Smart Grids and the Future of Privacy

Smart grids are the future of power, but what does that mean for the future of privacy?

The transmission networks spanning nations to provide light, heat and electricity will soon undergo a radical transformation. Most of the world’s developed countries have invested in or plan to invest huge sums to implement smart energy infrastructures within the next two decades. The smart grid will revolutionize the way utilities and consumers measure and monitor electricity usage. This effort is expected to save money and aid energy conservation. But the grid will also result in the creation of massive amounts of new data, data that can reveal intimate details about households and the people who live in them. The risk of exposure or misuse of such data creates a new set of concerns for consumers and privacy professionals.

The smart grid will rely on smart meters, which will record household energy consumption and communicate it back to power providers. These new smart meters will replace the electromechanical meters that are attached to most households across the world today.

Smart appliances, which are being developed and sold by some of the world’s largest manufacturers, will enhance the intelligent grid, feeding smart meters with real-time information about electrical use down to the appliance level — smoothie at seven, treadmill at eight, for example. (According to a recent Zpryme report, the global market for household smart appliances is projected to reach $15.12 billion in 2015.)

This precision will allow utility companies to analyze peak power usage times and set electric rates accordingly. In turn, households will gain a tool for more efficient management of their energy consumption, which they could use to lower costs and conserve energy. For example, customers will have the ability to time their laundry chores for off-peak energy hours.

When the grid, the meter, and the appliances are implemented and integrated, consumers will be able to fine-tune their energy consumption to get the best rates and utilities will be able to more effectively manage power distribution and identify and resolve problems remotely.

The savings potential is expected to be massive. The grid is also expected to help power suppliers prevent blackouts and brownouts by allowing for power distribution to be delivered more evenly and on a need-based schedule.

Nations and utilities are investing in the development of the smart grid, and many companies have already deployed smart meters. But while those involved throw millions, even billions, toward the grid, cautioning voices are calling for privacy protections.

“We are talking about implementing a very new type of network…a network that people are always attached to,” says Rebecca Herold, CIPP, founder of Rebecca Herold and Associates, LLC. Herold has led the U.S. National Institute for Standards and Technology (NIST) Smart Grid privacy subgroup since June 2009 and co-authored the NIST report on smart grid privacy, which is under review by NIST and expected to be published soon.

The information collected on a smart grid will form a library of personal information, the mishandling of which could be highly invasive of consumer privacy,” said Christopher Wolf, co-author with Jules Polonetsky of a whitepaper published by the Future of Privacy Forum and the Office of the Information and Privacy Commissioner of Ontario. “There will be major concerns if consumer-focused principles of transparency and control are not treated as essential design principles, from beginning to end.”

Utilities are aware of the privacy concerns, according to Rick Thompson, the president of Greentech Media. “It’s absolutely on their radar,” he says, adding, “That doesn’t mean they have a full understanding or solution to solve that problem, but I think it’s an area that they are investigating heavily.”

It’s an area worthy of investigation, according to many. Some say the smart grid will be “bigger than the internet,” which will result in an exponential increase of coveted, valuable and potentially identifiable data.

“You come into new types of privacy issues because you are now revealing personal activities in ways that are not historically, or have not been considered to date as being personally identifiable information,” Herold says.

Beyond knowing how often the refrigerator opens or what time the garage door activates each morning, grid data may be a way of discerning when a household is empty or full, when family members go to bed at night or what time the kids come home from school. Marketers might want to tap into the data to find out when a household might be due for a new refrigerator or washing machine. Law enforcement might be interested in corroborating a story. An insurance company might want to know if a homeowner’s alarm was turned on when a burglary occurred. A divorce attorney might want to subpoena energy-use records to aid a case.

Who owns the data?

In a recent newspaper article, Simon McKenzie, the chief executive of a New Zealand electricity supplier, said in that country, where hundreds of thousands of smart meters are currently being installed, “We’re starting to see the retailers and network companies say: ‘Hey, there are a number of different ways that we haven’t even considered that we could utilize this data…to provide better service or solutions to customers.” The full potential of smart grids has yet to be realized, McKenzie told The New Zealand Herald.

But should retailers and other entities have access to the data? That is a question being examined on a global scale.

In response to the McKenzie’s comments, New Zealand Privacy Commissioner Marie Shroff said that companies need to be transparent about what information is being tracked and collected. “People need to be able to make fully informed decisions before agreeing to the new technology,” Shroff said.

Others call for limited use of the data gleaned from smart grids.

“The risk with a rich new data source is the temptation to use the information for more than originally intended,” Australian Privacy Commissioner Karen Curtis told those attending a smart infrastructure conference earlier this year.

That’s why it will be crucial to answer the question of who owns and has access to consumers’ energy usage data, which could reveal existing and emerging types of personally identifiable information, Herold says.

It’s a familiar question for privacy pros, who have grappled with it in other areas of practice, but perhaps less familiar for utilities. In a recent study, GTM asked utility companies who owns the granular data collected by smart meters — the utility company, the consumer, or a third party. The results showed a decided lack of consensus.

