ISO 16461:2018

INTERNATIONAL ISO
STANDARD 16461
First edition
2018-08
Intelligent transport systems —
Criteria for privacy and integrity
protection in probe vehicle
information systems
Systèmes intelligents de transport — Critères de confidentialité et de
protection d'intégrité
Reference number
©
ISO 2018
© ISO 2018
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting
on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address
below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Fax: +41 22 749 09 47
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii © ISO 2018 – All rights reserved

Contents Page
Foreword .iv
Introduction .v
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Symbols and abbreviated terms . 4
5 Reference architecture . 5
5.1 Reference architecture for probe vehicle systems . 5
5.2 Context model for privacy and data integrity protection . 5
6 Basic framework . 6
6.1 Overview . 6
6.2 Structure of framework . 6
6.3 Index framework . 6
6.4 Category framework . 7
6.5 Application of evaluation framework on probe vehicle systems . 8
6.5.1 Anonymity (FPR_ANO) . 8
6.5.2 Pseudonymity (FPR_PSE) . 9
6.5.3 Unlinkability (FPR_UNL) . 9
6.5.4 Unobservability (FPR_UNO) .10
6.5.5 Integrity of exported TSF data (FPT_ITI).10
7 Criteria for privacy protection .10
7.1 Overview .10
7.2 Raw sensor data processing .11
7.3 Probe data retention .11
7.4 Probe message creation .12
7.5 Probe package creation .12
7.6 Probe package reception .13
7.7 Probe package processing .13
7.8 Processed probe data retention .14
7.9 Probe information creation .15
Bibliography .16
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www .iso .org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received (see www .iso .org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation on the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to the
World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see the following
URL: www .iso .org/iso/foreword .html.
This document was prepared by Technical Committee ISO/TC 204, Intelligent transport systems.
iv © ISO 2018 – All rights reserved

Introduction
More and more attention has been paid to safety, comfort, mitigation of impact on the environment, and
energy efficiency in transport systems. The use of probe data specified in ISO 22837:2009 is considered
to be a key factor of a solution for the above issues. Usage of probe data in probe vehicle systems (PVS),
defined in ISO 22837:2009, may be subject to privacy regulations. Consequently, there is a need for
protective measures and policies in PVS.
It is necessary to develop a basic concept for protecting privacy and integrity being gathered in the
PVS so that transmission of probe data can be done without violating the privacy regulations. This
document defines criteria for protection of the anonymity and integrity of probe data.
The following topics are addressed in this document:
— definition of security and privacy requirements for probe vehicle systems;
— specification of a common interface ensuring privacy and integrity in probe vehicle information
acquisition;
— definition of a scheme for protecting probe vehicle systems in terms of integrity and privacy.
INTERNATIONAL STANDARD ISO 16461:2018(E)
Intelligent transport systems — Criteria for privacy and
integrity protection in probe vehicle information systems
1 Scope
This document specifies the basic rules to be considered by service providers handling privacy in probe
vehicle information services. This document is aimed at protecting the privacy as well as the intrinsic
rights and interests of the probe data subjects specified in ISO 24100:2010.
This document specifies the following items related to probe vehicle systems (PVS), i.e. systems
collecting probe data from private vehicles and processing these probe data statistically towards useful
information that can be provided to various end users:
— architecture of the PVS in support of appropriate protection of data integrity and anonymity in
the PVS;
— security criteria and requirements for the PVS, specifically requirements for data integrity
protection and privacy;
— requirements for correct and anonymous generation and handling of probe data.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO 22837:2009, Vehicle probe data for wide area communications
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO 22837:2009 and the
following apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— IEC Electropedia: available at http: //www .electropedia .org/
— ISO Online browsing platform: available at https: //www .iso .org/obp
3.1
authentication
proving or showing to be true, genuine, or valid
3.2
probe data
vehicle sensor information, formatted as probe data elements and/or probe messages, that is processed,
formatted, and transmitted to a land-based centre for processing to create a good understanding of the
driving environment
[SOURCE: ISO 22837:2009, 4.3]
3.3
probe data collector
function that receives probe messages from vehicles and creates probe information by fusing and
analysing probe messages and supplementary data from other data sources
3.4
probe data element
data item included in a probe message
[SOURCE: ISO 22837:2009, 4.4]
3.5
probe data retention
function which receives and stores probe data after they were processed by the raw sensor data
processing
3.6
probe information
information extracted from probe messages and data from other sources through the probe information
creation function
3.7
probe information application/service
entity that acts upon the received probe information and supplementary information into data input or
other action commands into the probe application or service
3.8
probe information creation
function which creates probe information from the probe data stored in processed probe message
retention according to a set of predefined rules and formats
3.9
probe information processing
function which receives probe information from the transmit probe information reception function,
and converts the received information into suitable formats for various probe information applications/
services, and then sends them to a processed probe information retention function for further
processing
3.10
probe information receiver
function which receives the probe information transmitted from a probe message collector and
provides probe information application/services
3.11
probe message
structured collation of data elements suitable for being delivered to the on-board communication
device for transmission to a land-based centre
[SOURCE: ISO 22837:2009, 4.6, modified — “to be” was changed to "for being" and the NOTE was
deleted.]
3.12
probe message creation
function which creates a probe message from probe data stored in probe data retention
3.13
probe message processing
function which receives probe messages from probe package reception and processes them so that they
are suitable to combine other data from various sources
2 © ISO 2018 – All rights reserved

3.14
probe package creation
function which arranges the
...