Smart Security and Privacy for the Smart Grid

Last week, security researcher Brian Krebs reported on an FBI bulletin warning that criminals are hacking smart meters. In the bulletin, the FBI warns that former employees of smart meter manufacturers and utilities have been reprograming residential and commercial smart meters to lower power bills. The FBI identifies one particular instance where a utility may have lost hundreds of millions of dollars due to this type of hacking.

While it is unfortunate that hacking of smart meters has taken place, it is not surprising. Where there is data and money, criminals will find a way to hack and steal. Indeed, criminals have been stealing from analog meters for decades as well.

However, criminal activity should not impede our adoption of important new technologies. For example, ATMs and online banking accounts are hacked today, but nobody is suggesting we should forgo the benefits provided by banks and retail websites. Similarly, smart meters offer consumers and society significant benefits, namely increased reliability, potentially smaller electric bills, and lower carbon emissions. These benefits should not be surrendered simply because digital progress comes with a risk of digital misuse.

Rather, the appropriate response is to focus on improving security and protecting privacy. With good policies and safety measures, we can minimize the risk and protect against loss. We need to recognize that absolute security is not possible. If the bar for technology adoption was set at 100% perfect, we would still be in the Dark Ages. We should take the FBI warning seriously and examine the research needed to minimize intrusions. By instituting reasonable security and privacy measures and building privacy and security into the design process, we can ensure that consumers reap the benefits of progress.

Google Glasses and the Do Not See List?

Release of new details about the Google Glass project deservedly is getting great attention from a range of tech and privacy writers.  The idea of smart glasses is familiar to fans of Vernor Vinge’s book Rainbow’s End, which won the 2007 Hugo Award for best science fiction novel of the year.  It’s safe to say that most people, however, have not deeply imagined what it will be like to have the equivalent of a computer screen super-imposed on their vision as they go through daily life.

Reporters have been asking whether to foresee advertisements on the smart glasses of the near future.  My assumption is that we will see ads.  Ads exist on television, radio, magazines, smartphones, and the Internet, so they will almost certainly exist on smart glasses.

Will there also be privacy debates about those advertisements?  Yes, of course.  Marketing companies will emphasize that the ads are incredibly useful – you look at the restaurant when walking down the street and a coupon pops up.  Privacy advocates will emphasize the intrusiveness of seeing the world through a series of distracting and perhaps-unwanted ads.  Advocates are also likely to express concern about the power of advertising to literally shape a person’s “world view” – to alter what a person sees moment-by-moment when traveling through life.

As the privacy debates commence, I think we can even announce a likely title for a regulatory debate about smart glasses – the “Do Not See List.”  We have had “Do Not Call” for phones and “Do Not Track” for web surfing.  Should individuals have the right to opt out of targeted ads on their glasses?  It will be overwhelmingly tempting to call the privacy debate about smart glasses the “Do Not See” debate. I hereby give in to the temptation early.

For me, it is unbelievably exciting to imagine the range of new applications that will emerge to see the world differently.  It is hard to predict the killer aps for this space, except to predict that there will be many of them.  (As a professor, I immediately think how wonderful it would be to get prompts of student names when I forget them.)  It is easy to predict, though, that privacy and other tech experts will debate long and hard about who gets to affect what I see, as I look out through my new pair of smart glasses.

 

-Peter Swire

Apr. 3, 2012 – What the FTC's Privacy Recommendations Mean for Consumers & Business, Web Pro News

FPF Asks NTIA to Focus on "App Privacy"

The Future of Privacy Forum (FPF) today filed its suggestion with the NTIA that a first area that the Multi-Stakeholder Process should address is mobile device applications. In February, the White House announced a privacy initiative through which enforceable industry codes of conduct would emerge from a Multi-Stakeholder Process, and it requested input from interested parties on which privacy issues should be addressed through the process.

In a submission filed with the National Telecommunications and Information Administration (NTIA), FPF observed:  “The continued proliferation and use of mobile devices by consumers for a multitude of communication and computing purposes, with a corresponding increase in downloads and use of mobile apps, makes app privacy a priority.  Reports of privacy issues with mobile apps abound, making the issue timely and urgent.”  The mobile app issue recently was addressed by FPF co-chairs Jules Polonestky and Christopher Wolf in an opinion piece recently published by the San Jose Mercury News.

FPF strongly supports the Administration’s efforts to enhance data privacy protections and promote consumer trust in a networked society.  FPF also supports NTIA’s efforts to facilitate the development of enforceable codes of conduct through a Multi-Stakeholder Process.  With the rapid evolution of technology, an approach in lieu of technology-specific and prescriptive legislation and one that allows affected parties to participate is prudent.