“The interesting thing is that it was pretty well split evenly between those three options,” said GTM’s Rick Thompson. Of the companies surveyed, 39 percent said the data belonged to the consumer, 29 percent said the utility itself owned it, and 32 percent were unsure.

The president of an advocacy group for the smart grid industry is more decided on the topic. “The consumer should always have access to that data,” says Kathleen Hamilton, president of the GridWise Alliance, which counts more than 100 companies and organizations as members. “I think the consumer is going to be the owner of that data,” Hamilton said. “But I think what consumers don’t understand is that when they give their data to others, if there aren’t privacy provisions in place, they can use the data in ways that either the consumer may not agree with or think appropriate.”

That’s a worry many can relate to and a debate that must play itself out soon, as 70 percent of North American utility companies polled for the aforementioned GTM survey indicated that smart grid projects were either a “strong” or “highest” business priority between now and 2015. Governments keen to the potential have invested heavily in smart grid infrastructures. In the U.S., President Obama allocated $3.4 billion in national stimulus monies to utility companies last year to encourage development of smart grid technologies. The European Parliament’s passage of the 3rd Energy Package last year will outfit 80 percent of EU electricity customers with smart meters by 2020. In Sweden, smart meters are now mandated by the government. The U.K., Canada, Australia, New Zealand, parts of Asia, Denmark, and the Netherlands have all reported plans to build intelligent grids. And the Chinese government has allocated $7.3 billion to grid projects in 2010.

It is clear that the potential privacy pitfalls loom large. Less clear is the best solution to prevent them.

“I think there are still a lot of questions out there about what the correct solution might be,” says GTM’s Thompson, predicting that solutions will vary based on the regulations of various regions.

Like other areas of data privacy, regulation is a word that could divide the debate in the months and years to come.

Some predict smart grid privacy issues to be bigger in Europe than other places due to the strength of the bloc’s Data Protection Directive.

So far in the U.S., regulation has focused primarily on securing the grid infrastructure from cyber-attack. For example, the Grid Reliability and Infrastructure Defense (GRID) Act, introduced in April, charges the FERC with safeguarding the transmission grid from cyber-threats. The bill also tasks FERC with enforcing privacy measures, stating: “the Commission shall protect from disclosure only the minimum amount of information necessary to protect the reliability of the bulk power system and defense critical electric infrastructure.” The House passed the bill in June, but the Senate has yet to vote.

Other bills have focused on ensuring that consumers have access to the data their homes’ meters produce. In March, Rep. Edward Markey (D-MA), chairman of the House Select Committee on Energy Independence and Global Warming, introduced The Electric Consumer Right to Know Act (e-KNOW), legislation to ensure consumers have access to free, timely and secure data about their energy usage. It also calls for the FERC to develop national standards for consumer energy data accessibility, to help utilities and state regulatory agencies formulate their policies, according to Markey’s website.

State lawmakers have begun drafting their own legislation. In Colorado, a state where smart meter implementation is already widespread, Senate Bill 10-180 calls for the creation of a task force to recommend measures to “encourage the orderly implementation of smart grid technology” in that state. The bill says that one of the issues the task force must determine is the potential impacts on consumer protection and privacy.

A call for standards

Privacy experts say the lack of legal protection surrounding the smart grid is concerning. They are calling for standards.

“In the absence of clear rules, this potentially beneficial smart grid technology could mean yet another intrusion on private life,” Jim Dempsey of the Center for Democracy and Technology (CDT) said in a March filing to the California Public Utilities Commission (CPUC), which held a three-day hearing that month to explore smart grid policies.

“The PUC should act now, before our privacy is eroded,” Dempsey wrote.

The CDT teamed with the Electronic Frontier Foundation (EFF) on the filing, urging the CPUC to adopt “comprehensive privacy standards for the collection, retention, use and disclosure of the data” gleaned from the smart grid.

The National Institute of Standards and Technology smart grid privacy subgroup, which Herold leads, has released two drafts of the privacy chapter “Smart Grid Cyber Security Strategy and Requirements.” The document includes a privacy impact assessment and addresses possible risks the smart grid presents — including cyber attacks, data breaches and the vulnerability of interconnected networks’ increased exposure to potential hackers.

The draft says that while most states have laws in place regarding privacy protection, those laws do not necessarily relate to the types of data that will be within the smart grid, and many existing laws are specific to industries other than utilities. The group recommends that provisions be included within privacy laws to protect the consumer data held by utility companies. The final NISTIR 7628 Version 1 is expected soon, after which it will be submitted to the Federal Energy Regulatory Commission (FERC).

Minimize, destroy, build privacy in

As with other privacy debates, those pushing for smart infrastructure privacy protections espouse mantras often heard in data protection circles-data minimization, data destruction and privacy by design.

Utilities should minimize the amount of household data collected and should keep it for the shortest amount of time possible, advocates say, in order to minimize the risk associated with storing such data.

