Meters: Too “Smart” For Their Own Good?

The phrase “you are what you eat” popped into my head as I began this blog post. It might be better to say “you are what you consume” and truer words were never spoken when one considers technology, analytics, and the measurement of electricity consumption. New metering technology — labeled “smart grid” — and the privacy implications associated with it have already generated (no pun intended) a lot of text, presentations and concerns.

Meters can already collect a unique meter identifier, timestamp, usage data, and time synchronization every 15 to 60 minutes. With “smart meters”, outage, voltage, phase, frequency data, and detailed status and diagnostic information from networked sensors and appliances can also be collected.  What does this mean? “Load signatures” can provide a lot of detail about life in your own home: whether you’re using the microwave or stove to cook; whether and when you’re watching television, what medical equipment, if any, is being used; how many times you get up in the middle of the night. All because you’ve turned on something that uses electricity. While the curtains may be drawn, the smart meter can blithely reveal.

Sophisticated analytics of voltage, current and consumption can say a lot about the existence and detailed use of anything that uses electricity in one’s home. And rest assured, there will be a lot of interest in that information.

Electricity distribution companies (“EDCs”) want to use usage data for a variety of purposes such as remote meter reading, outage management, load forecasting and peak load billing. Appliance manufacturers could conduct market research to find out how their products are used or how they operate in the field. Insurers may want to use the data determine how and when a loss occurred. Law enforcement authorities would naturally look to these records for evidence of criminal activity. We’ve already seen the Supreme Court of Canada sanction the admissibility of evidence gathered through the use of digital recording ammeters in R. v. Gomboc.

On privacy, the policy objective of Ontario’s energy regulator seems to be:

 “Respect and protect the privacy of customers. Integrate privacy requirements into smart grid planning and design from an early stage, including the completion of privacy impact assessments”

That’s a nice position but it doesn’t say a lot. Privacy assessments, in and of themselves, don’t solve problems.

Ontario’s Information and Privacy Commissioner and The Future of Privacy Forum have a comprehensive paper on the subject of smart grids and privacy. There is also a “case study” involving Ontario’s Hydro One that has clearly good intentions and some interesting tidbits of information but not a lot of details and leaves one wanting more. For example, it appears to suggest that energy consumption, power statistics and the meter identifier are the only data elements collected from smart meters. Just how detailed is the consumption information and power statistics collected? You do get the sense that Hydro One wants to make sure privacy isn’t used as an impediment to smart meter use.

Ontario’s Privacy Commissioner has jurisdiction over only those EDCs owned by municipalities through MFIPPA. However, not all of Ontario’s 80 local electricity distribution companies are publicly owned and therefore subject to that legislation. And under MFIPPA, the Commissioner may only order an institution to cease a collection practice or destroy collections of personal information that contravene this Act – very draconian measures that really don’t make much sense in the context of provisioning electricity.

Similarly, a search of the federal privacy Commissioner’s site for documentation reveals a reference that shows it to be a research priority for 2011-12. It may be that the federal Privacy Commissioner is only tackling the issue now with respect to non-publicly owned EDCs.

One jurisdiction has proactively implemented some of the good thinking out there on smart grid privacy. California’s Public Utilities Commission last month adopted a privacy and security rule for “smart grid” electricity consumption and there are some concepts that are worth repeating in other jurisdictions. The decision is available here and the rule, in Attachment D, is available here.

Some of the interesting concepts found in the rule are:

Real-time access requests are to be treated as wiretaps requiring approval under the federal or state wiretap law.

Prior notification, in writing, of subpoenas for disclosure, unless otherwise prohibited from doing so by a court order, law, or order of the Commission.

An independent privacy and security audit — to be reported to Commission as part of the utility’s general rate case filing.

“Reasonably necessary” requirements for data collection, retention and disclosure.

The rule applies not only to “electrical corporations” subject to the jurisdiction of the Commission but also any service provider and any third party who accesses, collects, stores, uses or discloses “covered information” whether by order of the Commission itself or with the consent of the customer concerned.

California’s efforts with respect to the personal information that can be gleaned from electricity use data is laudable as an attempt to assuage the unease about what metering technology may or may not be able to say about us. Perhaps the Ontario Energy Board should think about doing the same.