6. Privacy and Security Concerns Still Unresolved

There are serious privacy concerns growing among consumers and others about this technology being imposed on us. Wireless smart meters can be hacked by outsiders. They will be able to tell you and the utility company how much energy you are using every 15 minutes; the next generation of smart meters proposed real-time monitoring. This is extremely dangerous. Do you want the utility company and manufacturers (and hackers and insurance companies, among others) to know how often you use your appliances, including when you turn your home security system off and on?

The Denver Post reports:

The "smart" electric grid may be just a little too smart. Once a smart meter is attached to a home, it can gather a lot more data than just how much electricity a family uses. It can tell how many people live in the house, when they get up, when they go to sleep and when they aren't home. It can tell how many showers they take and loads of laundry they do. How often they use the microwave. How much television they watch and what kind of TV they watch it on.

Almost 200,000 smart meters are now being installed between Fort Collins and Pueblo, and across the country 52 million smart meters will be installed by 2015, according to a Federal Energy Regulatory Commission estimate.

"This is technology that can pierce the blinds," said Elias Quinn, author of a smart grid privacy study for the Colorado Public Utilities Commission.

"Insufficient oversight could lead to an unprecedented invasion of consumer privacy," Quinn warned in his report to the PUC.

Source: Denver Post, "New electricity grids may be smart, but not so private," May 18, 2010: http://www.denverpost.com/frontpage/ci_15106430

For Elias L. Quinn's presentation, "Privacy and the Smart Grid," August 29, 2009: http://www.dora.state.co.us/puc/presentations/InformationMeetings/SmartGrid/08-25-09_CWorkshop09I-593EG_Smart-GridSecurity-Quinn.pdf; or PPT version: http://www.dora.state.co.us/puc/presentations/InformationMeetings/09M-247ALL-CIMs.htm

Also, Elias L. Quinn: “Smart Metering & Privacy: Existing Law and Competing Policies,” Spring 2009: http://www.dora.state.co.us/puc/DocketsDecisions/DocketFilings/09I-593EG/09I-593EG_Spring2009Report-SmartGridPrivacy.pdf

Who wants your information and why?
Source: "Potential Privacy Impacts that Arise from the Collection and Use of Smart Grid Data," National Institute of Standards and Technology, Volume 2, pp. 30–32, Table 5-3. For this graph and more info, read the IEEE Spectrum article, “Privacy on the Smart Grid: Are smart meters spies? They don’t have to be,” October 2010: http://spectrum.ieee.org/energy/the-smarter-grid/privacy-on-the-smart-grid

Will, and should, the utilities be required to obtain informed consent from consumers and/or warn consumers about potential security and privacy problems? Should they be required to give consumers full access to any data they are collecting?

The more people know about smart meters, the more likely they are to worry about the impact those meters will have on their privacy, according to recent studies reported in an article published in Forbes. "Technology is changing too quickly," as an article published by KEMA (energy consultants) points out:

Forbes: “Why Smart People Are Suspicious of Smart Meters,” December 10, 2010: http://blogs.forbes.com/williampentland/2010/12/10/why-smart-people-are-suspicious-of-smart-meters/

MuniWireless: "Detailed discussion of Smart Grid security with Bob Lockhart of Pike Research," December 10, 2010: http://www.muniwireless.com/2010/12/10/detailed-discussion-of-smart-grid-security/

Maltastar.com: “Smart meter software company found guilty of data theft,” November 24, 2010: http://www.maltastar.com/pages/r1/ms10dart.asp?a=13020

IEEE Spectrum: “Privacy on the Smart Grid: Are smart meters spies? They don’t have to be,” October 2010: http://spectrum.ieee.org/energy/the-smarter-grid/privacy-on-the-smart-grid

Technology Review: “How to Hack the Power Grid for Fun and Profit; Attackers could manipulate poorly protected data to make money or cause blackouts,” October 7, 2010: http://mobile.technologyreview.com/energy/26472/

CABPRO Report: "How secure is PG&E’s SmartMeter Network?" August 10, 2010: http://cabproreport.typepad.com/weblog/2010/08/how-secure-is-pges-smartmeter-network.html

Electronic Frontier Foundation: "New 'Smart Meters' for Energy Use Put Privacy at Risk," by Lee Tien, March 10, 2010: http://www.eff.org/deeplinks/2010/03/new-smart-meters-energy-use-put-privacy-risk

