Governing AI Output in Autonomous Driving: Scalable Privacy Infrastructure for Societal Acceptance

Round 1

Reviewer 1 Report (Previous Reviewer 1)

Comments and Suggestions for Authors

the paper can be published now.

Author Response

Response to Reviewer #1

The author sincerely thanks Reviewer #1 for the valuable feedback provided in the previous review round. The suggestions contributed greatly to improving the conceptual clarity and logical structure of the manuscript.

In this minor revision, no additional changes were requested from Reviewer #1. However, based on the feedback from the other reviewers, the following refinements have been made:

• Many blocks haev been added to the manuscript.
• The English throughout the manuscript has been refined to improve grammatical accuracy, clarity of expression, and overall readability.
• Figures 1, 2, and 3 have been reformatted for improved visual presentation. In particular, Figure 1 has been enhanced by adding explanatory elements inside the "Blockchain" component to clarify its function within the VRAIO framework.

These modifications have further enhanced the accessibility and overall quality of the manuscript. The author is grateful for your earlier comments, which played an important role in shaping the improved version.

Reviewer 2 Report (Previous Reviewer 2)

Comments and Suggestions for Authors

The following are my comments. I hope they may help you improve your paper.

1. This paper would benefit from formal mathematical proofs for the VRAIO framework's security claims, particularly regarding output regulation under adversarial conditions.

2. While simulation-based testing is proposed, concrete results from prototype implementation should be included to demonstrate real-world feasibility.

3. The encryption-based security measures lack discussion about quantum computing threats. Consider adding post-quantum cryptography protocols.

4. The Recorder mechanism needs stronger institutional safeguards against regulatory capture. Blockchain-based auditor rotation could enhance trust.

5. The framework's rule-setting process could incorporate heuristic optimization. For example, adopting the metaheuristic approach from DOI: 10.3390/math13071158 would improve adaptive parameter tuning.

6. The pre-approved output list requires explicit failure protocols for unexpected system states not covered during certification.

7. Quantitative analysis of computational overhead from dual-layer firewalls (hardware+SDN) is needed to assess scalability for mass-market vehicles.

8. The paper should address how VRAIO's blockchain-based records would comply with emerging global AI regulatory standards like the EU's AI Act.

Author Response

Response to Reviewer #2

The author expresses sincere gratitude to Reviewer #2 for the insightful and constructive comments, which have significantly contributed to improving the manuscript. Each point has been carefully considered and addressed in the revised version. Below, the author provides a detailed point-by-point response.

(1) Mathematical validation of security claims in adversarial conditions

This paper would benefit from formal mathematical proofs for the VRAIO framework's security claims, particularly regarding output regulation under adversarial conditions.

Response: The following block has been added in Section 4.3.

This paper has focused primarily on the institutional structure and output governance model of VRAIO; however, several theoretical and formal challenges remain to be addressed. These include: (1) the justification for blocking outputs triggered by adversarial input commands, (2) the deterrence mechanisms against false declarations, and (3) the detectability of output tampering. Future work should incorporate formal modeling and verification techniques to assess the security of the system under such conditions.

 

(2) Prototype implementation and feasibility testing

While simulation-based testing is proposed, concrete results from prototype implementation should be included to demonstrate real-world feasibility.

Response: The following block has been modified in Section 4.3.

In future research, the plan is to secure dedicated funding and organize an interdisciplinary research team to advance the validation phase. This will involve not only performance verification in simulation environments, but also implementation testing using a functioning prototype system. The evaluation will encompass technical aspects such as system load and usability, as well as legal and societal studies related to public acceptance and institutional integration.

Although the prototype-based implementation has not yet been initiated, confirming the practical feasibility of this framework through implementation is considered essential to validate its effectiveness. Therefore, this represents a high-priority subject for upcoming research efforts.

 

(3) Quantum computing threats and post-quantum cryptography

The encryption-based security measures lack discussion about quantum computing threats. Consider adding post-quantum cryptography protocols.

Response: The following block has been added in Section 4.3.
Furthermore, the cryptographic infrastructure of VRAIO will need to be redesigned in the future to account for threats posed by quantum computing. Although this study assumes the use of standard cryptographic techniques for secure communication and data integrity, the potential incorporation of post-quantum cryptography (PQC) [52] must also be explored. In particular, ensuring the tamper resistance and confidentiality of output logs will require the integration of PQC-based cryptographic schemes as a critical next step.

 

(4) Safeguards against regulatory capture in the Recorder mechanism

The Recorder mechanism needs stronger institutional safeguards against regulatory capture. Blockchain-based auditor rotation could enhance trust.

Response: The following block has been added in Section 4.2.
Some segments of society hold the view that individuals should not expect privacy in public spaces. However, this notion is rooted in a historical context where surveillance technologies were limited in scope and capability. In recent years, advances in AI and sensing technologies have enabled the reconstruction of individual behavior patterns even in open, outdoor environments. Under such conditions, even in public spaces, the institutional regulation of data outputs that could identify individuals should be considered essential.

The VRAIO framework proposed in this study is based on the idea that, even if data collection itself is legally permitted, the institutional regulation of how such data is output and disclosed is critical. Through this approach, VRAIO enables a normative position in which the collection of information in public spaces may be legally tolerated, but the act of disclosure must be ethically constrained. In this configuration, even if the capturing, re-cording, or analysis of pedestrians without their consent is legally permissible, the out-puts are still subject to social and institutional review, and their disclosure is allowed only if found to be consistent with declared, legitimate purposes.

(5) Heuristic/metaheuristic optimization for rule-setting

The framework's rule-setting process could incorporate heuristic optimization. For example, adopting the metaheuristic approach from DOI: 10.3390/math13071158 would improve adaptive parameter tuning.

Response: The following block has been added in Section 4.3 with the suggested reference [53]
As discussed in Section 2.2, in real-world operations, it is inevitable that a certain number of outputs will fall into gray areas, due to the inherent limitations in the completeness and consistency of institutional rules. To address such borderline or exceptional cases, it is necessary to predefine policy responses on the institutional side and to flexibly adjust rule application weights and priorities based on actual operational conditions. One possible approach is the use of heuristic or metaheuristic optimization techniques. For example, in the context of short-term traffic forecasting, the GSA-KAN model [53] demonstrates how adaptive decision logic can be optimized using multivariate data - an approach that could also be applied to rule-based institutional frameworks.

