
Privacy and Security Concerns Still Unresolved



There are serious privacy concerns growing among consumers and others about this technology being imposed on us.  Wireless smart meters can be hacked by outsiders. 

They will be able to tell you and the utility company how much energy you are using every 15 minutes; real-time monitoring is proposed for the next generation of smart meters.


This is extremely dangerous. Do you want the utility company and manufacturers (and hackers and insurance companies among others) to know how often you use your appliances, including when you turn off and on your home security system?  The Denver Post reports:

The "smart" electric grid may be just a little too smart. Once a smart meter is attached to a home, it can gather a lot more data than just how much electricity a family uses.

It can tell how many people live in the house, when they get up, when they go to sleep and when they aren't home.

It can tell how many showers they take and loads of laundry they do. How often they use the microwave. How much television they watch and what kind of TV they watch it on.

Almost 200,000 smart meters are now being installed between Fort Collins and Pueblo, and across the country 52 million smart meters will be installed by 2015, according to a Federal Energy Regulatory Commission estimate.

"This is technology that can pierce the blinds," said Elias Quinn, author of a smart grid privacy study for the Colorado Public Utilities Commission.

"Insufficient oversight could lead to an unprecedented invasion of consumer privacy," Quinn warned in his report to the PUC.

Source: Denver Post, “New electricity grids may be smart, but not so private,” May 18, 2010: http://www.denverpost.com/frontpage/ci_15106430

For the Elias L. Quinn presentation: “Privacy and the Smart Grid,” August 29, 2009: http://www.dora.state.co.us/puc/presentations/InformationMeetings/SmartGrid/08-25-09_CWorkshop09I-593EG_Smart-GridSecurity-Quinn.pdf; or PPT version: http://www.dora.state.co.us/puc/presentations/InformationMeetings/09M-247ALL-CIMs.htm

Also, Elias L. Quinn: “Smart Metering & Privacy: Existing Law and Competing Policies,” Spring 2009: http://www.dora.state.co.us/puc/DocketsDecisions/DocketFilings/09I-593EG/09I-593EG_Spring2009Report-SmartGridPrivacy.pdf

Who wants your information and why?

| Who wants smart meter data? | How could the data be used? |
|---|---|
| Utilities | To monitor electricity usage and load; to determine bills |
| Electricity usage advisory companies | To promote energy conservation and awareness |
| Insurance companies | To determine health care premiums based on unusual behaviors that might indicate illness |
| Marketers | To profile customers for targeted advertisements |
| Law enforcers | To identify suspicious or illegal activity* |
| Civil litigators | To identify property boundaries and activities on premises |
| Landlords | To verify lease compliance |
| Private investigators | To monitor specific events |
| The press | To get information about famous people |
| Creditors | To determine behavior that might indicate creditworthiness |
| Criminals | To identify the best times for a burglary or to identify high-priced appliances to steal |

Source: “Potential Privacy Impacts that Arise from the Collection and Use of Smart Grid Data,” National Institute of Standards and Technology, Volume 2, pp. 30–32, Table 5-3. For this graph and more info, read the IEEE Spectrum article, “Privacy on the Smart Grid: Are smart meters spies? They don’t have to be,” October 2010: http://spectrum.ieee.org/energy/the-smarter-grid/privacy-on-the-smart-grid


So just who owns and licenses your personal info gathered from smart meters is still up in the air.

Will, and should, the utilities be required to obtain informed consent from consumers and/or warn consumers about potential security and privacy problems? Should they be required to give consumers full access to any data they are collecting?

The more people know about smart meters, the more likely they are to worry about the impact those meters will have on their privacy, according to recent studies reported in an article published in Forbes.