KEMA: "Privacy and the smart grid: A quagmire of questions vexes the industry," December 2009: http://www.kema.com/services/consulting/utility-future/smart-grid/december-2009.aspx

The
National Institute of Standards and Technology (NIST) was tasked by the
Federal Energy Regulatory Commission to form a national taskforce/team
to recommend voluntary privacy and security standards and guidelines,
and issued them in September 2010: "These
advisory guidelines are a starting point for the sustained national
effort that will be required to build a safe, secure and reliable Smart
Grid," said George Arnold, NIST's national coordinator for Smart Grid
interoperability. "They provide a technical foundation for utilities,
hardware and software manufacturers, energy management service
providers, and others to build upon. Each organization's implementation
of cyber security requirements should evolve as technology advances and
new threats to grid security arise."

Source: National Institute of Standards and Technology, “NIST Finalizes Initial Set of Smart Grid Cyber Security Guidelines,” September 2, 2010: http://www.nist.gov/public_affairs/releases/nist-finalizes-initial-set-of-smart-grid-cyber-security-guidelines.cfm

Thus, while NIST has developed its first set of guidelines, it admits there are still "gaps" that need to be addressed regarding the "Privacy Issues of the Smart Grid" (see pages 116-121 of its report, or Chapter 7, "Next Steps"). Excerpt:

The PIA findings revealed that a lack of consistent and comprehensive privacy policies, standards, and supporting procedures throughout the states, government agencies, utility companies, and supporting entities that will be involved with Smart Grid management, information collection, and use creates a very significant privacy risk that must be addressed.

The ability to access, analyze, and respond to a much wider range of data from all levels of the electric grid is a major benefit of the Smart Grid, but it is also a significant concern from a privacy viewpoint, particularly when the data, resulting analysis and assumptions, are associated with individual consumers or dwellings. Some privacy advocates have raised serious concerns about the type and amount of billing, usage, appliance, and other related information flowing throughout the various components of the Smart Grid.

The privacy implications of frequent meter readings being fed into the Smart Grid networks could provide a detailed time line of activities occurring inside the home. This data may point to a specific individual or give away privacy sensitive data. The constant collection and use of smart meter data has also raised potential surveillance possibilities posing physical, financial, and reputational risks that must be addressed.

Many more types of data are being collected, generated and aggregated within the Smart Grid than when the only data collected was through monthly meter readings by the homeowner or utility employee. Numerous additional entities outside of the energy industry may also be collecting, accessing, and using the data, such as entities that are creating applications and services specifically for smart appliances, smart meters and other yet-to-be-identified purposes.

Additionally, privacy issues arise from the question of the legal ownership of the data being collected. With ownership comes both control and rights with regard to usage. If the consumer is not considered the owner of the data obtained from metering and home automation systems, the consumer may not receive the privacy protections provided to data owners under existing laws.

It is important to also consider that the proliferation of a variety of smart appliances and devices within residences means an increase in the number of devices that must be secured to protect the privacy of the data collected and potentially stored within them. The privacy risks presented by these smart appliances and devices are expanded when they are attached to Home Area Networks (HANs) over power lines, effectively extending the perimeter of the HAN to outside the walls of the premises.

While the National Association of Regulatory Utility Commissioners (NARUC) has adopted the “Resolution Urging the Adoption of General Privacy Principles for State Commission Use in Considering the Privacy Implications of the Use of Utility Customer Information,” the CSCTG Privacy Group’s research indicates that:

• There is not yet consensus among state Public Utility Commissions (PUCs) on how to address the specific privacy implications of the Smart Grid.
• State PUCs may not have in all instances the appropriate authority from their respective legislatures to address Smart Grid privacy issues.

Vol 1: http://csrc.nist.gov/publications/nistir/ir7628/nistir-7628_vol1.pdf
Vol 2: http://csrc.nist.gov/publications/nistir/ir7628/nistir-7628_vol2.pdf
Vol 3: http://csrc.nist.gov/publications/nistir/ir7628/nistir-7628_vol3.pdf

Thus, security and government experts continue to have serious security concerns despite the NIST guidelines. Here's an excerpt from a January 19, 2011 CNET News story reporting on the GAO's outstanding concerns:

Certain
smart meters have not been designed with a strong security architecture
and lack important security features like event logging and forensics
capabilities used to detect and analyze cyberattacks, while smart-grid
home area networks that manage electricity usage of appliances also lack
adequate built-in security, according to the report (PDF) released last week by the GAO, the auditing and investigative arm of the U.S. Congress.

