Are New California PUC Smart Grid Privacy Rules Adequate?

For those that may not know, last year, March 19th to be exact, I spoke before the California Public Utilities Commission regarding the privacy challenges and implications of transitioning to a smart grid electrical system. That's not to say I spoke against the development of such a system, in fact, if implemented correctly, it makes public policy, particularly environmental and economic, sense.

First, briefly: a smart grid system will allow utilities to collect and possibly distribute detailed information about household electricity consumption habits - ice makers will operate only when the washing machine isn't, TVs will shut off when viewers leave the room, air conditioner and heater levels will be operated more efficiently based on time of day and climate. Home gadgets and appliances will be wirelessly connected to the Internet so consumers can access detailed information about their electricity use, and reduce their carbon footprint appropriately.

Soon this technology will be near ubiquitous: Up to three-fourths of the homes in the United States are expected to be placed on the “Smart Grid” in the next decade, and there will be nearly 50 million by 2012. Some foresee it becoming 100 to 1000 times larger than the internet.

But back to the presentation, and then I'll get to the first privacy rules established here in California for this burgeoning electrical system. I happened to be one of three consumer advocates that spoke that day at the CPUC's smart grid workshop...with the focus of that seminar purely on privacy. I suspect I was asked in part due to my op-ed in the California Progress Report, as well as my position at the Consumer Federation of California, and my occasional blog posts here on the topic.

To watch the presentation click here and scroll down to my name - Zack Kaldveer...and click again. The purpose of my presentation, as I will detail here today, was to breakdown ALL the different ways a smart grid system could threaten the privacy of consumers, and the real world damage such privacy violations could cause if the system wasn't developed in a way that put privacy, and consumer control, first.

As I said at the time, "But the paradox of a smart grid system is that what will ostensibly make it an effective tool in reducing energy usage and improving our electric grid – our information - is precisely what makes it a threat to privacy: our information...

The sheer volume of data provided by Smart Grid technologies will make it a prospective goldmine for numerous parties other than the utilities themselves, for reasons other than energy efficiency, and used for purposes that do not benefit the consumer: advertisers and marketers will seek to create and utilize increasingly detailed behavioral profiles, law enforcement and the government will seek to monitor our homes, and criminals will seek to steal identities and rob homes.

As such, without proper safeguards and ironclad rules in place, a myriad of new privacy threats could eventually find their way into every home in America. 

Activities that might be revealed through analysis of home appliance use include personal sleep and work habits, cooking and eating schedules, the presence of certain medical equipment and other specialized devices, presence or absence of persons in the home, and activities that might seem to signal illegal behavior. 

Personal privacy issues routinely arise when data collected is harmless in isolation, but becomes a threat when combined with other data, or examined by a third party for patterns. In other words, what are the potential “unintended consequences” of such an electrical system? And more importantly, what must we do to ensure that those unintended consequences are never realized? 

Such interest in our private data by third parties begs some important questions: How much information should we give up to the grid? Should it be up to the customer to decide? Who stores all that information and for what reasons? How will this information be managed and how long will it be stored? Who will come asking for that information, for what purposes and under what rules? And will there be proper and enforceable accountability for those that abuse our data?

So, with that general description of the system itself, and the related privacy concerns, now let's get to the unanimous vote by the CPUC to adopt the world’s first comprehensive set of rules to ensure that consumers can access the detailed energy usage data gathered by their smart meter — while also protecting the privacy and security of their data. At least...in theory....

The decision applies to the three large investor-owned utilities which serve 80% of Californians with electricity (Pacific Gas & Electric, San Diego Gas & Electric and Southern California Edison). At last count, these three utilities had installed 8 million smart meters. By the end of 2012 they will deploy the final 3 million. 

As detailed by the San Francisco Business Times, "The CPUC is requiring utilities to regularly conduct independent security audits of their wireless meters and to restrict the access of third parties, such as energy-efficiency consultants, to customers' personal details. In addition to the privacy and security rules, the commission is requiring utilities to provide pricing, usage, and cost data to customers online and update the data at least on a daily basis. Each day's usage data, along with applicable price and cost details, must be available by the next day...the standards are consistent with privacy and security principles adopted by California's Senate Bill 1476, which former Gov. Arnold Schwarzenegger signed into law last September, and by the Department of Homeland Security

.....

