PT2381425E - Device and method for creating toll data from anonymous locations - Google Patents

Abstract

The method involves transmitting location records from a thin-client onboard unit (1) to a toll calculation server (5) under a source identifier (RID) i.e. random value. Location anonymous toll data (T) is calculated from the records, and the records in the server are subsequently deleted. Waiting process for a preset time span (11) is carried out in the onboard unit. An identifier (OID) i.e. vehicle device identifier, associated to the source identifier is released from the onboard unit for associating the toll data to the associated identifier. Independent claims are also included for the following: (1) a toll calculation server for executing a method for creating location-anonymous toll data from location records (2) a location-recording vehicle device comprising an identifier for executing a method for creating location-anonymous toll data from location records.

Description

ΕΡ 2 381 425 / ΡΤ

Method and device for producing toll data from anonymous sites " The present invention relates to a method for producing location toll data made anonymous from the location register of a locally registered vehicle apparatus with a unique identification in a road toll system. The invention furthermore relates to a toll calculation server and to a vehicle apparatus for carrying out this method.

Vehicle tolls for road toll systems are also referred to as " onboard units " or OBU. The OBUs, which automatically determine and record their location, for example via a satellite navigation receiver, currently exist in two different versions. The so-called OBU "thick Client " calculate on the basis of toll cards stored from their anonymous location toll data location records and send them, for example, via the mobile network to a central of the road toll system, which requires a distribution costly to OBU tolls and high calculation capacity in OBUs. Unlike the so-called OBU " thin client " do not automatically evaluate your location records, but rather send these " " " to the central, which compares the toll cards (" map coincidence "), from there to produce toll data. The OBU " thin client " are therefore essentially configured more simply and at a lower cost, but from the point of view of data protection considered to be debatable since the central of the road toll system is aware of all the location records ( " motion profiles ") of an OBU, including stays at non-toll locations.

In WO 2008/000227 it was therefore proposed to send the location records of an OBU " thin client " with an identification made anonymous of the sender to a special toll calculation server, which proceeds to 2 ΕΡ 2 381 425 / ΡΤ "map coincidence" (" map matching "), forwarding location toll data made anonymous to the OBU, which the OBU later deposits in the exchange. Due to the arbitrary architecture of the toll calculation server it is in this system difficult to control the data protection requirements. This solution also produces additional data traffic in the road toll system. From WO 2009/001303 AI it is generally known that the exchange waits for a confirmation of deletion of the toll data made anonymous by the toll calculation server before it associates the toll data received by the toll calculation server to a user identity received by the OBU, which removes the power to dispose of a disclosure of the OBU-ID of the OBU and which involves the risk of a compromise of data security. The invention aims at overcoming the drawbacks of the prior art and in particular creating a method for producing toll data for OBU " thin client ", which provides better data protection or higher confidentiality to the user. This object is achieved by the method having the features of claim 1. The invention is based on a completely new and surprisingly simple concept for performing data protection at a physical level (" privacy by design "). The OBU waits for a period of time to allow sufficient time for the toll calculation server to compile the toll data and to delete the location records on which it is based. The OBU can, without any risk, disclose its identity or identification, because there are no longer any system location records to draw conclusions from the OBU's motion profile.

A toll calculating server particularly suitable for the invention is distinguished by having a buffer memory for receiving the location registers and means for periodically, preferably daily, deletion by less than the oldest registers of the buffer memory, in order to ensure deletion of the location records.

A vehicle apparatus particularly suitable for the invention is distinguished in that it comprises release means which, upon completion of a predefined time period, send said sender identification and thereby disclose its identity. The invention thus guarantees, in a simple and transparent manner to the user and the system operator, confidentiality conditioned by the physical medium of the location register sensitive data. The location records are stored in the central office only for the time required to process them, and are then automatically deleted. Any reservations regarding the possibility of a follow-up, respectively, of the production of a movement profile of the vehicle apparatus may therefore be excluded. Further, the invention does not cause any increase of data traffic in the road toll system. The mapping of toll data with location made anonymous to the identification released by the vehicle apparatus can be performed on both the toll calculator server and the toll server. Accordingly, there are further variants of the method according to the invention in that said release takes place at the toll calculation server, which associates toll data with localization made anonymous with the identification and sends the same to a central toll system; or the so-called release is effected in a central of the toll system, which receives toll data with an anonymous location of the toll calculation server and associates them with the identification.