Although such optimization methods have not yet been implemented in this study, they represent a promising technical option for enabling more flexible institutional responses to gray-area outputs. From the perspective of harmonizing institutional structure with technical optimization, the application of such methods may constitute a significant area of future research.

 

(6) Fail-safe protocols for uncertified outputs

The pre-approved output list requires explicit failure protocols for unexpected system states not covered during certification.

Response: The following block has been added in Section 3.1.
It is also anticipated that, during system operation, outputs may be generated that were not previously designated as subject to pre-approval. In such unexpected system states, institutionally defined exception-handling procedures are required. These may in-clude temporarily withholding the output, shifting the system to a fail-safe mode, or au-tomatically reporting the output to the Recorder for ad hoc review. By establishing such protocols, the system can retain the benefit of rapid output authorization through pre-approval, while also ensuring comprehensive governance that encompasses respons-es to unforeseen outputs outside the certified scope.

 

(7) Scalability and computational load of dual-layer firewall

Quantitative analysis of computational overhead from dual-layer firewalls (hardware+SDN) is needed to assess scalability for mass-market vehicles.

Response: The following block has been added in Section 3.2.
However, the computational overhead introduced by such a dual-layer architecture requires quantitative analysis in order to assess its scalability for deployment in mass-produced vehicles. In particular, as the number of outputs increases and communi-cation frequency intensifies, it is necessary to clarify performance limitations in terms of processing capacity and latency - both at the vehicle hardware level and at centralized server infrastructure. Although this study does not include such evaluation, it recognizes this issue as a critical subject for future validation during the implementation phase.

(8) Alignment with global regulatory standards

The paper should address how VRAIO's blockchain-based records would comply with emerging global AI regulatory standards like the EU's AI Act.

Response: The following block has been added in Section 4.3.
How VRAIO's blockchain-based output recording scheme can align and interoperate with emerging global AI regulatory frameworks - such as the EU Artificial Intelligence Act [54] and the U.S. AI Risk Management Framework [55] - remains an important subject for future consideration. However, the institutional design of VRAIO, which encloses the entire AI system within an output firewall and regulates all outputs through both institutional and technical mechanisms, constitutes a conceptual framework that may surpass these existing regulations in both scope and depth. Its core elements - including purpose-compliance screening, transparency, and immutable, auditable recordkeeping - not only encompass many of the principles found in international AI governance but also of-fer a unified mechanism for their practical implementation.

In an era where AI technologies transcend national borders, institutional governance frameworks are likewise expected to exhibit a certain level of international alignment. VRAIO is structured to meet this challenge by incorporating a two-layered design: globally shared normative principles at the foundational level, and the flexibility for local adaptation in accordance with national laws, cultural contexts, and civic values. Moving forward, it will be important to continue engaging with international standardization bodies and policy dialogue platforms to promote the institutional value and technical design of VRAIO, with the goal of maturing it into a globally shared model for AI governance.

Final Remarks

In addition to the above revisions, the author has also made the following improvements:

• Refined the English throughout the manuscript for clarity and readability.
• Reformatted Figures 1–3 for enhanced visual quality and added detailed labeling to Figure 1 to clarify the role of the Blockchain component within the VRAIO system.

The author once again sincerely thanks Reviewer #2 for the constructive and forward-looking feedback, which has been invaluable in enhancing the academic rigor and practical applicability of the manuscript.

Author Response File: Author Response.docx

Reviewer 3 Report (New Reviewer)

Comments and Suggestions for Authors

While the theme of the paper is interesting and suitable for this journal, the paper lacks in several structural issues that are required to meet the publication potential. Suggestions include:

1_ The abstract is lengthy. Please rewrite it.

2_ How do you propose reconciling the legal principle of “no expectation of privacy in public” with the ethical demand for pedestrian consent in autonomous driving systems? Please elaborate.

3_ VRAIO presumes AI decisions are transparent and interpretable enough to be judged against declared purposes. Many modern AI models (especially deep learning-based ones) are black boxes, making it difficult to determine if an output truly violates purpose-compliance criteria. How does VRAIO handle non-interpretable AI models that resist clear output justification? Please elaborate.

4_ Please discuss the issue of generalization and global standardization. In other words, can there be a global standard, or must VRAIO be region-specific?

5_ In the conclusions, add 1–2 sentences that explicitly acknowledge structural weaknesses discussed in the main body of the text.

Comments on the Quality of English Language

Moderate revisions are needed. 

Author Response

Response to Reviewer #3

The author sincerely thanks Reviewer #3 for the insightful and constructive comments. The following responses address each of the points raised, and corresponding revisions have been made in the manuscript where appropriate.

(1) [Reviewer’s comment here]

The abstract is lengthy. Please rewrite it.
Response:　The abstract has been shortened as follows,
Abstract: As the realization of fully autonomous driving becomes increasingly plausible, its rapid development raises serious privacy concerns. At present, while personal information of passengers and pedestrians is routinely collected, its purpose and usage history are rarely disclosed, and pedestrians in particular are effectively deprived of any meaningful control over their privacy. Furthermore, no institutional framework exists to prevent the misuse or abuse of such data by authorized insiders.

This study proposes the application of a novel privacy protection framework - Verifiable Record of AI Output (VRAIO) - to autonomous driving systems. VRAIO encloses the entire AI system behind an output firewall, and an independent entity, referred to as the Record-er, conducts purpose-compliance screening for all outputs. The reasoning behind each decision is recorded in an immutable and publicly auditable format. In addition, institutional deterrence is enhanced through penalties for violations and reward systems for whistleblowers.

Focusing exclusively on outputs rather than input anonymization or interpretability of internal AI processes, VRAIO aims to reconcile privacy protection with technical efficiency. This study further introduces two complementary mechanisms to meet the real-time operational demands of autonomous driving: (1) pre-approval for designated outputs, and (2) exemption of internal system communication from regulation. This framework presents a new institutional model that may serve as a foundation for ensuring democratic acceptance of fully autonomous driving systems.