Although hackers and spammers have so far spared digital smart meters and electrical grids from their cyber intrusions, the massive national rollout of devices and grid upgrades planned for this decade cyber thugs.

"In all systems of this type, the install base needs to reach a critical mass before attackers start looking at breaking these things," Jun said.

In June, the Department of Energy announced that a $4.5 billion stimulus program to ramp up smart grid technology projects, matched by $5.5 billion from the private sector, has already led to the installation of 5 million of the nation's meters. The DOE requires that eligible projects include security provisions to protect against hacking, but it doesn't detail what those measures should look like.

"We are putting devices in homes where — if the right investments in security aren't made now — it is going to be impossible to retrofit them," Jun said. "For an industry that is so new and building infrastructure to last 50 years, one of our major challenges is helping people think ahead." 

More specifically in relation to the privacy component of the decision, it notes, "Consumers will be able to authorize third parties to receive their backhauled smart meter data data directly from the utility (as opposed to data that comes directly from the meter), to support services such as energy efficiency, demand response, energy advice, and more. The three major utilities will submit to the CPUC applications with specific plans, including which standards they will use — probably the Open Automated Data Exchange (OpenADE) standard in final development by NIST’s Smart Grid Interoperability Panel and the North American Energy Standards Board. The utilities, however, will bear no new liability for the actions of third parties which acquire information via this [mechanism].”

Furthermore, to protect consumer privacy and data security, the CPUC is exercising jurisdiction over third parties who receive data (via the backhaul mechanism) in the course of providing services to utilities, or when authorized by consumers. However, the CPUC is not exercising jurisdiction over third parties who receive energy usage data directly from a device installed at residence or business that receives data via the HAN interface.

In this decision the CPUC relied mainly on existing privacy law, using the Fair Information Practice Principles which the U.S. Department of Homeland Security developed as its privacy framework. To clarify the application of these principles, the CPUC decision includes an appendix with details of its privacy rules.
 
Here are the FIP principles, all of which are utilized by the CPUC:
1.    Transparency
2.    Individual participation
3.    Purpose specification
4.    Data minimization
5.    Use limitation
6.    Data quality and integrity
7.    Security
8.    Accountability and auditing

Now, there does appear to be a lot of good things about this ruling...and certainly, privacy has been seriously taken into account. But all it takes is one loophole to release the floodgate of privacy violations and loss of consumer control.

Essentially, there are two general concerns (so far) that I have - namely third party jurisdiction and the lack of adequate enforcement mechanisms (to serve as a proper deterrent).

First and foremost, and I have spoken about third parties A LOT on this blog, my concern is the line about the CPUC not using, or suggesting they don't even have, jurisdiction to enforce the same kind of privacy standards that the utilities must abide by as those that will be applied to third parties. Here’s the key passage of their decision:

“The utilities, however, will bear no new liability for the actions of third parties which acquire information via this [mechanism]"

and 

"it will not exercise jurisdiction over third parties who receive energy usage data directly from a device installed at residence or business..."

On a similar note, after talking with our staff attorney who has been deeply involved in this debate, there also  could be confusion when it comes to definitions of just which devices fall under which category, and which provide maximum privacy protection and which don't. And because of these definitional challenges, third parties will be able to circumvent the registration process by asserting that their devices are “unlocked.” I think that this challenge can be remedied if all parties who sought Smart Grid data would fall under the Commission’s jurisdiction.

