Zeev Shadmi’s personal reflections on Cooperative ITS and Vehicle-to-Vehicle Communication
The rationale behind the concept of V2V was that information about the position of a potential hazard beyond the driver’s field of sight could be transmitted between vehicles, to generate a warning in real time.
The 75 MHz-wide band was allocated by the FCC to be used for the purpose of “protecting the safety of the traveling public”, because it has the potential to “significantly reduce many of the most deadly types of crashes”.
It was even argued that “V2V Technology is the future of motor safety. It opens the possibility of not just reducing the number of crashes, but preventing them altogether. It was estimated that this technology could prevent or reduce the severity of up to 80 per cent of crash scenarios involving non-impaired drivers”.
Over the years the concept of Cooperative ITS became more appropriate, to include Vehicle-to-Vehicle (V2V), Vehicle-to-Infrastructure (V2I) and even Vehicle-to-Pedestrian (V2P) applications, and more generally Vehicle-to-Everything (V2X).
Although other communication technologies are being considered for V2X applications, we shall concentrate on 5.9 GHz DSRC since this is the technology under consideration to be mandated in the USA and in Europe.
V2V safety applications lost their advantage?
Since the inception of the V2V concept two decades ago, tremendous advances in detection technologies, miniaturized processing power and cellular communications have been put to use for safety and traffic information applications. Examples of technologies that have already been applied, demonstrating overwhelmingly superior effectiveness relative to V2V are:
- Machine vision for Forward Collision Warning systems and in recent years also for Autonomous Emergency Braking systems. Mobileye is already well-known for providing very accurate and reliable perception of vehicle and pedestrian presence and movement based on monocular computerized vision.
- Automotive Frequency Modulated Continuous Wave radar for Forward Collision Warning and Adaptive Cruise Control. Antenna design and advanced algorithms can detect not only range, but also relative speed and angular movement. The technology is utilized for longer range detection and warning systems, which are also capable of performing better in adverse weather situations.
- Recently, LiDAR also became an attractive technology, due to the higher angular resolution and precise ranging capabilities. The introduction of solid state LiDAR has brought the price tag within a reasonable range to be considered for installation in vehicles.
These safety applications, although now installed only in premium cars, already demonstrate significant reductions in crash numbers and severity. This trend will become more apparent after they have been integrated into all categories of vehicles. These innovations have very much narrowed the potential scope of the V2V net effect on safety. They also share the same important advantage over systems based on the V2V cooperative concept: V2V applications critically depend on the presence of DSRC ITS-Stations in the “other” vehicle. Autonomous safety applications are useful for each individual vehicle equipped with them – their effectiveness does not depend on the penetration rate.
Moreover, it is argued that V2V is in certain cases the only way to generate a warning, whereas other “autonomous” safety systems have no effect. My claim is that even if the penetration rate will eventually be very high, there will be certain safety functions that shouldn’t be used, because they may have a negative effect. To demonstrate this point, let’s assume that there will be a 90 per cent penetration rate. The probability of two vehicles communicating will be 0.81 (0.9²). Therefore, there is a probability of 0.19 that a warning will not be activated when it should be. If the vehicle equipped with DSRC arrives at an intersection, there is a probability of 0.1 that there is another vehicle entering the intersection without generating any warning. Giving a false indication of safety sometimes leads to more risks than not having any indication at all, as in the Left Turn Assist application. According to the USDOT evaluation, the DSRC penetration rate will pass 50 per cent in 10 years and will reach 90 per cent in 20 years from the date that it is mandated. There are several reports that estimate significant safety benefits to C-ITS safety applications, but most of them assume that all participating vehicles are equipped with the necessary technology.
When V2P applications are being developed, this last argument becomes even more relevant. Any vehicle, let alone an Automated Vehicle, should be able to detect and avoid any pedestrian (or other vulnerable road user), without the need for the pedestrian to be equipped with any kind of device. If V2P applications will be available, the notion that a pedestrian will feel safe enough to cross a highway relying on the warning that his V2P device will generate, even if technologically feasible, is to gamble on his life.
Another area regarded as an opportunity for DSRC to improve traffic efficiency, is broadcasting traffic information to the vehicle. The widespread use of smartphones with GNSS positioning and web-based navigation and routing information applications has made this function for DSRC redundant. Smartphone applications can also inform the driver about road works, vehicles stopped on the roadside, extreme weather warnings and more.
These arguments should cast serious doubts on the expectation that V2V will have any significant contribution to safety.
Opportunities for V2I still valid
Starting in about 2011, several projects specifically demonstrated the use of DSRC for V2I applications. Some of the most significant utilized communication between vehicles and traffic signals.
Two “popular” services tested were GLOSA – Green Light Optimal Speed Advisory and TSP – Transit Signal Priority system. In both applications, the traffic signal controller transmits Signal Phase and Time information. A vehicle equipped with GLOSA software can adjust its speed to avoid unnecessary variations in speed. A bus equipped with TSP software can transmit a Request for Priority, and priority will be granted according to the policy and the real time conditions at the intersection. TSP is planned in several demonstrations and proof of concept projects; maybe the most ambitious one is in Tampa FL. TSP has the potential of widespread utilization because it answers the critical need of many metropolitan areas to supply better mass transit solutions based on Bus Rapid Transit systems with dedicated lanes and priority rights at intersections.
Recently, the terms “Automated Vehicle” and “Connected Vehicle” are jointly referred to as CAV – the Connected and Automated Vehicle concept. Communication between traffic signal and vehicles and between other roadside equipment, temporary road work sites and more, will be most valuable for automated vehicles. An Automated Vehicle (AV) will detect traffic lights, but the information on the time remaining for either red or green will add greatly to the guidance algorithms to smoothly control the movement of the vehicle. Computerized vision detectors can very effectively detect traffic signs that are just ahead of the AV, but are totally ineffective in detecting objects that are hidden by the vehicle in front of it. A human driver will be able to expect a situation based on the surrounding traffic – a judgment that machine intelligence will find hard to accomplish. Therefore, broadcasting warnings by alternate traffic signs, Lane Control Signs, and temporary road works warnings will be a very important element in automated vehicle navigation.
DSRC is currently the only standardized available technology to fulfil this requirement, and it seems that this technology has been adapted very well for this function.
My conclusion until now is that on the one hand DSRC has lost much of its expected utility with regard to V2V safety and traffic information, so that we should question the rationale to mandate this function, but on the other hand there is a growing need for other services that can very well be served by DSRC. The emphasis has definitely changed from V2V to V2I applications. This reorientation of DSRC has among other things the advantage that each individual vehicle that will be equipped with DSRC capability will be able to benefit from C-ITS V2I services from day-1 of implementation.
Challenging the protection of privacy in DSRC
The basic building block of cooperative safety systems based on the V2V concept is the transmission of a Basic Safety Message (BSM) 10 times per second. Although there are several other transmissions from on-board systems and vehicle occupants, the BSM will expand the data transmitted by cars to include current position and speed, which will make it possible to extract the driving behaviour. This data will expose the driver to unidentified parties without his consent, among them insurance companies, advertisers, and traffic enforcement agencies, potentially even self-incriminating the driver in traffic violations. Since the transmission of the BSM was meant to be mandatory, protecting the anonymity and the privacy of the individual vehicle is regarded as very important.
The privacy requirement is composed of two elements: anonymity and unlinkability – so that no one will be able to identify and track the movement of an individual vehicle by receiving its BSM transmissions. Together with privacy requirements there are other requirements for the DSRC security services that should be met:
- The ability to validate the authenticity and integrity of messages;
- Authorization check – whether the sender of the message is authorized to send this specific message;
- Non-repudiation – the sender of the message will not be able to deny sending a message;
- Misbehavior detection and protection from “misbehaving” actors.
Apparently there are some contradicting requirements. For example, how can we guarantee anonymity and still be able to deny the “bad guys” from sending malicious messages without being able to trace them? Therefore, a very complex security management system was devised, aiming to answer these challenges.
The security mechanism is based on plain text messages accompanied with a Digital Signature and Pseudonym Certificate that validate the authenticity of the sender and the integrity of the message, while guarding anonymity. When a BSM is composed in the ITS-station, the security module attaches to each individual message a pseudonym certificate that masks the identity of the vehicle. The certificate is drawn randomly from a set of 20 certificates, to make message linking more difficult. The whole set of 20 certificates is valid for one week, and then a new set is used.
The mechanism that supplies the pseudonym certificates and digital signature keys is the Security Credential Management System (SCMS), based on Public Key Infrastructure (PKI), using asymmetric cryptography. The mechanism has been standardized by the US DOT under IEEE 1609.2. The principles of this standard have also been used by the ETSI set of standards.
This complex SCMS has been developed, Certificate Authorities have been nominated and homologated, and the whole concept has been put to test in Proof of Concept demonstration projects in the US (Connected Vehicle Safety Pilot Model Deployment at Ann Arbor, 2014) and in Europe (Preserve, Converge). The concept of operations was found to work, but there are several important issues that still remain to be finalized. Recently, the largest SCMS Proof of Concept project is being undertaken by the USDOT in three sites, involving many stakeholders and eventually will reach 10,000 vehicles.
The capacity of the SCMS to guarantee the privacy of the vehicle has been attacked on several grounds. The most obvious is the fallacy of the claim that it is not possible to follow the route of the vehicle by linking its messages because the certificate ID is changing periodically. But since the BSM is transmitted every 0.1 seconds, it is easy to follow each change of ID due to the almost same position – for a vehicle travels less than its length in this period of time. Once the identification of the vehicle has been established, it will be trivial to link a specific vehicle to all its messages.
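A privacy evaluation of the linkability argument above, run on constructed traffic; this is an added example, not part of the original article or of any SCMS implementation. The 10 messages per second and the pool of 20 pseudonyms come from the text, while the vehicle positions, noise bound and association gate are assumptions.

```python
import math
import random

DT = 0.1       # BSM interval in seconds (10 per second, per the article)
POOL = 20      # pseudonym certificates per vehicle, per the article
NOISE_M = 0.5  # assumed bound on position error per axis, metres
GATE_M = 2.0   # assumed association gate, well under one car length


def simulate(vehicles, steps, seed=1):
    """Constructed traffic. Each BSM: (step, pseudonym, x, y, speed, true_vehicle)."""
    rng = random.Random(seed)
    msgs = []
    for k in range(steps):
        for vid, (x0, y, v) in enumerate(vehicles):
            pseudonym = vid * POOL + rng.randrange(POOL)  # fresh random draw per message
            x = x0 + v * k * DT + rng.uniform(-NOISE_M, NOISE_M)
            msgs.append((k, pseudonym, x, y + rng.uniform(-NOISE_M, NOISE_M), v, vid))
    return msgs


def link(msgs):
    """Group BSMs into tracks from position and speed only; the pseudonym is ignored."""
    tracks = []
    for k, pseudonym, x, y, v, vid in msgs:
        best, best_d = None, GATE_M
        for tr in tracks:
            px = tr["x"] + tr["v"] * (k - tr["k"]) * DT  # dead-reckoned position
            d = math.hypot(x - px, y - tr["y"])
            if d < best_d:
                best, best_d = tr, d
        if best is None:  # nothing within the gate: a vehicle not seen before
            best = {"pseudonyms": set(), "truth": set()}
            tracks.append(best)
        best.update(k=k, x=x, y=y, v=v)
        best["pseudonyms"].add(pseudonym)
        best["truth"].add(vid)  # ground truth, kept only to score the result
    return tracks


def evaluate(steps=300):
    """Return (tracks found, every track holds one vehicle, fewest pseudonyms per track)."""
    # (start x in m, lane y in m, speed in m/s); the first two start side by side
    vehicles = [(0.0, 0.0, 30.0), (0.0, 3.5, 27.0), (40.0, 0.0, 30.0)]
    tracks = link(simulate(vehicles, steps))
    pure = all(len(tr["truth"]) == 1 for tr in tracks)
    return len(tracks), pure, min(len(tr["pseudonyms"]) for tr in tracks)


if __name__ == "__main__":
    print(evaluate())
```

Thirty seconds of traffic from three vehicles collapses into exactly three tracks even though every message carries a freshly drawn pseudonym, which is the measurement a pseudonym-change scheme has to beat before it can claim unlinkability.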
There is one DSRC security challenge that has not received a satisfactory solution – the identification of “bad” messages and the revocation of certificates from the misbehaving source. One approach is to publish periodic CRLs (Certificate Revocation Lists) that contain the certificate IDs that should be ignored. This approach is far from being sufficient, because it leaves the task of identifying and reporting malicious sources without any satisfactory mechanism. On top of that, the length of time that will elapse between the first detection of a misbehaving source until the information about the messages with the pseudonym certificates that should be ignored reaches ITS-stations, is too long. Nowhere is there a realistic evaluation of the effectiveness of this concept of protection from misbehaving messages because such a threat has not materialized so far.
If the BSM is identified with the vehicle’s license plate number, it may serve as a deterrent to misuse or to the deliberate broadcast of malicious messages. I suggest that transmitting messages with unobscured identity of the source will contribute to much fewer initiatives to use the DSRC messages for evil purposes.
The right to privacy is reserved for persons, not machines. Vehicles are not individuals who are the subjects of personal data. Motor vehicles on our roads are not “anonymous” – every vehicle has a unique number plate that singularly identifies the vehicle and should be clearly readable. Ten years ago ISO published international standard ISO 24535 “Basic electronic registration identification (Basic-ERI)” for an electronic system that uniquely identifies a registered vehicle.
The technique of Automatic License Plate Recognition with computerized vision is already widespread, mature and reliable. There are several categories of authorities that have access to the motor vehicle registry for the fulfilment of their duties, among them the police, municipalities, and toll road operators. Every agent with the requisite authority can instantly obtain full information related to the vehicle, straight to his smartphone application. The vehicle registration file contains all the information on the vehicle owner. Even if identifying the vehicle and its owner, accomplished with ALPR, does not directly lead to the accumulation of individuals’ movement profiles, I have already explained above that it is relatively simple to do so with the current SCMS ConOps.
In the future when automated vehicles will be on our roads, and more acutely when there will not be a driver in the vehicle (autonomy level 5), the requirement that the vehicle should be fully identifiable is crucial. I can hardly imagine any road authority that will accept unidentifiable driverless vehicles operating on public roads. I would even argue that an officer of a traffic enforcement agency should be authorized and be able to take control of a driverless vehicle by gaining access to the vehicle’s management software.
For many years to come there will be mixed traffic of human-driven vehicles and automated vehicles with various levels of automation on a public road. It will not be feasible to distinguish between human-driven vehicles and driverless vehicles. All vehicles should comply with the same requirements regarding traffic control and safety, therefore they should share the same communication protocols, including the requirement to be fully identified with each message that they transmit.
Practical approach for C-ITS deployment based on DSRC
I have argued above that V2V safety services have lost their importance, and even risk offering safety applications with negative effects. The impact of the penetration rate on the effectiveness of V2V safety applications makes this track not very compelling for early adopters. Communication security considerations and fears of privacy breaches are also substantial obstacles to such service deployment.
More practical will be to deploy V2I traffic control applications, with emphasis on Transit Signal Priority, Green Light Optimal Speed Advisory and in-vehicle Red Light Warning applications. All of these services will be effective from day-1 to all participants – since their effectiveness is not dependent on the penetration rate.
The rationale for these early applications is based on the assertion that all the stakeholders involved are public entities: Road authorities and public transit service operators. Traffic signals as well as public transit vehicles owned by public authorities are therefore not constrained by privacy requirements. The implementation of a communication security policy with much simpler Security Credential Management System will be a catalyst to C-ITS services’ development and application.
Traffic systems that are based on wireless communication are susceptible to threats regarding the robustness of the communication. One does not have to be a sophisticated software expert to cause damage: a simple jammer can be easily purchased on-line and can cause havoc to traffic signal communication with vehicles. We have to patiently study the threats, and develop strategies to mitigate these threats. This is one more reason why public authorities should be the first to operate C-ITS services with DSRC.
Zeev Shadmi is Research and ITS program Manager, Chief Scientist Office of the Israel Ministry of Transport & Road Safety