(2) [Reviewer’s comment here]

How do you propose reconciling the legal principle of “no expectation of privacy in public” with the ethical demand for pedestrian consent in autonomous driving systems? Please elaborate.

Response: The following block has been added to Section 4.1.

Some segments of society hold the view that individuals should not expect privacy in public spaces. However, this notion is rooted in a historical context where surveillance technologies were limited in scope and capability. In recent years, advances in AI and sensing technologies have enabled the reconstruction of individual behavior patterns even in open, outdoor environments. Under such conditions, even in public spaces, the institutional regulation of data outputs that could identify individuals should be considered essential.　

The VRAIO framework proposed in this study is based on the idea that, even if data collection itself is legally permitted, the institutional regulation of how such data is output and disclosed is critical. Through this approach, VRAIO enables a normative position in which the collection of information in public spaces may be legally tolerated, but the act of disclosure must be ethically constrained. In this configuration, even if the capturing, re-cording, or analysis of pedestrians without their consent is legally permissible, the outputs are still subject to social and institutional review, and their disclosure is allowed only if found to be consistent with declared, legitimate purposes.

 

(3) [Reviewer’s comment here]

VRAIO presumes AI decisions are transparent and interpretable enough to be judged against declared purposes. Many modern AI models (especially deep learning-based ones) are black boxes, making it difficult to determine if an output truly violates purpose-compliance criteria. How does VRAIO handle non-interpretable AI models that resist clear output justification? Please elaborate.
Response: The following block has been added to Section 2.2.

Contemporary AI models, particularly those based on deep learning, often exhibit a black-box nature, limiting the transparency and interpretability of their decision-making processes. In response, the VRAIO framework adopts a design philosophy that does not attempt to trace the internal reasoning of AI systems, but instead focuses on institutionally regulating the declared purpose and content of outputs.

Specifically, when an AI system intends to issue an output, a "permission request" is automatically generated and sent to the Recorder. This request includes a declared “purpose” and “summary” of the output, but does not contain the output data itself. Importantly, such output requests are restricted to a predefined set of purposes, which must be configured in advance by the AI system administrator (e.g., the operator of the autonomous driving system). These predefined purposes must in turn be aligned with those that have been publicly accepted through prior societal deliberation and institutional approval processes.

The Recorder formally evaluates whether the submitted purpose and summary are consistent with the pre-approved set of purposes and records the evaluation results in a tamper-proof and verifiable format. Even if the output is approved through this formal re-view, the actual output may still be subject to retrospective auditing to verify its consistency with the declared information. If any significant discrepancy is found, the case is treated as a false declaration and subject to severe penalties, thereby establishing a strong institutional deterrent against misuse.

(4) [Reviewer’s comment here]

Please discuss the issue of generalization and global standardization. In other words, can there be a global standard, or must VRAIO be region-specific?
Response: The following block has been added to Section 4.3.

How VRAIO's blockchain-based output recording scheme can align and interoperate with emerging global AI regulatory frameworks - such as the EU Artificial Intelligence Act [54] and the U.S. AI Risk Management Framework [55] - remains an important subject for future consideration. However, the institutional design of VRAIO, which encloses the entire AI system within an output firewall and regulates all outputs through both institutional and technical mechanisms, constitutes a conceptual framework that may surpass these existing regulations in both scope and depth. Its core elements - including purpose-compliance screening, transparency, and immutable, auditable recordkeeping - not only encompass many of the principles found in international AI governance but also of-fer a unified mechanism for their practical implementation.

In an era where AI technologies transcend national borders, institutional governance frameworks are likewise expected to exhibit a certain level of international alignment. VRAIO is structured to meet this challenge by incorporating a two-layered design: globally shared normative principles at the foundational level, and the flexibility for local adaptation in accordance with national laws, cultural contexts, and civic values. Moving forward, it will be important to continue engaging with international standardization bodies and policy dialogue platforms to promote the institutional value and technical design of VRAIO, with the goal of maturing it into a globally shared model for AI governance.

(5) [Reviewer’s comment here]

In the conclusions, add 1–2 sentences that explicitly acknowledge structural weaknesses discussed in the main body of the text.
Response: The following block has been added to Section 5 Conclusions

That said, while VRAIO offers a forward-looking institutional framework, it is not without limitations. The legitimacy of its output approval process fundamentally depends on the “honest declarations” made by the AI system or its operators. To ensure institutional reliability, extensive social incentive structures are essential - such as strict penalties for false declarations, reward systems for whistleblowers, and compensation schemes. Moreover, VRAIO alone cannot defend against cyberattacks such as hacking or data tampering; it must operate in conjunction with robust technical security mechanisms. In this regard, although VRAIO is the first proposal to enclose AI outputs within a formal governance structure, its trustworthiness can only be realized through multi-layered institutional and technical foundations.

Final Remarks
In addition to the above revisions, the author has also made the following improvements:

• Refined the English throughout the manuscript for clarity and readability.
• Reformatted Figures 1–3 for enhanced visual quality and added detailed labeling to Figure 1 to clarify the role of the Blockchain component within the VRAIO system.

The author once again sincerely thanks Reviewer #2 for the constructive and forward-looking feedback, which has been invaluable in enhancing the academic rigor and practical applicability of the manuscript.

Author Response File: Author Response.docx

Round 2

Reviewer 3 Report (New Reviewer)

Comments and Suggestions for Authors

None 

Comments on the Quality of English Language

Moderate changes are needed

This manuscript is a resubmission of an earlier submission. The following is a list of the peer review reports and author responses from that submission.

Round 1

Reviewer 1 Report

Comments and Suggestions for Authors

1. The abstract clearly summarizes the core idea, but it could be enhanced by explicitly mentioning your two novel contributions ("prior approval" and "unrestricted internal communication") to better highlight your originality.

2. It would strengthen the paper to briefly discuss recent alternative privacy frameworks or approaches in autonomous vehicles, thereby positioning your proposal more effectively within existing research.

3. In your review of existing privacy protection technologies, you mention several general methods (e.g., anonymization, secure multi-party computation), but specific limitations or examples relevant to autonomous driving scenarios could clarify why your method is necessary and superior.