The other concern I have, is what appears to be weak penalties  for those that violate basic consumer privacy rules. As I understand it, the only real penalty is that they can no longer ask for data…not exactly a powerful deterrent. AS our attorney wrote to the CPUC, “CFC stated that the proposed rules should be modified to reflect a balance in responsibility between customers and utilities/third parties. When it comes to consumer authorized access to energy data, consumers are left to regulate themselves with what CDT states “a heightened responsibility [for consumers] to understand the implications of this disclosure.” Moreover, there is no penalty or enforcement if utilities or third parties violate these privacy rules. CFC supports the Commission’s adoption of requirements that promote customer education, awareness, and empowerment. However, customer empowerment is only one piece of the puzzle when it comes to effective consumer protection. Proper accountability that includes penalties for violations by utilities and third parties is the other piece."

Now, let's say a third party is given access to this data unknowingly or unwittingly by the consumer...what  are some potential, specific examples of the kinds of “unintended consequences” that might take place? Well, here's the list I gave personally:

• Travel agencies might start sending you brochures right when your annual family vacation approaches.

• Financial institutions making home mortgage loans might also be interested in their customers’ energy usage records to verify whether the customers are actually living in those houses.

• Law enforcement officials might use our information against us. Consider the predictable desire of police to locate in-home marijuana growers by monitoring household power usage? What about increasingly intrusive surveillance of proclaimed suspects homes?

• Lawyers might seek to subpoena your data in a divorce trial, "Have you ever left your child home alone? If so, how often, and for how long?

• Insurance companies, always seeking to maximize profits by denying coverage or jacking up premiums, might start developing connections between energy use patterns – like eating late at night - and unhealthy tendencies.

• Soon RFID tagged labels – read by smart meters – will be found on more and more of the food and prescription drugs that fill our refrigerators and cabinets. Could our health insurance go up because we eat too much unhealthy food? Might we start receiving mailers trying to sell us new prescription drugs that their detailed behavioral profile has led them to conclude we need?

• Hackers and criminals might seek to falsify power usage, pass on their charges to a neighbor, take down the grid entirely, disconnect others, and plan burglaries with an unprecedented degree of accuracy.

• Some consumers are already getting statements that compare their use to their neighbors. Could we see a system develop in which some are penalized for more “wasteful” usage? What if the comparisons aren't fair? Will details such as the number of occupants be properly taken into account?

• Landlords might be interested in know more about what's happening inside their properties.

• If recent revelations regarding warrantless wiretapping, Patriot Act abuses and increasingly intrusive surveillance techniques are an indicator, we should also expect government agencies to come seeking our data.

As I also said that day, "such privacy implications strike at the heart of the Fourth Amendment, the California Constitution, and a core American value: our right to keep private what goes on in our homes, and the inherent freedom that that right provides us. The challenge that now stands before us is how to both protect consumer privacy while simultaneously empowering customers with the ability to access their data in near real time and potentially share it with entities other than the utility.

It is paramount then that our state’s transition to a smart grid system addresses the potential privacy pitfalls while we are in the early stages of its implementation; because once that genie is out of the bottle it’s difficult to put him back in.

A few principles we should keep in mind as we develop a regulatory framework will be consumer control, informed consent, transparency, security and accountability - including strict limits on the amount of data collected, its use, and the length of time it’s stored.

Such privacy safeguards will increase, not decrease, the long-term viability of, and consumer confidence in, the system itself. The only real conflict I foresee in implementing such a system is between those that want to protect their personal data versus those that seek to access and profit off it; as well as the expected public policy rush to get the system up and running before it’s truly ready.

The endless accumulation of our personal data – combined with the outlandish profits being made off it and growing government demand for it – represents a direct assault on our right to privacy. We would do well to contemplate the steady erosion of this right and its long-term implications.

Corporations, by definition, care about profit, not reducing energy usage, and certainly not protecting privacy, just as governments, particularly federal, care more about access and control.

Rapid technological advancement - without the requisite regulatory safeguards – will only add to the increasing disintegration of privacy rights in this country - something the Smart Grid could come to epitomize if we allow ourselves to be seduced by arguments that claim we have no time to spare or to just “trust” those with inherent conflicts of interest."

At this point, its too early to say whether my warnings have been properly heeded...certainly the jurisdiction issue suggests they have fallen short - so far.  But nothing is in stone yet...so I'll keep you posted.