If so desired, in each embodiment the location records on the toll calculation server may, prior to its deletion, be encoded with a public key from an external file location and be sent encoded thereto. Such a filing location should be for all participants, ie for the user as well as for the system operator, of the maximum 4 ΕΡ 2 381 425 / ΡΤ trust, such as a fiduciary agent or a notary, thus in cases of litigation, be consulted by either party.

Preferably, the sending and the releasing are carried out from the vehicle apparatus through the radio network, preferably a mobile network. In this way, for example, the OBU " thin client " which are equipped with a DSRC transmitter / receiver or a mobile terminal.

According to yet another preferred embodiment of the invention the location records of a vehicle apparatus are sent in data packets, which are respectively provided with identical sender identifications, which simplifies the verification, since the vehicle device here, after waiting the time period or receiving the confirmation of deletion, shall only disclose its identification with respect to a single sender identification.

Alternatively, the location records of a vehicle apparatus may be sent in data packets with different sender IDs. In this way, the confidentiality of the transmission interface can be increased.

Preferably, data packets provided with alternating sender IDs are also provided with packet-linked identifications, which allow an association between them, whereby the vehicle apparatus needs to reveal only its identification for the sender identification of the last packet of data. The identification by which a vehicle apparatus is identified may be either an identification of the vehicle apparatus itself or an identification attributed to the user of the vehicle apparatus, for example the identification of a user account for the settlement of toll rates in the vehicle. system of road tolls. 5 ΕΡ 2 381 425 / ΡΤ The sender identification used to send the location registers to the toll calculation server may be both a random value and a code to be freely chosen by the user, which further increases the transparency for the user. The method of the invention is adapted to all types of self-locating vehicle apparatuses, in the manner in which they determine their location, for example by identifying reference points or identifying beacons, by which the vehicle is oriented. vehicle apparatus. It is particularly favorable if the vehicle apparatus determines in an already known manner its locations by means of satellite navigation, and it may be possible to use the OBU " thin client " supported by GPS. The invention is explained below in detail on the basis of embodiments shown in the accompanying drawings, in which Figs. 1 and 2 show, in the form of a block diagram, two different embodiments of a road toll system operating according to the method of the invention and having components according to the invention.

According to Fig. 1, an OBU 1 on board a vehicle moves within a road toll system with a central 2. The central 2 invoices the local uses of the OBU 1 subject to tolls, for example, traffic on a road subject to tolls, entering a room subject to payment, staying in a car park subject to a fee, etc., by means of corresponding user accounts, and this on the basis of toll data T, which are initiated by the local use of OBU 1, as is known in the art. The OBU 1 is to type " thin client " and locates, eg periodically, its location, for example with the aid of a satellite navigation receiver, and records the location records thus detected (" position fixes "), P2, P3,. .. (generally pi) in an internal location register memory. 6 ΕΡ 2 381 425 / ΡΤ

Each OBU 1 is provided with a unique OID identification in the road toll system, for example a unique identification of the OBU 1 itself and / or its user or an account thereof. Knowing the OID identification of an OBU 1 and its location register pi could complete the movement profile of OBU 1, which is avoided as follows.

The location registers pi of the OBU 1 are, although this is not required for better handling, also distributed in individual data packets 3. The data packets 3 may be equipped with a packet identification P ± (see Fig. 2), for example with a continuous numbering and a header record (not shown), which contains, for example, metadata such as number of location records pi contained in a data packet 3, an abstract value (hash) thereof, etc.

