Network News

X My Profile
View More Activity

Experts: Smart grid poses privacy risks

Technologists already are worried about the security implications of linking nearly all elements of the U.S. power grid to the public Internet. Now, privacy experts are warning that the so-called "smart grid" efforts could usher in a new class of concerns, as utilities begin collecting more granular data about consumers' daily power consumption.

"The modernization of the grid will increase the level of personal information detail available as well as the instances of collection, use and disclosure of personal information," warns a report (PDF) jointly released Tuesday by the Ontario Information and Privacy Commissioner and the Future of Privacy Forum (FPF), a think tank made up of chief privacy officers, advocates and academics.

Smart grid technology -- including new "smart meters" being attached to businesses and homes -- is designed in part to provide consumers with real-time feedback on power consumption patterns and levels. But as these systems begin to come online, it remains unclear how utilities and partner companies will mine, share and use that new wealth of information, experts warn.

"Instead of measuring energy use at the end of each billing period, smart meters will provide this information at much shorter intervals," the report notes. "Even if electricity use is not recorded minute by minute, or at the appliance level, information may be gleaned from ongoing monitoring of electricity consumption such as the approximate number of occupants, when they are present, as well as when they are awake or asleep. For many, this will resonate as a 'sanctity of the home' issue, where such intimate details of daily life should not be accessible."

According to the study, examples of information that utilities and partner companies might be able to glean from more granular power consumption data include whether and how often exercise equipment is used; whether a house has an alarm system and how often it is activated; when occupants usually shower, and how often they wash their clothes.

Other privacy risks could result from the combination of information from two separate users of the smart grid: For example, roaming smart grid devices, such as electric vehicles recharging at a friend's or acquaintance's house, could create or reveal additional personal information.

At a recent smart grid conference in Madrid, FPF co-chair Jules Polonetsky showed how researchers have already mapped unique load patterns of different equipment, showing that for instance washing machines pull power in different ways than other devices (graphic below courtesy FPF).


In an interview with Security Fix, Polonestsky said some utilities have adopted the stance that existing regulations already prevent them from sharing customer data without prior authorization. But he noted that as power companies transition to the smart grid, those utilities are going to be collecting -- and potentially retaining -- orders of magnitude more data on their customers than ever before.

"Relatively speaking, [utilities] aren't big marketing companies with big back end databases ready to handle the tidal wave of data that's coming," he said. "But we're a little worried that without some serious planning now, there's going to be quite a challenge in a couple of years when people start realizing that maybe should think about developing some solid data retention policies that address what's going to be done with all of this data."

Indeed, the report found that "comprehensive and consistent definitions of personally identifiable information do not generally exist in the utility industry. Privacy concerns arise when there is a possibility of discovering personal information, such as the personal habits, behaviors and lifestyles of individuals inside dwellings, and to use this information for secondary purposes, other than for the provision of electricity."

Ontario is on track to have a smart meter installed at every home and business by the end of 2010. More than 8 million smart meters are used in the United States today, and more than 50 million more could be installed in at least two dozen states over the next five years, according to the Edison Foundation's Institute for Electric Efficiency.

The report echoes some of the same concerns raised in a recent report (PDF) drafted by the National Institute of Standards and Technology, which warned that "distributed energy resources and smart meters will reveal information about residential consumers and activities within the house," A NIST panel tasked with examining the cyber security aspects of the smart grid found "a lack of formal privacy policies, standards or procedures about information gathered and collected by entities involved in the smart grid," and that comprehensive and consistent definitions of personally identifiable information do not generally exist in the utility industry.

Update, 3:30 p.m. ET: Added graphic and comment from FPF co-chair.

By Brian Krebs  |  November 18, 2009; 9:33 AM ET
Categories:  Latest Warnings , U.S. Government  | Tags: privacy, smart grird  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   StumbleUpon   Technorati   Google Buzz   Previous: Microsoft warns of Windows 7 security hole
Next: Bill would ban P2P use on federal networks, PCs


When we we wake up and realize privacy is a myth?

Posted by: jdcurry | November 18, 2009 11:09 AM | Report abuse

There are two issues I am concerned about:
1. The privacy issue - As mentioned in the article, quite a bit of information can be gleaned from electricity usage. The number of household members, their living habits (late night owls versus early to bed people), etc.

2. The insecurity of the system over the public (international) internet. Does anyone seriously think that these meters WON'T be hacked? Once someone figures out how to crack one, there will be no security of the power grid. Someone in some unnamed country can sit back and, at will, turn on and off entire sections of a city with the utilities having absolutely no control over their actions.

I understand the time-of-day pricing idea, where you encourage the individual user to shift usage to the cheaper times, but to use this simply as a way to charge the customer on a minute-by-minute basis is absurd.

Maybe the individual state public utility commissions can put some sanity into this situation.