"Technology is changing too quickly," as an article published by KEMA (energy consultants) points out:

Forbes: “Why Smart People Are Suspicious of Smart Meters,” December 10, 2010: http://blogs.forbes.com/williampentland/2010/12/10/why-smart-people-are-suspicious-of-smart-meters/

MuniWireless: "Detailed discussion of Smart Grid security with Bob Lockhart of Pike Research," December 10, 2010, http://www.muniwireless.com/2010/12/10/detailed-discussion-of-smart-grid-security/

Maltastar.com: “Smart meter software company found guilty of data theft,” November 24, 2010: http://www.maltastar.com/pages/r1/ms10dart.asp?a=13020

IEEE Spectrum: “Privacy on the Smart Grid: Are smart meters spies? They don’t have to be,” October 2010: http://spectrum.ieee.org/energy/the-smarter-grid/privacy-on-the-smart-grid

Technology Review: “How to Hack the Power Grid for Fun and Profit; Attackers could manipulate poorly protected data to make money or cause blackouts,” October 7, 2010: http://mobile.technologyreview.com/energy/26472/

CABPRO Report: "How secure is PG&E’s SmartMeter Network?" August 10, 2010, http://cabproreport.typepad.com/weblog/2010/08/how-secure-is-pges-smartmeter-network.html

Electronic Frontier Foundation: "New 'Smart Meters' for Energy Use Put Privacy at Risk," by Lee Tien, March 10, 2010: http://www.eff.org/deeplinks/2010/03/new-smart-meters-energy-use-put-privacy-risk.

KEMA: "Privacy and the smart grid: A quagmire of questions vexes the industry," December 2009: http://www.kema.com/services/consulting/utility-future/smart-grid/december-2009.aspx

The National Institute of Standards and Technology (NIST) was tasked by the Federal Energy Regulatory Commission to form a national taskforce/team to recommend voluntary privacy and security standards and guidelines, and issued them in September 2010:

"These advisory guidelines are a starting point for the sustained national effort that will be required to build a safe, secure and reliable Smart Grid," said George Arnold, NIST's national coordinator for Smart Grid interoperability. "They provide a technical foundation for utilities, hardware and software manufacturers, energy management service providers, and others to build upon. Each organization's implementation of cyber security requirements should evolve as technology advances and new threats to grid security arise."

Source: National Institute of Standards and Technology, “NIST Finalizes Initial Set of Smart Grid Cyber Security Guidelines,” September 2, 2010: http://www.nist.gov/public_affairs/releases/nist-finalizes-initial-set-of-smart-grid-cyber-security-guidelines.cfm

Thus, while the NIST has developed its first set of guidelines, it admits there are still "gaps" that need to be addressed (see pages 116-121 of its report or Chapter 7, "Next Steps") regarding the "Privacy Issues of the Smart Grid." Excerpt:

The PIA findings revealed that a lack of consistent and comprehensive privacy policies, standards, and supporting procedures throughout the states, government agencies, utility companies, and supporting entities that will be involved with Smart Grid management, information collection, and use creates a very significant privacy risk that must be addressed.

The ability to access, analyze, and respond to a much wider range of data from all levels of the electric grid is a major benefit of the Smart Grid, but it is also a significant concern from a privacy viewpoint, particularly when the data, resulting analysis and assumptions, are associated with individual consumers or dwellings. Some privacy advocates have raised serious concerns about the type and amount of billing, usage, appliance, and other related information flowing throughout the various components of the Smart Grid.

The privacy implications of frequent meter readings being fed into the Smart Grid networks could provide a detailed time line of activities occurring inside the home. This data may point to a specific individual or give away privacy sensitive data.

The constant collection and use of smart meter data has also raised potential surveillance possibilities posing physical, financial, and reputational risks that must be addressed. Many more types of data are being collected, generated and aggregated within the Smart Grid than when the only data collected was through monthly meter readings by the homeowner or utility employee. Numerous additional entities outside of the energy industry may also be collecting, accessing, and using the data, such as entities that are creating applications and services specifically for smart appliances, smart meters and other yet-to-be-identified purposes. Additionally, privacy issues arise from the question of the legal ownership of the data being collected. With ownership comes both control and rights with regard to usage. If the consumer is not considered the owner of the data obtained from metering and home automation systems, the consumer may not receive the privacy protections provided to data owners under existing laws.  It is important to also consider that the proliferation of a variety of smart appliances and devices within residences means an increase in the number of devices that must be secured to protect the privacy of the data collected and potentially stored within them. The privacy risks presented by these smart appliances and devices are expanded when they are attached to Home Area Networks (HANs) over power lines, effectively extending the perimeter of the HAN to outside the walls of the premises.