The location registers pi, respectively, the data packets 3 are sent by the OBU 1, in a first step 4, to a toll calculation server 5, for example via a mobile network, that is, with a sender identification RID " anonymous " different from the OID ID. The RID sender identification is, for example, a freely chosen code by the user or a value generated randomly by the OBU 1. Alternatively, however, also with a correspondingly reduced anonymity could also be used a temporary mobile network identification or an address Temporary Internet of the sender as an OBU RID ID 1. The toll calculation server 5 contains a " map match " ("map matching") 6, which allocates the location records pi to toll locations, routes or areas from the toll card database 6 ', calculating the respective toll rates from the base of data of toll cards 6 '. From the location register tok rates p ± received for a RID sender ID, the " map matching " 6 thus calculates the T toll data with " location made anonymous ", which no longer allow any conclusion on location register ρ ±. 7 ΕΡ 2 381 425 / ΡΤ

Toll data T is, for example, a single sum of rates for all location records p ± of all data packets 3 of a RID sender ID. The " map match " ("map matching") 6 of the toll calculation server 5 is a buffer 7 in the form of an upstream circular memory in which all of the location registers p ± sent by OBU 1 are consecutively entered to be processed by device 6. Because of the average load of the device 6, a period of time can therefore be set, in which at a precise moment in the buffer 7 the location pi registers that have been input are converted into toll data T with location become anonymous and that were automatically deleted by the input of new location data, the latter, for example, when the buffer 7, as shown in Fig. 7, is performed as circular memory, which due to the input of new data is written again continuously and cyclic. If this time period, when an extraordinarily low load of the buffer 7 is exceeded, it can by means of an additional periodic deletion, for example daily, of registers in the buffer 7, which are older than the period of time it is ensured that, after said period of time, in any case there are no longer any location records p ± on the toll calculation server 5.

If at any time, when an extraordinarily high charge of the buffer 7 respectively of the " map coincidence " ("map matching") 6, unprocessed pi location records are deleted, the OBU 1 may resend these location records pi or automatically or on demand from the toll calculation server 5 or at the request of the exchange 2.

If so desired, the toll calculation server 5 may, prior to its deletion in coded form, archive the pi location records in a trusted location for purposes of proving it, when encoding the records with a public key of a file location 9 sending them to it (step 10). The private key of the 8 ΕΡ 2 381 425 / ΡΤ file 8, which is required for the decoding of the pi location logs, can not be known to the user or operator of the road carrier system, but only to the operator of file location 9, which thus functions as a notary or trustee for both parties. The toll calculation server 5 then sends to the exchange 2 the toll data T calculated with the sender ID RID in the step 8.

On the other hand, the OBU 1 waits for the period of time mentioned (step 11) releasing or revealing its " identity ", i.e., the OID identity (step 12). The release is effected in Fig. 1, when the OBU 1 sends to the exchange 2 the identification of the RID sender, used by it with its OID identification. The control unit 2 may therefore associate the toll data T, received from the calculation server 5, with the RID sender identification, to the OID identification, received by the OBU 1 for this RID sender identification (step 13), to generate toll data T with anonymous location associated with the OBU 1. Fig. 2 shows several variants of components of the method of Fig. 1. The association of the T toll data with the OID identification is not done here in the central 2, but directly on the server. to the toll calculation server 5, when the OBU 1 releases its OID identification in step 12 to the toll calculation server 5 and the latter calculates the result of the association 13 to the central 2 (step 14).

In Fig. 2 it is further shown that OBU 1, instead of waiting for a period of time 11, waits for an explicit acknowledgment 15 of the toll calculating server 5 about the deletion effected of the location registers pi. Upon entry of the deletion confirmation 15, the OBU 1 reveals its OID identification in step 12. Fig. 2 also shows the variant in which the individual data packets 3 may be provided with alternate RIDi sender IDs, so as to make it difficult to track 9 ΕΡ 2 381 425 / ΡΤ at interface 4. In step 12 the OBU 1 can then directly identify with its OID identification several of its most recently used RIDi sender IDs.