4. The visual concept presented in Figure 1 is helpful; however, it would be more informative if accompanied by a concise descriptive caption summarizing the interaction between the Recorder, AI system, and oversight institutions, aiding immediate reader comprehension.

5. The concept of "Unified Pre-Authorization" is promising; however, it would greatly benefit from a brief illustrative scenario or case example (e.g., an emergency braking event or routine software update) to concretely demonstrate the feasibility and practical benefits of your proposal.

6. The notion of "Unrestricted Internal Communication" is innovative and logical; nonetheless, adding a specific explanation or brief example of internal communication data flows (e.g., sensor fusion, route coordination scenarios) could illustrate its necessity and applicability more clearly.

7. Your discussion clearly presents societal implications, but it would enhance reader understanding if you addressed more explicitly how your proposed framework balances privacy protection and the computational or operational overheads for real-world implementation.

8. While the conclusions effectively summarize your contributions, explicitly stating the limitations or constraints of your current conceptual framework would provide transparency and suggest clear directions for practical implementation or future empirical studies.

Author Response

Point-by-Point Response to Reviewer #1

The author sincerely thanks Reviewer #1 for the thoughtful and constructive feedback. Each comment has been carefully considered and addressed in the revised manuscript. Below is a detailed response to each point:

Comment-1. The abstract clearly summarizes the core idea, but it could be enhanced by explicitly mentioning your two novel contributions ("prior approval" and "unrestricted internal communication") to better highlight your originality.
Response:
Thank you for this valuable suggestion. In the revised abstract (lines 14–24), I have explicitly incorporated the two novel contributions—namely, "prior approval for specific outputs" and "unrestricted internal communication within the system"—to better emphasize the originality and applicability of my framework. These additions clarify the practical innovations of the proposal and their importance in real-time autonomous driving contexts.

Comment-2. It would strengthen the paper to briefly discuss recent alternative privacy frameworks or approaches in autonomous vehicles, thereby positioning your proposal more effectively within existing research.
Response:
I appreciate this important point. In response, I have clarified and slightly expanded the existing discussion in Section 1, where I examine "Privacy as a Service" as a representative alternative framework. I also emphasize its limitations—particularly its lack of institutional mechanisms to prevent discretionary misuse by authorized parties—thereby highlighting the complementary role of the proposed VRAIO framework.

Comment-3. In your review of existing privacy protection technologies, you mention several general methods (e.g., anonymization, secure multi-party computation), but specific limitations or examples relevant to autonomous driving scenarios could clarify why your method is necessary and superior.
Response:
Thank you for the suggestion. In Section 2.1, I have expanded the discussion by providing specific examples of how conventional techniques such as anonymization and PPDM can be insufficient or computationally burdensome in autonomous driving contexts, particularly under real-time constraints. This enhancement underscores the necessity of the output-focused approach for achieving both privacy and operational efficiency.

 

Comment-4. The visual concept presented in Figure 1 is helpful; however, it would be more informative if accompanied by a concise descriptive caption summarizing the interaction between the Recorder, AI system, and oversight institutions, aiding immediate reader comprehension.
Response:
I agree with this observation. The caption of Figure 1 has been revised to include a brief summary of the functional relationships among the Recorder, AI system, and oversight institutions. This should improve the figure’s standalone clarity and assist readers in understanding the key institutional roles within the VRAIO framework.

Comment-5. The concept of "Unified Pre-Authorization" is promising; however, it would greatly benefit from a brief illustrative scenario or case example (e.g., an emergency braking event or routine software update) to concretely demonstrate the feasibility and practical benefits of your proposal.
Response:
Thank you for the helpful suggestion. In Section 3.1, I have added a concrete illustrative example involving an emergency braking scenario, which demonstrates how pre-authorization enables immediate response while preserving auditability. Added sentence: For example, in the case of an emergency braking event triggered by sudden pedestrian intrusion, the pre-authorized output allows the vehicle to alert nearby infrastructure and emergency services instantly, while the summary of the event is later submitted to the Re-corder for audit.

Comment-6. The notion of "Unrestricted Internal Communication" is innovative and logical; nonetheless, adding a specific explanation or brief example of internal communication data flows (e.g., sensor fusion, route coordination scenarios) could illustrate its necessity and applicability more clearly.
Response:
I appreciate the reviewer’s insight. In Section 3.2, I have clarified the types of internal communication within autonomous driving systems—such as recommended routes, traffic conditions, and vehicle status reports—highlighting their necessity for real-time responsiveness and system integrity. While not a detailed data flow model, this addition strengthens the justification for institutionalizing unrestricted internal communication.

Comment-7. Your discussion clearly presents societal implications, but it would enhance reader understanding if you addressed more explicitly how your proposed framework balances privacy protection and the computational or operational overheads for real-world implementation.
Response:
This is an important point. In Sections 4.2 and 4.3, I have added a dedicated paragraph that discusses the trade-offs between privacy protection and system efficiency, and how the VRAIO architecture minimizes operational burden by restricting regulatory mechanisms only to external outputs. This clarifies the practical viability of the framework under real-world constraints.

Comment-8. While the conclusions effectively summarize your contributions, explicitly stating the limitations or constraints of your current conceptual framework would provide transparency and suggest clear directions for practical implementation or future empirical studies.
Response:
Thank you for the helpful recommendation. In the Conclusion section, I have explicitly stated the limitations and future challenges of the conceptual framework presented in this study. These include the need for empirical validation, ensuring consistency with legal and institutional frameworks, and institutional preparation for large-scale societal implementation.
  At the same time, I have clearly emphasized the significance of this study. What this study proposes is not an entirely new concept, but rather the application of an already proposed framework—the Verifiable Record of AI Output (VRAIO)—to the highly important and challenging domain of fully autonomous AI systems. In doing so, to address the specific requirements of autonomous driving—namely, (1) the necessity of immediate decision-making and response, and (2) the extreme complexity of a system composed of a large number of interacting vehicles and components—I have introduced two original sub-concepts: “pre-approval for designated outputs” and “unrestricted internal communication.” These additions aim to achieve strict institutional control over external outputs without compromising real-time performance.
  The proposed framework is a socio-technical model with a scale and rigor unprecedented in the history of privacy governance, and it aims to achieve both complete privacy protection and the securing of social trust. Such protection is an essential requirement for autonomous AI systems to gain true societal acceptance in democratic societies.
  This study not only presents a comprehensive and robust vision for privacy protection, but also clearly identifies the challenges that must be addressed in order to realize it—such as technical validation, institutional consensus-building, and the management of operational costs. I position this study not as a finalized solution, but as a conceptual foundation and starting point for future interdisciplinary and societal discussions toward real-world implementation and institutionalization.