"Without securely designed smart-grid systems, utilities will be at risk of not having the capacity to detect and analyze attacks, which increases the risk that attacks will succeed and utilities will be unable to prevent them from recurring," said the report.

The report also took aim at the self-regulatory nature of the industry, saying utilities are focusing on complying with minimum regulatory requirements rather than having adequate security to prevent cyberattacks.

The National Institute of Standards and Technology "does not have a definitive plan and schedule, including specific milestones, for updating and maintaining its cybersecurity guidelines to address key missing elements," the report concluded. One of the important elements NIST has failed to address is the risk of attacks that use both cyber and physical means, the report said.

"Furthermore, Federal Energy Regulatory Commission has not established an approach coordinated with other regulators to monitor the extent to which industry is following the smart-grid standards it adopts," the report said. "The voluntary standards and guidelines developed through the NIST and FERC processes offer promise. However, a voluntary approach poses some risks when applied to smart-grid investments, particularly given the fragmented nature of regulatory authority over the electricity industry."

Source: CNET News: "Report finds smart-grid security lacking," about the GAO report finding security problems with smart grid technology, January 19, 2011: http://news.cnet.com/8301-27080_3-20028992-245.html#ixzz1BXtMS8zI

To read the full GAO report: United States Government Accountability Office: “Report to Congressional Requesters: ELECTRICITY GRID MODERNIZATION: Progress Being Made on Cybersecurity Guidelines, but Key Challenges Remain to be Addressed,” January 2011, found on-line here: http://www.gao.gov/new.items/d11117.pdf

Other stories about government and security experts and their concerns:

CNET News: "Money trumps security in smart-meter rollouts, experts say," June 15, 2010: http://news.cnet.com/8301-27080_3-20007672-245.html#ixzz1BdK85z90

Columbus Dispatch: “'Smart' meters' flaws aid hacking,” March 27, 2010: http://www.dispatch.com/live/content/business/stories/2010/03/27/smart-meters-flaws-aid-hacking.html

Washington Post: “Experts: Smart grid poses privacy risks” by Brian Krebs, November 18, 2009: http://voices.washingtonpost.com/securityfix/2009/11/experts_smart_grid_poses_priva.html

Technology Review: "Four Ways to Hack the Smart Grid," September 01, 2009: http://www.greenbiz.com/blog/2009/09/01/four-ways-hack-smart-grid#ixzz0sBjDNb6o

U.S. News & World Report: “Security Researchers Offer Caution on Smart Grids,” August 4, 2009: http://www.usnews.com/science/articles/2009/08/04/security-researchers-offer-caution-on-smart-grids

Wall Street Journal: "Electricity Grid in U.S. Penetrated By Spies," April 8, 2009: http://online.wsj.com/article/SB123914805204099085.html

California Proceedings

It’s clear that even though
there are national efforts to address privacy and security problems, they
are still yet to be resolved. As a result, in current California Public Utilities Commission proceedings, the consumer advocates and utilities are still trying to arrive at what standards they will adhere to, with the utilities saying they don’t want to be required and regulated to ensure consumer info doesn’t end up in third-party hands. Consumer groups and consumer advocates, meanwhile, as we have seen and read, want these security and privacy problems resolved before states and utilities are allowed to install the wireless smart meters on our homes and businesses.

So why are smart meters continuing to be installed?

Read documents filed with the California Public Utilities Commission, which is currently having a Proceeding for Rulemaking-0812009 regarding the privacy issues at stake: http://docs.cpuc.ca.gov/published/proceedings/R0812009.htm

In particular, a Brief filed on December 6, 2010, by the Utilities Consumers' Action Network (UCAN) in San Diego, the Division of Ratepayer Advocates, and TURN (The Utility Reform Network), which are consumer groups advocating for California utility consumers, explains the problems that have yet to be resolved:

Pages 1-5 (IOU = Investor Owned Utilities):

There are precious few areas of consensus in the jurisdictional briefs, but there is a notable one: the jurisdictional issue focuses primarily on the legal question of the Commission’s jurisdiction over third parties that approach customers directly without contractual relationships with an IOU. More specifically, at issue is whether Commission can apply and enforce consumer protection rules on parties who gain energy usage data directly from the customer’s Home Area Network (HAN) device and who are not in privity/contract with the IOUs. Another area of consensus is that most of the parties cite the same authorities.