While the National Association of Regulatory Utility Commissioners (NARUC) has adopted the “Resolution Urging the Adoption of General Privacy Principles for State Commission Use in Considering the Privacy Implications of the Use of Utility Customer Information,” the CSCTG Privacy Group’s research indicates that:

•  There is not yet consensus among state Public Utility Commissions (PUCs) on how to address the specific privacy implications of the Smart Grid.
• State PUCs may not have in all instances the appropriate authority from their respective legislatures to address Smart Grid privacy issues.

To read the full NIST report, “Introduction to NISTIR 7628: Guidelines for Smart Grid Cyber Security,” September 2010, you can find it on-line here: http://csrc.nist.gov/publications/nistir/ir7628/introduction-to-nistir-7628.pdf

Vol 1: http://csrc.nist.gov/publications/nistir/ir7628/nistir-7628_vol1.pdf

Vol 2: http://csrc.nist.gov/publications/nistir/ir7628/nistir-7628_vol2.pdf

Vol 3: http://csrc.nist.gov/publications/nistir/ir7628/nistir-7628_vol3.pdf

Thus, security and government experts continue to have serious security concerns despite the NIST guidelines. Here's an excerpt from a January 19, 2011 CNET news story reporting on the GAO's outstanding concerns:

Certain smart meters have not been designed with a strong security architecture and lack important security features like event logging and forensics capabilities used to detect and analyze cyberattacks, while smart-grid home area networks that manage electricity usage of appliances also lack adequate built-in security, according to the report (PDF) released last week by the GAO, the auditing and investigative arm of the U.S. Congress.

"Without securely designed smart-grid systems, utilities will be at risk of not having the capacity to detect and analyze attacks, which increases the risk that attacks will succeed and utilities will be unable to prevent them from recurring," said the report.

The report also took aim at the self-regulatory nature of the industry, saying utilities are focusing on complying with minimum regulatory requirements rather than having adequate security to prevent cyberattacks.

The National Institute of Standards and Technology "does not have a definitive plan and schedule, including specific milestones, for updating and maintaining its cybersecurity guidelines to address key missing elements," the report concluded. One of the important elements NIST has failed to address is the risk of attacks that use both cyber and physical means, the report said.

"Furthermore, Federal Energy Regulatory Commission has not established an approach coordinated with other regulators to monitor the extent to which industry is following the smart-grid standards it adopts," the report said. "The voluntary standards and guidelines developed through the NIST and FERC processes offer promise. However, a voluntary approach poses some risks when applied to smart-grid investments, particularly given the fragmented nature of regulatory authority over the electricity industry."


Source: CNET News: "Report finds smart-grid security lacking," about the GAO report finding security problems with smart grid technology, January 19, 2011: http://news.cnet.com/8301-27080_3-20028992-245.html#ixzz1BXtMS8zI

To read the full GAO Report: United States Government Accountability Office: “Report to Congressional Requesters: ELECTRICITY GRID MODERNIZATION: Progress Being Made on Cybersecurity Guidelines, but Key Challenges Remain to be Addressed,” January 2011, found on-line here: http://www.gao.gov/new.items/d11117.pdf


Other stories about government and security experts and their concerns:

CNET News: "Money trumps security in smart-meter rollouts, experts say,” June 15, 2010: http://news.cnet.com/8301-27080_3-20007672-245.html#ixzz1BdK85z90

Columbus Dispatch: “'Smart' meters' flaws aid hacking,” March 27, 2010: http://www.dispatch.com/live/content/business/stories/2010/03/27/smart-meters-flaws-aid-hacking.html

