There has been discussion about privacy questions raised by the “smart grid,” where utilities would be able to collect granular data about consumers’ energy consumption — down to the daily electricity use by the fridge in your kitchen or the TV in your bedroom. The benefits could include more consumer control over usage, more efficient energy usage, a more reliable energy grid, and faster response by utilities to power outages. But there are questions about this intelligent meter system. Who would have access to this data — law enforcement, advertisers or others? What could they do with this data? What kind of security and privacy controls are there? The data could be highly personal: Do you have an alarm system, and when is it activated? When do you usually shower or bathe? If a friend plugs her electric car into the recharging station in your garage, would her data be gathered or transferred?
In a November 2009 report (pdf) from the Ontario Information and Privacy Commissioner and the Future of Privacy Forum, the groups noted, “Privacy concerns arise when there is a possibility of discovering personal information such as the personal habits, behaviours and lifestyles of individuals inside dwellings, and to use this information for secondary purposes, other than for the provision of electricity. Electric utilities and other providers may have access to information about what customers are using, when they are using it, and what devices are involved.”
They also said, “Information proliferation, lax controls and insufficient oversight of this information could lead to unprecedented invasions of consumer privacy […] the dissemination of data must be done in a trustworthy and transparent manner.”
Earlier this month, the National Institute of Standards and Technology (NIST) issued a report (pdf) with recommendations for implementing the smart grid, noting the “potential for compromise of data confidentiality, including the breach of customer privacy.” NIST asked:
- What personal information may be generated, stored, transmitted or maintained by the Smart Grid?
- How is this information new or unique from personal information in other types of systems and networks?
- What are the new and unique types of privacy risks that may be created by Smart Grid components and entities throughout the grid network?
- Do existing laws, regulations and standards apply to the personal information collected by, created within, and flowing through the Smart Grid components?
- What could suggested privacy practices look like for all entities using the Smart Grid so that following them would protect privacy, reduce risks, and support and/or enhance existing laws, regulations and standards?
Rebecca Herold, a member of the NIST working group on the smart grid, blogged about U.S. and international laws that might apply:
Because of the complexity of the smart grid, and the many different types of organizations/businesses/vendors that will be part of this vast energy management network, there are many other possibilities for U.S. laws, regulations and standards that could apply as well. A few of these include:
- The Computer Fraud and Abuse Act
- Electronic Communications Privacy Act
- Gramm-Leach-Bliley Act and supporting rules
- At least 48 state and territory breach notice laws
- Federal Rules of Civil Procedure (eDiscovery Rule)
- North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standard
- Title XIII of the Energy Independence and Security Act of 2007
There is also the pending Cybersecurity Act of 2009 bill (S.773) that may be enacted and should be kept in mind.
And, since portions of the smart grid may go into Canada and Mexico, Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) and Mexico’s Federal Freedom of Information Act (FOIA) may also apply.
In a June 2009 article, “Privacy Challenges Could Stall Smart Grid,” Susan L. Lyon, an attorney with Perkins Coie’s Privacy & Security practice, said, “The nature of the smart grid requires ubiquitous deployment of monitoring technology in every home it touches. The impact of this is significant considering that privacy of the home is such an important value in our society that its protection is guaranteed in the U.S. Bill of Rights, ‘The right of the people to be secure in their … houses … shall not be violated.’ So while the benefits of a unified national smart grid system are very clear to most, as with any technology, the systems that provide these societal benefits and the policies that shape them should be designed to account for the privacy concerns of the individuals they serve.”
Here are a few articles about the issue:
CBC News notes, “In Canada, Ontario has been first off the mark. The province has already installed 1.1 million smart meters and plans to have one in every household by the end of 2010. In the U.S., Boulder, Colo., has taken the lead to become the first city with smart meters for every customer.”
MSNBC says, “Data creep will inevitably happen. Already, some consumers are getting statements that compare their use to neighbors’ usage — and ‘overusage’ premium pricing isn’t far behind. But what if the comparisons aren’t fair? Most families would want to be compared to similar families — how much power do three teen-ager daughter households use?”
CNN discusses security vulnerabilities: “Experts said that once in the system, a hacker could gain control of thousands, even millions, of meters and shut them off simultaneously. A hacker also might be able to dramatically increase or decrease the demand for power, disrupting the load balance on the local power grid and causing a blackout. These experts said such a localized power outage would cascade to other parts of the grid, expanding the blackout.”
In an op-ed at SmartGrid News, the Future of Privacy Forum’s Jules Polonetsky and Christopher Wolf wrote: “Potential Smart Grid data users, including utility companies and device manufacturers, must engage in responsible data management practices that build consumer confidence and trust. Such trust can only be achieved if consumers feel that they are receiving sufficient information about and are in control of how their personal Smart Grid data is used. Thus, Smart Grid data users must consider carefully how they will protect the integrity, privacy, and security of the Smart Grid data obtained from consumer usage patterns. In addition, Smart Grid data must be gathered responsibly, securely, and with a measure of transparency and consumer control.”