Why Privacy-Preserving Protocols Are Sometimes Not Enough: A Case Study of the Brisbane Toll Collection Infrastructure.

The use of Electronic Toll Collection (ETC) systems is on the rise, as these systems have a significant impact on reducing operational costs. Toll service providers (TSPs) access various information, including drivers' IDs and monthly toll fees, to bill drivers. While this is legitimate, such information could be misused for other purposes violating drivers' privacy, most prominent, to infer drivers' movement patterns. To this end, privacy-preserving ETC (PPETC) schemes have been designed to minimize the amount of information leaked while still allowing drivers to be charged. We demonstrate that merely applying such PPETC schemes to current ETC infrastructures may not ensure privacy. This is due to the (inevitable) minimal information leakage, such as monthly toll fees, which can potentially result in a privacy breach when combined with additional background information, such as road maps and statistical data. To show this, we provide a counterexample using the case study of Brisbane's ETC system. We present two attacks: the first, being a variant of the presence disclosure attack, tries to disclose the toll stations visited by a driver during a billing period as well as the frequency of visits. The second, being a stronger attack, aims to discover cycles of toll stations (e.g., the ones passed during a commute from home to work and back) and their frequencies. We evaluate the success rates of our attacks using real parameters and statistics from Brisbane's ETC system. In one scenario, the success rate of our toll station disclosure attack can be as high as 94%. This scenario affects about 61% of drivers. In the same scenario, our cycle disclosure attack can achieve a success rate of 51%. It is remarkable that these high success rates can be achieved by only using minimal information as input, which is, e.g., available to a driver's payment service provider or bank, and by following very simple attack strategies without exploiting optimizations. As a further contribution, we analyze how the choice of various parameters, such as the set of toll rates, the number of toll stations, and the billing period length, impact a driver's privacy level regarding our attacks.