Washington Post: “Experts: Smart grid poses privacy risks” by Brian Krebs, November 18, 2009: http://voices.washingtonpost.com/securityfix/2009/11/experts_smart_grid_poses_priva.html

Technology Review: "Four Ways to Hack the Smart Grid," September 01, 2009: http://www.greenbiz.com/blog/2009/09/01/four-ways-hack-smart-grid#ixzz0sBjDNb6o

U.S. News & World Report: “Security Researchers Offer Caution on Smart Grids,” August 4, 2009: http://www.usnews.com/science/articles/2009/08/04/security-researchers-offer-caution-on-smart-grids

Wall Street Journal: "Electricity Grid in U.S. Penetrated By Spies," April 8, 2009, http://online.wsj.com/article/SB123914805204099085.html




California Proceedings

It’s clear that even though there are national efforts to address privacy and security problems, those problems have yet to be resolved.

As a result, in current California Public Utility Commission proceedings, the consumer advocates and utilities are still trying to arrive at what standards they will adhere to -- with the utilities saying they don’t want to be required and regulated to ensure consumer info doesn’t end up in third party hands. Consumer groups and consumer advocates, meanwhile, as we have seen and read, want these security and privacy problems resolved before states and utilities are allowed to install the wireless smart meters on our homes and businesses. So why are smart meters continuing to be installed?

Read documents filed with the California Public Utilities Commission, which is currently holding a proceeding, Rulemaking-0812009, regarding the privacy issues at stake: http://docs.cpuc.ca.gov/published/proceedings/R0812009.htm

In particular, a Brief filed on December 6, 2010, by the Utilities Consumers' Action Network (UCAN) in San Diego, the Division of Ratepayer Advocates, and TURN (The Utility Reform Network), which are consumer groups advocating for California utility consumers, explains the problems that have yet to be resolved:

Page 1-5 (IOU = Investor Owned Utilities):
        There are precious few areas of consensus in the jurisdictional briefs, but there is a
notable one: the jurisdictional issue focuses primarily on the legal question of the
Commission’s jurisdiction over third parties that approach customers directly without
contractual relationships with an IOU. More specifically, at issue is whether Commission
can apply and enforce consumer protection rules on parties who gain energy usage data
directly from the customer’s Home Area Network (HAN) device and who are not in
privity/contract with the IOUs.
        Another area of consensus is that most of the parties cite the same authorities.
Unfortunately, the unity ends there. The interest groups interpret those same authorities
differently. The third-party companies seemingly want to avoid regulatory oversight at
all costs, so they distort the meaning of SB 1476 so as affirmatively block Commission
jurisdiction. The utilities seek to avoid any potential liability in the event that the data is
misused, and therefore they construe the Commission’s jurisdiction, and thus their
liability, as narrowly as possible. The representatives of utility customers, who seek to
avoid a repeat of the many abuses visited upon California’s telecommunications and
financial services customers, construe the law to maximize the Commission’s jurisdiction
– that is to say, accurately.
        We say “accurately” because the Commission has been tasked with protecting
consumers by the same legislature that passed AB 1476. Public Utilities Codes Sections
391, 394, 495, 701, 5810 and 8380 are among the many recent laws that require the
Commission to protect utility consumers, even in demonstrably competitive markets.
These laws make clear that the Legislature cannot have intended in SB 1476 to force the
Commission to abdicate its consumer protection obligations.
        There is another issue upon which consensus is scarce – in large part because the
third-parties and utilities are silent on the matter of choice – or rather, absence of choice.
The state’s electric customers were not given options as to whether smart meters with
HAN devices were to be installed upon their houses and businesses. They were not given
an option to decline these intrusive instruments if they were concerned about their
privacy being preserved. Unlike phones, railroads, moving trucks or other necessary
services overseen by this Commission, the smart meters that currently pose threats to
customer privacy were mandated for every customer. There was no choice involved.
Further, it was the Commission's desire to further energy goals that caused it to extend
smart meter installation universally. Thus, at every step of the way, the Commission is
involved in regulation. It simply cannot abdicate the final step in this process by leaving
consumers alone to suffer the vicissitudes of the third party’s customer service policies
and practices.
        As importantly, the existence of those meters creates a very real danger that
electric customers will be tricked or inappropriately persuaded to release their personal
data to third party companies. The Commission must assume that the customers that it is
legally required to protect will, in some cases, be relinquishing control over their private
data without their informed consent. The Commission must act to ensure that customers
are protected to the maximum possible extent by requiring all parties that seek and
receive Smart Grid data, from whatever point in the system, be required to live by some
basic and uniform rules.
        Customer Representatives UCAN, DRA and TURN make the following points in
this brief:
1. The legislative history makes clear that SB 1476 was not intended to limit
Commission oversight to utilities and their contractors.
2. Parties opposing the Commission’s exercise of jurisdiction misconstrue the
applicable law.

