Privacy in Robocars

In the chapter on downsides I outline a serious risk to privacy. This risk -- that all your travels are tracked, recorded and associated with you -- is coming from many directions, not just robocars. The cell phones we carry in our pockets, now mostly GPS-enabled, are even more threatening.

However today, car, taxi and transit travel is largely anonymous and unrecorded. If we change that, we will seriously shift the "privacy balance" in society, and this should only be done after careful consideration.

Many people believe, as I do, that the right to travel without surveillance or "showing your papers" is of fundamental importance in a free society.

Even with ordinary cars, we are starting to see systems that track them. Parking patrols (and police) now record all the licence plates in parking spaces using video cameras. Downtown cores working on "congestion charging" are also implementing licence plate cameras on every street. Many toll booth systems either photograph licence plates or record RFID transponders. In some cases, the RFID transponders used for toll booths are also recorded in other locations, officially for traffic flow measurement.

Citizens want their privacy, but the government and police, seeking ways to do their jobs better and more easily, want as much data as they can get. So they will apply pressure to have cars report and record more of what goes on, or try to take advantage of when that recording takes place for business reasons. This must be resisted.

Anonymous Taxi

Today the taxi is largely anonymous, in fact more anonymous than driving a car. This has started changing, as taxis have started installing audio and video recorders "for the protection of the driver." Many taxis have GPS logs, which can effectively be tied to the passenger (a GPS log starting or ending at the passenger's house is a dead giveaway) and we can expect GPS logs to become common for more and more vehicles with time.

Owners of robotaxis will want to ensure that passengers pay their fares, and do not damage or soil the taxis. With no driver to guard against this, they will resist anonymity. In particular, it seems unlikely that robotaxis will take cash. They will also probably be hailed by cell phone, rather than on the street, though the latter is not impossible, just inefficient.

One could develop anonymous payment systems for robotaxis, such as tickets or fare-cards. Anonymous digital cash systems, while they have been designed, have been highly resisted by government forces who like to watch the money flow.

Nonetheless I expect most people will hire robotaxis via a direct relationship with a robotaxi company. They will have an account, and get a bill. They will start their trip by making a request on a cell phone, which is tied to their account and transmits their pickup location to the robotaxi company. This is the easiest and most convenient design.

I also see the cell phone as a likely authentication system for using a hired robotaxi. When the taxi and your cell phone approach, they would ping one another (over something like Bluetooth) to authenticate that you are the customer. This would trigger the taxi to open its doors for you, and to drive after your cell phone enters the vehicle.

It should be possible with robotaxis (and many other services) to use a privacy proxy company which sits between you and the vendor. The robotaxi company does not need to know who you are, it just needs to know there is a bond that will pay for the fare or damage to the robotaxi -- that somebody will pay.

This intermediary company could promise to destroy records of travel upon successful completion of a trip, or not record things at all, simply paying for damage from an insurance fund and only accepting members it feels are low risk.
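The phone-to-taxi authentication and the privacy proxy described above, as an added example that is not part of this essay: the proxy issues a per-trip token carrying only a random pseudonym, the bond that backs the fare, and an expiry; the taxi checks the token and learns nothing about who the rider is; once the trip settles, the proxy destroys the pseudonym-to-member mapping. The HMAC key shared between the proxy and the robotaxi company, and all names and values, are constructed assumptions for the demo.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed demo key, assumed shared by the proxy and the robotaxi company
# so a taxi can check a token without ever learning who the rider is.
SHARED_KEY = b"constructed-demo-key-not-for-real-use"


class PrivacyProxy:
    """Sits between rider and robotaxi company; only it knows its members."""

    def __init__(self, key):
        self._key = key
        self._members = {}     # member_id -> bond limit in cents
        self._open_trips = {}  # pseudonym -> member_id, destroyed at settlement

    def enroll(self, member_id, bond_cents):
        self._members[member_id] = bond_cents

    def issue_token(self, member_id, now, ttl=900):
        """Per-trip token for the rider's phone: pseudonym, bond, expiry, HMAC tag."""
        pseudonym = secrets.token_hex(8)
        claims = {"pseudonym": pseudonym, "exp": now + ttl,
                  "bond_cents": self._members[member_id]}
        body = json.dumps(claims, sort_keys=True).encode()
        tag = hmac.new(self._key, body, hashlib.sha256).hexdigest()
        self._open_trips[pseudonym] = member_id
        return base64.urlsafe_b64encode(body).decode() + "." + tag

    def settle(self, pseudonym, charge_cents):
        """Bill up to the bond, then forget the trip (a repeat settle fails)."""
        member_id = self._open_trips.pop(pseudonym, None)
        return member_id is not None and charge_cents <= self._members[member_id]


def taxi_verify(token, key, now):
    """Taxi side: pseudonym and bond if tag and expiry check out, else None."""
    try:
        body_b64, tag = token.rsplit(".", 1)
        body = base64.urlsafe_b64decode(body_b64)
    except ValueError:  # malformed token (binascii.Error is a ValueError)
        return None
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).hexdigest(), tag):
        return None
    claims = json.loads(body)
    if claims["exp"] < now:
        return None
    return {"pseudonym": claims["pseudonym"], "bond_cents": claims["bond_cents"]}
```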

Robotaxi companies themselves could also promise that they erase records of who used them, and even some records of trips after a certain amount of time. Sadly, because the public rarely cares about privacy until after it has been invaded, the history of marketing privacy as a feature is not a stellar one.

As always it is very difficult to anonymize data. Even trip logs without names associated with them can still be tied back to you in many cases if the trips involve your most common locations like your house.

Reservations

One good way to handle congestion is to have a "reservation" system. If a section of road is in high demand, a computer responsible for that road can take reservations for vehicles to use it at a specified time. This is even better than congestion charging or metering lights, which try to attain the same goal. This can also be done for non-robocars, but they will not be nearly as good at predicting when they will need a piece of road.

Reservations can be given away, or sold to the highest bidder in a second price auction. A second price auction has the nice attribute that if nobody else wants the slot, the 2nd price is zero, so they only cost money when there is contention. Because our cities are built with grids of roads, this system will automatically spread out traffic on all the roads, as cars change their plans to use the less congested (and cheaper) roads.

However, such a system is of course rife with risks of privacy invasion. Reservations can be pseudonymous. The car would simply make up a random identity when getting a reservation, and then present this identity when using the controlled section of road. The system does not need to know what car it is.

Anonymous payment must be deliberately designed in. If the price is set by auction, this requires anonymous digital money -- something the government resists, but might tolerate if it's only good for small transactions like these.
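The pseudonymous second-price reservation system from the two paragraphs above, as an added example that is not from this essay. It keeps the auction's property that the price is zero when nobody else wants the slot, and generalizes it to a section that admits more than one car per slot (winners all pay the highest losing bid). The class, slot numbering and bid amounts are constructed assumptions; payment is left out, since the text notes that the anonymous money for it does not yet exist.

```python
import secrets
from collections import defaultdict


class RoadSectionReservations:
    """Reservation computer for one controlled section of road.

    Each reservation is keyed by a random pseudonym the car makes up, so the
    system never learns which car holds it. Pricing is a second-price auction,
    generalized here to a section that admits `capacity` cars per slot: the
    top bidders win and all pay the highest losing bid, or zero when nobody
    else wanted the slot.
    """

    def __init__(self, capacity):
        self.capacity = capacity
        self._bids = defaultdict(dict)  # slot -> pseudonym -> bid in cents
        self._granted = {}              # slot -> {pseudonym: price paid}

    def bid(self, slot, amount_cents):
        """Car asks for the slot under a fresh, meaningless identity."""
        pseudonym = secrets.token_hex(8)
        self._bids[slot][pseudonym] = amount_cents
        return pseudonym

    def clear(self, slot):
        """Decide the slot: returns {pseudonym: price} for the winners."""
        ranked = sorted(self._bids[slot].items(), key=lambda kv: kv[1], reverse=True)
        winners, losers = ranked[:self.capacity], ranked[self.capacity:]
        price = losers[0][1] if losers else 0
        self._granted[slot] = {pseudonym: price for pseudonym, _ in winners}
        return self._granted[slot]

    def admit(self, slot, pseudonym):
        """Entrance check: the car presents only the pseudonym it reserved under."""
        return pseudonym in self._granted.get(slot, {})
```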

The end of the traffic stop

There is one privacy-enhancing aspect of robocars that deserves mention. Today, everybody violates traffic laws, all the time. As a result, if the police want to stop you for whatever reason, they can always find a plausible excuse to pull over your car. You don't have to have actually violated a traffic law, since nobody is going to disbelieve a police officer who says you exceeded the speed limit or did a rolling stop.

As a result, we get the rule of men rather than the rule of law. In a just society, police cannot just detain anybody they like; there have to be reasonable grounds to suspect the occupants of the vehicle of something.

A robocar would normally never do anything to give a police officer grounds to stop it, unless the occupants give it special orders to violate the law. Perhaps if it is an experimental robocar there might be something worth noting. Otherwise, this should grant the occupants the same protections that they have in their house. If a police officer sees suspicious activity through the windows, they could still pull you over (or invade your house), but the arbitrary stop becomes a great deal harder.

Video inside the car

There will be two sources of video in a car. First, I expect most robotaxis will have videoconferencing systems in them. It's actually a good place to do videoconferences. People in robocars will be seated, in a clean area, and looking presentable. They'll have time to do calls. The moving background will present a few technical challenges. Like many videoconferencing systems, the camera should have a hardwired light that shows when it is enabled, and a mechanical shutter the passengers can use to cover it, or which has a servo and makes a noise when opened.

Hired robotaxis will want to have a camera to determine who dirties or damages them. I propose an internal camera that photographs the taxi before and after the passenger enters and leaves. This camera should have a servo-controlled mechanical shield so the passenger can clearly see that it is covered. When the passenger leaves, the car can open the cover and take a photo, and compare it to the prior one (probably darkening the windows and using a very bright flash to avoid interference from external light).

If there is a difference, a human being might be called to look at the two photos. I expect the most common cause of difference will be an object left behind, in which case the passenger can be notified (possibly through their anonymizing service) before they leave the area of the vehicle. In the event of something that must be cleaned or repaired, the robocar can be directed to a depot for service.

It might make sense for the inspection camera to have a physical shutter on it which the vehicle can't open. As you leave the car, you would need to push a lever to open it briefly -- a spring would snap it closed -- and if you didn't do this the car or your phone would beep and warn you the meter is still running, or the company could get the next guy to flip it and send the bill to your payment service.

Video outside the car

Robocars will of course be shooting video all around them, as part of their efforts to fully sense and understand their environment. This video may well be recorded for various motives. As such, robocars will effectively be creating a giant network of video cameras in all public spaces, though not one that is fixed. Police might demand the right to request video from robocars, both live and recorded. They will have an easier time demanding this from robotaxis -- they might well push for laws to allow them to always access live, on-demand video from all licenced robotaxis.

(Not just video, since robocars will be using a wide variety of other sensors, and even trying to come to understandings of what they are seeing -- who and what the other vehicles and objects are.)

This will happen in concert with efforts to put up cameras, or to get access to the growing networks of other private cameras that are appearing everywhere.

We must take active steps to limit the power of these cameras if we don't want to make a major shift towards a surveillance society. Robocars should not record their video as a matter of course, nor should they offer it up without the express consent of their passengers and owners. Vacant robocars and deliverbots should also not routinely offer up their video.

On the plus side, the LIDAR and radar images taken by robocars are low resolution, and there is no great need for them to be any higher, so it's not practical to identify people from them, though some metrics like "gait detection" could apply to LIDAR.

Internet in the Car

We will of course want mobile internet in our robocar, as well as phone service. We are going to want that in any vehicle, not just robocars. Without care, this also is a way to track and record our movements.

Which way does it go?

If current trends are any indication, the default will be to produce a privacy-invasive infrastructure. Doing it better will take special effort, and engineers building the systems must design in privacy from the start, not simply say, "we'll add privacy later."

If other robocar visions -- with central control infrastructure -- come to pass, the privacy implications are probably worse.