Ontario Privacy Commissioner Ann Cavoukian agrees. In her whitepaper, she also cautions that privacy concerns must be considered early in the planning stages in order to mitigate the risks surrounding the revealing data meters collect.

By designing privacy into the grid, “we can have both privacy and a fully functioning smart grid,” Cavoukian wrote in a Toronto Star Op-Ed.

The government of Ontario has committed to the installation of smart meters in every home and business by the end of 2010 and Cavoukian has partnered with major utilities to develop “gold standards” for building privacy into grid projects.

Some privacy advocates point to Ontario’s Hydro One as a utility company setting the standard for baking privacy provisions into its policy before deploying smart meters. Rick Stevens, director of distribution development at Hydro One says the protection of consumer’s information was built into smart meters’ designs based on Ontario’s privacy regulations.

“The regulations certainly set the context for the project,” Stevens said. “We’re just really ensuring that we bake those protections into the product that we put out there. Given that this is new technology, we’re going to be very careful to protect consumer interest as we roll these out. I know we, as an industry, take it very seriously.”

Hydro One has 1.1 million meters already deployed, and at least 700,000 of them are currently reporting data back to the utility on an hourly basis. Stevens says that, as a rule, the utility does not sell customers’ data to third parties and would only share data after obtaining written authorization customers.

The president of LinkGard Systems, an Armenian software maker, says his company’s Energy Management System, which is currently being tested in the U.S., was built with privacy in mind. “It is our strong belief that the utility company has no need to control individual appliances in a residence or a commercial location,” said Hovanes Manucharyan. “The same effect can be achieved by using solutions that don’t require the customer to expose their private energy usage information….We feel that this model is friendlier towards privacy since the utility doesn’t need to acquire, store and manage potentially private data from a customer.”

Hovanes said the stronger regulatory framework of the EU could result in slightly different implementations of smart grid technologies in that market.

Beyond PII

We haven’t yet heard a debate on whether our garage-door-opening habits qualify as personal data, but it’s a question that privacy experts say should be answered.

“People have to realize it’s a new type of network,” says Herold. “It’s ‘always on,’ passively collecting information about people in their homes. It’s more than just PII, it’s personal activities,” she adds.

This is what concerns a California man who staged a dramatic protest recently when Pacific Gas & Electric attempted to install a smart meter at his home. Calling it an “unconstitutional invasion of his privacy,” he locked his existing meter, saying, “PG&E needs to be stopped in their tracks here.”

Education needed

But smart meters are being rolled out in many places, and typically without protest. Indeed, though smart grids are certainly on the radar of utilities and governments, most consumers are in the dark. According to a recent Harris Interactive poll, 68 percent have never heard of the smart grid and 63 percent “draw a blank” about smart meters. Experts say that will change.

“You are going to see a lot more awareness over the next 24 months,” says Greentech Media’s Rick Thompson, “but in terms of becoming a true household name, I’d say that’s still three to five years out.” Thompson says utility companies are just starting to understand the importance of launching educational campaigns aimed at consumer awareness.

A newly formed coalition of companies and organizations — the nonprofit Smart Grid Consumer Collaborative — hopes to increase consumer awareness in the area. “The grid is not really smart unless the consumers are able to be active participants,” said Katherine Hamilton of the GridWise Alliance, one of the founding members of SGCC.

Hydro One’s Stevens says building consumer awareness by communicating the cost-savings potential and environmental benefits is what helped make his company’s transition to smart meters successful in Ontario.

“For the most part, it’s been positive,” Stevens said. “I think the reason for that is the type of information we’ve been able to provide to customers.”

Stevens said, however, given his company’s success with smart meters, that the only reason to have increasing regulations in the future would be if issues arise that require them.

When asked whether utility companies’ self-regulatory efforts will be sufficient to stave off regulations, Herold said it’s important to consider just how many different players will be involved in the smart grid, including non-energy sector companies creating applications and appliances.

“Self-regulation is a good goal, but when you start looking realistically, how do you ensure entities consistently provide protections throughout the entire smart grid if you don’t establish requirements they must all follow?” Herold asks.

She points to the health care and financial industries as evidence that regulations are often necessary.

“It’s always important, in dealing with privacy, to not only take what we know from past experiences, but also have our minds open to possible impacts going forward.”

Some say that having the right people on board will help companies avoid issues. “One of the key things utilities should be doing today is training and hiring privacy professionals,” says Future of Privacy Forum Director Jules Polonetsky, CIPP. “Data enables the grid, but could also be its Achilles’ heel, if companies don’t have the experts in place to help shape decisions as the grid is being built.”

Stevens agrees, saying that it’s in the utility industry’s best interest to maintain consumer privacy protections moving forward.

“It’s a necessity,” he says. “Otherwise, it’ll backfire on us.”

***

This article was originally published in the July 2010 edition of the International Association of Privacy Professionals’ member newsletter, The Privacy Advisor and here.