In proposing mobile apps as a first area of focus for the MSHP process, FPF noted the   important work that has already been done in the area and urged the integration of the foundational work already done and the continuation of parallel activities.

It noted the app best practices guidelines and model app privacy policies already have been produced by the GSMA (representing mobile operators, the Electronic Frontier Foundation (“EFF”), the Center for Democracy and Technology (“CDT”), the Future of Privacy Forum and the Mobile Marketing Association (“MMA”), which provide a substantive starting point for consideration of binding Codes of Conduct.  And it observed that further progress is expected from efforts such as the April 25, 2012 App Developer Privacy Summit convened by the Future of Privacy Forum, the Application Developers Alliance and the Stanford Center for Information and Society.

Media: For more information, please email [email protected]

Polonetsky Interviews with Capital Insider

On Monday, March 5th Jules Polonetsky interviewed with the NewsChannel 8 program “Capital Insider.” Viewers in Maryland, Virginia and Washington, DC watched Jules speak about mobile app privacy issues and Google’s privacy policy. To watch the interview, please click here.

Yahoo Launches Global Support for Do Not Track

Kudos to Yahoo for once again being an industry leader in advancing online privacy measures. We were pleased to work with Yahoo on both the first implementation of an industry symbol labeling behavioral ads, as well as their Ad Preference manager. As the FTC continues to urge successful Do Not Track implementation as an alternative to a Do Not Track law, it is critical that companies show progress by offering users actionable tools. Although there are details still to be worked out in fleshing out the parameters of Do Not Track between industry, browsers, and the W3C, real progress through major Do Not Track implementations demonstrates that business practical privacy enhancing steps are truly feasible. To see Yahoo’s post on the news, please click here.

 

FPF to Speak at Event about the Latest Privacy Developments

Tomorrow morning from 8:30am – 10:30 am, Jules and Chris will participate in “The Latest Developments in Internet Privacy,” a panel hosted by ISOC-DC TV at SRI International (1100 Wilson Blvd. Suite 2800 Arlington, VA). Justin Brookman, Director of the Project on Consumer Privacy at the Center for Democracy and Technology will also participate on the panel. Free registration and more information about the event can be found here. The event will also be livestreamed here.

Context and Legitimate Basis: US-EU approaches to data processing

The Federal Trade Commission released its report on consumer privacy on Monday to provide policy recommendations for American businesses and legislators. Combined with the recently released Privacy Bill of Rights, the report helps lay out a path for the emerging comprehensive US data privacy framework.

As the EU also advances a revision of its data privacy regime through its new draft regulation a key factor to examine is how the two continents’ modified approaches will interact. Put another way, considering the need for data collection and processing, are the two distinct privacy regimes becoming more interoperable or are they diverging?

For example, the three documents consider when consumer choice (known as consent in the EU) should be offered before personal data can be collected or further processed. While the FTC report and Privacy Bill of Rights may result in a simplification of consumer choice principles, the EU draft regulation aims to toughen the concept by requiring “explicit consent”.

The major difference is in the two continents’ approach to individual control, i.e. when and to what degree must choice and transparency be provided to the data subject before the controller is able to collect data. The US’s proposed approach relies on the concept of “context”, meaning that processing should only be carried out in the context of the services requested by the consumer. The EU’s draft regulation, by contrast, calls for controllers to demonstrate a “legitimate basis” for data processing.

In both cases, companies are limited to processing data for purposes that are compatible with the original collection of data. Furthermore, both concepts have been proposed in an effort to allow companies to fulfill their contractual obligations to data subjects without having to solicit permission for each required data operation.

However, While the EU’s “legitimate basis” is exclusively intended to be a derogation from a process which otherwise relies on strict (explicit) consent, the US provides a framework in which companies need only provide choice and heightened transparency when data is used in a manner diverging from “commonly accepted principles”, i.e. when processing is outside the context of why a particular set of data was collected.

The ability for data collection to lead innovation has propelled the debates on choice and explicit consent to become a key issue in today’s global privacy debate. Forthcoming legislation will determine whether data privacy regulation is compatible with innovation and therefore provides policy-makers on both sides of the Atlantic with the opportunity to bridge the gap between their distinct privacy approaches.

 

-Julian Flamant

Mar. 26, 2012 – Facebook May Rummage Through Your Trash, SmartMoney

Mar. 26, 2012 – Mostly Public Praise for FTC Privacy Report, Broadcasting & Cable