 

Reviewer 2 Report

Comments and Suggestions for Authors

1. Clarify Real-Time Implementation of VRAIO (Section 3.1)

The proposed unified pre-authorization mechanism requires elaboration on how real-time auditing aligns with the latency constraints of autonomous driving operations. Specifically, the paper should define the maximum tolerable delay for post-execution validation by the Recorder and describe fallback protocols for scenarios where outputs are retrospectively flagged as non-compliant. This clarification is critical to ensure operational safety while maintaining audit integrity, particularly for time-sensitive actions like collision avoidance.

2. Justify Unrestricted Internal Communication Assumptions (Section 3.2)

The assumption that unrestricted communication between central and onboard AI systems carries no privacy risks warrants rigorous validation. The authors should address potential adversarial scenarios where compromised subsystems could exploit internal channels to exfiltrate sensitive data, and clarify whether techniques like differential privacy or lightweight anonymization are applied to V2V/V2I communications. A threat analysis comparing attack surfaces with and without internal communication constraints would strengthen the argument for this design choice.

3. Quantify Blockchain Overhead for Tamper-Proof Logging (Section 2.2)

While blockchain is proposed for tamper-proof logging, the paper lacks concrete performance metrics essential for autonomous driving applications. The authors should estimate transaction volumes per vehicle and analyze the computational/storage implications of permissioned versus permissionless ledger architectures. This quantification is necessary to evaluate the framework’s scalability across vehicle fleets and compatibility with edge computing infrastructure.

4. Define Purpose-Conformity Evaluation Criteria (Section 2.2)

The paper’s abstract description of "Rules" for output screening needs operational specificity. Concrete examples of prohibited output patterns and technical details about compliance-checking mechanisms should be provided. This will demonstrate how the framework distinguishes legitimate safety-critical outputs from privacy-violating transmissions in practice.

5. Elaborate Whistleblower Incentive Mechanics (Throughout)

The whistleblower reward system requires explicit operational design details, including reward calculation methodologies (fixed vs. severity-based incentives), safeguards against false reporting , and integration with existing legal frameworks for whistleblower protection. Clarifying these elements will address concerns about the system’s susceptibility to malicious audits while ensuring alignment with labor laws and corporate accountability standards.

6. Validate Prior Approval Scalability (Section 3.1)

The static categorization of pre-approved outputs may not accommodate evolving edge cases in autonomous driving. The authors should propose mechanisms for dynamic rule updates, such as federated learning approaches to refine approval criteria across vehicle fleets, along with metrics for determining rule update frequency. This would demonstrate the framework’s adaptability to new privacy challenges while maintaining audit consistency.

Author Response

Point-by-Point Response to Reviewer #2

I sincerely thank Reviewer #2 for the detailed and insightful feedback. Each comment has been carefully considered and has significantly contributed to improving the clarity, depth, and technical rigor of the manuscript. My responses to each point are provided below:

Comment-1. Clarify Real-Time Implementation of VRAIO (Section 3.1)
The proposed unified pre-authorization mechanism requires elaboration on how real-time auditing aligns with the latency constraints of autonomous driving operations. Specifically, the paper should define the maximum tolerable delay for post-execution validation by the Recorder and describe fallback protocols for scenarios where outputs are retrospectively flagged as non-compliant. This clarification is critical to ensure operational safety while maintaining audit integrity, particularly for time-sensitive actions like collision avoidance.
Response:
Thank you for this important comment. Section 3.1 of the manuscript explains that the unified pre-authorization mechanism is specifically designed to accommodate real-time operational constraints in autonomous driving systems. Outputs related to time-sensitive tasks—such as collision avoidance and emergency communications—are granted pre-approval in advance (e.g., at system startup or software updates) and executed immediately when needed. The output histories of such actions are then reported to the Recorder retrospectively, with a delay ranging from several minutes to several days.
  The Recorder conducts a formal approval assessment on these pre-approved outputs using the same criteria as real-time screening. If no issues are found, the full decision-making process is preserved and disclosed in a tamper-proof and verifiable manner. In the event that a problem is detected, the framework stipulates immediate reporting to the Government Regulatory Agency and the initiation of an investigation into the source of the error.
  This structure ensures that latency-sensitive outputs can be issued without delay, while still maintaining accountability through delayed but rigorous auditability. I believe this satisfies the dual requirements of operational safety and institutional oversight, as outlined in your comment.

Comment-2. Justify Unrestricted Internal Communication Assumptions (Section 3.2)
The assumption that unrestricted communication between central and onboard AI systems carries no privacy risks warrants rigorous validation. The authors should address potential adversarial scenarios where compromised subsystems could exploit internal channels to exfiltrate sensitive data, and clarify whether techniques like differential privacy or lightweight anonymization are applied to V2V/V2I communications. A threat analysis comparing attack surfaces with and without internal communication constraints would strengthen the argument for this design choice.
Response:
Thank you for this important and constructive comment. In the extensively revised Section 3.2, I have clarified the institutional rationale, technical boundaries, and risk assumptions underlying the design choice to exempt internal communication from VRAIO-based output auditing.
   Although advanced techniques such as differential privacy and lightweight anonymization are not currently detailed in the manuscript, their application to V2V/V2I communications can be considered a complementary option, particularly for data that may inadvertently involve personal information (e.g., environmental imagery containing pedestrians). That said, such additions may increase processing overhead and are therefore left as implementation-level decisions depending on the deployment context. These points have been directly incorporated into the revised Section 3.2, as follows..

