Mobility, innovation and data protection

Published on August 16, 2021 | Propulsion Québec | Article
On May 26, Propulsion Québec, the cluster for electric and intelligent transport, organized an event dedicated to cybersecurity and safety in transport. This event brought together 17 experts and 150 participants. One of the panels addressed "Ensuring data protection in a context of collaborative innovation in mobility." Moderated by Elsa Bruyère, Co‑founder and Chief Impact Officer (CIO), Fabrique_A, it brought together several experts who shared their knowledge and best practices on data protection in the mobility sector:

  • Sébastien Gambs, Professor (UQAM), Canada Research Chair in Privacy‑Preserving Analysis and Ethics of Big Data, University of Quebec in Montreal
  • Karine Saboui, Research Analyst, Nord Ouvert
  • Eric‑Pierre Dufour, Director of the Innovation Lab, Sopra‑Steria
  • Lawyer Cynthia Chassigneux, Associate Counsel, Langlois

Two major uses of individuals’ mobility data can be distinguished:

  • Understanding the overall dynamics of urban mobility: how people move and when peak flows occur. This understanding allows cities, transit companies and other service providers to adapt their infrastructure and mobility services.
  • Offering personalized services to individuals through real‑time sharing of information, for example to find a restaurant near the user.

However, sharing this data exposes it to security and privacy risks, particularly when it involves innovation, technology or individuals’ identities.

"Energy‑related data can be used to cripple a country. For transport, one can imagine bad scenarios where all traffic lights might simultaneously turn green or subways stop following their routes. At the center of it all is the user as the central element." Eric‑Pierre Dufour.

What is the critical threshold of a piece of data?

The criticality of a piece of data depends largely on its inference potential, that is, what can be deduced about a person from it. The first thing that can be deduced is a person's interests, from the places where they frequently stop, generally called points of interest. One might think of a person who regularly goes to a hospital because they have health problems. This is the physical-world analogue of what can be inferred from internet browsing behavior, where it is also possible to build a precise profile of a person based on the websites they visit.

"It’s identical for mobility: we can infer your interests and precise profile data based on the places you frequently go. We all move in unique and repetitive ways, which makes it easier to identify people when data is shared." Sébastien Gambs.

"If we take the example of urban mobility, we will often find data concerning trips. They can come from private companies with taxi rides, shared or collective transport. These companies will collect the person’s data and it will be possible to identify them with their user number, their credit card number or their date of birth. Even if the data are anonymized, there is an issue with cross‑referencing data on social networks, for example." Karine Saboui.

Data anonymization, a technical challenge

Mobility data is difficult to anonymize because it is correlated, meaning a person’s locations are not independent but connected to one another. One solution is synthetic data. Generative models are trained on a small sample of data using artificial intelligence and then produce larger quantities of data that resemble realistic data. But here again there is a problem: if the data resemble realistic data, it becomes possible to extract sensitive information from them.

According to Sébastien Gambs, a good practice would be to explain the process used to anonymize the data, which would allow multiple actors to implement continuous improvement and identify flaws.
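A pre-release check for the risk described above, as an added example that is not from the panel or Propulsion Québec: it counts how many pseudonymized riders share the same set of most-visited zones, and shows that places which look common one at a time become identifying in combination. The trip records, zone names, function names and the `k_min` threshold are all constructed for illustration.

```python
from collections import Counter, defaultdict

def _visits(user, counts):
    """Expand {zone: n} into n (pseudonym, zone) stop records."""
    return [(user, zone) for zone, n in counts.items() for _ in range(n)]

# Constructed sample: identifiers are already replaced by pseudonyms.
TRIPS = (
    _visits("u1", {"home-A": 3, "hospital": 2})
    + _visits("u2", {"home-A": 3, "office-X": 2})
    + _visits("u3", {"home-A": 3, "office-X": 2})
    + _visits("u4", {"home-B": 3, "hospital": 2})
    + _visits("u5", {"home-B": 3, "office-X": 2})
)

def top_places(trips, n):
    """Map each pseudonym to the set of its n most frequently visited zones."""
    visits = defaultdict(Counter)
    for user, zone in trips:
        visits[user][zone] += 1
    tops = {}
    for user, counts in visits.items():
        # Sort by visit count (descending), then zone name, so ties are stable.
        ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
        tops[user] = frozenset(zone for zone, _ in ranked[:n])
    return tops

def anonymity_sets(trips, n):
    """Return {pseudonym: k}, k = number of riders with the same top-n zones."""
    tops = top_places(trips, n)
    sizes = Counter(tops.values())
    return {user: sizes[zones] for user, zones in tops.items()}

def at_risk(trips, n, k_min=2):
    """Pseudonyms whose top-n zones are shared by fewer than k_min riders."""
    return sorted(u for u, k in anonymity_sets(trips, n).items() if k < k_min)

if __name__ == "__main__":
    for n in (1, 2):
        print(f"top-{n} zones, riders below k=2:", at_risk(TRIPS, n))
```

On this sample no rider stands out by their single most-visited zone, but three of five become unique once the second zone is added, which is the correlation effect that makes removing names and account numbers insufficient.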

Data governance: toward the creation of a sharing model?

For exchanges to take place, agreements must be formalized between the private and public sectors. The sharing of this data must also be framed and the question must be asked whether sharing certain data is useful.

Two bills are still pending adoption:

  • Bill 64: law modernizing legislative provisions regarding the protection of personal information;
  • C‑11: law on the protection of consumers’ privacy and the Act on the Tribunal for the Protection of Personal Information and Data.

Bill 64 will include the obligation to integrate privacy impact assessments in order to anticipate risks and propose solutions aimed at eliminating or minimizing them. This mapping will make it possible, in the event of an attack, to know where the data are and their level of sensitivity for a better response.

"The term trust is the crux of the matter. When organizations put systems in place, they must take into account:

– security and privacy protection because they carry personal and therefore sensitive information;

– consent: the citizen must be informed of the data that are collected about them and of the use that will be made of it." Lawyer Cynthia Chassigneux.

One thing our experts agree on: co‑construction! It is the sharing of data security processes and collaboration among all actors in the system that will enable better progress in data protection and sharing.