...The Commission should find it has jurisdiction to protect the privacy of consumers
regardless of who seeks or uses their Smart Grid data, and of the point in the electric
network from which is obtained. SB 1476 gives the Commission the right to exercise this
traditional consumer protection function, and the Commission should exercise its
jurisdiction given that customers have no choice to opt out of the smart metering
program.

Source: For more details on the privacy and security issues that utilities and third-party vendors are failing to address, or over which they do not want the CPUC to assert its jurisdiction, please read the rest of this Brief, found on-line at: http://docs.cpuc.ca.gov/efile/BRIEF/127721.pdf. FYI, Michael Shames, of UCAN, prepared this brief for UCAN, DRA and TURN.

The Consumer Federation of California, meanwhile, is raising these important and alarming points with its Brief filed December 6, 2010:

        ...PG&E argues that agents of the utility are the only third parties over whom the
Commission may exercise jurisdiction, as exemplified by an examination of penal
statutes.  The statutes it cites do not support its argument.
        ...It is clear from the review of the Public Utility Code and privacy statutes,
discussed below and in the Appendix, that the legislature intended any entity in
possession of personal information be held to the same standards as the utilities. The
Legislature was aware of the practice of third parties purchasing personal information of
a customer from the entity which gathered it.
        ...The Commission may find that a public utility’s practice of releasing information to third
parties is unjust, unreasonable and improper, and order utilities to institute a procedure
which makes any third party obtaining consumption data from the utility abide by the
Commission’s privacy rules.
        ...Southern California Edison (SCE) claims “the IOUs have no reasonable means
of investigating or verifying suspected misuse of customer energy usage data by
customer-authorized third parties, or adjudicating or enforcing such matters.”  The
statement is somewhat ambiguous. SCE should provide further explanation because
there appear to be a number of means by which SCE could investigate misuse of
customer data. If SCE means it doesn’t have the money it needs to investigate, that
can be rectified in its current rate filing. SCE could create a procedure for customers to
complain about mishandling of the data (e.g., using the data to market a product), and
investigate those claims. In the absence of proof to the contrary, it appears that if SCE
wanted to investigate data misuse, it could find ways to do so.
        SCE says it “prefers to allow its customers to continue to have the responsibility
for monitoring and managing the use of data by their authorized third parties, as is the
case today for customer authorized releases of data from the IOUs.” In order to
monitor and manage the consumption data, however, the customer would have to be
given the right to make sure the meter is providing accurate information, to test the
meter and have it fixed, if necessary. The accuracy of data registered by the meter is
critical in the energy management process. The utilities have not offered to give up
control of their meters.
        ...SCE argues that rather than enforcing state laws protecting customers’ privacy,
the Commission should “direct the IOUs to engage in appropriate education and
outreach efforts to help empower customers to protect themselves from misuse of
energy usage and other data gathered through customer HANs.” Education provided
by a utility may be biased.
        The likelihood that a utility can impartially “inform customers that they are not
obligated to authorize third party data access because they can access energy usage
data and other energy management tools from their IOUs” is slim. Look at PG&E’s
efforts to ‘educate’ consumers in Marin County, San Francisco and the San Joaquin
Valley about community choice aggregation. According to a Marin County Supervisor,
“PG&E met Marin's efforts [to establish community choice] with a skillfully executed
misinformation campaign.” The general manager of the San Joaquin Valley Power
Authority described PG&E’s response to formation of the Authority as “a continuum of
opposition and non-cooperation.”  Utilities have their own interests to protect. Any
educational outreach should be performed by the Commission or a neutral and qualified
agency.
        ...San Diego Gas & Electric and SoCal Gas argue there is sufficient regulation of
customers’ privacy because there are “extensive state and federal regulations and
statutes that already address the misuse of customer data,” consumer protections are
“already appropriately addressed” and therefore, should not be duplicated by the
Commission. An attachment to SDG&E’s brief lists and summarizes the regulations
and statutes to which it refers. CFC has found, in examining those statutes, that many
would not apply to electric and gas utilities. None apply to energy consumption data.
        ...The legislature has required that a utility releasing consumption data to a 3rd
party require by contract that the third party implement and maintain reasonable security
procedures and practices appropriate to the nature of the information, to protect the
personal information from unauthorized access, destruction, use, modification, or
disclosure.” They suggest that the Commission direct the utility to interrupt or cutoff
the flow of utility information regarding a consumer’s energy usage.” The legislature
has appointed utilities, not the Commission, with the duty to withhold information from
third parties when there is any suspicion that the third party will not protect it. If utilities
would perform the duties given them by the Legislature, there would be no need for the
Commission to exercise jurisdiction over third parties.

