On Privacy in a Connected Future
ID 126273940 © Ekkasit Keatsirikul | Dreamstime.com
- February 28, 2019
- 516 views
A recent development in New Hampshire made me think of privacy in energy systems.
Eversource, the state’s largest electric utility, has asked regulators for permission to control customers smart thermostats in a demand response pilot. The program is fairly small, representing one percent of the utility’s customers, and is opt-in.
“Raising it (the smart thermostat temperature) a couple of degrees, no more than 4 degrees is usually the optimal amount to get a benefit without affecting the customer too much. The hope is that the customers don’t even know,” said Michael Goldman, manager of regulation planning and evaluation. He also gave the usual set of reasons, such as peak shaving, for the program. This is not the first time that such an experiment has been conducted. California’s Energy Commission already has requirements for smart thermostats to pass along usage information back to the utility.
The unanswered question in all these experiments relates to privacy. Connected devices create some very visible risks to privacy. They centralize data and establish single points of failure (SPOC). In the case above, imagine a situation where hackers are able to increase or decrease temperatures for a large cross-section of population or, even, cause serious mishaps, such as electrical fires, by finding their way into the grid. There’s also the problem with misuse of energy and personal data, if it falls into the wrong hands. In spite of these problems, discussions around this aspect of connected devices has been fairly muted.
I suppose part of the reason for this is their convenience and framing their use within the context of energy. Controlling smart thermostats will enable utilities to monitor and, possibly, reduce electricity consumption and reach their climate change goals. It is all about balancing the need for privacy with the need for a greater common good - climate change. A future in which smart energy devices controlled by utilities are present in every home may not an ideal one. But, given the lack of discussion about privacy, it seems to be the only one.
In 2013, the Federal Trade Commission (FTC) conducted a panel discussion of its staff to evaluate the pros and cons of privacy in a connected world. While certain members of the panel came out against connected devices, a majority was in favor of them. In the end, the Commission staff voted in favor of not legislating Internet of Things (IoT) devices because it threatened innovation.
For what it’s worth, the Commission applies Fair Information Practice Principles (FIPP) to cases involving privacy. There are five principles - Notice/Awareness, Choice/Consent, Access/Participation, Integration/Security, and Enforcement/Redress - in FIPP. In their current form, they lack the nuances required to discuss privacy.
For example, the Choice/Consent principle has opt-in and opt-out clauses requirements but it does not discuss secondary uses of data collected. Can utilities and smart device companies sell the data to third-party providers of services? If yes, what are the requirements to make such a sale? If a grid is hacked and a disaster occurs, who is responsible for it? This discussion is similar to the current one about PG&E’s culpability in California’s forest fires.
These points apart, there is some progress being made on this topic. A group of New York utilities have asked the Public Service Commission for authority to require and enforce Data Security Agreements for entities seeking access to customer data or utility systems. The utilities claim that energy service entities (ESE) have refused to sign the data security agreement’s “reasonable and minimal data privacy and cybersecurity standards.”