In the Frankfurt Nordend on Monday, a few days later in the bank district, in Heidelberg at the weekend: a bank employee’s movement profile. It can be determined easily, because he drives an electric car; the charging stations betray him. To prevent this scenario from becoming everyday reality, researchers at the Horst Görtz Institute for IT Security are developing a secure and privacy-enhancing process that lets electric car owners charge their vehicles without becoming traceable.
In 2011, the German newspaper “Die ZEIT” published the movement profile of Malte Spitz, a Green Party politician, that had been extracted from his mobile phone data, thus drawing the public’s attention to this technology’s major drawback. Each mobile phone user leaves a data trail behind and can therefore be traced. The same thing might be in store for electric car users. And yet it all seems so simple: hold your RFID card over the charging station’s reader or connect the plug (fig. 1). Charging an electric car is straightforward and, according to the Federal Government’s plans, will become routine for at least one million people from 2020 on. However, each charging is accompanied by a plethora of complex processes that happen in the background; the system saves information on when and where charging took place and by which customer – a privacy hazard. Electric cars are charged more often than conventional cars are fuelled up, because the expensive car battery should not be completely discharged. Electric car dealers therefore often advise their clients to recharge whenever possible.
Experience has shown that problems that are not identified until late, such as data trails of mobile phone users, are often rooted deeply within a technology’s actual design. In new technological areas such as electromobility, it is therefore vital to ensure that data security is incorporated into the design from the outset. In the course of the project “SecMobil”, supported by the German Federal Ministry of Economics and Technology, we are researching secure electromobility solutions. An important aspect is a privacy-enhancing charging infrastructure. Just like roaming in mobile communication, customers will be able to charge their cars at the stations of different providers who clear the costs via a clearing house.
The simplest solution would be for customers to remain anonymous. They could pay for the energy for their electric cars in cash, would leave no data trail, and nothing would have to be cleared, as the money would end up directly with the provider who supplied the electricity. However, cash logistics create costs for the charging station providers. If the charging stations are spread across a large area in public space, there is no central pick-up point for a cash transport service; the service would have to call at each station individually. These costs can be avoided if customers simply identify themselves at the charging station with their RFID card and receive an invoice at the end of each month. Every utility company already has the infrastructure needed for issuing invoices. In that case, however, customers are known by name and address.
If the customer cannot remain anonymous, is it possible for the charging station to be so? Our aim is to transfer and store the accounting data authentically, without the provider being able to track where the charging took place. The tools we use for this purpose are cryptographic methods, i.e. efficient encryption methods and modern digital signatures.
At the same time, we must also consider the legal aspects. If, for example, a user wants to contest his or her invoice in court, certain location-related data, such as the meter numbers, are needed to resolve the issue. Using these data, one can determine whether the energy meter at a charging station had been correctly calibrated and, consequently, whether it had measured the customer’s energy consumption correctly. If we want to apply our system in practice, we have to reconcile data protection and data security with legal regulations. To this end, we are collaborating with project partners from the Institute for Mining and Energy Law as well as with colleagues from the Faculty of Law who deal with IT law.
An important legal aspect is the following: the charging station provider must be able to prove that he has sold a certain volume of energy to a customer. Digital signatures are frequently used to provide such proof and to ensure that a message or a data set has not been altered. The party producing such a signature thereby confirms that they are the sender. To prove that the billing data are correct, the public charging station would transmit a digital signature alongside the billing data to the provider. Unless there is a legal dispute, the provider does not need to know which station actually generated those data. He only requires proof that the correct data were transmitted by one of the authorised stations.
In addition to conventional digital signatures, our toolbox of cryptographic methods also contains group signature schemes. In these schemes there are no individual authorised senders, but groups of them: anyone can verify that a signature was produced by some member of the group, but not by which one. However, there are mechanisms in place to determine which authorised group member, i.e. which charging station, generated the signature. To be able to discover fraudulent use, many group signature schemes operate with a trusted third party, a so-called opener, which may be described as a kind of notary. That opener alone is permitted to open an additionally secured section of the signature. That section contains the name of the actual group member, namely the charging station that generated the signature.
For our system, we have chosen eXtremely Small Group Signatures (XSGS). XSGS require little storage space and the scheme is comparatively fast. We then modified the signature scheme so that it can comply with legal requirements: through a slight modification, location-related data such as meter numbers can be incorporated into the section of the signature that only the opener can decrypt. They are thus cryptographically protected, while at the same time potential disputes regarding billing data can be resolved legally with the opener’s aid.
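To make the roles in the three preceding paragraphs concrete, here is a constructed Python model of the data flow: a charging station sends billing fields in the clear plus a sealed section that only the opener can decrypt, and vouches for the whole record as "one of the authorised stations". This is added example code, not the SecMobil project's software and not an implementation of XSGS. Two simplifications are assumed and labelled in the code: all stations share one Schnorr signing key (a real group signature gives each member its own key, so one compromised station does not expose the group), and nothing binds the identity inside the sealed section to the actual signer (the real scheme adds a zero-knowledge proof for that). The modulus, base element and all identifiers are toy values.

```python
"""Constructed model of the article's billing flow: anonymous-but-authentic
charging records with an opener. NOT the SecMobil project's code and NOT an
XSGS implementation; toy parameters, for illustration only."""
import hashlib
import json
import secrets

P = (1 << 521) - 1   # Mersenne prime M521: a toy modulus, not production parameters
G = 3                # toy base element
NBYTES = 66          # bytes needed to encode an element of Z_P


def keygen():
    """Discrete-log key pair (x, y = G^x mod P); used for the opener and for the group."""
    x = secrets.randbelow(P - 2) + 2
    return x, pow(G, x, P)


def _canon(obj) -> bytes:
    # canonical JSON so that signer and verifier hash identical bytes
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _h(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


def _keystream(key: bytes, n: int) -> bytes:
    # hash-based counter keystream for the hybrid encryption below
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def seal(opener_pub: int, plaintext: bytes) -> dict:
    """ElGamal-style hybrid encryption to the opener: only the opener's x recovers the key."""
    r = secrets.randbelow(P - 2) + 2
    key = hashlib.sha256(pow(opener_pub, r, P).to_bytes(NBYTES, "big")).digest()
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, len(plaintext))))
    return {"c1": pow(G, r, P), "ct": ct.hex()}


def unseal(opener_priv: int, sealed: dict) -> bytes:
    key = hashlib.sha256(pow(sealed["c1"], opener_priv, P).to_bytes(NBYTES, "big")).digest()
    ct = bytes.fromhex(sealed["ct"])
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, len(ct))))


def schnorr_sign(priv: int, msg: bytes) -> dict:
    k = secrets.randbelow(P - 2) + 2
    big_r = pow(G, k, P)
    e = _h(big_r.to_bytes(NBYTES, "big"), msg)
    return {"R": big_r, "s": (k + e * priv) % (P - 1)}


def schnorr_verify(pub: int, msg: bytes, sig: dict) -> bool:
    e = _h(sig["R"].to_bytes(NBYTES, "big"), msg)
    return pow(G, sig["s"], P) == (sig["R"] * pow(pub, e, P)) % P


def station_record(group_priv, opener_pub, station_id, meter_no, customer, kwh, period):
    """What a station sends: billing fields in clear, location fields sealed, one group signature.
    Simplification: group_priv is shared by all stations, and the sealed identity is not
    cryptographically bound to the signer (XSGS adds a zero-knowledge proof for that)."""
    public = {"customer": customer, "kwh": kwh, "period": period}
    sealed = seal(opener_pub, _canon({"station_id": station_id, "meter_no": meter_no}))
    sig = schnorr_sign(group_priv, _canon({"public": public, "sealed": sealed}))
    return {"public": public, "sealed": sealed, "sig": sig}


def clearing_house_check(group_pub, record) -> bool:
    """The provider learns only that some authorised station vouched for these billing fields."""
    msg = _canon({"public": record["public"], "sealed": record["sealed"]})
    return schnorr_verify(group_pub, msg, record["sig"])


def opener_open(opener_priv, group_pub, record) -> dict:
    """Court-ordered opening: recover station and meter number, but only from an authentic record."""
    if not clearing_house_check(group_pub, record):
        raise ValueError("refusing to open an unauthenticated record")
    return json.loads(unseal(opener_priv, record["sealed"]))


if __name__ == "__main__":
    group_priv, group_pub = keygen()       # installed in every authorised station (toy)
    opener_priv, opener_pub = keygen()     # held by the opener only
    rec = station_record(group_priv, opener_pub, "station-017", "meter-4711", "cust-42", 18.5, "2013-05")
    print("clearing house accepts:", clearing_house_check(group_pub, rec))
    print("clearing house sees:   ", rec["public"])
    print("opener sees:           ", opener_open(opener_priv, group_pub, rec))
```

Run it as a script to see the three views: the clearing house verifies the signature and sees customer, energy volume and billing period, but no station or meter number; the opener, holding the private key, recovers both. Altering any billing field after signing invalidates the record, which is what lets the provider rely on it as proof of sale.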
Data transfer from the charging station to the clearing house is protected by a provably secure version of the encryption protocol TLS. To ensure that the charging station’s anonymity is not compromised at the network level, we use the Tor network to conceal the sender of each message.
For the customers, such a system works pretty much like an itemised telephone bill: the default is that the energy supplier does not know the individual charging processes; with the customer’s permission or by special court order, the complete data regarding the individual processes may be disclosed.
At present, our solution is at an early prototype stage. Charging infrastructure for electric cars, too, is in its infancy worldwide – an ideal opportunity to incorporate data protection and data security into the design process.