Unfortunately, the unity ends there. The interest groups interpret those same authorities differently. The third-party companies seemingly want to avoid regulatory oversight at all costs, so they distort the meaning of SB 1476 so as affirmatively block Commission jurisdiction. The utilities seek to avoid any potential liability in the event that the data is misused, and therefore they construe the Commission’s jurisdiction, and thus their liability, as narrowly as possible. The representatives of utility customers, who seek to avoid a repeat of the many abuses visited upon California’s telecommunications and financial services customers, construe the law to maximize the Commission’s jurisdiction – that is to say, accurately.

We say “accurately” because the Commission has been tasked with protecting consumers by the same legislature that passed AB 1476. Public Utilities Codes Sections 391, 394, 495, 701, 5810 and 8380 are among the many recent laws that require the Commission to protect utility consumers, even in demonstrably competitive markets. These laws make clear that the Legislature cannot have intended in SB 1476 to force the Commission to abdicate its consumer protection obligations.

There is another issue upon which consensus is scarce – in large part because the third-parties and utilities are silent on the matter of choice – or rather, absence of choice. The state’s electric customers were not given options as to whether smart meters with HAN devices were to be installed upon their houses and businesses. They were not given an option to decline these intrusive instruments if they were concerned about their privacy being preserved. Unlike phones, railroads, moving trucks or other necessary services overseen by this Commission, the smart meters that currently pose threats to customer privacy were mandated for every customer. There was no choice involved.

Further, it was the Commission's desire to further energy goals that caused it to extend smart meter installation universally. Thus, at every step of the way, the Commission is involved in regulation. It simply cannot abdicate the final step in this process by leaving consumers alone to suffer the vicissitudes of the third party’s customer service policies and practices.

As importantly, the existence of those meters creates a very real danger that electric customers will be tricked or inappropriately persuaded to release their personal data to third party companies. The Commission must assume that the customers that it is legally required to protect will, in some cases, be relinquishing control over their private data without their informed consent.

The Commission must act to ensure that customers are protected to the maximum possible extent by requiring all parties that seek and receive Smart Grid data, from whatever point in the system, be required to live by some basic and uniform rules.

Customer Representatives UCAN, DRA and TURN make the following points in this brief:

1. The legislative history makes clear that SB 1476 was not intended to limit Commission oversight to utilities and their contractors.
2. Parties opposing the Commission’s exercise of jurisdiction misconstrue the applicable law.

...The Commission should find it has jurisdiction to protect the privacy of consumers regardless of who seeks or uses their Smart Grid data, and of the point in the electric network from which is obtained. SB 1476 gives the Commission the right to exercise this traditional consumer protection function, and the Commission should exercise its jurisdiction given that customers have no choice to opt out of the smart metering program.

Source: For more details on the privacy and security issues that utilities and third-party vendors are failing to address, or over which they do not want the CPUC to assert its jurisdiction, please read the rest of this Brief, found on-line at: http://docs.cpuc.ca.gov/efile/BRIEF/127721.pdf. FYI, Michael Shames, of UCAN, prepared this brief for UCAN, DRA and TURN.

...PG&E argues that agents of the utility are the only third parties over whom the Commission may exercise jurisdiction, as exemplified by an examination of penal statutes. The statutes it cites do not support its argument.

...It is clear from the review of the Public Utility Code and privacy statutes, discussed below and in the Appendix, that the legislature intended any entity in possession of personal information be held to the same standards as the utilities. The Legislature was aware of the practice of third parties purchasing personal information of a customer from the entity which gathered it.

...The Commission may find that a public utility’s practice of releasing information to third parties is unjust, unreasonable and improper, and order utilities to institute a procedure which makes any third party obtaining consumption data from the utility abide by the Commission’s privacy rules.

...Southern California Edison (SCE) claims “the IOUs have no reasonable means of investigating or verifying suspected misuse of customer energy usage data by customer-authorized third parties, or adjudicating or enforcing such matters.” The statement is somewhat ambiguous. SCE should provide further explanation because there appear to be a number of means by which SCE could investigate misuse of customer data. If SCE means it doesn’t have the money it needs to investigate, that can be rectified in its current rate filing. SCE could create a procedure for customers to complain about mishandling of the data (e.g., using the data to market a product), and investigate those claims. In the absence of proof to the contrary, it appears that if SCE wanted to investigate data misuse, it could find ways to do so.

