Ensuring that motor carriers have appropriate safety ratings is a crucial responsibility of regulatory authorities overseeing transportation. The presence of unsafe and unfit carriers on the road poses significant risk, not only to the drivers and personnel directly involved, but also to the general public. The consequences of accidents involving such carriers can be severe, leading to injuries, loss of lives, property damage, and environmental hazards.
There is a real and probable risk that federally regulated Alberta carriers have been upgraded to a Satisfactory or Excellent safety ratings using unreliable audit scores. The Province has been made aware of this, yet has taken no action to correct it, putting the Province at serious risk of liability.
The Alberta government is permitting private third-party auditors (TPAs) to use encrypted Record of Duty Status (RODS) for conducting NSC Standard 15 Audits. There are concerns about the validity of the audit results because encrypted data was used to conduct the audit. The specific concern is that encrypted RODS may lead to inaccurate and unreliable hours of service scores, which significantly contribute to the overall audit score, potentially rendering the entire audit ineffective.
Any federally regulated carriers in Alberta that have undergone an NSC Standard 15 audit by a TPA since January 1, 2023, should have their audit fees refunded, administrative penalties and conditions repealed, and their safety rating rescinded to preaudit status.
In 2021, Transport Canada updated the Federal Commercial Vehicle Drivers Hours of Service Regulations (SOR/2005-313) to include Electronic Logging Devices (ELDs), (Section 77), and also refers to the Technical Standard, developed by the CCMTA. All certified ELD devices must meet the Technical Standard.
The Technical Standard requires all ELD systems to generate standardized ELD output file (CSV and PDF) and transfer those record of duty status (RODS) to an authorized safety official upon request (System Design 1.4 d). The Technical Standard specifies the minimum data required to be included on the standard ELD output file (CSV and PDF) (System Design 1.4 e). For a TPA to audit RODS that fully meet the Technical Standard, the RODS must be sent via one of the transfer methods specified, and in the manner specified in Technical Standard 4.8.2 ELD Output File. Data must be transmitted via:
Transport Canada compiled a list of email addresses for inspectors authorized to have PKI encryption keys. PKI is an acronym for public key infrastructure, which is the technology behind digital certificates. A digital certificate fulfills a similar purpose to a driver’s license or a passport – it is a piece of identification that proves your identity and provides certain allowances.
When a government safety official receives the RODS from a trucking company, the RODS are unencrypted, via PKI, because government enforcement officials have the encryption key. TPAs do not, because they are not designated as inspectors. This is a critical gap in the auditing process when a trucking company transmits encrypted Record of Duty Status (RODS) to a government-certified TPA. The TPA cannot access all the required data for a comprehensive audit.
TPAs do not have encryption keys primarily to protect driver privacy during periods of personal conveyance. Driver privacy is paramount and there is a Technical Standard specific to that end (Technical Standard 4.7.3 Privacy Preserving Provision for use during personal uses of a CMV).
To compound the issue, TPAs are not required to retain the RODS reviewed in an audit, therefore previous audits cannot be reviewed to ensure correct RODS were used.
Both of these factors raise significant concerns about the transparency and accountability of Third-Party Auditors (TPAs) in the auditing process, particularly regarding the handling and verification of unencrypted Record of Duty Status (RODS) data. If there is no mechanism to confirm whether TPAs are using unencrypted data and no requirement for them to submit evidence for retention, it creates a potential vulnerability in the accuracy and reliability of audits.
Private industry is aware of the problem to some degree. Private Motor Truck Council of Canada (PMTC) president Mike Millian said in a 2022 press release:
“We are also waiting for a PKI vendor and system to be announced by Transport Canada that allows for ELD data to be transferred securely from the device to enforcement personnel, as well as enforcement protocols, training, and how the regulation will be enforced uniformly between jurisdictions.”
In June 2022, the CTA (Canadian Transportation Association) released information via email regarding the PKI system:
“Encryption of Record of Duty Status Email Files
The process for establishing the encryption of records of duty status (known as PKI) for email transfer to Roadside officials is the responsibility of Transport Canada. The process for implementing the Transport Canada work is the responsibility of each provincial and territorial jurisdiction, which includes submitting email addresses of enforcement officials who will be engaged in hours-of-service enforcement. The requirements and format for ELDs to produce the encrypted record of duty status are contained in the ELD technical standard, which is the result of a collaborative effort between Transport Canada, representatives from all provincial and territorial governments and ELD vendors. Devices certified through the Transport Canada and Standards Council of Canada process will meet the required format for record of duty status.”
As of January 1, 2023, NSC Audits conducted by Third Party Auditors in Alberta can not be considered accurate to a threshold that can be used to assess carrier safety risk.
There is no way to confirm the RODS used by a third party auditor were unencrypted because unlike the government auditors, TPAs are not required to submit the evidence reviewed for retention in the TSIS system. If you compare this to evidence used in criminal matters, if evidence is considered suspect or deficient, it cannot be used to convict. If the RODS used in a Third Party Auditor audit are suspect or deficient, the information cannot be used to assess an administrative penalty, condition or SFC rating.
Recommendations
There are two possible resolutions to the issues at hand.
Recommendation 1
A simple three-part solution exists to mitigate and correct the issues at hand.
Recommendation 2
Designate government-certified TPAs as “inspectors” which would enable them to access the PKI encryption key required to access full and correct ELD RODS datasets. The Federal Commercial Vehicle Drivers Hours of Service Regulations (SOR/2005-313) defines an
inspector as:
(a) a person designated under subsection 3(2); or
(b) a peace officer within the meaning of section 2 of the Criminal Code.
Section 3(2) of the same regulations notes that:
(2) A director may designate inspectors for the purposes of these Regulations.
References