It should be emphasized that “unrestricted internal communication (unconditional approval)” applies only to the institutional oversight layer governed by the Recorder. It does not imply any waiver of technical security measures. On the contrary, standard cy-bersecurity protections—such as encryption, authentication, access control, and anomaly detection—remain essential and non-negotiable for ensuring the confidentiality and in-tegrity of internal data flows. This functional separation between institutional auditing and communication-layer security lies at the core of the rationale for internal communica-tion liberalization under the VRAIO framework.
  For internal communications that may contain personally identifiable infor-mation—such as data from onboard sensors or video streams—the selective adoption of Privacy-Preserving Data Mining (PPDM) techniques is recommended. PPDM encom-passes a family of technologies designed to reduce identifiability in data use contexts, in-cluding anonymization, masking, and noise injection. Practical examples include re-al-time video masking, voice obfuscation, and generalization of demographic attributes. However, since these techniques may incur computational overhead and latency, their application should be context-sensitive, based on system real-time constraints and the as-sessed privacy risk of each communication channel.
  To enforce external output control at the system level, a two-layered outbound fire-wall architecture is proposed. The first layer consists of hardware-based VRAIO-compliant outbound firewalls embedded in individual vehicles, responsible for suppressing and inspecting outgoing data at the vehicle edge. The second layer consists of a software-defined outbound firewall (SDN-based) deployed at the cloud or centralized control level, which enforces VRAIO rules across the entire autonomous driving AI system. This multi-tiered architecture, combining distributed filtering and centralized enforcement, is compatible with security paradigms already adopted in the IoT and connected vehicle domains, and is considered highly implementable.
  The degree to which the exemption of internal communications from VRAIO audit-ing increases the system’s attack surface, or to which extent such risks can be mitigated by existing security technologies, remains an important topic for future research. The current framework assumes that even if internal data are maliciously exfiltrated, they must pass through the Recorder for external transmission, where institutional auditing acts as a final barrier. This design is intended to provide strong deterrence against intentional privacy violations. However, in order to validate this assumption, adversarial simulations based on compromised subsystem scenarios will be necessary, and are identified as a subject of future expansion.

 

Comment-3. Quantify Blockchain Overhead for Tamper-Proof Logging (Section 2.2)
While blockchain is proposed for tamper-proof logging, the paper lacks concrete performance metrics essential for autonomous driving applications. The authors should estimate transaction volumes per vehicle and analyze the computational/storage implications of permissioned versus permissionless ledger architectures. This quantification is necessary to evaluate the framework’s scalability across vehicle fleets and compatibility with edge computing infrastructure.
Response:
Thank you for your important and practical suggestion. In response to this comment, I have expanded Section 2.2 to address the performance, storage, and scalability implications of tamper-proof logging within the proposed framework. While the framework identifies blockchain as a leading option, it does not mandate a specific recording method. Instead, it emphasizes the need for flexibility based on operational constraints and cost-efficiency. The following blocks have been added to Section 2.2 to clarify this point and to address implementation considerations in a more concrete manner:
Blockchain technology is one of the most promising options for ensuring tamper-proof logging of output audit records, and lightweight, high-speed implementations of blockchain are gradually reaching practical viability [34–38]. In addition, architectures that combine federated learning with blockchain have gained attention as privacy-preserving distributed learning infrastructures in the Internet of Vehicles (IoV) domain [39].
　　That said, the present framework does not mandate any specific logging method. Rather, the recording approach should be selected flexibly based on cost-effectiveness and operational context. The Recorder does not store the output data themselves, but instead logs metadata related to the output audit process—such as the purpose and summary of the output, the result of the audit, the timestamp, and information about the sender and recipient. As a result, the size of each individual record is relatively small.
　　To improve logging efficiency, methods such as batch recording—aggregating entries by vehicle or by day—and limiting retention periods (e.g., to three months or one year) may be employed. Additionally, a portion of the records may be randomly selected for long-term storage.
　　Moreover, a hybrid approach may be adopted in which routine records are stored using lightweight cryptographic techniques, such as digital signatures, while only a randomly selected subset is committed to the blockchain. This design is expected to offer a practical balance between scalability and tamper-resistance.

These additions clarify that the system is designed to be compatible with edge computing infrastructure and large-scale deployments by minimizing the volume and frequency of blockchain transactions, using selective recording and lightweight alternatives where appropriate.

Comment-4. Define Purpose-Conformity Evaluation Criteria (Section 2.2)
The paper’s abstract description of "Rules" for output screening needs operational specificity. Concrete examples of prohibited output patterns and technical details about compliance-checking mechanisms should be provided. This will demonstrate how the framework distinguishes legitimate safety-critical outputs from privacy-violating transmissions in practice.
Rsponse:
Thank you for this important and constructive comment. In response, I have significantly expanded Section 2.2 to provide greater operational specificity regarding the Rules for output screening and the purpose-conformity evaluation process.
  The revised section introduces a seven-element structure of VRAIO, which clarifies the institutional, procedural, and technical mechanisms for regulating AI output. In particular, elements (1) to (3) define how Rules are democratically established, how a Government Regulatory Agency oversees their application, and how the Recorder performs metadata-based screening to ensure conformity.
  To directly address your request, the section now provides:
* Concrete metadata criteria used for screening, including purpose, content category, degree of anonymization, volume, frequency, and recipient.
* Formal evaluation principles, based on operational utility, public safety, and privacy protection.
* Explicit examples of outputs that would be approved or rejected depending on anonymization level and purpose (e.g., anonymized pedestrian images sent to law enforcement for public safety vs. raw images without anonymization).
* A definition of sufficient anonymization, involving techniques such as face masking, voice obfuscation, and generalization of personal attributes.
  Furthermore, the revised text clarifies that any receiving AI system must also reside within the VRAIO framework. This ensures that once data are subject to institutional safeguards, they remain protected throughout their lifecycle.
These additions aim to demonstrate precisely how the proposed framework distinguishes between legitimate safety-critical outputs and privacy-violating transmissions in practice.

