Australian Government - Office of the Australian Information Commissioner
Smart infrastructure and privacy

Speech by Karen Curtis, Privacy Commissioner, to Thinkfuture Smart Infrastructure Conference, Canberra, 12 March 2010 

Introduction

Smart infrastructure has the potential to improve our lives and offers opportunities that we need to grab with both hands.

As Privacy Commissioner, I am not here as a blocker. I am here because smart infrastructure has the potential to impact on privacy and this is something we should address now, before we are too far down the path of implementation.

It is now that we have the best opportunity to make sure that privacy is embedded in the design and operation of smart systems. Tacking privacy protections on at the end is not the best outcome: it is costly and complicated for agencies and organisations, and potentially less effective in protecting individuals.

Smart infrastructure generates data about the behaviours of people.

This simple fact - and the likelihood that much of the data will be about people's behaviour in their homes - means that we need to have a conversation about privacy and new infrastructure projects.

I'm not being controversial when I say that the privacy of the home is considered by most to be sacrosanct. It's where we unwind and spend time 'in the wings' of life. For smart infrastructure to be a success, individuals need to trust that the privacy of their homes and everyday activities is not under threat.

Today I'll talk about a few of the key privacy issues we face in the roll out of smart infrastructure in Australia and why addressing privacy will contribute to the successful implementation, operation and public take-up of smart systems.

Smart infrastructure

The term 'smart infrastructure' broadly refers to the use of information communications technology to enhance the operation and use of infrastructure. For example, in the energy setting, smart grids and smart meters will be able to deliver detailed information about the energy usage of individual homes. This information can be used to:

  • better manage peak usage times
  • improve energy efficiency
  • make the electricity grid more resilient and better at sensing overloads and outages, and
  • give consumers more detailed information about their own energy use.[1]

When coupled with smart appliances, the information becomes all the richer.[2]

The Committee's inquiry will address opportunities in the transport, communications, energy and water sectors.[3] Today I'll focus on smart electricity grid technology, but I note that similar privacy issues will arise for other types of infrastructure.

Smart infrastructure and privacy

Smart infrastructure generates information about people; their habits, behaviours and movements. The data will be detailed and there will be a lot of it. Some predict that the amount of data generated by smart power grids will be far greater than the internet.[4]

For example, smart meters and smart appliances can reveal detailed information about what you are doing at home at any one moment. The Ontario Information and Privacy Commissioner says that the raw data from smart meters and smart appliances could reveal:

Whether individuals tend to cook microwavable meals or meals on the stove; whether they have a cooked breakfast; the time at which individuals are at home; whether a house has an alarm system and how often it is activated; when occupants usually shower; when the TV and/or computer is on; whether appliances are in good condition; the number of gadgets in the home; if the home has a washer and dryer and how often they are used; whether lights and appliances are used at odd hours, such as in the middle of the night; whether and how often exercise equipment such as a treadmill is used.[5]

A seemingly innocuous roll call of information - but one full of possibilities for an enterprising business or an intrusive individual.
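To make the Ontario list above concrete, here is an added Python illustration (it is not part of the speech or of the Ontario report) of how a few lines of analysis over one day of half-hourly readings can already suggest when a household showers, cooks, and is away. The 48 readings, the baseline estimate and the thresholds are constructed assumptions for this example, not real customer data or any utility's method.

```python
"""Constructed example: what a day of half-hourly meter readings can reveal.

The 48 readings below are invented (kWh per 30-minute interval) and are not
real customer data. Thresholds and the baseline rule are assumptions chosen
for illustration.
"""

# Constructed profile for one dwelling. About 0.10 kWh per interval is the
# always-on load (fridge, standby); large values are appliances; the long flat
# run in the middle of the day is the telltale of an empty house.
READINGS = [
    0.10, 0.10, 0.11, 0.10, 0.10, 0.10, 0.10, 0.10, 0.10, 0.10, 0.10, 0.10,  # 00:00-05:30
    0.10, 1.60, 1.90, 0.45, 0.30, 0.25,                                      # 06:00-08:30 hot water, breakfast
    0.10, 0.10, 0.10, 0.10, 0.10, 0.10, 0.10, 0.10,                          # 09:00-12:30
    0.10, 0.10, 0.10, 0.10, 0.10, 0.10, 0.10, 0.10,                          # 13:00-16:30
    0.35, 0.40, 1.20, 1.10, 0.60, 0.55, 0.50, 0.45, 0.40, 0.12, 0.10, 0.10,  # 17:00-22:30 cooking, TV
    0.10, 0.10,                                                              # 23:00-23:30
]


def interval_label(i: int) -> str:
    """Index of a 30-minute interval -> 'HH:MM' start time of that interval."""
    return f"{i // 2:02d}:{(i % 2) * 30:02d}"


def estimate_baseline(readings):
    """Always-on load, taken as the 10th-percentile reading (assumption)."""
    return sorted(readings)[len(readings) // 10]


def quiet_runs(readings, baseline, tol=0.03, min_intervals=8):
    """Runs of at least min_intervals where draw stays within tol of baseline.

    A long quiet run in daytime reads as 'nobody home'; overnight it reads as
    'asleep'. Both are things a household might not want disclosed.
    """
    runs, start = [], None
    for i, kwh in enumerate(readings + [None]):  # None is a sentinel to flush the last run
        quiet = kwh is not None and abs(kwh - baseline) <= tol
        if quiet and start is None:
            start = i
        elif not quiet and start is not None:
            if i - start >= min_intervals:
                runs.append((start, i - 1))
            start = None
    return runs


def high_draw_events(readings, threshold=1.0):
    """Intervals at or above threshold kWh (about 2 kW sustained: hot water, oven, dryer)."""
    return [(i, kwh) for i, kwh in enumerate(readings) if kwh >= threshold]


def profile(readings):
    """Summarise one day as human-readable inferences."""
    base = estimate_baseline(readings)
    return {
        "baseline_kwh": base,
        "likely_away": [(interval_label(a), interval_label(b + 1)) for a, b in quiet_runs(readings, base)],
        "heavy_appliance": [interval_label(i) for i, _ in high_draw_events(readings)],
    }


if __name__ == "__main__":
    for key, value in profile(READINGS).items():
        print(f"{key}: {value}")
```

The point is not the sophistication of the rules (real appliance-signature analysis is far more capable) but that nothing more than arithmetic over billing-grade interval data is needed to turn "electricity usage" into "when you shower and when the house is empty".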

The risk with a rich, new data source is the temptation to use the information for more than originally intended - something we in the privacy business refer to as function creep.  So it could mean collecting data about a person's electricity usage for billing purposes and then selling data to appliance vendors.

The problem with this is that individuals enter into a relationship with a business in good faith, trusting it will only do what it says it will with their information. Not only is it ethical to keep your promises as far as personal information handling goes - it's also a fundamental tenet of privacy legislation.

Third parties that might be interested in smart meter data include:

  • Manufacturers who want to know how their products are actually used
  • Retailers who use the data to know when an appliance is old or likely to fail and provide targeted advertising to the owner
  • Insurers looking for evidence to determine when a loss occurred, whether security alarms were on or who was present[6]
  • Law enforcement agencies wanting to uncover illegal operations.

A US privacy and information security lawyer believes that other valuable uses will emerge. In his words: 'Customers, utilities, vendors, and third party data brokers will want to position themselves to sell [smart meter] data or analytics, just as credit reporting agencies have done.'[7]

Those interested in the data may not just be those with a business interest:

  • Neighbourhood busybodies
  • Vengeful ex-spouses, jealous lovers and determined stalkers
  • Burglars intercepting data to see when a place is unoccupied and whether valuable electronics are inside.[8]

...to name a few.

We've already seen Facebook profiles used in Australian courts to cast doubt on the good character of a plaintiff.[9]  Is it that much of a leap to imagine smart grid data used in a similar way?

Some of these privacy concerns may sound a little bit 'out there' or implausible. But many of today's applications of the internet seemed equally implausible ten years ago.

So we need to ask ourselves some important questions about how we are going to protect privacy.

  • Where do we draw the line in terms of privacy?
  • What are reasonable, and unreasonable, secondary uses?
  • How do we avoid function creep?
  • How do we ensure that smart meter data is secure?
  • How do we ensure smart infrastructure complies with privacy laws?

Privacy impact assessment

To help answer these questions, we recommend that privacy impact assessments are done on any new smart infrastructure initiatives.

Privacy impact assessments or 'PIAs' will allow the agencies leading smart infrastructure projects in Australia to identify all personal information collected by smart infrastructure. A PIA analyses all aspects of the information lifecycle - any uses, disclosures, storage and access - until the information is permanently deleted.

A PIA allows the agency to address any privacy risks with a new project and mitigate those risks. Importantly, a PIA will demonstrate to the community that the government is serious about ensuring that privacy is protected.

PIAs are increasingly used around the world for initiatives involving personal information.  The UK's Department of Energy and Climate Change has recommended that PIAs be carried out as part of the implementation phases for smart infrastructure.[10]  

In the US, a preliminary PIA has been done on the smart grid by the National Institute of Standards and Technology.[11] That PIA has recommended that any organisation collecting energy usage data from or about premises should do annual PIAs.

The importance of individual trust

A major advantage of PIAs is that with public consultation you can build broader community awareness and confidence in the project. Publishing PIAs also enhances transparency and demonstrates to the community that the project has been critically analysed with privacy in mind.

If trust is lacking, then individuals may view the system with suspicion, resist its introduction and find ways to circumvent it. This will make implementation difficult and could undermine the overall effectiveness of smart infrastructure.

Individual trust is a valuable but elusive commodity. Agencies that fail to build privacy into smart infrastructure design are likely to be haunted by this decision in the future. I'm sure you've all read about major data breaches that seriously damaged the credibility of organisations. Let's ensure that privacy protections are incorporated in a way that engenders community trust and participation.

Options

So what are our options for ensuring that privacy protections are incorporated into smart infrastructure? There is no one magic fix for privacy protection. The best systems involve a combination of protections including:

  • design and technology features
  • legislation and redress mechanisms and
  • user education.

Here are some of the sorts of privacy protections I would expect to see in any smart infrastructure system, and features that I will be suggesting as this inquiry progresses.

Design and technology

Let's start with design and technology. The best privacy outcomes are achieved when privacy is built into the design of the system. Tacking on privacy at the end is complicated and costly. Data protection authorities in the UK and Canada use the expression 'privacy by design' to capture the idea.[12]

Privacy can be 'designed into' new systems in many ways.

Minimising data collected

The first design feature should be that systems are configured to collect the least possible personal information to achieve the desired outcome. A common mistake is to collect more personal information than is actually needed.

For example, do intelligent transport systems actually need to know the identity of the driver or the person a vehicle is licensed to? Is it necessary that short range radio transmitters are associated with personal information at all? Maybe not.

Needless to say, minimising the personal information collected is a great privacy measure. If you don't collect the data, you cut out risks to privacy. In the smart roads example, this achieves a great privacy outcome - allowing people to use our roads anonymously while still enjoying the benefits of the technology whether that's faster travel, less traffic or increased safety.

A bad outcome is that the technology is configured so that it logs a person's travel in a way that discourages them from moving freely. Would people avoid using their car to visit particular health and support services for fear that logs of their travels could be used against them? This may seem like an exaggerated fear, but these are issues to address to ensure that surveillance does not adversely impact people's daily lives.

Anonymisation

A second important design feature is to build systems that allow anonymity.

The related issue of de-identifying information can allow organisations to ensure that personal information is not subsequently used for unauthorised purposes. De-identified data can also be useful for research - generally the data is just as useful and comes without the hassle of seeking the consent of thousands of customers.

Data separation

Systems can also be designed to store data in such a way that usage information is held separately to identifying information where possible. A way of achieving this might be to only link smart infrastructure data with a location or customer account when needed for billing, service restoration, or other operational needs.[13]

Designing systems that ensure data separation also helps avoid the creation of data 'honey pots' - that is, masses of valuable personal information all in one place.

Internal access controls

Another important design feature is to have access controls around personal information. This is nothing new and generally a standard feature of information management systems. The key question is really: who needs to access this information? In the case of smart water systems, does a policy analyst assessing the success of water saving initiatives really need to have access to personal data and billing details of customers?

Access controls should be supported by audit trails, so that it can be confirmed that personal information is being accessed appropriately.
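The 'Data separation' and 'Internal access controls' points above fit together naturally in code, so here is one added Python illustration covering both (it is mine, not anything from the speech or from any utility's system). Usage readings are stored only under an opaque meter token; the token-to-customer link lives in a separate identity store; roles follow least privilege, so billing is the only path that joins the two stores, and the policy analyst from the water example gets de-identified aggregates only; and every access decision, allowed or denied, is written to an audit trail before any data is touched. The customers, meters, readings, user names, role names and the small-cohort threshold are all invented for the example.

```python
"""Constructed example: separating usage data from identity, with access control and audit.

All customers, meters, readings and user names below are invented for illustration.
"""
import hashlib
import hmac
import secrets
from collections import defaultdict
from datetime import datetime, timezone

# Key for the keyed hash that turns a meter serial into an opaque token.
# Assumption: held only by the identity store, never by the usage store.
SEPARATION_KEY = secrets.token_bytes(32)


def meter_token(meter_serial: str) -> str:
    """Opaque token for a meter. A keyed hash (HMAC) is used rather than a plain
    hash so the small serial-number space cannot simply be enumerated."""
    return hmac.new(SEPARATION_KEY, meter_serial.encode(), hashlib.sha256).hexdigest()[:16]


# Store 1: identity. Customer account -> meter token. The only place the link exists.
IDENTITY = {
    "C-1001": meter_token("SN-A1"),
    "C-1002": meter_token("SN-B2"),
    "C-1003": meter_token("SN-C3"),
}

# Store 2: usage. Token -> kWh readings. No names, addresses or account numbers.
USAGE = defaultdict(list)
USAGE[meter_token("SN-A1")].extend([1.0, 2.0, 3.0])
USAGE[meter_token("SN-B2")].extend([4.0, 4.0])
USAGE[meter_token("SN-C3")].extend([2.0])

# Least-privilege roles: only billing may join identity to usage.
ROLE_PERMS = {
    "billing": {"link_identity", "read_usage"},
    "ops": {"read_usage"},            # restore service by token, never by name
    "analyst": {"read_aggregate"},    # de-identified totals only
}
MIN_COHORT = 3  # refuse to release an aggregate over fewer meters than this (assumption)

AUDIT = []  # append-only trail of every access decision


class AccessDenied(Exception):
    pass


def authorize(user: str, role: str, perm: str, target: str = "-") -> None:
    """Check the permission and record the decision before any data is touched."""
    allowed = perm in ROLE_PERMS.get(role, set())
    AUDIT.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user, "role": role, "perm": perm, "target": target,
        "decision": "allow" if allowed else "deny",
    })
    if not allowed:
        raise AccessDenied(f"{user} ({role}) lacks {perm}")


def monthly_bill_kwh(user: str, role: str, customer_id: str) -> float:
    """Billing path: the one place where identity and usage are joined."""
    authorize(user, role, "link_identity", customer_id)
    token = IDENTITY[customer_id]
    authorize(user, role, "read_usage", token)
    return sum(USAGE[token])


def average_kwh_per_meter(user: str, role: str) -> float:
    """Analyst path: works on tokens only and refuses small cohorts."""
    authorize(user, role, "read_aggregate")
    totals = [sum(readings) for readings in USAGE.values()]
    if len(totals) < MIN_COHORT:
        raise ValueError("cohort too small to release an aggregate")
    return sum(totals) / len(totals)


def denied_accesses() -> list:
    """Audit entries where access was refused; what an auditor would review first."""
    return [entry for entry in AUDIT if entry["decision"] == "deny"]


if __name__ == "__main__":
    print("bill C-1001:", monthly_bill_kwh("alice", "billing", "C-1001"))
    print("average per meter:", round(average_kwh_per_meter("bob", "analyst"), 2))
    try:
        monthly_bill_kwh("bob", "analyst", "C-1001")
    except AccessDenied as err:
        print("denied:", err)
    print("audit entries:", len(AUDIT), "denied:", len(denied_accesses()))
```

Two design choices are worth noting. The usage store never learns a customer identifier, so a breach of it alone yields the kind of behavioural profile described earlier but not who it belongs to; the identity mapping is the small, high-value table that deserves the strongest protection (and, per the encryption point later in this speech, encryption at rest). And the audit entry is written before the permission check can fail, so refused attempts are recorded as well as successful ones.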

Security of data from unauthorised access or interception

And finally, any smart infrastructure system will also need security measures to protect data from unauthorised access, modification, misuse and disclosure. Some academics have pointed out that smart meters are extremely attractive targets for malicious hackers because vulnerabilities can easily be monetised.[14]

They also say that smart meters are built using easily obtainable hardware and software and will be subject to many or all of the maladies of internet life including: meter bots, distributed denial-of-service attacks, usage loggers, smart meter rootkits, meter-based viruses and other malware.[15]

Others point out that even if an organisation uses its own hardware for collection or transfer of smart infrastructure data, it may outsource data collection, billing, customer support or web-services. Each time information is transmitted to a third party, additional privacy and security risks arise.[16]

I encourage strong security measures to protect smart infrastructure. Encryption may offer a good way of ensuring that where data is breached, it is unusable. Good security measures are something that both individuals and organisations want. Individuals want their information protected and organisations want to protect their reputation and economic interests. So incorporating strong security measures is a win-win.

Legislation

So those are a few points on privacy and design. The second feature of a multi-faceted approach to privacy protection is legislation.

Legislation can place limits on actual collection of information and its use for purposes other than the purpose it was collected for. Limiting secondary uses and disclosures is crucial to stopping function creep. It can also offer individuals an avenue for redress if things go wrong.

In Australia, we have privacy legislation to protect the personal information of individuals. My Office administers the Commonwealth Privacy Act which covers Australian and ACT government agencies, large private sector organisations, all private health service providers and credit reporters.

Many of the states and territories also have privacy laws or arrangements in place to regulate their public sectors and a number have Privacy Commissioners or Information Commissioners.

A privacy impact assessment should determine what privacy laws apply to what smart infrastructure organisations.

The Privacy Act is technology-neutral and that approach has been re-affirmed by the Government as it accepted the Australian Law Reform Commission's recommendations from its recent inquiry.[17]

This approach helps ensure that the Privacy Act effectively handles technological change. In some cases where a technology introduces issues that fall outside the Privacy Act or other state laws, it may be necessary to have new technology-specific legislation. For example, the Spam Act 2003 regulates the sending of unsolicited commercial electronic messages, made easy by the advent of the internet and email.

It will be necessary to assess the adequacy of existing privacy law and whether new clauses or legislation are necessary.

User education

Finally, roll out of smart infrastructure should be accompanied by community awareness initiatives and notices to individuals about the types of information collected using smart infrastructure and how that information will be used.

Organisations that operate smart infrastructure should also offer policies to individuals outlining the organisation's information handling practices. Giving people information about how their personal information will be collected and used allows individuals to make informed decisions about how they participate with the system. And it ensures that individuals are not surprised by the handling of their information.

Conclusion

Smart infrastructure clearly offers many benefits and I'm sure we will hear more about the gains that can be made using this new technology over the course of this inquiry. Done badly, smart infrastructure has the potential to impinge on individual privacy and risks undermining community confidence in smart systems as a whole. So we need to address and build in privacy now. It is too important an opportunity to jeopardise with poor privacy protections.

I want to finish by saying why privacy is worth protecting.

It's easy - in the midst of discussions about security settings and privacy notices and collection limitation and anonymisation - to overlook the ultimate outcome we are after; that individuals are able to live with dignity, autonomy and respect. This is really what privacy is about. It would be difficult to live a full and happy life under constant surveillance.

As Jeffrey Rosen, author of The Unwanted Gaze, points out:

Privacy protects us . . . in a world of short attention spans, a world in which information can easily be confused with knowledge.[18]

We might reflect on how easy it would be to draw incorrect conclusions about a person based on smart infrastructure data and how constant surveillance of the activities in our homes, our movements and communications could have a chilling effect on our behaviour - the constant feeling that someone is looking over our shoulder.

A common counter argument to privacy is that if you've got nothing to hide, you have nothing to fear. One wonders whether those with 'nothing to hide' would be happy to hand over their credit card numbers to anyone, or publish their medical records in the newspaper, or walk around naked?  As security expert Bruce Schneier notes, the 'nothing to hide' argument mistakenly accepts the premise that privacy is about hiding a wrong.[19]

Similarly, academic Daniel Solove notes that:

'the deeper problem with the 'nothing to hide' argument is that it myopically views privacy as a form of concealment or secrecy.'[20]

Protecting privacy is not being secretive or mistrustful. Having curtains on our windows does not mean that we are up to no good! We are simply managing the line between our public and private lives in a way that allows us to feel comfortable and live life to the full.

I look forward to participating in the inquiry as it progresses.

Thank you.


[1] See Information and Privacy Commissioner, Ontario, Canada, SmartPrivacy for the Smart Grid: Embedding Privacy into the Design of Electricity Conservation, November 2009, pp 4-5.

[2] Smart appliances can be configured by the end user to communicate information directly to the utility operator for efficient and more productive use of electricity (in turn saving the consumer money on electricity consumption). For example, appliances will be able to automatically turn off during times of high electricity demand. Information and Privacy Commissioner, Ontario, Canada, SmartPrivacy for the Smart Grid: Embedding Privacy into the Design of Electricity Conservation, November 2009, pp 8-9.

[3] See House Standing Committee on Infrastructure, Transport, Regional Development and Local Government, Terms of Reference, Inquiry into Smart Infrastructure, www.aph.gov.au/House/committee/itrdlg/smartinfrastructure/tor.htm

[4] Martin LaMonica, 'Cisco: Smart grid will eclipse the size of the Internet', CNET, 18 May 2009, news.cnet.com/8301-11128_3-10241102-54.html

[5] Information and Privacy Commissioner, Ontario, Canada, SmartPrivacy for the Smart Grid: Embedding Privacy into the Design of Electricity Conservation, November 2009, p11.

[6] See Mark F Foley, 'The Dangers of Meter Data (Part 1)', Smart Grid News.Com, 2 July 2008, http://www.smartgridnews.com/artman/publish/Technologies_Metering_News/The_Dangers_of_Meter_Data_Part_1-446.html

[7] Mark F Foley, 'The Dangers of Meter Data (Part 1)', Smart Grid News.Com, 2 July 2008, http://www.smartgridnews.com/artman/publish/Technologies_Metering_News/The_Dangers_of_Meter_Data_Part_1-446.html

[8] See Mark F Foley, 'The Dangers of Meter Data (Part 1)', Smart Grid News.Com, 2 July 2008, http://www.smartgridnews.com/artman/publish/Technologies_Metering_News/The_Dangers_of_Meter_Data_Part_1-446.html

[9] Catharine Munro and Paul Bibby, 'Courts throw Facebook at digital navel gazers', Sydney Morning Herald, 21 April 2009, http://www.smh.com.au/news/technology/courts-throw-facebook-at-digital-navel-gazers/2009/04/20/1240079605140.html

[10] See Department of Energy and Climate Change, 'Impact Assessment of Smart / Advanced Meters roll out to small and medium businesses', May 2009, p 24, www.decc.gov.uk/Media/viewfile.ashx?FilePath=Consultations%5CSmart%20Metering%20for%20Electricity%20and%20Gas%5C1_20090508152843_e_@@_smartmeterianondomestic.pdf&filetype=4

[11] See National Institute of Standards and Technology, US Department of Commerce, 'Smart Grid Cyber Security Strategy and Requirements (Draft)', Smart Grid Interoperability Panel, Cyber Security Working Group, February 2010, pp 100-115, http://www.smartgridnews.com/artman/uploads/1/nist_cyber_security.pdf

[12] See http://www.privacybydesign.ca/  and http://www.ico.gov.uk/about_us/news_and_views/current_topics/privacy_by_design.aspx

[13] See National Institute of Standards and Technology, US Department of Commerce, 'Smart Grid Cyber Security Strategy and Requirements (Draft)', Smart Grid Interoperability Panel, Cyber Security Working Group, February 2010, p 108, http://www.smartgridnews.com/artman/uploads/1/nist_cyber_security.pdf

[14] Patrick McDaniel and Stephen McLaughlin, 'Security and Privacy Challenges in the Smart Grid', IEEE Security and Privacy, May/June 2009, p 73.

[15] Patrick McDaniel and Stephen McLaughlin, 'Security and Privacy Challenges in the Smart Grid', IEEE Security and Privacy, May/June 2009, p 73.

[16] Mark F Foley, 'Data Privacy and Security Issues for Advanced Metering Systems (Part 2)', Smart Grid News.Com, www.smartgridnews.com/artman/publish/industry/Data_Privacy_and_Security_Issues_for_Advanced_Metering_Systems_Part_2-453.html

[17] See Australian Government First Stage Response to Australian Law Reform Commission Report 108, October 2009, Recommendation 18-1, p 37 www.dpmc.gov.au/privacy/alrc_docs/stage1_aus_govt_response.pdf.

[18] Jeffrey Rosen, The Unwanted Gaze: The Destruction of Privacy in America, Random House, 2000.

[19] Bruce Schneier, 'The Eternal Value of Privacy', Wired News, 18 May 2006.

[20] Daniel J Solove, ''I've got nothing to hide' and other misconceptions of privacy', San Diego Law Review, vol. 44, 2007, p 16.