications can only be preserved for honest vehicles. An anonymity revocation mechanism is required "for the prevention, investigation, detection, and prosecution of serious criminal offences" [9]. Both the above pseudonym approach and the group signature approach allow some trusted party to reveal the genuine identities of misbehaving vehicles, as illustrated in Fig. 6. By extending the existing law enforcement mechanisms to cover malicious behavior in VANETs that compromises the drivers' safety, this kind of anonymity revocation mechanism can be viewed as an a posteriori countermeasure that deters abuse of anonymity in VANETs.

With a posteriori countermeasures, punitive action is taken against vehicles proven to have originated fraudulent messages. However, such countermeasures are ineffective against irrational attackers such as terrorists. Even for rational attackers, damage has already occurred when punitive action is taken. To overcome this concern, an option is to employ a priori countermeasures [10], which attempt to prevent the generation of fraudulent messages. A report is trusted only if it was endorsed by a number of vehicles in the vicinity greater than or equal to a predefined threshold. The underlying assumption is that most users are honest and will not endorse any message containing false data; the more vehicles endorse a report, the more trustworthy it is.

One may observe that neither a posteriori nor a priori countermeasures alone are sufficient to secure VANETs. For instance, with a priori countermeasures, although the underlying assumption that there is a majority of honest vehicles in VANETs generally holds, it cannot be excluded that a number of malicious vehicles greater than or equal to the threshold be present at specific locations. To address this concern, we presented a proposal [11] incorporating both a priori and a posteriori countermeasures. This approach can achieve better trustworthiness of traffic reports while preserving privacy for honest vehicles.

Time-consuming operations are usually required to preserve privacy in VANETs. This raises the concern of the availability of the system because traffic safety can be improved only if the numerous received reports can be verified and reacted to in time. Two main approaches have been suggested to improve performance. One is to use batch verification [11], which allows the receiving vehicle to simultaneously verify a large number of reports. Another approach is to use aggregate reports [12]. This approach enables the received reports to be aggregated into a single one and then to be verified efficiently. An extra gain of this aggregation approach is that the receiving vehicle needs to store only the aggregated reports for the purpose of future accident reconstruction and liability investigation.
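The receiver-side check that the threshold rule, pseudonym revocation and batch verification described above add up to, as an added example that is not from the original article or the cited schemes. It uses plain Schnorr signatures on the secp256k1 curve as a stand-in for a VANET signature scheme, and `accept_report`, `batch_verify` and the other helper names are hypothetical. It assumes each pseudonym public key has already been checked against its certificate.

```python
import hashlib, secrets

# Illustrative stand-in scheme: Schnorr signatures on secp256k1 (y^2 = x^3 + 7 over F_P).
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # prime order of G
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):  # point addition; None is the point at infinity
    if a is None or b is None:
        return a or b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    lam = (3 * a[0] * a[0] * pow(2 * a[1], -1, P) if a == b
           else (b[1] - a[1]) * pow((b[0] - a[0]) % P, -1, P)) % P
    x = (lam * lam - a[0] - b[0]) % P
    return x, (lam * (a[0] - x) - a[1]) % P

def mul(k, pt):  # double-and-add; not constant time, demo only
    acc = None
    while k:
        acc = add(acc, pt) if k & 1 else acc
        pt, k = add(pt, pt), k >> 1
    return acc

def H(*parts):  # challenge hash mapped to a scalar
    return int.from_bytes(hashlib.sha256(repr(parts).encode()).digest(), "big") % N

def sign(x, msg):  # Schnorr signature (R, s) under pseudonym secret x
    k = secrets.randbelow(N - 1) + 1
    R = mul(k, G)
    return R, (k + H(R, mul(x, G), msg) * x) % N

def verify(pub, msg, sig):  # single check: s*G == R + e*pub
    return mul(sig[1], G) == add(sig[0], mul(H(sig[0], pub, msg), pub))

def batch_verify(msg, endorsements):  # one combined check with random 64-bit weights
    lhs, rhs = 0, None
    for pub, (R, s) in endorsements:
        a = secrets.randbelow(2**64) + 1
        lhs = (lhs + a * s) % N
        rhs = add(rhs, mul(a, add(R, mul(H(R, pub, msg), pub))))
    return mul(lhs, G) == rhs

def accept_report(msg, endorsements, threshold, revoked):  # pub keys assumed CA-certified
    live = [(p, s) for p, s in dict(endorsements).items() if p not in revoked]  # dedupe
    if not batch_verify(msg, live):  # slow path: isolate the bad endorsements
        live = [(p, s) for p, s in live if verify(p, msg, s)]
    return len(live) >= threshold
```

The random weights keep invalid endorsements from cancelling each other in the combined equation; when the batch check fails, the receiver pays the per-endorsement cost only to find which ones to discard.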

5. Conclusion

In this paper, we have reviewed the privacy challenges in VANETs and the solutions to address these challenges. There are still a number of unaddressed challenges to be solved for these solutions to be practically deployable. For the pseudonym-based approach, efficient management of a huge number of short-term pseudonyms remains a problem. For the group signature based approach, the challenge is to address the continually growing number of revoked vehicles. Another open question is how to efficiently store privacy-preserving traffic reports for liability investigation. Even if up-to-date aggregation technologies are used, the storage cost still grows linearly as time passes. Finally, traffic reports may need to be statistically analyzed by third parties for transportation administration and city planning; how to produce anonymized but analytically useful traffic reports that can be released has been rarely studied in VANETs.

References

  • [1] http://oica.net/.
  • [2] http://www.car-accidents.com/2008-wreck-pages/2-18-08-neon-1.html
  • [3] http://blogadocious.net
  • [4] http://whqlibdoc.who.int/publications/2009/9789241563840_eng.pdf
  • [5] Road turn video. http://www.chacha.com/videos/scitech/cars-world/youtube/x3MdhyWcB38
  • [6] http://mobility.tamu.edu/ums/report/
  • [7] DSRC. http://www.leearmstrong.com/Dsrc/DSRCHomeset.htm
  • [8] X. Lin, X. Sun, P.-H. Ho and X. Shen. GSIS: A secure and privacy preserving protocol for vehicular communications. IEEE Transactions on Vehicular Technology, vol. 56, no. 6, pp. 3442-3456, 2007.
  • [9] European Parliament. Legislative resolution on the proposal for a directive of the European Parliament and of the Council on the retention of data processed in connection with the provision of public electronic communication services and amending Directive 2002/58/EC (COM(2005)0438 C6-0293/2005 2005/0182(COD)), 2005.
  • [10] V. Daza, J. Domingo-Ferrer, F. Sebé and A. Viejo. Trustworthy privacy preserving car-generated announcements in vehicular ad hoc networks. IEEE Transactions on Vehicular Technology, vol. 58, pp. 1876-1886, 2009.
  • [11] Q. Wu, J. Domingo-Ferrer, and U. González-Nicolás. Balanced trustworthiness, safety, and privacy in vehicle-to-vehicle communications. IEEE Transactions on Vehicular Technology, vol. 59, no. 2, pp. 559-573, 2010.
  • [12] B. Qin, Q. Wu, L. Zhang, J. Domingo-Ferrer. Secure compression of privacy-preserving witnesses in vehicular ad hoc networks. IEEE VECON'2010, pp. 541-547, 2010.