The following blocks In Section 2.2 have been changed/ added as follows,
The structure of VRAIO consists of the following seven elements:
(1)         Rulemaking based on democratic consensus
The “Rules” that define the permissible scope of AI system outputs—such as the purpose, content category, degree of inclusion or removal of personal information, volume, frequency, and recipients—are formulated through legislative and adminis-trative procedures and public discussions based on social consensus grounded in democratic deliberation. These Rules provide the normative legitimacy and societal acceptability necessary for regulatory governance.
(2)         Institutional oversight by a governmental agency
A Government Regulatory Agency for AI is responsible for disseminating and su-pervising the established Rules, and mandates their implementation across all rele-vant actors. This agency also evaluates the public interest and privacy-protection ef-ficacy of the defined output boundaries (purpose, content category, degree of anony-mization, volume, frequency, recipient, etc.) and provides feedback for democratic rule revisions through periodic public reporting.
(3)         External output screening via output firewall and Recorder
The AI system is enclosed within an "Outbound Firewall" maintained by an inde-pendent third-party institution called the Recorder. For each external output, the sys-tem must submit a request including metadata such as purpose, content category, degree of anonymization, volume, frequency, and recipient. The Recorder then per-forms a formal conformity check against the predefined Rules. If the output falls within the permitted range, the Recorder authorizes the release by unlocking the firewall. Notably, the Recorder is technically restricted from accessing the content of the output itself; it only interacts with the metadata.
(4)         Tamper-resistant logging and disclosure
The output’s purpose, summary, and approval rationale are recorded using tam-per-resistant technologies such as blockchain, and are made available for public au-diting to ensure transparency.
(5)         Third-party auditing by citizens and external institutions
Records maintained by the Recorder, after undergoing anonymization and other protective processing, are open to audit by citizens, NGOs, and external oversight bodies. This mechanism supports the transparency and accountability of the overall system.
(6)         Institutional deterrence mechanisms
The VRAIO framework presumes that AI systems report their output history truth-fully. To enforce this assumption institutionally, penalties are imposed for false re-porting, while high-value rewards are provided to whistleblowers or bounty hunters who expose violations. This structure eliminates incentives for deception and en-hances systemic reliability.
(7)         Randomized spot checks to prevent false reporting
As an additional safeguard, randomized inspections of output data are introduced. The Recorder randomly selects certain outputs and requires AI system operators to disclose decryption methods for direct inspection by oversight bodies. Since this process constitutes an exception to the Recorder's non-access policy and may involve privacy-sensitive data, careful institutional design is required.
　　The permissible scope of output (purpose, content category, degree of anonymization, volume, frequency, recipient, etc.) is defined as a set of Rules based on democratic con-sensus and evaluated against the following criteria:
[1] Operational and developmental efficiency for AI system operators or owners
[2] Public safety (e.g., crime prevention, victim rescue, suspect tracking) and social effi-ciency (e.g., traffic signal control)
[3] Privacy protection and data minimization
　　Examples of outputs that may be approved for transmission include:
[a] Information around the vehicle during autonomous operation (e.g., video, sensor da-ta) may be sent to the autonomous driving system after anonymization.
[b] Information about pedestrians walking on roadways (e.g., images and metadata) may be sent to law enforcement (e.g., traffic control centers) after anonymization.
[c] Information about road flooding (e.g., images and metadata) may be sent to disaster response centers after anonymization.
　　Examples of outputs that may not be approved are the cases [a], [b], or [c] above, where sufficient anonymization has not been applied. Sufficient anonymization refers to pro-cessing that renders individual identification impossible—for example, by masking faces in images, obfuscating voices in audio, or generalizing attribute data.
　　Additionally, any receiving AI system of output data originating from within the VRAIO framework must also be subject to the VRAIO framework. This ensures that data entering the VRAIO ecosystem remains under regulated and protected conditions throughout its lifecycle.

Comment-5. Elaborate Whistleblower Incentive Mechanics (Throughout)
The whistleblower reward system requires explicit operational design details, including reward calculation methodologies (fixed vs. severity-based incentives), safeguards against false reporting , and integration with existing legal frameworks for whistleblower protection. Clarifying these elements will address concerns about the system’s susceptibility to malicious audits while ensuring alignment with labor laws and corporate accountability standards.
Response:
Thank you for your comment. To address this point, I have added brief but concrete descriptions in Section 2.2 regarding the whistleblower reward system and its associated safeguards. These include the basic structure of fixed and severity-based incentives, protections against false reporting, and the role of randomized spot checks. The additions are as follows:
(6)         Institutional deterrence mechanisms
The VRAIO framework presumes that AI systems report their output history truth-fully. To enforce this assumption institutionally, penalties are imposed for false re-porting, while high-value rewards are provided to whistleblowers or bounty hunters who expose violations. This structure eliminates incentives for deception and en-hances systemic reliability.
(7)         Randomized spot checks to prevent false reporting
As an additional safeguard, randomized inspections of output data are introduced. The Recorder randomly selects certain outputs and requires AI system operators to disclose decryption methods for direct inspection by oversight bodies. Since this process constitutes an exception to the Recorder's non-access policy and may involve privacy-sensitive data, careful institutional design is required.

Comment-6. Validate Prior Approval Scalability (Section 3.1)
The static categorization of pre-approved outputs may not accommodate evolving edge cases in autonomous driving. The authors should propose mechanisms for dynamic rule updates, such as federated learning approaches to refine approval criteria across vehicle fleets, along with metrics for determining rule update frequency. This would demonstrate the framework’s adaptability to new privacy challenges while maintaining audit consistency.
Response:
Thank you for your insightful comment. In response, I have added a detailed explanation to Section 2.2 to clarify how the proposed framework addresses the scalability of pre-approval rules. While the Rules themselves are established through democratic consensus and are intended to remain stable over multi-year periods, the system also allows for technical refinement in their application. Specifically, mechanisms such as Federated Learning can be employed—within clearly defined institutional boundaries—to support the adaptive interpretation and operational tuning of the Rules in response to borderline or exceptional cases observed in real-world use. The following blocks have been added to Section 2.2 to elaborate on this point.

