Experts: Smart grid poses privacy risks

Wed Nov 18 14:05:10 PST 2009

(O'RLY)

http://voices.washingtonpost.com/securityfix/2009/11/experts_smart_grid_poses_priva.html

Experts: Smart grid poses privacy risks

Technologists already are worried about the security implications of linking
nearly all elements of the U.S. power grid to the public Internet. Now,
privacy experts are warning that the so-called "smart grid" efforts could
usher in a new class of concerns, as utilities begin collecting more granular
data about consumers' daily power consumption.

"The modernization of the grid will increase the level of personal
information detail available as well as the instances of collection, use and
disclosure of personal information," warns a report (PDF) jointly released
Tuesday by the Ontario Information and Privacy Commissioner and the Future of
Privacy Forum (FPF), a think tank made up of chief privacy officers,
advocates and academics.

Smart grid technology -- including new "smart meters" being attached to
businesses and homes -- is designed in part to provide consumers with
real-time feedback on power consumption patterns and levels. But as these
systems begin to come online, it remains unclear how utilities and partner
companies will mine, share and use that new wealth of information, experts
warn.

"Instead of measuring energy use at the end of each billing period, smart
meters will provide this information at much shorter intervals," the report
notes. "Even if electricity use is not recorded minute by minute, or at the
appliance level, information may be gleaned from ongoing monitoring of
electricity consumption such as the approximate number of occupants, when
they are present, as well as when they are awake or asleep. For many, this
will resonate as a 'sanctity of the home' issue, where such intimate details
of daily life should not be accessible."

According to the study, examples of information that utilities and partner
companies might be able to glean from more granular power consumption data
include whether and how often exercise equipment is used; whether a house has
an alarm system and how often it is activated; when occupants usually shower,
and how often they wash their clothes.

Other privacy risks could result from the combination of information from two
separate users of the smart grid: For example, roaming smart grid devices,
such as electric vehicles recharging at a friend's or acquaintance's house,
could create or reveal additional personal information.

At a recent smart grid conference in Madrid, FPF co-chair Jules Polonetsky
showed how researchers have already mapped unique load patterns of different
equipment, showing that for instance washing machines pull power in different
ways than other devices (graphic below courtesy FPF).

SMloadsigs.JPG

In an interview with Security Fix, Polonestsky said some utilities have
adopted the stance that existing regulations already prevent them from
sharing customer data without prior authorization. But he noted that as power
companies transition to the smart grid, those utilities are going to be
collecting -- and potentially retaining -- orders of magnitude more data on
their customers than ever before.

"Relatively speaking, [utilities] aren't big marketing companies with big
back end databases ready to handle the tidal wave of data that's coming," he
said. "But we're a little worried that without some serious planning now,
there's going to be quite a challenge in a couple of years when people start
realizing that maybe should think about developing some solid data retention
policies that address what's going to be done with all of this data."

Indeed, the report found that "comprehensive and consistent definitions of
personally identifiable information do not generally exist in the utility
industry. Privacy concerns arise when there is a possibility of discovering
personal information, such as the personal habits, behaviors and lifestyles
of individuals inside dwellings, and to use this information for secondary
purposes, other than for the provision of electricity."

Ontario is on track to have a smart meter installed at every home and
business by the end of 2010. More than 8 million smart meters are used in the
United States today, and more than 50 million more could be installed in at
least two dozen states over the next five years, according to the Edison
Foundation's Institute for Electric Efficiency.

The report echoes some of the same concerns raised in a recent report (PDF)
drafted by the National Institute of Standards and Technology, which warned
that "distributed energy resources and smart meters will reveal information
about residential consumers and activities within the house," A NIST panel
tasked with examining the cyber security aspects of the smart grid found "a
lack of formal privacy policies, standards or procedures about information
gathered and collected by entities involved in the smart grid," and that
comprehensive and consistent definitions of personally identifiable
information do not generally exist in the utility industry.

Update, 3:30 p.m. ET: Added graphic and comment from FPF co-chair.