Source: For more statements and supporting information provided in the Brief filed by the Consumer Federation of California, you can read the CFC brief on-line here: http://docs.cpuc.ca.gov/efile/BRIEF/127999.pdf.  The brief was submitted by Alexis K. Wodtke of the CFC.


Due to Human Rights and Privacy Concerns, Netherlands Residents Can Opt Out: So Should We


A November 2010 presentation by the BEUC (European Consumers' Organization) reports how the 2008 mandatory smart metering program in the Netherlands constituted a violation of the European Convention of Human Rights (Art. 8 ECHR) protecting privacy of information. As a result, the new Dutch smart metering proposal (2010) includes:
  • Voluntary rollout
  • Consumer choice:
    1. Right to refuse instead of duty to accept;
    2. A smart meter, but no communication;
    3. Standard information (default), 6 times a year.

Source: Read pages 9 and 10, "Data privacy and security in smart meters; How to face this challenge?" presentation by Monika Štajnarová, http://www.florence-school.eu/portal/page/portal/FSR_HOME/ENERGY/Policy_Events/Workshops/2010/Smart_Metering/Presentation_Stanjarova.pdf

Presented November 26, 2010, at the Workshop on Regulatory aspects of data transmission, data security and data protection in relation to smart metering conference, European University Institute, Florence, Italy, November 26, 2010: http://www.florence-school.eu/portal/page/portal/FSR_HOME/ENERGY/Policy_Events/Workshops/2010/Smart_Metering


Thus, in the Netherlands, the legislature approved allowing citizens the right to opt out of wireless smart meters, due to concerns about privacy.  If they can have that right there, why can't we? 

Consumentenbond, the Netherlands' version of Consumers Union/Consumer Reports, supported the residents -- it would be great if our Consumer Reports here in the U.S. did the same and supported the right to opt out!

Read NRC Handelsblad: "Smart energy meter will not be compulsory; The 'smart energy meter' will not be compulsory in the Netherlands. Minister of economic affairs Maria van der Hoeven backed down after consumer groups raised privacy concerns." April 8, 2009: http://www.nrc.nl/international/article2207260.ece/Smart_energy_meter_will_not_be_compulsory



