Monday, November 30, 2009

The Privacy Implications and Challenges of a Smart Grid Electrical System

My article on this subject was published in the California Progress Report yesterday, so I'm going to reprint it here today:

A critically important debate has emerged regarding the privacy implications and challenges that a transition to a smart grid system for electricity poses and how such concerns can be addressed.

In California, as in states across the country, the Public Utilities Commission (PUC) is currently considering how to implement a smart grid electrical system. In response to this rulemaking, and the lack of attention paid to consumer privacy to date, the Consumer Federation of California (CFC) recently joined The Utility Reform Network (TURN) in urging the Commission to allow for a more comprehensive review and debate of such concerns.

In response, the PUC has agreed to hold separate privacy-specific hearings - with accompanying workshops and public comments - at a date to be determined in mid-December. While this is a temporary victory for privacy and consumer advocates, enormous challenges remain.

What is a “Smart Grid” and why is it needed?

The ‘smart grid’ is a system that will track each kWh of electricity from the generator to an individual’s home through a series of automated devices. The smart grid will come into our homes through a ‘smart meter’ and a ‘home area network’ that monitors the kWh we use.

This deployment of ubiquitous monitoring technologies will allow utilities to collect, and possibly distribute, detailed information about household electricity consumption habits, and to control appliances accordingly (e.g. ice makers will operate only when the washing machine isn't, TVs will shut off when viewers leave the room, air conditioner and heater levels will be adjusted based on time of day and climate, etc.), in hopes of reducing and/or better managing electricity usage.

Home gadgets and appliances will be wirelessly connected to the Internet so consumers can access detailed information about their electricity use, and reduce their carbon footprint appropriately.

The "Smart Grid" has been trumpeted by former Vice President Al Gore for years, and our nation's transition to such a system has accelerated since President Obama announced his plan to repair our country's crumbling infrastructure - which included billions of dollars to construct a nationwide "smart grid".

The potential benefits of a system that allows for such monitoring of electricity flow and control over it are self-evident, including: reducing energy use and CO2 emissions (maybe 20% per home), preventing blackouts, spurring development of renewable energy sources, and improving customer service by locating trouble spots and dispatching maintenance teams to fix the problem (among others).

According to President Obama (and other environmental experts), a smart grid system "will save us money, protect our power sources from blackout or attack, and deliver clean, alternative forms of energy to every corner of our nation."

A variety of interests – in addition to consumer and environmental – also have tangible reasons to support such a transition:

Utilities could sell, if permitted, the massive amounts of household data they will be capable of gathering; law enforcement could more easily identify, track, and manage information associated with people, places, or things involved in investigations; and marketers could access consumer data that will enable them to target their products more effectively.

(Note: smart meters have recently received some bad press due to a number of customers in one California town discovering that their energy bills have skyrocketed. A lawsuit has been filed against PG&E.)

Rest assured this transition is already underway: up to three-fourths of the homes in the United States are expected to be placed on the “Smart Grid” in the next decade. Already, some 8 million "Smart Meters" have been installed in U.S. homes, and there will be an estimated nearly 50 million by 2012. PG&E is installing 13,000 per day in California, and overall, the three major private utilities in the state will deploy 12 million by the end of 2012.

Privacy Implications of a Smart Grid System

The paradox of a smart grid system is that what will ostensibly make it an effective tool in reducing energy usage and improving our electric grid - information - is precisely what makes it a threat to privacy: Information (ours). It is this paradox that has led some to suggest that privacy might even be the “Achilles’ heel” of the “Smart Grid”.

What are the unintended consequences of such a system? Personal privacy issues routinely arise when data collected is harmless in isolation, but becomes a threat when combined with other data, or examined by a third party for patterns. A few principles we should keep in mind as we develop a regulatory framework for such a transition will be consumer control, transparency, and accountability.

In particular: How much information should we give up to the grid? Should it be up to the customer to decide? If not, who gets access to that information, for what reason, and what will they be allowed to do with it? How will this information be managed (e.g. how long will it be stored)? And how well will it be protected from those who might seek it unlawfully? Can it even be fully protected given the increasing success and technical expertise of hackers?

Because technological innovation will only accelerate, we would do well to consider more than simply the immediate privacy threats posed by current technologies, but also what we know to be just around the corner.

For instance, while the tracking of mere energy usage in one’s home may be of less concern, as home devices become increasingly “smarter”, one can easily envision a technology convergence in which a myriad of gadgets could be used to track more sensitive information. Security technology already exists to monitor presence in homes to detect break-ins.

What else will smart appliances "tell" others about what we do and when we do it in our homes?

Such concerns are already being debated by academics and privacy advocates. In addition to taking into account existing privacy protection laws, companies that develop smart grid technology would be wise to anticipate consumer reaction to any system that invades the most precious private space we occupy: our homes.

Utility companies could reconstruct much of our daily lives, from when we wake up, when we go home, when we go on vacation, and when we hit the hot tub to relax. Now consider how much that information would be worth to third-party marketing companies.

Specific examples of “unintended consequences” that may arise if proper attention is not paid to privacy include:

• Travel agencies might start sending you brochures right when your annual family vacation approaches.
• Law enforcement officials might use our information against us. Where were you last night? Home listening to music, huh? That’s not what PG&E told us. Or what about the predictable desire of police to locate in-home marijuana growers by monitoring household power usage?
• Lawyers might seek to subpoena your data in a divorce trial: "You say you're a good parent, so why is the television on so late on school nights? Were you with someone in the hot tub at 2 AM on Saturday when the kids were gone?"
• Insurance companies, always seeking to maximize profits by denying coverage or raising premiums, might start developing connections between energy use patterns and unhealthy tendencies.
• Hackers and criminals might seek to falsify power usage, pass on their charges to a neighbor, install a virus and take down the entire system, disconnect someone else from the grid, and plan burglaries with an unprecedented degree of accuracy.
• Some consumers are already getting statements that compare their use to their neighbors'. Could we see a system develop in which some are penalized unfairly for “wasteful” usage? Will details such as the number of occupants and their occupations (e.g. someone who telecommutes and is on the computer all day) be properly taken into account?
• Landlords might be interested in knowing what's happening inside their properties.
• If recent revelations regarding warrantless wiretapping, Patriot Act abuses and increasingly intrusive surveillance techniques are an indicator, we should also expect government agencies to vigorously pursue this data.
• It's not hard to envision RFID-tagged labels – read by smart meters - on the food and prescription drugs that fill our refrigerators and cabinets. Could that information be sold to marketers too? Could our health insurance go up because we eat too much unhealthy food? Might we start receiving targeted brochures from Big Pharma for prescription drugs based on the contents of our medicine cabinets?

The privacy implications of such a grid strike at the very heart of the Fourth Amendment and a core American value: our right to keep private what goes on in our homes.

Policy Challenges and Solutions

Ideally, the CPUC would adopt the European approach, which binds companies to collect as little information as is necessary to complete a transaction and requires them to delete that data as soon as it is no longer needed – known as “Data Minimization”. But in America, where information itself is a big-money industry – and government tends to be pro-business - such an approach is unlikely.

A superior indicator, and a useful case study, can be found in Colorado. The state public utility commission there was convinced by Elias Quinn, from the Center for Environmental and Energy Security (CEES), at the University of Colorado Law School, and author of "Privacy and the New Energy Infrastructure", to hold separate hearings dealing with privacy concerns related to a smart grid system. Mr. Quinn enumerated four general categories of personal data and its usage, including policy proposals for the Commission to consider adopting that would more adequately protect consumer privacy.

1. Who has access to your data? As one might expect, consumer consent requirements may vary depending on who is seeking your information. Those seeking access to this data were broken up into three categories - with different approaches taken for each (this does not necessarily represent a full endorsement of each of these approaches):

A. Electric Utilities: The consumer must opt out if they wish to prevent electric utilities from accessing their data, because this information is critical to the deployment of smart grid networks and to operating the next-generation distribution systems. Thus when people sign up for service, they can decline to share any data that isn’t necessary to run the system itself.
B. Automation vendors, smart appliance manufacturers, or other related-but-not-essential companies: A one-time opt-in per manufacturer.
C. Entities wholly unrelated to electricity provision: Access is only available if the consumer opts in on a case-by-case basis. Perhaps such third-party entities should also need to demonstrate a good reason to be able to even ask us for that information before bombarding us with requests. So if an insurance carrier seeks to examine a customer's usage data, the customer will have to be contacted for his/her informed consent first.
I would add an additional category of “data seekers” that deserves special consideration:
D. Law Enforcement: Law enforcement should be prohibited, by law, from accessing our data unless they have a warrant signed by a judge based on already existing reasonable suspicion.

2. How is your data managed? The European Union's Data Directive has been cited as a good model and consists of the following core principles: [1] data processed fairly and lawfully, [2] sought or collected for specified purposes, and analyzed only for those purposes, [3] merely adequate and not excessive for the purposes motivating its collection, [4] kept accurate, and [5] kept in a form allowing for identification for no longer than necessary.

Electricity customers should also have the right to access or audit their information for accuracy - ideally in real time.

3. How is your data protected? Utilities should be mandated by law, with strong penalties, to protect information against anyone who would seek to monitor, steal or manipulate it. The challenge then is how best to protect (1) the database itself and (2) the data in transit, which could be trickier since the link is wireless.

4. What happens if your data is breached? Consumers should be notified immediately in the event that personal information has been obtained by a party without the requisite consent.
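
The consent categories in item 1 and the retention principle [5] in item 2 above can be operationalised as an access check in front of the meter-data store. The example below is added here and is not code from the article, the CPUC, or any utility; the requester categories, consent records, request purposes and meter readings are constructed assumptions used to show how a deny-by-default policy, an audit trail the customer can inspect, and a retention purge fit together:

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum

class Requester(Enum):
    UTILITY = "utility"                  # category A: opt-out
    VENDOR = "vendor"                    # category B: one-time opt-in per manufacturer
    UNRELATED = "unrelated"              # category C: opt-in case by case
    LAW_ENFORCEMENT = "law_enforcement"  # category D: warrant required

@dataclass
class Consent:
    # Defaults are the private choice: nothing shared beyond what the grid itself needs.
    utility_opted_out: bool = False                   # A: declined non-essential utility use
    vendor_opt_ins: set = field(default_factory=set)  # B: manufacturer names opted in to
    case_opt_ins: set = field(default_factory=set)    # C: individual request ids approved

@dataclass
class Request:
    request_id: str
    requester: Requester
    requester_name: str
    purpose: str               # only "grid_operation" counts as essential (assumed label)
    has_warrant: bool = False  # D: warrant signed by a judge

@dataclass
class Reading:
    customer_id: str
    timestamp: datetime
    kwh: float

class MeterDataStore:
    def __init__(self, retention_days: int):
        self.retention = timedelta(days=retention_days)
        self.readings: list[Reading] = []
        self.consents: dict[str, Consent] = {}
        self.audit_log: list[dict] = []  # every decision, so the customer can audit who asked

    def authorize(self, customer_id: str, req: Request) -> tuple[bool, str]:
        # Apply the consent rule for the requester's category; deny by default.
        c = self.consents.setdefault(customer_id, Consent())
        if req.requester is Requester.UTILITY:
            if req.purpose == "grid_operation":
                return True, "essential to operating the grid"
            if c.utility_opted_out:
                return False, "customer opted out of non-essential utility use"
            return True, "non-essential utility use; customer has not opted out"
        if req.requester is Requester.VENDOR:
            if req.requester_name in c.vendor_opt_ins:
                return True, "customer opted in to this manufacturer"
            return False, "no opt-in on file for this manufacturer"
        if req.requester is Requester.UNRELATED:
            if req.request_id in c.case_opt_ins:
                return True, "customer gave informed consent for this request"
            return False, "unrelated party: case-by-case opt-in required"
        if req.requester is Requester.LAW_ENFORCEMENT:
            return (True, "warrant presented") if req.has_warrant else (False, "no warrant")
        return False, "unknown requester category"

    def request_readings(self, customer_id: str, req: Request, now: datetime):
        # Decide, record the decision for the customer's audit, release only on a grant.
        granted, reason = self.authorize(customer_id, req)
        self.audit_log.append({"customer": customer_id, "request": req.request_id,
                               "requester": req.requester_name, "granted": granted,
                               "reason": reason, "at": now})
        data = [r for r in self.readings if r.customer_id == customer_id] if granted else []
        return granted, data, reason

    def purge_expired(self, now: datetime) -> int:
        # Principle [5]: keep identifiable readings no longer than necessary.
        cutoff = now - self.retention
        kept = [r for r in self.readings if r.timestamp >= cutoff]
        removed = len(self.readings) - len(kept)
        self.readings = kept
        return removed

def demo() -> dict:
    # Constructed scenario: one customer, seven requests, a 30-day retention limit.
    store = MeterDataStore(retention_days=30)
    now = datetime(2009, 11, 30, 12, 0)
    for i in range(4):  # constructed 15-minute interval readings
        store.readings.append(Reading("cust-1", now - timedelta(minutes=15 * i), 0.4 + 0.1 * i))
    store.readings.append(Reading("cust-1", now - timedelta(days=45), 0.9))  # past retention
    store.consents["cust-1"] = Consent(utility_opted_out=True, vendor_opt_ins={"AcmeAppliance"})
    asks = {
        "utility_ops": Request("r1", Requester.UTILITY, "utility-co", "grid_operation"),
        "utility_marketing": Request("r2", Requester.UTILITY, "utility-co", "marketing"),
        "vendor_opted_in": Request("r3", Requester.VENDOR, "AcmeAppliance", "device_tuning"),
        "vendor_unknown": Request("r4", Requester.VENDOR, "OtherVendor", "device_tuning"),
        "insurer": Request("r5", Requester.UNRELATED, "insurer-x", "underwriting"),
        "police_no_warrant": Request("r6", Requester.LAW_ENFORCEMENT, "police", "investigation"),
        "police_warrant": Request("r7", Requester.LAW_ENFORCEMENT, "police", "investigation", True),
    }
    out = {name: store.request_readings("cust-1", req, now)[0] for name, req in asks.items()}
    out["purged"] = store.purge_expired(now)
    out["retained"] = len(store.readings)
    out["audit_entries"] = len(store.audit_log)
    return out
```

Every denied request still lands in the audit log, which is what gives the customer the "access or audit" view the article asks for, and the purge runs independently of any request so stale readings disappear whether or not anyone asked for them.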

Privacy vs. Environment? Or Data Owners vs. Data Profiteers?

How best to implement a Smart Grid system is an issue (“Pay-As-You Drive” is another) in which privacy and environmental interests might on the surface appear to bump heads. The good news is this “conflict” is unnecessary, and easily avoided.

The only real interest “clash” will be between those that want to protect privacy and the right to control one's own data versus those that seek to profit off or benefit from accessing, buying and selling it.

The fact is that smart and effective environmental policy does not, and should not, conflict with the individual’s right to privacy. It is paramount then that our state’s transition to a smart grid system addresses the potential privacy pitfalls while we are in the early stages of its implementation.

Rapid technological advancement - without the requisite regulatory safeguards – poses a significant threat to the individual's right to privacy. This threat is epitomized by the "Smart Grid". We must embrace a thorough, thoughtful and deliberative public policy process that includes ironclad privacy protections which, above all else, give the individual absolute control over, and ownership of, his/her data.

Establishing tough consumer privacy protections won't hamper the implementation of a smart grid system. In fact, it will increase its chances of acceptance and success by addressing the rightful privacy concerns consumers will inevitably have.

Elias Quinn, CEES, University of Colorado Law School, summed up well the privacy challenge the smart grid poses:

"Here—as with all attempts at anticipating problems—the solution must involve, first and foremost, drawing attention to the potential privacy problem posed by the massive deployment of smart metering technologies and the collection of detailed information about the electricity consumption habits of millions of individuals.

From there, efforts to devise potential solutions must progress in parallel paths, the first in search of a regulatory fix, the second a technological one. The first protects against the systematic misuse of collected information by utilities, despite new pressures on their profitability, by ensuring the databases are used only for their principal purposes: informing efficient electricity generation, distribution, and management.

Such regulatory fixes are not difficult. In the final analysis, the privacy problem posed by smart metering is only a difficult one if the data gets unleashed before consequences are fully considered, or ignored once unfortunate consequences are realized. But to ignore the potential for privacy invasion embodied by the collection of this information is an invitation to tragedy."

If interested in keeping track of how this issue progresses, particularly what transpires at the upcoming PUC hearings on smart grid and privacy, regularly check back to this blog.

Tuesday, November 24, 2009

More on the Privacy Implications of the Revised Settlement with Google Books

Last week I wrote about the initial reactions among privacy advocates to the recent revised court settlement with Google Book Search (an effort to dramatically expand its current service). The Electronic Frontier Foundation (EFF), the ACLU, and the Samuelson Clinic (from the Berkeley Center for Law & Technology) have been battling the privacy-allergic Google for months now on this issue, with little headway to be had.

I've written about this service in the past (from earliest to most recent), here, here and here.

Today, let me just go right to a comprehensive analysis of the settlement by EFF that adds much needed detail to my post of last week. In "Google Books Settlement 2.0: Evaluating Privacy" EFF's Fred von Lohmann writes:

We have now examined the chief promised benefit (increased public access) of the proposed Google Books settlement, as well as one of the chief potential drawbacks (impaired competition). Another down-side to the proposed settlement is its lack of adequate protections for reader privacy. And although EFF has repeatedly written about the privacy problem and outlined specific steps that could be taken to address it, as have the ACLU, CDT, EPIC, library associations, and academic authors, the revised Settlement 2.0 still does nothing new to address the serious privacy concerns raised by the Google Book Search services.

...

The products and services envisioned by the proposed settlement will give Google not only an unprecedented ability to track our reading habits, but to do so at an unprecedented level of granularity. Because the books will be accessed on Google's servers, Google will not only know what books readers search for and access, but will also know which pages they read, how long they stayed on each page, what book they read before, and which books they access next. This is a level of reader surveillance that no library or bookstore has ever had.

...

And it's not just Google that might want records about your reading habits. A core concern EFF has with the proposed settlement is that under it Google need not insist on a warrant before turning over this sensitive reader information to governmental authorities or private third parties. This is hardly a hypothetical risk: between 2001 and 2005, libraries were contacted by law enforcement seeking information on patrons at least 200 times. And in 2006 alone, AOL received almost 1,000 requests each month for information in civil and criminal cases.

This lack of protections for reader privacy stands in sharp contrast to the privacy protections that librarians and bookstores have been fighting for in connection with physical books for decades. Nearly every state has laws protecting the privacy of library patrons. Yet when Google scans books it got from libraries, privacy protections could be left behind at the digital threshold if Google doesn't stand up for them.

...

Google has announced a privacy policy for Google Books. While it addresses some of the privacy concerns EFF and others had raised, it does not go nearly far enough. As we've previously explained, the privacy policy can be changed at any time, is not an enforceable obligation tied to the proposed settlement agreement...For all of these reasons, in its present form and without further affirmative steps by Google either in the context of the settlement or outside it, the proposed Settlement 2.0 makes Google Books a threat to reader privacy, which in turn is a serious down-side that must be weighed against the settlement's potential benefits.

If you are yet to be convinced that such a service does indeed pose privacy risks - unprecedented in some respects - then I highly suggest you check out the rest of EFF's article. In it you'll find a laundry list of specifics in which Google has intentionally fought privacy protections, and for the time being beaten them back, as reflected in the current settlement.

The question we should continue to ask when dealing with Google's ongoing aversion to privacy protections for its customers is why? I would venture to guess that the answer to that question will be found in the same way so many related ones are answered: follow the money.

GPS Tracking Devices and Privacy

GPS tracking devices seem to be becoming the rage of both government and a variety of business interests. Unfortunately for us citizens, we get the benefit of being tracked at all times through a myriad of potential devices. Before I get to an excellent editorial in the New York Times on this technology, and the continuing legal battle over whether law enforcement has the right to install GPS tracking devices in suspects' vehicles, let me really briefly discuss three other recent related battles.

Tracking Farm Animals

As if there aren't enough ways that government and/or big business have found to creep into our lives, monitor our movements, trace our transactions, and listen to our phone calls, there was the story of the Bush Administration wanting to chip animals and have small farmers report nearly everything that happens to them.

I'm talking about - and this isn't a joke - the Bush administration's "National Animal Identification System" initiative. This proposal to "chip" animals with RFID tags isn't just an invasion of privacy (as explained in my post on this subject a year ago), it also would achieve an additional goal of the administration: provide an even greater advantage to agribusiness at the expense of family farms.

See, big industrial farms would have only had to track herds, not individual cattle...unlike small farmers who'd be forced to track each and every one...a HUGE pain, and cost. Family farmers see it as an assault on their way of life by a federal bureaucracy with close ties to industrial agriculture. Privacy advocates, then and now, view a database that would contain all this information as an invasive, detailed electronic record of farmers' activities. Read about it here.

Tracking Our Vehicles

Then, there's the installation of GPS tracking devices in vehicles for auto insurance purposes. I have written extensively about this little privacy invasion in past posts, as there was legislation in California that sought to expand such an idea that the Consumer Federation of California, as well as the Consumer Watchdog, ACLU, Privacy Rights Clearinghouse, and the Electronic Frontier Foundation all opposed.

As Consumer Watchdog's Carmen Balber wrote: The possibility of installing technology in peoples' cars also brings up a host of privacy concerns: Should Californians be forced to pay higher premiums if they want to protect their privacy and reject technology?

(AB 2800)...would invite the spyware in. What kind of data do insurance companies really want to collect? They're already using a huge range of information - like speed, location and time of day - in different parts of the country and across the world.

You can read my posts about this former legislation here, here, and here.

Tracking Our Cell Phones

There's also the use of GPS tracking devices in cell phones. While serving as a U.S. attorney during the Bush administration, Christopher Christie tracked the whereabouts of citizens through their cell phones without warrants. The ACLU obtained the documents detailing the spying program from the Justice Department in an ongoing lawsuit over cell phone tracking.

While the documents reveal 79 such cases on or after Sept. 12, 2001, they do not specify how many of the applications were made during Christie's tenure. You can read more about that usage of this technology by going to my post here.

Law Enforcement and the New York Times Editorial

Now that we've got a broader understanding of what's at stake when discussing ways in which GPS tracking devices threaten privacy, let's go to the New York Times editorial today on the case involving the right of police to use this technology in suspects' cars:

A federal appeals court in Washington, D.C., heard arguments last week about whether police should have to get a warrant before putting a GPS device on a suspect’s car. It is a cutting-edge civil liberties question that has divided the courts that have considered it. GPS devices give the government extraordinary power to monitor people’s movements. The Washington court should rule that a warrant is required.

...

The Supreme Court has not considered the question of whether the police need a court order to install a GPS device. The government has tried to draw an analogy to a 1983 case in which the court ruled that the police do not need a warrant to use a radio beeper to track a vehicle on public roads, but the circumstances were different. In that case, the police were conducting visual surveillance of a particular suspect’s movements, and a beeper augmented the officers’ senses. A modern GPS device is a far more potent means of tracking people than a beeper.

...

The New York Court of Appeals, the highest New York court, got it exactly right earlier this year, insisting that permitting police to install GPS devices without judicial oversight would be “an enormous unsupervised intrusion by the police agencies of government upon personal privacy.” As technology advances, government will continue to acquire new and more efficient ways of monitoring people. It is critical that the privacy rights guaranteed by the Fourth Amendment keep up with those advances.

Click here to read more.

Friday, November 20, 2009

CPUC Grants Smart Grid Hearings on Privacy

As those that have been reading this blog over the past few months probably know, I've been delving into the privacy implications and challenges that a transition to a Smart Grid system poses quite a bit.

As such, rather than retread through everything I've already written on the subject, you can check out past posts from earliest to latest, here, here and here.

I also want to update everybody, before I get to a new, very thorough article in Computerworld on this subject, on the good news coming out of the California Public Utilities Commission.

As the PUC has been deliberating on what the ideal regulatory framework for a smart grid system in our state might be, the Consumer Federation of California (CFC) joined with TURN in urging for a more comprehensive review and debate regarding the privacy challenges and implications such a system poses by holding separate hearings on the subject.

I'm pleased to report that the PUC has indeed agreed to hold these hearings. Essentially, the Commission came to the conclusion that to properly address privacy and confidentiality issues more review was necessary, and that workshops will be held and comments will be accepted.

Specifically, the Commission homed in on what kind of access third parties should have to consumer data, how confidential that data will be, and what security precautions there will be for the massive amounts of personal information such a system will store.

We (CFC) will now be seeking out additional participation and expertise from our privacy advocate friends in the coming weeks and months.

Now, for a little more backdrop on Smart Grid: As I mentioned months ago, the transition to a "Smart Grid" system has been trumpeted by former Vice President Al Gore, and started gaining serious traction once President Obama announced his plan to overhaul U.S. infrastructure - including construction of a nationwide "smart grid" that promises to help address many of our current energy challenges.

According to Obama (and other environmental experts), the plan offers the hope that it "will save us money, protect our power sources from blackout or attack, and deliver clean, alternative forms of energy to every corner of our nation." What is especially interesting about this topic - to me anyway - stems from my past work as an environmental advocate versus my current work on privacy related issues.

As some of you may have gathered, there are some issues in which these two interests - privacy and environment - clash (albeit more "gently" than other more typical oppositional interests). The good news is there is no real need for such a clash to occur, as the real "conflict" will much more likely be between those that want to protect our privacy and right to control our own data, and those that want to profit off buying and selling it (as well as the Government's and law enforcement's desire to access it).

Before I get to the article today, I want to really lay out, in detail, what exactly a Smart Grid is, and why it threatens privacy in a myriad of ways.

The Electronic Privacy Information Center (EPIC) is providing a lot of very useful information on the topic, so let's begin there. Here's EPIC's definition of a Smart Grid system, who stands to benefit from it, and why:

The term "Smart Grid" encompasses a host of inter-related technologies rapidly moving into public use to reduce or better manage electricity consumption. Smart grid systems may be designed to allow electricity service providers, users, or third party electricity usage management service providers to monitor and control electricity use. The electricity service providers may view a smart grid system as a way to precisely locate power outages or other problems so that technicians can be dispatched to mitigate problems.

Pro-environment policymakers may view a smart grid as key to protecting the nation's investment in the future as the world moves toward renewable energy. Another view of smart grid systems is that it would support law enforcement by making it easier to identify, track, and manage information or technology that is associated with people, places, or things involved in an investigation.

National security and defense supporters may see the efficient and exacting ability of smart grid systems to manage and redirect the flow of electricity across large areas as critical to assuring resources for their use. Marketers may view smart grid systems as another opportunity to learn more about consumers and how they use the items they purchase. Finally, consumers, if given control over some smart grid features, may see smart grid systems as tools to assist them in making better informed decisions regarding their energy consumption.

Smart meter technology is the first remote communication device designed for smart grid application. These meters have moved into the marketplace and are poised to change how data on home or office consumption of electricity is collected by service providers. Additional changes that smart grid systems may bring are not limited to meters but extend to monitoring other devices, e.g. washing machines, hot water heaters, pool pumps, entertainment centers, lighting fixtures, and heating and cooling systems.

Consuming electricity will take on new meaning in the context of privacy rights. A smart grid pilot project in Fayetteville, NC reports that it can manage over 250 devices in customers' homes. The system would be able to selectively reduce demand among its 80,000 customers by turning off devices in homes that are part of the smart grid program.

As I wrote in a past post as well, the paradox of a smart grid system is that what will ostensibly make it an effective tool in reducing energy usage - information - is precisely what makes it a threat to privacy: Information (ours).

With all that said, here are a few questions we should all be asking: How much information should you give up to the grid? Who gets access to that information and why? How long does that information remain in a database? And how do we protect it?

EPIC lists the potential privacy consequences of a Smart Grid:

Identity Theft
Determine Personal Behavior Patterns
Determine Specific Appliances Used
Perform Real-Time Surveillance
Reveal Activities Through Residual Data
Targeted Home Invasions (latch key children, elderly, etc.)
Provide Accidental Invasions
Activity Censorship
Decisions and Actions Based Upon Inaccurate Data
Profiling
Unwanted Publicity and Embarrassment
Tracking Behavior Of Renters/Leasers
Behavior Tracking (possible combination with Personal Behavior Patterns)
Public Aggregated Searches Revealing Individual Behavior

With that, let's get to the article in Computerworld entitled "Will the smart grid protect consumer privacy?" Jay Cline, a former chief privacy officer at a Fortune 500 company and now president of Minnesota Privacy Consultants, writes:

This outlet-specific control will remind us that power companies will be receiving a lot of data about us -- when we come and go, what kinds of appliances are plugged in and how much of our energy use could be classified as waste. There will perhaps be no richer profile of who we and our families are.

That data profile will only become richer with the introduction of smart appliances. These remotely programmable appliances will be able to track, record and optimize usage and send data to each other. And quite possibly, their data could feed back to the power company.

...

So it's possible that your power company could become your Internet service provider; know your daily rhythm, carbon footprint, eating and medicine habits, and relative income level; and be able to micromanage your outlets. Just about every appliance maker, manufacturer, clinical-research organization and service provider is going to be knocking on the door of your power company to buy this data.

Landlords may also be very interested in keeping tabs on what's happening inside their properties. Litigants, law-enforcement entities and defense agencies are also certainly going to be pursuing this data on a regular basis.

Privacy consultant Rebecca Herold, writing in the September 2009 document by the National Institute of Standards and Technology (NIST), Smart Grid Cyber Security Strategy and Requirements, outlined the key privacy risks needing to be managed by smart-grid operators. Among them:

Personal profiling -- Accumulating massive data files on people that eventually become used for purposes beyond delivering them energy.
Identity theft and home invasions -- Not sufficiently protecting these rich data profiles from criminals who could harm individual consumers.
Activity censorship -- Determining what energy uses are not acceptable or should be taxed at a higher rate.
Decisions based on inaccurate data -- Turning off power to an outlet that is providing a health-sustaining appliance or device, or providing inaccurate data to credit-reporting agencies and government agencies.


...

What kind of privacy requirements should they be building into the smart grid? I think the seven Safe Harbor privacy principles point the way. Here they are, applied to the smart-grid world:

Notice. Prior to hooking up a smart meter, give consumers a detailed privacy notice that lists all the potential data that will be collected, all the potential uses, all the potential parties who could get access to it, and how long the power company will retain this information.

Choice. Obtain opt-in consent from consumers for any collection and use of their data that is not strictly required to provide and bill for energy service.


Access. Give consumers the ability to review all of the data that has been collected about them.

Data integrity. Give consumers a way to correct mistakes in their data, especially regarding outlets and appliances that, if turned off, could harm them.


Security. Certify against the NIST standards for smart-grid security.

Onward transfer. Hold business partners and service providers who may access consumer data contractually accountable to these same terms. If consumer data has been subpoenaed, immediately notify affected consumers so that they can exercise their rights.

Enforcement. Maintain an independent dispute-resolution process of the likes managed by Truste to expediently resolve consumer-privacy complaints. Regularly conduct privacy and security audits and report the findings to the appropriate regulator.


Click here to read the article in its entirety.

To be sure, the article by Cline is one of the most comprehensive to date, at least in terms of explaining how the system works, and how it might evolve. The privacy protections laid out, while useful, require a lot more detail, and that, no doubt, will be the challenge for privacy advocates in the upcoming hearings held by the CPUC.

In the case of the "Smart Grid", we must move beyond an "either/or" scenario (i.e. environment v. privacy, efficiency v. privacy), and embrace a thorough, thoughtful and deliberative public policy process that, in the end, must include ironclad "opt-in" privacy protections along with the kinds of smart, efficient, and sustainable environmental benefits nearly everyone agrees should also accompany such a system.

Again, the privacy implications should not be taken lightly, as Bob Sullivan, who covers Internet scams and consumer fraud for MSNBC.com, explains:

...others see a darker side. Utility companies...might sell this information to marketing companies -- perhaps a travel agency will send brochures right when the family vacation is about to arrive. Law enforcement officials might use this information against us ("Where were you last night? Home watching TV? That's not what the power company says … ”).

Divorce lawyers could subpoena the data ("You say you're a good parent, but your children are forced to sleep in 61-degree rooms. For shame ...").

A credit bureau or insurance company could penalize you because your energy use patterns are similar to those of other troublesome consumers. Or criminals could spy the data, then plan home burglaries with fine-tuned accuracy.

Space-aged visions of talking appliances may seem farfetched. They're not. Data creep will inevitably happen. Already, some consumers are getting statements that compare their use to neighbors' usage -- and "overusage" premium pricing isn't far behind. But what if the comparisons aren't fair? Most families would want to be compared to similar families -- how much power do three teen-ager daughter households use?

And perhaps even more to the point, Susan L. Lyon, who has an extensive background representing multinational companies on privacy, data security, online safety and Internet laws, breaks down the Constitutional ramifications:

"The nature of the smart grid requires ubiquitous deployment of monitoring technology in every home it touches. The impact of this is significant considering that privacy of the home is such an important value in our society that its protection is guaranteed in the U.S. Bill of Rights, "The right of the people to be secure in their...houses...shall not be violated." So while the benefits of a unified national smart grid system are very clear to most, as with any technology, the systems that provide these societal benefits and the policies that shape them should be designed to account for the privacy concerns of the individuals they serve."

For an excellent case study of what we may have in store in California, I suggest you take a look at what's been going on in Colorado. The state public utility commission there was convinced by Elias Quinn of CEES, University of Colorado Law School, and author of "Privacy and the New Energy Infrastructure", to hold separate hearings dealing with privacy concerns related to the smart grid. His paper provides detailed analysis of each privacy-related component of a Smart Grid system and specific policy proposals designed to address them.

Come back here for more coverage of this issue as it plays out in the California Public Utilities Commission.

Thursday, November 19, 2009

ACLU Launches MUCH NEEDED DotRights Campaign

My friends at the ACLU, with special thanks to Nicole Ozer, the Northern California branch's Technology and Civil Liberties Policy Director, have launched an exciting, and what I consider to be an incredibly important, campaign called "DotRights".

The campaign was launched yesterday with an ENORMOUS task in front of it: both educating the public about our right to control our data on the Internet and throughout our evolving cyberspace reality, as well as the concrete steps we need to take to protect our privacy rights. And as the campaign notes, some fairly broad rights were granted - though its intent is rarely followed - to each and every one of us by the Electronic Communications Privacy Act of 1986.

In other words, while the campaign's goal and challenge appear to be almost revolutionary in scope, the fact is it's making a rather simple point: the law itself (or at least its intent) is not currently being followed when it comes to our privacy and the use of our personal data on the Internet, and it's time it is. For that to happen, the rules of the game must be strengthened and updated (i.e. brought into the 21st Century). I'm in!

In a statement released yesterday as the group unveiled its slick, interactive, and informative Web site called, as you might guess: dotrights.org, the ACLU said its goal was to "spotlight the need to upgrade laws protecting consumer data".

Anyone who reads this blog is probably already aware of the myriad of ways in which companies and government agencies take advantage of both a lax legal landscape that allows massive amounts of our personal data to be collected and sold simply based on our browsing habits...and the lack of consumer understanding of this growing business practice.

Think behavioral marketing, think Google Books, think Facebook, think the coming smart grid, think locational tracking, think government surveillance, and so on, and so forth. The list is becoming infinitely long as today's information economy grows and evolves...which is precisely the point of the ACLU's DotRights effort.

Check out this particularly useful tool on the site...as it takes you through step by step how your data can be used for purposes other than what you want it to be...

Among some of the specific policy recommendations being made by the site, we've got updating Internet privacy laws (a major theme I highlight on this blog: the need for regulation to catch up with technological innovation) - such as new legislation forcing Web sites to disclose what information they gather about users and permitting those visitors to have their information deleted free of charge.

But enough of my description of the campaign, let's get to Nicole Ozer's, as published in the California Progress Report yesterday.

Nicole writes:

Your life, your data. Or is it? When we update our status on Facebook, post those photos on Flickr, or shop for holiday gifts on Amazon, a whole lot happens behind the scenes. The more we do online, the more digital footprints we leave behind. Many sites we visit collect detailed information about us—our politics, hobbies, relationships and more.

Outdated privacy laws often fail to keep your personal information from being shared, sold, or handed over to a snooping government—without a warrant! And the government and some Web companies don't exactly want us to connect the dots.

...

Online companies regularly receive demands for personal information about their users—with little to no judicial oversight. Facebook reportedly receives up to 100 demands each week seeking information about its users. AOL reportedly receives 1,000 demands a month.

In 2006, a U.S. Attorney demanded book purchase records of 24,000 Amazon.com customers. (In a show of loyalty to users, the company successfully fought back against the subpoena.) Other companies, like Google, don't make public how often information about their users is demanded or disclosed.

No one should be forced to choose between using the Internet and keeping their personal information from being misused. We shouldn't have to pay for these seemingly free online services with personal details about our lives.

That's where the ACLU of Northern California's new Demand Your dotRights campaign comes in. It provides a behind-the-scenes look at everything from social networking, to photo sites, to search engines. The campaign helps you connect the dots to see how your favorite online activities make it harder for you to keep your private information, well, private. If you've seen our ACLU Facebook quiz, you're already aware of the problem—but that's just the tip of the iceberg.

...

Consumers clearly want more control over personal information, so it's good business for companies to join consumers in demanding a privacy upgrade. A 2009 national telephone survey conducted by the University of California, Berkeley, and University of Pennsylvania revealed that 92% of American adults believe they should retain the right to delete their information from a site, and 69% feel there should be a law that gives people the right to know everything that a website knows about them.

Click here to read the rest of the article.

Tuesday, November 17, 2009

Revised Google Book Search Court Settlement Fails to Address Core Privacy Concerns

I'm guessing everyone is aware of one of Google's latest ventures that, as one might have guessed, poses a threat to privacy rights: a dramatic expansion of its Google Book Search service. I've written about this in the past here, particularly the court battle that has been underway over the service, pitting the Electronic Frontier Foundation, the ACLU, and the Samuelson Clinic (from the Berkeley Center for Law & Technology) against the technological juggernaut, and privacy-allergic, Google.

As I have noted in the past, the good news is that millions of books will be available for browsing and reading online. The befuddling question remains however as to why Google continues to refuse to bring privacy protections into the 21st Century along with its innovative products. Under its current design, Google Book Search can monitor the books you browse, the pages you read, and even the notes you take in the "margins."

Thus, without strong privacy protections, as the ACLU has outlined so well, all of our browsing and reading history could be collected, analyzed, and turned over to the government or third parties without our knowledge or consent.

But before I go deeper into the privacy implications of the service and ways to address them, let's discuss the revised court settlement regarding Google Book Search that was just released this past Friday (hint: it's done little to assuage the concerns of privacy advocates).

The University of California, Berkeley's, Pamela Samuelson, a law professor and director of the Berkeley Center for Law & Technology, noted:

I also raise questions about user privacy. There are dozens of provisions in the settlement agreement that call for monitoring of what users do with books and essentially no privacy protections built into the settlement agreement. While I think that there were some substantial changes that were made to it, it more had to do with getting foreign rights holders out of the settlement and trying to respond at least in part to issues that the Department of Justice raised. So I think there are dozens and dozens of issues that were raised by objectors to the settlement agreement that are, in fact, not addressed in this revision.

Here's more on the ruling from Wendy Davis of mediapost:

Civil liberties organizations have pointed out that the agreement leaves Google in a position to amass at least as much in-depth information about users' reading habits as libraries. For that reason, groups like the Electronic Frontier Foundation have said the settlement should have terms obligating Google to protect users' privacy -- such as provisions requiring the deletion of logging information. Instead, the amended pact merely says that Google won't share private information with the registry without "valid legal process."

This promise doesn't go nearly far enough to solve the privacy problems posed by a digital book registry. First, requiring "valid legal process" doesn't set the bar all that high considering that any judge can rubber-stamp a subpoena requiring Google to disclose information about readers. Sure, Google can challenge subpoenas in court, but nothing in this agreement appears to require the company to do so.

...

The reality is, as long as Google plans to collect and retain information tying users -- or even IP addresses -- to reading material, users' privacy is vulnerable...If Google doesn't want that to happen, the company should agree to some new limits on its ability to collect and retain data about the books that people read online.

Click here to read more.

I don't think it's too much to ask, as the ACLU has advocated, that Google promise it will protect reader records by responding only to properly issued warrants from law enforcement and court orders from third parties. It also must promise that it will tell readers if anyone demands access to information about them, before that information is disclosed if possible.

If none of this takes place, and no additional protections are afforded users, EFF and the ACLU warn that Google Books could "become a one-stop shop for government surveillance into the reading habits of millions of Americans."

As I wrote a month back, we're not talking about just another library, mind you - librarians use different standards for dealing with user information than does the online world. Many libraries routinely delete borrower information, and organizations such as the American Library Association have fought hard to preserve the privacy of their patrons in the face of laws such as the U.S. Patriot Act. The concerns of privacy advocates are not hypothetical - nor should they be discarded as paranoia.

Our country has a long history of government efforts to compel libraries and booksellers to turn over customer records and information. Why would anyone believe, particularly after the warrantless wiretapping scandal, that the government won't ask a company like Google to turn over the treasure trove of private personal information it has on millions of Americans? For these reasons and more, it is essential that Google Book Search incorporate strong privacy protections.

The ACLU lays out how users' privacy should and could be better protected:

Limited Tracking: Just as readers can anonymously browse books in a library or bookstore, they should be able to anonymously browse, search, and preview books using Google Book Search. Google must allow users to browse, search, and preview books without being forced to register or provide any personal information. Google must not keep logging information for any of its Google Book Search services longer than 30 days. In addition, Google must not link any information about a reader's use of Google Book Search with any information about that reader's use of other Google services without specific, informed consent.

User Control: Readers should have complete control of their purchases and purchasing data. Readers must be able to review and delete their records and have extensive permissions controls for their "bookshelves" or any other reading displays. Readers also must be able to “give” books to anyone, including to themselves, without tracking. Google also must not reveal any information about Google Book Search use to credit card processors or any other third parties.

User Transparency: Readers should know what information is being collected and maintained about them and when and why reader information has been disclosed. Google must develop a robust privacy policy and publish annually the number and type of demands for reader information that are received. Google needs to know that readers will not pay for digital books with their privacy. The time is now to make sure that Google doesn't close the book on reader privacy.

You can join the ACLU and EFF's effort here.

Monday, November 16, 2009

Google Voice Violates Google's Privacy Policy

I've done a whole lot of posts on Google and their ever-expanding technological empire and the rather confrontational relationship it's had with privacy advocates, which can add some perspective to this latest "privacy snafu" (albeit a minor one).

I've written about the approaching launch of Google Books, just around the corner, which the ACLU, Electronic Frontier Foundation, and the Samuelson Clinic have even launched a Google Book Search privacy campaign to address.

I've written about the loss of "Locational Privacy" and how a host of Google products relate to that growing privacy protection challenge.

And I've posted a lot about other examples demonstrating Google's less than stellar record on privacy in the past, from their lobbying efforts in Congress, to cloud computing, and to its increasing usage and expansion of behavioral marketing techniques.

In a nutshell, as I wrote a few months back, "It's inarguable that Google is rapidly becoming the official technology sponsor of the nation and globe. For the sake of argument, let's just accept this as truth, and assume this company's reach and breadth will only grow. With that in mind, it becomes paramount - and beholden on all those that relish privacy - to keep a close eye on this global leader's attention to this constitutional protection as it relates to their technological innovations.

While it might be an exaggeration to say that Google has been hostile to privacy advocates and their concerns, they've been resistant to say the least. Google has become a concern for advocates for a myriad of reasons, stemming from their lobbying activities to the actual privacy implications of some of their product lines."

With that, the Washington Post published an article in last Friday's edition entitled "How Google Voice Violates Google's Own Privacy Policy", which details how the Google Voice service systematically replaces friends' phone numbers with their Google Voice numbers when they call, even when they aren't calling from Google Voice. As the author notes, this is a clear violation of Google's own privacy policy.

Michael Arrington of TechCrunch.com writes:

Here's how this works: Let's say you signed up for Google Voice sometime in the past. The main benefit of Google Voice is that it forwards calls to your other phones "one number for life" thing. So you probably told Google Voice a few of your other phone numbers, home, work, mobile, etc. And then perhaps you stopped using the service after testing it.

Now if you call my Google Voice number from any of those real phone numbers that you told Google about, the caller ID and archived information on Google Voice (missed and received calls, voicemails) says your Google Voice number, not the number you are calling from.

That creates confusion. If I have your mobile number stored in my phone, it doesn't recognize the Google Voice caller ID and I tend to ignore the call. Then I read the transcribed voicemail and realize it's someone I know. I check my address book and the number isn't right, though. I add the new number and maybe delete the old one, thinking you've changed phones. It's a mess.

Inbound text messages have the same problem. And if I return the text message and you don't have the feature turned on to your real mobile phone, you won't get them.

...

What if you sent me an email from your work account to my Gmail account, and Google automatically changed the from address to your Gmail account? This is a direct analogy to what's happening with Google Voice.

And it's a clear violation of Google's privacy policy, which states:

Information sharing: Google only shares personal information with other companies or individuals outside of Google in the following limited circumstances: We have your consent. We require opt-in consent for the sharing of any sensitive personal information. We provide such information to our subsidiaries, affiliated companies or other trusted businesses or persons for the purpose of processing personal information on our behalf. We require that these parties agree to process such information based on our instructions and in compliance with this Privacy Policy and any other appropriate confidentiality and security measures.

We have a good faith belief that access, use, preservation or disclosure of such information is reasonably necessary to (a) satisfy any applicable law, regulation, legal process or enforceable governmental request, (b) enforce applicable Terms of Service, including investigation of potential violations thereof, (c) detect, prevent, or otherwise address fraud, security or technical issues, or (d) protect against harm to the rights, property or safety of Google, its users or the public as required or permitted by law.


Click here to read more.


As noted by the author, none of the exceptions listed in the privacy policy apply to this case, and as such, Google needs to add an opt-in for this feature. As it is, Google wants consumers who have Google Voice to use that number, and this problematic feature is a way of ensuring this happens.

Nonetheless, as again the author notes, just because someone gives you one of their phone numbers doesn't mean they want to give you their Google Voice number. Maybe they abandoned the service. Or maybe they just don't want you to have that number. Regardless, this is a clear example of an "opt-in" feature.

Thursday, November 12, 2009

EFF Battles US Government Over Efforts to Subpoena Info on Left Wing Site's Visitors

Now here's one of those "holy crap there really is a Big Brother" type stories. Apparently my friends at the Electronic Frontier Foundation (EFF) have been tangling with the US Government over its efforts to subpoena the IP address of every visitor to a left leaning political website called IndyMedia.us. But that's not all, the grand jury subpoena also required the site "not to disclose the existence of this request" unless authorized by the Justice Department.

Just what in the hell is going on here? And what does it say about online journalism and privacy rights? One problem with this government subpoena is that it's illegal. It's also disturbing and, how can one say it? "Antithetical to the founding principles of our country"!

Before you start thinking "Oh no, another Obama Administration betrayal", let me point out that the subpoena from U.S. Attorney Tim Morrison was filed on June 25, 2008...during the good ole' Constitution-burning Bush years.

A report published by EFF describes how these U.S. attorneys issued a federal grand jury subpoena to Indymedia.us administrator Kristina Clair demanding "all IP traffic to and from www.indymedia.us" for a particular date, potentially identifying every person who visited any news story on the Indymedia site.

Among other things, it instructed Clair to "include IP addresses, times, and any other identifying information," including e-mail addresses, physical addresses, registered accounts, and Indymedia readers' Social Security Numbers, bank account numbers, credit card numbers, and so on.

After talking to other Indymedia volunteers, Clair ended up calling the Electronic Frontier Foundation in San Francisco, which represented her at no cost.

EFF Senior Staff Attorney Kevin Bankston explains that this overbroad demand for internet records not only violated federal privacy law but also violated Clair's First Amendment rights, by ordering her not to disclose the existence of the subpoena without a U.S. attorney's permission. Other problems with the subpoena include that it was not personally served, that a judge-issued court order would be required for the full logs, and that Indymedia did not store logs in the first place.

As Bankston notes, "Because Indymedia follows EFF’s Best Practices for Online Service Providers and does not keep historical IP logs, there was no information for Indymedia to hand over, and the government withdrew the subpoena. However, as the report describes, that wasn’t the end of the tale: Ms. Clair wanted EFF to be able to tell the story of the subpoena and shine a light on the government’s illegal demand, yet the subpoena ordered silence. Under pressure from EFF, the government admitted that the subpoena’s gag order had no legal basis, and ultimately chose not to go to court to try to force Ms. Clair’s silence despite earlier threats to do so."

Bankston then sums up why this story is important:

This story is an important example of how government abuses breed in secrecy, and an argument for Congress to step in and require meaningful reporting about how the government uses its surveillance authorities. How often does the government attempt such illegal fishing expeditions through internet data? How many online service providers have received similarly bogus demands, and handed over how much data, violating how many internet users' privacy? How many of those subpoena recipients have been intimidated into silence by unconstitutional gag orders?

...until Congress exerts stronger oversight, we can’t know, except in those occasional instances where a brave online service provider steps up, pushes back, and tells the world. We encourage other online service providers to follow the example of Indymedia.us and Kristina Clair by standing up for their users' rights when the government secretly overreaches. If you're an ISP, a web host, an email provider, an app developer, a Web 2.0 start-up or any other kind of online service provider and you receive a government demand for your users' data, please call a lawyer. If you don't have a lawyer, call EFF.

As noted by CBS News, this is not the first time that the Feds have focused on the liberal Indymedia Web site, which hosts a myriad of activist writers and advocates. In 2004, the Justice Department sent a grand jury subpoena asking for information about who posted lists of Republican delegates while urging they be given an unwelcome reception at the party's convention in New York City that year. An Indymedia hosting service in Texas once received a subpoena asking for server logs in relation to an investigation of an attempted murder in Italy.

The fact that the government is actively targeting liberal media sites should be a concern to everyone.

For a full fleshing out of this story, the EFF report is the place to go. For those without the time to read it all, here is the closing summation entitled "Closing Lessons":

The experience of Ms. Clair in dealing with the subpoena for Indymedia's logs brings with it several lessons — not only for online service providers but also for the average Internet user, Americans who care about civil liberties, and Congress.

The first lesson is for the average Internet user: yes, your IP address can be and typically is logged by the online services that you use, and yes, the government can obtain those logs, sometimes with only a subpoena issued directly by a prosecutor. If you want to anonymize your IP address to prevent the violation of your online privacy, you can use anonymizing software such as "Tor". You can find out more about Tor and how it works in this section of EFF's Surveillance Self-Defense Manual and at http://www.torproject.org/.

For online service providers, the second lesson is straightforward, and one that EFF has highlighted both in its "Best Practices for Online Service Providers" and its Surveillance Self-Defense manual: if you don't have it, they can't get it. When providers avoid keeping unnecessary Internet logs, responding to subpoenas and other legal demands for such information becomes very simple: "Sorry, but we don't keep those logs and so we don't have any information that's responsive to this subpoena."

The third lesson, again for providers, is that they can and should seek legal advice when they receive legal demands for information. Without a lawyer's advice, providers may hand over data that the government isn't legally entitled to or that the provider is legally forbidden from disclosing, and may be cowed into silence by bogus gag demands.

For example, assume that the subpoena in this case had been served on a service that did keep logs of site visitors' IP addresses. Without advice from counsel like EFF, the recipient would not have known that the request, purportedly based on the SCA, actually violated the SCA, and that providing the information to the government could have created liability for the service provider.

Nor would the provider have understood that the subpoena's purported requirement of secrecy was actually an unenforceable request, or that if there was a gag order it could be challenged in court on First Amendment grounds. Absent advice from a lawyer, the provider's unquestioning silence would unnecessarily add to the growing fog of secrecy that surrounds the government's practices in this area.

This leads to our fourth and final lesson, for members of Congress and their constituents: the level of secrecy surrounding how the government uses its surveillance authority under the Stored Communications Act encourages abuses. Sunlight is the best disinfectant, and the best protection against such abuses is more clarity and transparency when it comes to how the SCA is used. Americans who care about civil liberties should press Congress to update the SCA to further clarify what it does and does not authorize, and to require detailed public reporting about how the statute is used, just like the federal wiretap statute requires annual reports on law enforcement's wiretapping activities.

Without such reform, we may never know how often the government issues unlawful demands like the one described here, or how often providers secretly comply with those demands. The government must be held accountable for its uses — and abuses — of its surveillance authority, and with your and Congress' help, it can be held to account.

Until that day, EFF continues to stand ready to provide assistance the next time the government knocks on someone's door with an unlawful, invalid, overbroad, free speech-threatening, privacy-invasive demand for your sensitive Internet data.

Click here to read the report in its entirety.

For now I'll just send my personal thanks to EFF for their outstanding work!

Tuesday, November 10, 2009

The Smart Grid and Privacy

At a now-annual gathering of privacy advocate leaders in Sacramento yesterday, I was given the opportunity to address our state and nation's transition to a smart grid system and the privacy challenges it poses. I have written about the subject on this blog here and here. As such, I thought I'd share the general outline of that presentation, particularly in light of the approaching decision by the California Public Utilities Commission as to whether separate privacy-specific hearings will be held on the smart grid.

What is a Smart Grid?

A smart grid is the ubiquitous deployment of monitoring technologies (called smart meters) that will allow utilities to collect detailed information about the electricity consumption habits of homes. With that information, they will be able to determine how to operate appliances more efficiently, e.g. ice makers will operate only when the washing machine isn't, TVs will shut off when viewers leave the room, air conditioner and heater levels will be controlled, etc.

Similarly, utilities will be able to adjust home energy usage based on times of the day and temperatures and there will be an increased ability to ensure renewable sources of energy are distributed more efficiently.

All of these home gadgets will be wirelessly connected to the Internet so consumers can access detailed information about their electricity use (although when and how this will be done is not decided).

The benefits of such a system are self-evident: reduced energy use and CO2 emissions (maybe 20% per home), blackout prevention, faster development of renewables, and improved service, because utilities will know immediately when service is down (among others).

(Note: the system has just run into its first major hiccup in California, as the energy bills of smart grid homes in the state have skyrocketed, resulting in a lawsuit against PG&E.)

Up to three-fourths of the homes in the United States are expected to be placed on the "Smart Grid" in the next decade. Already, some 8 million "Smart Meters" have been installed in U.S. homes. There will be nearly 50 million by 2012. PG&E is installing 13,000 per day in California, and overall, three major utilities will deploy 12 million by the end of 2012.

Let me also be clear: I used to work on climate change and other related energy and environmental issues, so I see the need for innovations such as the smart grid; it represents a critical step forward and an important component of any comprehensive global warming and sustainability strategy. This, however, in no way means we should rush its implementation without considering unintended consequences, particularly those related to privacy.

Privacy Implications/Threats

The paradox of a smart grid system is that what will ostensibly make it an effective tool in reducing energy usage - information - is precisely what makes it a threat to privacy: that information is ours.

It is this paradox that has led some to suggest that privacy might even be the “Achilles’ heel” of the Smart Grid.

So what's being done to implement the system and develop proper rules and regulations? The Energy Information and Security Act of 2007 asked state PUCs to answer a series of smart grid implementation and regulation questions. The data access issue (as in who has it), covering both a consumer's right to their information (ideally in real time) and third parties' access to it, was addressed - but privacy was not mentioned.

So what are the unintended consequences of such a system? Privacy issues routinely arise when data collected is harmless in isolation, but becomes a threat when combined with other data, or examined by a third party for patterns.

Bob Sullivan, who covers Internet scams and consumer fraud for MSNBC.com, explains this dilemma well:

...others see a darker side. Utility companies, by gathering hundreds of billions of data points about us, could reconstruct much of our daily lives -- when we wake up, when we go home, when we go on vacation, perhaps even when we draw a hot bath.

They might sell this information to marketing companies -- perhaps a travel agency will send brochures right when the family vacation is about to arrive. Law enforcement officials might use this information against us ("Where were you last night? Home watching TV? That's not what the power company says … ”).

Divorce lawyers could subpoena the data ("You say you're a good parent, but your children are forced to sleep in 61-degree rooms. For shame ...").

A credit bureau or insurance company could penalize you because your energy use patterns are similar to those of other troublesome consumers. Or criminals could spy the data, then plan home burglaries with fine-tuned accuracy. Space-aged visions of talking appliances may seem farfetched. They're not.

Data creep will inevitably happen. Already, some consumers are getting statements that compare their use to neighbors' usage -- and "overusage" premium pricing isn't far behind. But what if the comparisons aren't fair? Most families would want to be compared to similar families -- how much power do three teen-ager daughter households use?

Jules Polonetsky, director of The Future of Privacy Forum, states: "The potential benefits of the Smart Grid are fabulous. I just think that it's critical that sober and adequate thinking be done at this stage. We must do this right or we could hamper the rollout of the Smart Grid and you could have folks unwilling to participate...We are trying to help before it's too late...Knowing what’s going on in people’s homes…this strikes at some of our most core values."

Let's also not forget perhaps the greatest threat of all: hackers. We must consider the potential for falsification of power usage, passing charges on to a neighbor, disconnecting someone else from the grid, etc.

It's also not hard to envision RFID tagged food and prescriptions filling our refrigerators and cabinets in the future which could be read by these smart meters. Could that information be sold to marketers too?

Could our health insurance go up because we eat too much unhealthy food? Might we start receiving brochures about other prescription drugs that the company believes they might be able to convince us we need based on others we are taking?

Policy Challenges and Solutions

With all that said, here are a few questions we should all be asking:

How much information should you give up to the grid?

Who gets access to that information and why?

How long does that information remain in a database?

And how do we protect it once in the grid?

Ideally, we'd take the European approach, which binds companies to collect as little information as is necessary to complete a transaction, and they must delete the data as soon as it is no longer needed – known as “Data Minimization”. That's unlikely, however.
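To make concrete both the "harmless in isolation, revealing in combination" point above and what data minimization buys, here is a small added example (my own illustration, not code from any utility, regulator or the Colorado proceeding). The interval readings are constructed for the example, the 2x-baseline occupancy rule is a simplifying assumption, and the billing granularity assumed is a flat daily total; the point is that a day of 15-minute readings lets a holder reconstruct when the household is home, whereas the aggregated figure a flat-rate bill actually needs does not.

```python
from collections import defaultdict


def constructed_day():
    """Constructed 15-minute interval readings (kWh) for one household day.

    Returns a list of (hour, minute, kwh). The values are invented for
    this example; a real AMI feed would carry weeks of such intervals."""
    readings = []
    for hour in range(24):
        for minute in (0, 15, 30, 45):
            if hour < 6:
                kwh = 0.08   # overnight: refrigerator and standby loads only
            elif hour < 8:
                kwh = 0.35   # morning routine: lights, kettle, shower pump
            elif hour < 18:
                kwh = 0.07   # house empty: baseline only
            elif hour < 23:
                kwh = 0.45   # evening: cooking, television, heating
            else:
                kwh = 0.12   # winding down for the night
            readings.append((hour, minute, kwh))
    return readings


def infer_occupancy(readings, factor=2.0):
    """Infer which hours the home was occupied from interval data alone.

    The quietest interval of the day is taken as the unoccupied baseline
    (an assumption of this example); any hour whose intervals average
    more than `factor` times that baseline is treated as 'someone is
    home'. Returns a sorted list of (start_hour, end_hour) ranges, end
    exclusive. This is the kind of pattern anyone holding the raw
    interval data could reconstruct."""
    baseline = min(kwh for _, _, kwh in readings)
    threshold = baseline * factor
    hourly = defaultdict(float)
    for hour, _, kwh in readings:
        hourly[hour] += kwh
    occupied = sorted(h for h, total in hourly.items() if total / 4 > threshold)
    ranges = []
    for h in occupied:
        if ranges and ranges[-1][1] == h:          # extend the current run
            ranges[-1] = (ranges[-1][0], h + 1)
        else:                                      # start a new run
            ranges.append((h, h + 1))
    return ranges


def minimize_for_billing(readings):
    """Data minimization: keep only what a flat-rate bill needs.

    Summing the intervals into a single daily total (rounded to billing
    precision) discards the occupancy pattern while preserving the
    quantity the utility actually charges for."""
    return round(sum(kwh for _, _, kwh in readings), 2)


if __name__ == "__main__":
    day = constructed_day()
    print("occupied ranges inferred from raw intervals:", infer_occupancy(day))
    print("retained after minimization (kWh/day):", minimize_for_billing(day))
```

Run as a script, the raw intervals yield two occupied ranges (6-8 and 18-23), i.e. wake-up, departure and return times, while the minimized record is a single 17.0 kWh figure. The same logic applied over several days would expose weekday-versus-weekend and vacation patterns; retention rules decide which of the two records exists to be subpoenaed, sold or breached.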

So a more likely indicator, and an excellent case study, is what's been going on in Colorado. The state public utility commission there was convinced by Elias Quinn of CEES at the University of Colorado Law School, author of "Privacy and the New Energy Infrastructure", to hold separate hearings dealing with privacy concerns related to the smart grid. He (and likewise Colorado now) breaks down the privacy challenges into four general categories, each with accompanying policy proposals:

1. Who has Access to Data?
Consumer consent requirements may vary depending on who is seeking your information. Three categories of interests seeking that data were discussed in Colorado, and different approaches were taken for each:

A. Electric Utilities: Opt-Out, because the information is critical to the deployment of smart grid networks and to operating the next-generation distribution systems; so when people sign up for service, they can decline to participate.

B. Automation vendors, smart appliance manufacturers, or other related-but-not-essential companies: a one-time Opt-In per manufacturer.

C. Entities wholly unrelated to electricity provision: Opt-In on a case-by-case basis (and I'd add proof of a good reason to even be able to ask us). So if an insurance carrier seeks to examine a customer's usage data, the customer has to be contacted for her informed consent first, and every time.

And let me add a fourth: Law enforcement should be prohibited, by law, from routine access (but of course can subpoena the data when they have a warrant signed by a judge based on already existing reasonable suspicion).

2. How Is Data Managed? The EU's Data Directive has been cited as a good model, though again, we are far from realizing this here in the States. Data should be: [1] processed fairly and lawfully, [2] sought or collected for specified purposes, and analyzed only for those purposes, [3] merely adequate and not excessive for the purposes motivating its collection, [4] kept accurate, and [5] kept in a form allowing for identification for no longer than necessary.

Electricity customers should have the right to access the information and audit it for accuracy, and perhaps the right to be given the information in a timely and usable manner, so that they might seek their own third-party partners in home automation.

3. How Is Data Protected? Utilities should be mandated by law, with strong penalties, to protect information against anyone who would like to monitor, steal or subvert it. That means addressing two things: 1. security of the database, and 2. security of the data in transit (which could be trickier, as it is wireless).

Ideally the data would be encrypted at the point of transmission in the home, but that is expensive and needs to be done as the system is built, not after. We may look back at this missed opportunity with regret.
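One half of "security of the data in transit" is cheaper than full encryption and addresses the falsification and neighbor-charging threats raised above: authenticate each reading so the head end can reject one that was altered or replayed on the wireless link. The following is an added example of mine, not code from any meter vendor or standard; it assumes a shared HMAC key per meter (here a constructed demo constant) and a monotonically increasing sequence counter kept by the meter. It provides integrity and freshness only; confidentiality of the readings themselves, which the text above argues for, would additionally require encryption with an authenticated cipher from a proper cryptographic library, which this example does not show.

```python
import hashlib
import hmac
import json

# Constructed shared secret for the example only. In a real deployment each
# meter would hold its own key, provisioned at manufacture and stored in
# tamper-resistant hardware, never a literal in source code.
DEMO_KEY = b"constructed-demo-key-do-not-deploy"


def _canonical(meter_id, seq, kwh):
    """Fixed, unambiguous encoding of the fields that are authenticated.

    Sorting keys and stripping whitespace means sender and receiver derive
    byte-identical MAC input even if their JSON libraries differ."""
    return json.dumps(
        {"meter_id": meter_id, "seq": seq, "kwh": kwh},
        sort_keys=True, separators=(",", ":"),
    ).encode("utf-8")


def sign_reading(key, meter_id, seq, kwh):
    """Meter side: attach an HMAC-SHA256 tag over the canonical reading.

    `seq` is a strictly increasing counter kept by the meter; it lets the
    receiver tell a replayed copy of a genuine reading from a fresh one."""
    tag = hmac.new(key, _canonical(meter_id, seq, kwh), hashlib.sha256).hexdigest()
    return {"meter_id": meter_id, "seq": seq, "kwh": kwh, "tag": tag}


def verify_reading(key, msg, last_seq):
    """Head-end side: accept a reading only if it is authentic and fresh.

    `last_seq` maps meter_id -> highest sequence number accepted so far and
    is updated in place on success. Returns (accepted, reason)."""
    try:
        expected = hmac.new(
            key, _canonical(msg["meter_id"], msg["seq"], msg["kwh"]), hashlib.sha256
        ).hexdigest()
    except (KeyError, TypeError):
        return False, "malformed"
    # Constant-time comparison: a plain == would leak tag bytes via timing.
    if not hmac.compare_digest(expected, msg.get("tag", "")):
        return False, "bad tag"
    # Integrity is checked before freshness, so the counter only advances
    # for readings that demonstrably came from the meter.
    if msg["seq"] <= last_seq.get(msg["meter_id"], 0):
        return False, "replay"
    last_seq[msg["meter_id"]] = msg["seq"]
    return True, "ok"


if __name__ == "__main__":
    state = {}
    genuine = sign_reading(DEMO_KEY, "meter-0001", 1, 0.35)
    print(verify_reading(DEMO_KEY, genuine, state))                 # (True, 'ok')
    print(verify_reading(DEMO_KEY, dict(genuine, kwh=3.5), state))  # (False, 'bad tag')
    print(verify_reading(DEMO_KEY, genuine, state))                 # (False, 'replay')
```

A reading whose kWh field was changed in flight fails the tag check, and a verbatim copy of an earlier genuine reading is rejected as a replay even though its tag is valid. Note what this does not do: it does not stop a party who already holds the key, which is why key storage on the meter and key separation between meters matter as much as the algorithm.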

4. Data Breach Notification: There should be notice requirements such that an electricity consumer is notified in the event that personal information is somehow obtained by a party without the requisite consent.

Update on Progress Here in California

As the California Public Utilities Commission decides on a regulatory framework for a smart grid system in our state, CFC has joined with TURN in urging for a more comprehensive review of the privacy threats such a system poses by holding separate hearings on the subject.

We expect a decision in December. It's too late for other groups to file now in this regard, but the PUC is preparing another notice with a new set of questions that we urge more organizations to participate in, and to certainly contribute if possible to any privacy specific hearings that might be granted.

If privacy concerns are not taken into proper consideration, then pursuing a legislative solution may be appropriate.