SCE says it “prefers to allow its customers to continue to have the responsibility for monitoring and managing the use of data by their authorized third parties, as is the case today for customer authorized releases of data from the IOUs.” In order to monitor and manage the consumption data, however, the customer would have to be given the right to make sure the meter is providing accurate information, to test the meter and have it fixed, if necessary. The accuracy of data registered by the meter is critical in the energy management process. The utilities have not offered to give up control of their meters.

...SCE argues that rather than enforcing state laws protecting customers’ privacy, the Commission should “direct the IOUs to engage in appropriate education and outreach efforts to help empower customers to protect themselves from misuse of energy usage and other data gathered through customer HANs.” Education provided by a utility may be biased. The likelihood that a utility can impartially “inform customers that they are not obligated to authorize third party data access because they can access energy usage data and other energy management tools from their IOUs” is slim. Look at PG&E’s efforts to ‘educate’ consumers in Marin County, San Francisco and the San Joaquin Valley about community choice aggregation. According to a Marin County Supervisor, “PG&E met Marin's efforts [to establish community choice] with a skillfully executed misinformation campaign.” The general manager of the San Joaquin Valley Power Authority described PG&E’s response to formation of the Authority as “a continuum of opposition and non-cooperation.” Utilities have their own interests to protect. Any educational outreach should be performed by the Commission or a neutral and qualified agency.

...San Diego Gas & Electric and SoCal Gas argue there is sufficient regulation of customers’ privacy because there are “extensive state and federal regulations and statutes that already address the misuse of customer data,” consumer protections are “already appropriately addressed” and therefore, should not be duplicated by the Commission. An attachment to SDG&E’s brief lists and summarizes the regulations and statutes to which it refers. CFC has found, in examining those statutes, that many would not apply to electric and gas utilities. None apply to energy consumption data.

...The legislature has required that a utility releasing consumption data to a 3rd party require by contract that the third party implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.” They suggest that the Commission direct the utility to interrupt or cutoff the flow of utility information regarding a consumer’s energy usage.” The legislature has appointed utilities, not the Commission, with the duty to withhold information from third parties when there is any suspicion that the third party will not protect it. If utilities would perform the duties given them by the Legislature, there would be no need for the Commission to exercise jurisdiction over third parties.

Source: For more statements and supporting information provided in the Brief filed by the Consumer Federation of California, you can read the CFC brief on-line here: http://docs.cpuc.ca.gov/efile/BRIEF/127999.pdf. The brief was submitted by Alexis K. Wodtke of the CFC.

Due to Human Rights and Privacy Concerns, Netherlands Residents Can Opt Out: So Should We

A November 2010 presentation by the BEUC (European Consumers' Organization) reports how the 2008 mandatory smart metering program in the Netherlands constituted a violation of the European Convention on Human Rights (Art. 8 ECHR) protecting privacy of information. As a result, the newly proposed Dutch smart metering proposal (2010) includes:

1. Right to refuse instead of duty to accept;
2. A smart meter, but no communication;
3. Standard information (default), 6 times a year.

Source: Read pages 9 and 10, "Data privacy and security in smart meters; How to face this challenge?" presentation by Monika Štajnarová: http://www.florence-school.eu/portal/page/portal/FSR_HOME/ENERGY/Policy_Events/Workshops/2010/Smart_Metering/Presentation_Stanjarova.pdf

Presented at the Workshop on Regulatory aspects of data transmission, data security and data protection in relation to smart metering conference, European University Institute, Florence, Italy, November 26, 2010: http://www.florence-school.eu/portal/page/portal/FSR_HOME/ENERGY/Policy_Events/Workshops/2010/Smart_Metering

Consumentenbond, the Netherlands' version of Consumers Union/Consumer Reports, supported the residents -- it would be great if our Consumer Reports here in the U.S. did the same and supported the right to opt out!

Read
NRC Handelsblad: "Smart energy meter will not be compulsory; The 'smart
energy meter' will not be compulsory in the Netherlands. Minister of
economic affairs Maria van der Hoeven backed down after consumer groups
raised privacy concerns." April 8, 2009: http://www.nrc.nl/international/article2207260.ece/Smart_energy_meter_will_not_be_compulsory