If the individual data packets 3 are chained together, for example, by corresponding references in their packet identifications P ±, it is sufficient for the OBU 1 in step 12 to only identify the last RIDi sender identification of a sequence of data packets with an OID identification, since the toll calculation server 5 may open, due to packet chaining, the RIDi antecedent sender IDs.

Alternatively, the toll calculation server 5 could also accumulate the RIDi sender IDs to be chained from toll data Ti continuously to enter, for example, a sum of rates and in this case delete only the last RIDi sender ID. Also in this case it suffices that OBU 1 in step 12 only identifies its last RIDi sender ID with its OID identification. Fig. 2 finally also shows the use of a reverse list memory as buffer 7. The reverse list memory 7 is for example periodically cleaned or its oldest records are, after a predefined period of time, removed, if not are processed in a timely manner and / or the OBU 1 in this case continuously awaits confirmation of deletion 16. The invention is not restricted to the embodiments shown but covers all variants and modifications which fall within the scope of the appended claims.

Lisbon, 2012-07-31

Claims (12)

A method for producing location toll data (T) made anonymous from location registers (pi) of a vehicle device (1) which registers the location with an identification (OID) in a road toll system comprising the steps of: sending (4) the location registers (pi) with at least one sender ID (RID) other than the identification (OID) of the vehicle apparatus (1) for a toll calculation server (5), toll data calculation (6) with localization made anonymous of the location registers (p ±) and then deleting the location registers (pi) in the (5), wherein the deletion is in any case periodically terminated within a predefined period of time, in the vehicle apparatus (1): after the completion of said predefined time period (11) the release ( 12) to from the vehicle identification device (1) of the identification (OID) corresponding to the sender identification (RID), to match the toll data (T) with an anonymous location of this sender identification (RID) with the corresponding identification (OID) . Method according to claim 1, characterized in that said release (12) is carried out on the toll calculation server (5), which matches (13) the toll data (T) with a location made anonymous to (OID) and sends them to a central (2) toll system. Method according to claim 1 or 2, characterized in that said release (12) is carried out in a central (2) of the toll system, which receives the toll data (T) with the location made anonymous of the calculation server (5) and causes them to coincide with the identification (OID). ΕΡ 2 381 425 / ΡΤ 2/3 Method according to one of Claims 1 to 3, characterized in that the location registers (p ±) are encoded in the toll calculation server (5) with the public key of an external file station (9) and are sent for this before suppression. Method according to one of Claims 1 to 4, characterized in that the sending (4) and the release (12) are carried out from the vehicle apparatus (1) via a mobile network, preferably a radio network mobile. Method according to one of Claims 1 to 5, characterized in that the location registers (pi) of a vehicle apparatus (1) are sent in data packets (3), which are respectively provided with the same identification data of sender (RID). Method according to one of Claims 1 to 5, characterized in that the location registers (p ±) of a vehicle apparatus are sent in data packets (3), which are provided with alternating sender IDs (RIDi) . The method according to claim 7, characterized in that the data packets (3) are provided with linked packet (P +) identifications, which enable their mutual association, wherein the identification (OID) is only performed for the sender identification (RIDi) of the last data packet (3). Method according to one of Claims 1 to 8, characterized in that said identification (OID) is a vehicle identification or a user account identification. Method according to one of Claims 1 to 9, characterized in that the sender identification (RID) is a random value or a user selection code. Toll calculating server (5) for carrying out the method according to one of claims 1 to 10, configured to receive the location register ΕΡ 2 381 425 / ΡΤ 3/3 (ρι) and calculation from anonymous location toll data (T), characterized in that it comprises a buffer (7) for the admission of location registers (Pi) and means for a periodic suppression, preferably daily, of at least the oldest buffer registers (7), respectively, within one and the same predefined time period. Locating register vehicle apparatus (1), with an identification (OID) for carrying out the method according to one of the claims 1 to 10, configured for sending (4) of its location registers (pi) with at least one sender identification (RID) other than the identification (OID), characterized in that it comprises release means which, upon completion of a predefined time period (11), send said sender identification (RID) with identification (OID). Lisbon, 2012-07-31