Monday, May 28, 2012

Smart Meter Data Privacy

Utilities must take privacy and security concerns into account when designing AMI and must persuade consumers, regulators and politicians that privacy interests are adequately protected.


Navigate this Report
1. Background
2. Acronyms/Definitions
3. Business Case
4. Benefits
5. Risks
6. Issues
7. Success Criteria
8. Companies/Organizations
9. Links

1. Background
  • Many people have privacy concerns about what happens if this more detailed energy usage information becomes public. Some describe it as a virtual biography of household activity in near real time. Humidity measurements can disclose private information such as human presence. Hourly power averages, such as those produced by California's AMI systems, can also be used to infer presence and sleep cycles, though at a coarser level.
  • The Supreme Court has ruled (Kyllo v. United States, 2001) that police need a warrant to point a thermal imaging device at a home from outside to detect the heat lamps of a marijuana grow, because doing so intrudes on the sanctity of the home. Utility records, being a business's records about its customer, have been treated as falling outside Fourth Amendment protection. What will the protections be for real-time meter data?

2. Acronyms/Definitions
  1. AES - Advanced Encryption Standard - A symmetric-key encryption standard adopted by the U.S. government and specified in Federal Information Processing Standard (FIPS) Publication 197, which defines the cryptographic algorithm US Government organizations use to protect sensitive, unclassified information.

  2. CISPA - Cyber Intelligence Sharing and Protection Act - A proposed law in the United States which would allow for the sharing of Internet traffic information between the U.S. government and certain technology and manufacturing companies. The stated aim of the bill is to help the U.S government investigate cyber threats and ensure the security of networks against cyberattack.

    CISPA has been criticized by advocates of Internet privacy and civil liberties who argue CISPA contains too few limits on how and when the government may monitor a private individual’s Internet browsing information. Additionally, they fear that such new powers could be used to spy on the general public rather than to pursue malicious hackers.

    What sparked significant privacy worries is the section of CISPA that says "notwithstanding any other provision of law," companies may share information "with any other entity, including the federal government." It doesn't, however, require them to do so.

    By including the word "notwithstanding," House Intelligence Committee Chairman Mike Rogers (R-Mich.) and ranking member Dutch Ruppersberger (D-Md.) intended to make CISPA trump all existing federal and state civil and criminal laws. (It's so broad that the non-partisan Congressional Research Service once warned that using the term in legislation may "have unforeseen consequences for both existing and future laws.") "Notwithstanding" would trump wiretap laws, Web companies' privacy policies, gun laws, educational record laws, census data, medical records, and other statutes that protect information, warns the ACLU's Richardson: "For cybersecurity purposes, all of those entities can turn over that information to the federal government."

  3. CPNI - Customer Proprietary Network Information - The data collected by telecommunications companies about a consumer's telephone calls. It includes the time, date, duration and destination number of each call, the type of network a consumer subscribes to, and any other information that appears on the consumer's telephone bill. It may provide a useful model for the development of rules and regulations governing the use and distribution of the personal, sensitive information that will be gathered as smart grid technologies are deployed.

    Telemarketers working on behalf of telephone companies, attempting to either win back a customer or upsell a customer with more services, must ask the customer's consent before accessing the billing information or before using that information to offer an upsell or any change of services. Usually this is done at the beginning of a call from the telemarketer to the telephone subscriber.

  4. FIP - Fair Information Practice Principles - Guidelines created by the United States Federal Trade Commission (FTC) that represent widely-accepted concepts concerning fair information practice in an electronic marketplace.
    1. Notice/Awareness - Consumers should be given notice of an entity's information practices before any personal information is collected from them. This requires that companies explicitly give notice of some or all of the following:
      • Identification of the entity collecting the data;
      • Identification of the uses to which the data will be put;
      • Identification of any potential recipients of the data;
      • The nature of the data collected and the means by which it is collected;
      • Whether the provision of the requested data is voluntary or required;
      • The steps taken by the data collector to ensure the confidentiality, integrity and quality of the data.

    2. Choice/Consent - Choice and consent in an online information-gathering sense means giving consumers options to control how their data is used. Specifically, choice relates to secondary uses of information beyond the immediate needs of the information collector to complete the consumer's transaction. The two typical types of choice models are 'opt-in' or 'opt-out.' The 'opt-in' method requires that consumers affirmatively give permission for their information to be used for other purposes; without the consumer taking these affirmative steps in an 'opt-in' system, the information gatherer assumes that it cannot use the information for any other purpose. The 'opt-out' method requires consumers to affirmatively decline permission for other uses.

    3. Access/Participation - Access as defined in the Fair Information Practice Principles includes not only a consumer's ability to view the data collected, but also to verify and contest its accuracy. This access must be inexpensive and timely in order to be useful to the consumer.

    4. Integrity/Security - Information collectors should ensure that the data they collect is accurate and secure. They can improve the integrity of data by cross-referencing it with only reputable databases and by providing access for the consumer to verify it. Information collectors can keep their data secure by protecting against both internal and external security threats. They can limit access within their company to only necessary employees to protect against internal threats, and they can use encryption and other computer-based security systems to stop outside threats.

      The integrity security service addresses prevention of unauthorized modification of data (both stored and communicated). Modification of both stored and communicated data may include changes, insertions, deletions or duplications. Additional potential modifications that may result when data is exposed to communications channels include sequence changes. The integrity service also addresses the problem of ensuring that communicating components can correctly identify those that they are communicating with.

    5. Enforcement/Redress - In order to ensure that companies follow the Fair Information Practice Principles, there must be enforcement measures. The FTC identified three types of enforcement measures: self-regulation by the information collectors or an appointed regulatory body; private remedies that give civil causes of action for individuals whose information has been misused to sue violators; and government enforcement, which can include civil and criminal penalties levied by the government.

  5. NILM - Non-Intrusive Load Monitoring - A process for analyzing changes in the voltage and current going into a house and deducing what appliances are used in the house as well as their individual energy consumption. The system can measure both reactive power and real power. Hence two appliances with the same total power draw can be distinguished by differences in their complex impedance. A refrigerator electric motor and a pure resistive heater can be distinguished in part because the electric motor has significant changes in reactive power when it turns on and off, whereas the heater has almost none.

    NILM can detect what types of appliances people have and their behavioral patterns. Patterns of energy use may indicate behavior patterns, such as routine times that nobody is at home, or embarrassing or illegal behavior of residents, without the homeowner knowing that they are being monitored. An exceptionally large fluorescent light power draw, for example, might be due to an indoor marijuana farm.

  6. SB 1476 - California law, enacted in September 2010, that prohibits an electrical corporation or gas corporation from sharing, disclosing, or otherwise making accessible to any 3rd party a customer’s electrical or gas consumption data, as defined, except as specified, and requires those utilities to use reasonable security procedures and practices to protect a customer’s unencrypted electrical and gas consumption data from unauthorized access, destruction, use, modification, or disclosure. The law also:
    • Prohibits an electrical corporation or gas corporation from selling a customer’s electrical or gas consumption data or any other personally identifiable information for any purpose.
    • Prohibits an electrical corporation or gas corporation from providing an incentive or discount to a customer for accessing the customer’s electrical or gas consumption data without the prior consent of the customers.
    • Requires that an electrical or gas corporation that utilizes an advanced metering infrastructure that allows a customer to access the customer’s electrical and gas consumption data to ensure that the customer has an option to access that data without being required to agree to the sharing of his or her personally identifiable information with a 3rd party.
    • FIP Transparency Principle - Provides that, if the electrical corporation or gas corporation contracts with a 3rd party for a service that allows a customer to monitor his or her electricity or gas usage, and the 3rd party uses the data for a secondary commercial purpose, the contract between the electrical or gas corporation and the 3rd party shall provide that the 3rd party prominently discloses that secondary commercial purpose to the customer.
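The NILM definition above (item 5) and the Background point about hourly averages revealing presence and sleep cycles are easier to appreciate with the inference actually run. The following is an added example, not code from the original page or from any utility's system: it does event-based load disaggregation on a constructed 1-second trace of real power P and reactive power Q, then shows the coarser routine (wake-up, daytime absence, bedtime) that a day of hourly averages still exposes. The appliance signatures, thresholds and both traces are hypothetical values chosen for illustration.

```python
# Added example, not code from the original page: event-based
# non-intrusive load monitoring on a constructed 1-second trace of real
# power P (W) and reactive power Q (var), followed by the coarser routine
# inference that hourly averages still allow.  Appliance signatures,
# thresholds and both traces are hypothetical.

# Hypothetical turn-on signatures: (step in P watts, step in Q var).
# The heater and the pump draw the same real power; only the motor's
# inductive reactive step tells them apart.
SIGNATURES = {
    "fridge compressor": (120.0, 90.0),
    "space heater": (1000.0, 5.0),
    "pool pump": (1000.0, 400.0),
}


def build_trace():
    """Constructed 1 Hz trace of (P, Q) with a 60 W / 10 var baseline."""
    steps = {5: (120, 90), 20: (1000, 5), 40: (1000, 400),
             60: (-1000, -5), 80: (-120, -90), 100: (-1000, -400)}
    p, q, trace = 60.0, 10.0, []
    for t in range(120):
        if t in steps:
            p += steps[t][0]
            q += steps[t][1]
        trace.append((p, q))
    return trace


def detect_edges(trace, min_step_w=50.0):
    """Sample-to-sample changes large enough to be an appliance switching."""
    edges = []
    for t in range(1, len(trace)):
        dp = trace[t][0] - trace[t - 1][0]
        dq = trace[t][1] - trace[t - 1][1]
        if abs(dp) >= min_step_w:
            edges.append((t, dp, dq))
    return edges


def classify(dp, dq, p_tol=0.15, q_tol=50.0):
    """Nearest signature in (|dP|, |dQ|) within tolerance, else None."""
    best, best_dist = None, None
    for name, (sp, sq) in SIGNATURES.items():
        if abs(abs(dp) - sp) <= p_tol * sp and abs(abs(dq) - sq) <= q_tol:
            dist = ((abs(dp) - sp) ** 2 + (abs(dq) - sq) ** 2) ** 0.5
            if best is None or dist < best_dist:
                best, best_dist = name, dist
    return best


def disaggregate(trace):
    """Label each edge: (second, appliance or None, 'on'/'off')."""
    return [(t, classify(dp, dq), "on" if dp > 0 else "off")
            for t, dp, dq in detect_edges(trace)]


# Constructed hourly averages (W) for one day: fridge-level baseload
# overnight and during the working day, cooking and lighting morning and evening.
HOURLY_W = [60, 55, 60, 58, 60, 65, 400, 500, 70, 65, 60, 62,
            60, 65, 70, 60, 65, 80, 900, 1100, 700, 450, 300, 70]


def infer_routine(hourly_w, baseload_w=60.0):
    """Wake-up, longest daytime absence and bedtime from hourly averages alone."""
    active = [w > 2 * baseload_w for w in hourly_w]
    if not any(active):
        return {"wake": None, "away": None, "sleep": None}
    wake = active.index(True)
    sleep = max(h for h, a in enumerate(active) if a) + 1  # hour after last activity
    away, start = None, None
    for h in range(wake, sleep):
        if active[h]:
            start = None
            continue
        start = h if start is None else start
        if away is None or h - start > away[1] - away[0]:
            away = (start, h)
    return {"wake": wake, "away": away, "sleep": sleep}


if __name__ == "__main__":
    for event in disaggregate(build_trace()):
        print(event)
    print(infer_routine(HOURLY_W))
```

At one-second resolution the trace yields a labelled on/off event for each appliance, including the heater and the pump that differ only in reactive power. At hourly resolution no appliance is recoverable, but the same household's schedule (up at 06:00, away from 08:00 to 17:00, asleep after 23:00) still is, which is the "coarser degree" the Background section refers to.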
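The Integrity/Security principle (item 4.4 above) lists the modifications an integrity service has to catch on communicated data: changes, insertions, deletions, duplications and sequence changes, plus confirming who sent the data. Here is an added example of a head end checking meter readings for each of those; it is not code from the page, from a utility or from any AMI vendor. It uses HMAC-SHA256 with a per-meter pre-shared key in place of the AES-based authenticated encryption a real head end would use (confidentiality is not shown), and the meter IDs, keys and readings are constructed.

```python
# Added example, not code from the original page: per-reading message
# authentication for meter data in transit, showing how a receiver
# detects the modifications the integrity service lists (changes,
# insertions, duplications, deletions, sequence changes) and ties each
# reading to the meter that sent it.  HMAC-SHA256 with a per-meter
# pre-shared key stands in for the AES-based authenticated encryption a
# real AMI head end would use; meter IDs, keys and readings are constructed.
import hashlib
import hmac
import json

# Hypothetical per-meter secrets provisioned at install time.
KEYS = {
    "meter-0001": b"k-0001-constructed-secret",
    "meter-0002": b"k-0002-constructed-secret",
}

FIELDS = ("meter_id", "seq", "ts", "wh")


def _canonical(msg):
    """Fixed field set and no whitespace, so sender and receiver MAC the same bytes."""
    return json.dumps({f: msg[f] for f in FIELDS}, sort_keys=True,
                      separators=(",", ":")).encode()


def sign(msg, key):
    """Attach the MAC a meter would compute over the reading."""
    signed = dict(msg)
    signed["mac"] = hmac.new(key, _canonical(msg), hashlib.sha256).hexdigest()
    return signed


class HeadEnd:
    """Receiver that keeps the last accepted sequence number per meter."""

    def __init__(self, keys):
        self.keys = keys
        self.last_seq = {}

    def accept(self, msg):
        key = self.keys.get(msg.get("meter_id"))
        if key is None:
            return "reject: unknown meter"          # cannot identify the sender
        expected = hmac.new(key, _canonical(msg), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg.get("mac", "")):
            return "reject: bad mac"               # modified, or forged with the wrong key
        last = self.last_seq.get(msg["meter_id"], 0)
        if msg["seq"] <= last:
            return "reject: replay or reordered"   # duplicate or out-of-sequence
        self.last_seq[msg["meter_id"]] = msg["seq"]
        if msg["seq"] != last + 1:
            return "accept: %d reading(s) missing" % (msg["seq"] - last - 1)  # deletion
        return "accept"


def run_scenario():
    """Deliver a constructed stream to the head end and return the verdicts."""
    k = KEYS["meter-0001"]
    genuine = [sign({"meter_id": "meter-0001", "seq": n, "ts": 1338163200 + 900 * n,
                     "wh": 100 + 7 * n}, k) for n in range(1, 5)]
    tampered = dict(genuine[1])
    tampered["wh"] = 0                                   # value changed after signing
    forged = sign({"meter_id": "meter-0001", "seq": 5, "ts": 0, "wh": 1},
                  b"attacker-guessed-key")               # insertion with the wrong key
    stranger = sign({"meter_id": "meter-9999", "seq": 1, "ts": 0, "wh": 1},
                    b"whatever")                         # unknown sender
    head_end = HeadEnd(KEYS)
    stream = [genuine[0], genuine[0], tampered, genuine[1], genuine[3],
              genuine[2], forged, stranger]
    return [head_end.accept(m) for m in stream]


if __name__ == "__main__":
    for verdict in run_scenario():
        print(verdict)
```

The sequence counter is what turns a plain MAC into a defence against duplication and reordering, and the gap check is the only way the receiver can notice a deleted reading; a deployment also needs the counter to survive meter reboots and a key-rotation story, neither of which this toy covers.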


3. Business Case
  • On July 28, 2011, the California Public Utilities Commission (CPUC) unanimously approved rules to protect the privacy and security of customer usage data generated by Smart Meters. The decision requires utilities to provide pricing, usage, and cost data to customers online, updated at least daily. Each day's usage data, along with applicable price and cost details and with hourly or 15-minute granularity (matching the time granularity programmed into a Smart Meter), must be available by the next day. The rules require the three utilities to: 
    • Provide customers with detailed energy usage, bill-to-date, month-end bill forecast, and projected month-end energy price on their websites – updated daily 
    • Provide "tier alerts" via some form of rapid communication (email, tweets, etc.) when customers move from one price tier to the next 
    •  Provide a website calculator to help consumers determine if they would save money by switching to a time-of-use rate 
    • Allow consumers to authorize third parties to receive their backhauled smart meter data directly from the utility 
    • Set up a program to roll out home area networking devices to be directly connected with smart meters.
  • These CPUC rules empower consumers by ensuring they get the data they need, and protect them by ensuring that no data is released to anyone outside the utility without the consumer's knowledge and permission. The rules protect utilities by laying out clear rules of the road and clarifying that utilities are not liable for a third party misusing the data when the consumer has authorized the third party to receive it. The CPUC considered all of the issues very thoughtfully and came down with a balanced approach that promotes innovation while providing strong consumer protections. The proposal voted on is available at http://docs.cpuc.ca.gov/WORD_PDF/AGENDA_DECISION/140188.pdf.
  • The above rule is based on the policy the CPUC adopted in May 2010 that utilities must give access to energy consumption data to individual consumers and their appointed third-party providers by the end of 2010 and then provide the data in a somewhat real-time manner by the end of 2011. To do that, Pacific Gas & Electric, Southern California Edison and San Diego Gas & Electric are all rolling out their own web portals or partnering with third parties to provide that information. Up until now, the problem has been that the data has not been available.
  • In May 2011, The CPUC came out with a proposed ruling aimed at clearing up all the questions about who owns and controls data that passes through smart meters, utility back-office platforms and customers’ in-home devices. It also sets out to define who’s responsible for all that data.
    • The proposed privacy rules are based on the Fair Information Practice (FIP) Principles, which originated in 1973 and have subsequently become the basis of many privacy laws in the US and many other countries. Descriptions of these principles and additional information about data privacy can be found at the Organisation for Economic Cooperation and Development (OECD) website.
    • The CPUC assessed how the FIP principles map to provisions in the Public Utility Code and a California law passed in 2010, SB 1476, that specifically addressed energy use data. The analysis found clear alignment with five principles: Transparency, Individual Participation, Purpose Specification, Use Limitation and Data Security. The principles that did not have direct linkages are still considered to be “consistent with California law and policy objectives”.
    • Each utility must provide pricing, usage and cost data to customers in a customer-friendly manner. Specifically, PG&E, SCE, and SDG&E must offer residential customers bill-to-date, bill forecast data, projected month-end tiered rate, a rate calculator, and notifications to customers as they cross rate tiers. They are directed to work with the California Independent System Operator to improve customer access to wholesale electricity prices. PG&E, SCE, and SDG&E each must file an advice letter within six months that provides customers with access to usage, price, and billing data. Each must also commence a pilot study within six months on how to provide real-time or near real-time pricing information to customers.
    • Because the CPUC can’t directly control the interested companies that want to leverage that data -- Google, EnerNOC and Control4 all participated in the rule making-- it created rules for devices that will access the data from the smart meter. Regardless of how the data is obtained – from smart meters or from third party devices, the CPUC stated it will ensure equal regulatory treatment for third parties who acquire usage data from the utility via a smart meter or through an internet-connected
    • For consumers who want to share their information with an outside company, a utility tariff will require that any home area network device that is “locked” to a certain third party, which will start transferring information from the smart meter, must be in compliance with the CPUC requirements. The utilities have six months to create those tariffs.
    • For devices that aren’t locked into a particular third party, the utility will be charged with making consumers aware of “the potential uses and abuses of usage data should the customer forward or otherwise provide the data to another entity.”
    • The decision also adopts a framework to allow customers to authorize third parties who agree to comply with the adopted privacy and security rules to receive usage data from utilities via the “backhaul.”
    • SDG&E must continue to provide third parties access to customer usage data and PG&E and SCE must initiate such a service. PG&E, SCE, and SDG&E must each file an advice letter within six months that creates a tariff to provide third parties, with customer authorization, with usage and billing information consistent with the policies and rules adopted to protect the privacy of customers.
    • The decision orders the three utilities to commence pilot studies within six months to connect Home Area Network-enabled devices to Smart Meters to provide real-time or near-real-time pricing information to their customers.
    • The decision also adopts reporting and audit requirements regarding the utilities’ customer data privacy and security practices, third-party access to customer usage information, and any security breaches of customer usage information.
    • The decision does not answer the question about whether or not it has the authority to regulate either the customer or other entities that acquire any energy usage data that bypasses the utility. A separate phase of this proceeding will address whether or not these rules apply to gas corporations, community choice aggregators, energy service providers, and other electric utilities outside of the IOUs.
    • The full Commission has to act on this proposal, and has the options to enact some or all of it; modify some or all of it; or ignore it and prepare its own decision. Comments may be filed on this proposed decision, and I’m sure we’ll see a number of parties offering reactions.

4. Benefits
CPUC Order

  • Transparency (Notice) - Covered entities shall provide customers with meaningful, clear, accurate, specific, and comprehensive notice regarding the collection, storage, use, and disclosure of covered information. Covered entities shall provide notice in their first paper or electronic correspondence with the customer, if any, and shall provide conspicuous posting of the notice or link to the notice on the home page of their website.
  • Data Minimization - Covered entities shall collect, store, use, and disclose only as much covered information as is reasonably necessary or as authorized by the Commission to accomplish a specific primary purpose or for a specific secondary purpose authorized by the customer.
    • (b) Data Retention. Covered entities shall maintain covered information only for as long as reasonably necessary or as authorized by the Commission to accomplish a specific primary purpose identified in the notice required under section 2 or for a specific secondary purpose authorized by the customer.
    • (c) Data Disclosure. Covered entities shall not disclose to any third party more covered information than is reasonably necessary or as authorized by the Commission to carry out on behalf of the covered entity a specific primary purpose identified in the notice required under section 2 or for a specific secondary purpose authorized by the customer.
  • Use and Disclosure Limitation - Covered information shall be used solely for the purposes specified by the covered entity. An electrical corporation may collect, store and use covered information for primary purposes without customer consent. Other covered entities may collect, store and use covered information only with prior customer consent, except as otherwise provided here.
  • Data Quality and Integrity - Covered entities shall ensure that covered information they collect, store, use, and disclose is reasonably accurate and complete or otherwise compliant with applicable rules and tariffs regarding the quality of energy usage data.
  • Data Security - Covered entities shall implement reasonable administrative, technical, and physical safeguards to protect covered information from unauthorized access, destruction, use, modification, or disclosure.
  • Accountability and Auditing - Covered entities shall be accountable for complying with the requirements herein, and must make available to the Commission upon request or audit—
    1. The privacy notices that they provide to customers,
    2. Their internal privacy and data security policies,
    3. The identities of agents, contractors and other third parties to which they disclose covered information, the purposes for which that information is disclosed, indicating for each category of disclosure whether it is for a primary purpose or a secondary purpose,
    4. Copies of any secondary-use authorization forms by which the covered party secures customer authorization for secondary uses of covered data.

5. Risks
  • Marketers can’t buy information from your utility company, but hope to access your data by getting you to sign an authorization form for release of your smart meter information. And there aren’t rules regarding third-parties, such as websites, software, mobile apps or electronic displays that help monitor energy usage.
    • Imagine getting a call from your computer’s manufacturer informing you that your use voided your warranty.
    • Imagine getting on-screen advertising for new dryers from Samsung and Whirlpool when energy use showed you had to run your dryer longer than usual.
    • Imagine your health insurance going up because you never use your treadmill, or your home insurance going up because you don’t actually set that fancy alarm that got you a discount.
  • Law Enforcement traditionally must get a search warrant to access meter data from your utility company, just like they would to search anywhere else in your home. Those protections don’t apply to data revealed to third parties—such as a company that helps you monitor your energy use online or from a smart phone, or a company that makes a counter-top device to monitor energy use.
  • Criminals - Such as burglars, vandals or abusive partners could monitor real-time data and patterns to see when your house is vacant—or not.
  • Abusive Partners may be able to track and monitor victims who have gone into hiding by using personal information transmitted through the Smart Grid.
  • Identity Thieves and computer hackers could gain access to your unique data from the smart grid, and either match it to other financial data, or use it to fraudulently impersonate you as a utility customer, ruining your credit.

6. Issues
  • Jurisdiction Over Third Parties
    • What authority does the Commission have over entities that receive information on a consumer's energy usage from the utility? What actions, if any, can the Commission take in response to misuse of data by such an entity?
    • What authority, if any, does the Commission have over entities that receive information on a consumer's energy usage from sources other than the utility (from a HAN device or from the customer, for example)? What actions, if any, can the Commission take in response to misuse of data by such an entity?
    • What authority does the Commission have over entities not involved in utility operations that have obtained customer approval to access their usage data?
  • Closed Markets for Information - As long as the utilities hold onto meter data and don’t share it with everybody, the market will be very constrained on what can be done without spending a lot of money.
  • Usage Privacy - A major concern is that people don't want to be inundated with telemarketing calls tied to their usage behavior. There is also concern about what they are doing being known minute by minute. The average utility customer does not understand why a utility would want to know how often she opens her refrigerator door or how many loads of laundry she does on which days, yet that data and more will be available to utilities. A person can drop their cell phone and walk away, or choose to use cash rather than a traceable credit card, but people can’t just choose not to use power in their home; they are locked into the privacy decisions that will be made as the smart grid develops.
  • Data Ownership - When does the customer “own” the data? That’s a tricky question. Utilities in most states are considered to be custodians, rather than owners, of the energy data that comes from their customers. Still, they own the smart meters that deliver the data, and the back-office IT that calculates bills — and they’ve got to protect that data from misuse.
  • FIP Weaknesses - The FIPs are criticized by some scholars for being less comprehensive in scope than privacy regimes in other countries, in particular in European Union and other OECD countries. Additionally, the FTC's formulation of the principles has been criticized in comparison to those issued by other agencies. The FTC's 2000 version of FIPs is shorter and less complete than the privacy protection principles issued by the Privacy Office of the Department of Homeland Security in 2008, which include eight principles closely aligned with the OECD principles.

    Some in the privacy community criticize the FIPs for being too weak, allowing too many exemptions, failing to require a privacy agency, failing to account for the weaknesses of self-regulation, and not keeping pace with information technology. Many privacy experts have called for omnibus privacy protection legislation in the US in lieu of the current blend of self-regulation and selective codification in certain sectors.

    Critics from a business perspective often prefer to limit FIPs to reduced elements of notice, consent, and accountability. They complain that other elements are unworkable, expensive, or inconsistent with openness or free speech principles.

7. Success Criteria
  • Communicate Benefits - Consumers will have to be shown the benefits of Smart Energy outweigh its privacy risks.
  • Make Data Security a Priority - Chief privacy officers should be a fixture at every utility and they should perform a thorough privacy check-up on any supplier or partner firm.
  • Harden data handling procedures - While there may be dubious benefit to stealing the private data from individual citizen's smart meters, it is naive to think that privacy concerns will not find their way into regulation. That means data will have to be partitioned when needed longer term, destroyed when transient, and never left in an unknown state.
  • Involve Stakeholders- For example, providing infrastructure to communicate wide-area measurement data across the grid requires agreement by the stakeholders on the information network architecture, the supported functions, data exchange interface definitions, and legal conditions for granting use of the data.


8. Companies/Organizations
  1. CPUC - California Public Utilities Commission - Smart Grid Privacy Ruling, Comments, Responses and Motions are included in Proceeding R0812009 - Order Instituting Rulemaking to Consider Smart Grid Technologies Pursuant to Federal Legislation and on the Commission's own Motion to Actively Guide Policy in California's Development of a Smart Grid System.
  2. EPIC - Electronic Privacy Information Center - Washington, DC - a public interest research center established in 1994 to focus public attention on emerging civil liberties issues and to protect privacy, the First Amendment, and constitutional values.
  3. NAESB - North American Energy Standards Board - Has created a task force on data privacy. That task force will hold a series of conference calls beginning March 2011, so that guidance is available for consideration when the National Association of Regulatory Utility Commissioners (NARUC) meets in Los Angeles in July 2011. The NAESB task force will engage in an open, transparent process to identify standard business practices with regard to consumer energy use data and is co-chaired by Christine Wright, a member of the Public Utility Commission of Texas, and Robin Lunt, assistant general counsel for NARUC. (Click on the NAESB link for information on the conference calls.)

    The task force will not reinvent the wheel, but will include a review of existing laws and standards, including California's efforts and the guidelines on cyber security and privacy set forth in 2010 by the National Institute of Standards and Technology (NISTIR 7628).
  4. TURN - The Utility Reform Network, San Francisco, CA - Utility watchdog that stands up for consumer rights, affordable rates and a more livable California. Smart Meter data privacy is one of their current issues. Smart meters tell utilities how much energy you use, when you use it, what you use it for and even what appliances you use it with. All of this information leaves you at risk for identity theft, surveillance, physical danger and other misuse of your information. Learn what you can do to protect yourself, and what needs to be done to ensure your right to privacy.


9. Links
  1. California Public Utilities Commission - Documents for Smart Meter Data Privacy Proceedings (R0812009)
  2. CPUC - Smart Grid Homepage
  3. Elias Leake Quinn - A Report for the Colorado PUC Spring 2009 Smart Metering & Privacy: Existing Law and Competing Policies (PDF)- Demonstrates how the frequency and quality of SG load readings can be used to identify which appliances -- and therefore which activities -- are taking place behind the meter, and when.
  4. Computational Disclosure Control A Primer on Data Privacy Protection (PDF)- A 2000 study by Carnegie Mellon University researcher Latanya Sweeney, who obtained publicly available health insurance information on Massachusetts state workers that was stripped of names, addresses, social security numbers and other identifying information. Sweeney then purchased state voter rolls for Cambridge, including the name, ZIP code, address, sex and birth date of every registrant.

    The insurance data showed that there were six people in Cambridge born on the same day as the governor: half were men. The voter data allowed Sweeney to pinpoint the state's governor as the only one of those residing in a particular ZIP code in Cambridge. The corresponding health-insurance data included the governor's medical diagnoses and prescriptions. Thus, Sweeney managed to use two data sources to obtain personal information that couldn't be learned from either one alone.
  5. Lerner, J. I., Mulligan, D. K., Taking the 'Long View' on the Fourth Amendment: Stored Records and the Sanctity of the Home Stanford Technology Law Review (STLR), Vol. 3, 2008.
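The Sweeney linkage attack in link 4 applies directly to "anonymized" meter data: strip the name and account number, and a ZIP code plus a service-start date can still be joined against a public record. The following is an added example, not code from the page or from Sweeney's report, that runs the join on two small constructed tables (the "de-identified" table has no names; the "voter roll" does), reports which records are unique on the shared quasi-identifiers, and shows how coarsening those fields raises k-anonymity until the join yields nothing. All names, ZIP codes, dates and diagnoses are made up.

```python
# Added example, not code from the original page: the linkage attack
# described above, run on two small constructed tables.  "Health" carries
# no names, addresses or SSNs; "voters" is a public roll.  Joining on the
# shared quasi-identifiers (ZIP, birth date, sex) re-identifies every
# record that is unique on those three fields.  All names, ZIPs,
# dates and diagnoses are made up.
from collections import Counter, defaultdict

QUASI = ("zip", "dob", "sex")

HEALTH = [  # "de-identified" insurance records: six people share a birthday
    {"zip": "02138", "dob": "1945-07-31", "sex": "M", "diagnosis": "hypertension"},
    {"zip": "02139", "dob": "1945-07-31", "sex": "M", "diagnosis": "asthma"},
    {"zip": "02140", "dob": "1945-07-31", "sex": "M", "diagnosis": "diabetes"},
    {"zip": "02139", "dob": "1945-07-31", "sex": "F", "diagnosis": "migraine"},
    {"zip": "02139", "dob": "1945-07-31", "sex": "F", "diagnosis": "anemia"},
    {"zip": "02141", "dob": "1945-07-31", "sex": "F", "diagnosis": "influenza"},
]

VOTERS = [  # public voter roll with names (constructed)
    {"name": "Alice Adams", "zip": "02139", "dob": "1945-07-31", "sex": "F"},
    {"name": "Betty Brown", "zip": "02139", "dob": "1945-07-31", "sex": "F"},
    {"name": "Carl Cole",   "zip": "02138", "dob": "1945-07-31", "sex": "M"},
    {"name": "Dan Diaz",    "zip": "02139", "dob": "1945-07-31", "sex": "M"},
    {"name": "Frank Ford",  "zip": "02140", "dob": "1945-07-31", "sex": "M"},
    {"name": "Gina Gray",   "zip": "02141", "dob": "1945-07-31", "sex": "F"},
    {"name": "Hank Hill",   "zip": "02138", "dob": "1960-01-01", "sex": "M"},
]


def key(record, quasi=QUASI):
    """The quasi-identifier tuple both tables share."""
    return tuple(record[q] for q in quasi)


def k_anonymity(records, quasi=QUASI):
    """Smallest group size over quasi-identifier values; k=1 means someone is unique."""
    return min(Counter(key(r, quasi) for r in records).values())


def link(health, voters, quasi=QUASI):
    """Re-identify health records that match exactly one voter on the quasi-identifiers."""
    index = defaultdict(list)
    for v in voters:
        index[key(v, quasi)].append(v)
    hits = []
    for h in health:
        matches = index.get(key(h, quasi), [])
        if len(matches) == 1:
            hits.append((matches[0]["name"], h["diagnosis"]))
    return hits


def generalize(record):
    """Coarsen the quasi-identifiers: 3-digit ZIP prefix and birth year only."""
    g = dict(record)
    g["zip"] = record["zip"][:3]
    g["dob"] = record["dob"][:4]
    return g


if __name__ == "__main__":
    print("k on raw data:", k_anonymity(HEALTH))
    for name, diagnosis in link(HEALTH, VOTERS):
        print("re-identified:", name, "->", diagnosis)
    coarse_health = [generalize(r) for r in HEALTH]
    coarse_voters = [generalize(v) for v in VOTERS]
    print("k after generalization:", k_anonymity(coarse_health))
    print("re-identified after generalization:", link(coarse_health, coarse_voters))
```

Four of the six "anonymous" records are unique on (ZIP, birth date, sex) and get a name attached; the two women who share a ZIP and birthday survive only because they form a group of two. Generalizing to a 3-digit ZIP and birth year gives k=3 on this toy data and the join finds nothing. The same reasoning applies to interval meter data: the fewer and coarser the fields a utility releases to a third party, the less there is to join on.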