The Rules (i.e., the permissible scope of output) are to be established through democratic deliberation and social consensus. To ensure their legitimacy, these Rules must be intuitively understandable to the public and sufficiently general and versatile so that revisions once every few years will not cause practical disruptions. For new functions that companies wish to introduce, it is not appropriate to demand immediate incorporation; instead, such proposals should be submitted in advance as requests for consideration in the next scheduled rule revision.

In actual system operation, however, there may be cases where the Rules are not comprehensive, or where internal inconsistencies lead to ambiguities in their application order or judgment criteria. As a result, so-called borderline or exceptional output patterns may arise. For instance, when a pedestrian is captured by a high-resolution camera, a certain level of image clarity may be necessary for accident prevention, yet if the person’s face is clearly visible, it could constitute a privacy violation. In such cases, the required level of anonymization may vary depending on the situational context—for example, whether the output is treated as emergency-related or as part of routine traffic monitoring. Similarly, if designated recipient systems are unavailable during a disaster, the decision to transmit flood information to unofficial groups such as local volunteer fire brigades may raise questions regarding the legitimacy of the output destination. Moreover, outputs such as video recordings triggered by emergency braking or conversations between passengers often involve uncertain thresholds for assessing urgency or required anonymization, making them subject to operator discretion.
  To address such highly uncertain output patterns, it is important for the Government Regulatory Agency to collect and analyze real-world operational cases and identify statistical trends. This enables flexible refinement of the judgment criteria and supplementary logic for output approval. In particular, for functions not yet covered by existing Rules—such as outputs from newly installed emotion recognition sensors that detect passenger stress—methods like Federated Learning (FL) can be used to detect usage patterns and provide input for future rule revisions.
  However, such technical optimizations must remain strictly within the scope of interpreting and applying Rules that have been established through democratic procedures. They must not possess the authority to unilaterally alter the Rules themselves. In this proposal, operational trends observed at the local level (e.g., individual AI systems) are to be aggregated centrally via Federated Learning and used to continuously improve automatic judgment algorithms and the operational guidance for Rules, based on output metadata. For such mechanisms to be institutionally permissible, the Rule documents—established through democratic procedures—must explicitly authorize the Government Regulatory Agency to collect and analyze anonymized data within a defined scope for such purposes.

Reviewer 3 Report

Comments and Suggestions for Authors

While the author introduces the "Verifiable Record of AI Output (VRAIO)" concept and illustrates its application to autonomous driving systems, the contribution of this work appears to be quite marginal. The core idea of VRAIO, as the author himself acknowledges, was originally developed as a privacy protection mechanism for AI-monitored public spaces in his own paper [14]. Its application to autonomous driving, while perhaps a novel domain, seems to be a direct transfer of an existing concept without significant adaptation or the introduction of substantial new insights specific to the unique challenges and requirements of autonomous vehicles. The paper does not delve deeply into how the specific characteristics of autonomous driving such as the complex interplay of various sensors and algorithms necessitate significant modifications or extensions of the original VRAIO framework. Consequently, the proposed approach seems to primarily demonstrate the applicability of an existing idea to a new context rather than offering a truly innovative solution or addressing fundamental open questions within the field of autonomous driving. The lack of in-depth exploration of the specific benefits and potential limitations of VRAIO within this new domain further weakens the novelty and impact of this work, leading to the conclusion that the contribution, while relevant, remains on the periphery of significant advancements in the field.

 

Author Response

Comments by Reviewer#3

 

Comment:

While the author introduces the "Verifiable Record of AI Output (VRAIO)" concept and illustrates its application to autonomous driving systems, the contribution of this work appears to be quite marginal. The core idea of VRAIO, as the author himself acknowledges, was originally developed as a privacy protection mechanism for AI-monitored public spaces in his own paper [14]. Its application to autonomous driving, while perhaps a novel domain, seems to be a direct transfer of an existing concept without significant adaptation or the introduction of substantial new insights specific to the unique challenges and requirements of autonomous vehicles. The paper does not delve deeply into how the specific characteristics of autonomous driving such as the complex interplay of various sensors and algorithms necessitate significant modifications or extensions of the original VRAIO framework. Consequently, the proposed approach seems to primarily demonstrate the applicability of an existing idea to a new context rather than offering a truly innovative solution or addressing fundamental open questions within the field of autonomous driving. The lack of in-depth exploration of the specific benefits and potential limitations of VRAIO within this new domain further weakens the novelty and impact of this work, leading to the conclusion that the contribution, while relevant, remains on the periphery of significant advancements in the field.

 

Response:

Thank you for this critical and thought-provoking comment. While it is true that the core concept of the Verifiable Record of AI Output (VRAIO) was originally proposed for AI-monitored public spaces [14], this study does not simply transfer the idea to a new domain. Rather, the manuscript has been substantially revised to clarify that this application to autonomous driving systems involves structural adaptation and functional extension to address the unique technical and institutional challenges specific to this field.

 

In particular, the following Sections have been added or expanded to address this point:

 

The introduction now explicitly frames the internal misuse problem in autonomous driving contexts, including the lack of user agency and the impossibility of prior consent for pedestrians. This highlights the need for an auditable, output-based governance model tailored to autonomous systems.

 

Section 2 has been substantially expanded to clarify these contributions. In particular, Section 2.2 now lays out the VRAIO framework in greater detail, including its core institutional design, the formal structure of output approval, metadata-based rule enforcement, and examples of permissible and impermissible outputs. These revisions aim to demonstrate how VRAIO is structurally adapted to the autonomous driving context.

 

Section 3 presents two original sub-concepts: (1) prior approval for specific outputs and (2) unrestricted internal communication, introduced specifically to handle the real-time demands and architectural complexity of autonomous driving systems (see 3.1–3.2).

 

Section 4.2 explains how these extensions enable the VRAIO framework to balance privacy protection with technical efficiency, a tradeoff that is central to autonomous driving deployments.

 

Section 4.3 positions this contribution not as a direct reuse of a past idea, but as a structural redesign grounded in the operational constraints and governance needs of fully autonomous vehicles.

 

Taken together, these revisions demonstrate that this work offers more than a domain transfer: it presents a substantially redesigned framework aligned with the requirements of large-scale, real-time AI governance in the autonomous driving context.