Posted by: blasher | November 18, 2009 11:10 AM | Report abuse

Some of the concerns seem rather overblown. How can a meter tell whether a house has an alarm system??? How can it tell if you are showering? All it can do is tell that electricity is being consumed in some manner. You might make educated guesses but they would be nothing but guesses unless you could correlate known actions with known consumption.

For smart metering to do any good, it must be able keep track up the minute to match load and demand and bill for higher demand when it costs the power company more to generate it. Power is wheeled around on a minute to minute basis to match demand. It also allows construction of fewer future plants if the peak demand is not so high compared to average demand. People do NOT have to run their clothes dryers the moment they get home.

Too bad they did not ask any power company people to be on their panel.

As for information over the open internet, at first the information from the various meters is sent over the air at about 900 Mhz to a tower within 20 miles from the meter. I'd say it was up to the utility company to decide whether to carry the data from the tower back to their offices using either a private network or the internet. If it were my choice, I'd rather not have my data delayed by some kid downloading a new cheesed album, and hire a private network or string it on my own company's poles.

I don't work for a power company. I'm just a tech who bothered to look up the system which the academics seem to have not.

Posted by: eteonline | November 18, 2009 12:50 PM | Report abuse

I work as a privacy professional, and IMHO it is an overblown concern. Another article I read noted that different appliances have signatures. The comment, paraphrasing, was, "If they determine you were watching television at 3:00 a.m., will you start getting ads for insomnia treatments?" The point is, they don't know that *I* was watching TV. It could have been my teenager coming home and turning on the tube. Or, I could have gotten up to feed a baby, and turned on the television for background noise. So I wasn't watching it because of insomnia.

The bottom line is that I don't believe that the use of appliance is a good indicator of behavior. It's a good indicator of appliance use.

-- Michael Seese, CISSP, CIPP, author of "Scrappy Information Security"

Posted by: MichaelSeese | November 18, 2009 10:41 PM | Report abuse

This is something that I can speak to as I have a 3rd-party product (TED-5000) that provides a lot of the functionality of a smart meter. At present these devices merely measure the total amount of electricity that the house is using at any given moment. You can tell the thing about certain loads within the house (perhaps the AC compressor is 1200W +/- 100 W), but it is kind of inexact and it oftentimes guesses wrong. Perhaps I don't have the load profiles set quite correctly, but my gut feel is that using heuristics like this is never going to be all that accurate.

The device has a web interface, but you can plug it into your own secure (i.e. behind firewall) network. Or you can choose to not connect it at all if you wish, I suppose.

The thing which might have more privacy concerns to some people is the new interface to Google PowerMeter. The device transmits information every so often to google, but currently this is entirely optional.

When the thing is turned on, every time I go to google and I am logged in I see a little chart that shows the electricity usage profile. But this doesn't really show all that much information - really just a graph of consumption versus the time of the day.

Posted by: jackrussell252521 | November 19, 2009 8:29 AM | Report abuse

I should add that my device is only able to read the consumption. It has no way of turning anything on or off.

Posted by: jackrussell252521 | November 19, 2009 8:37 AM | Report abuse

The obvious motivation for the smart meters is to uncover people who are using electricity but are not paying for it. When everyone is required to have a smart meter, it will be much easier to spot leakage.

Also, as a side benefit, it will be easier to identify indoor marijuana grow facilities. If you have a pot house, smart meters are very bad for business.

Posted by: taskforceken | November 19, 2009 3:24 PM | Report abuse

Well the pot growers should all use CFL grow lights :-).

A geek who has a rack of computers in the basement wouldn't look that much different from a pot grower. At least to the power company..

Posted by: jackrussell252521 | November 19, 2009 5:22 PM | Report abuse

The whole smart grid idea gives me the willies. First, it will be used an excuse to block the building of generating capacity of any type. All electric generators have an environmental downside. The existence of a "smart" grid will be another excuse to not boost generating capacity. If the wind mills don't produce electricity, so what? we will just turn off your computer. Problem solved.

Second, the smart grid is a new avenue for government intrusion into our lives. Members of "minority" groups will claim that any action to cut power to their neighborhoods is racism. Power cuts to the districts of Nancy Pelosi, John Murtha and Barney Frank will be rarer than hen's teeth. Don't bother to buy a new refrigerator if you live in John Boehner's district.

Non-union factories won't get electricity, but Government Motors and Fiatsler will have all they need. But wait, there is more. Too fat? No electricity for your kitchen. Want to stay up late. Sorry, lights are out at 10 p.m. in this town.

Posted by: WalterSobchak1 | November 20, 2009 12:39 AM | Report abuse

Smartmeter technology is immune from privacy assaults. The power utility is a monopoly and charged with the responsibility to deliver services in connection with which is has the right to read the meter at a time of its own choosing so that it does not violate the "quiet enjoyment" of the leasehold.
The barrier to change this right is higher than Israeli settlement walls.

Posted by: chartwaysearch | November 20, 2009 9:13 AM | Report abuse

The comments to this entry are closed.

RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company