Vulnerable passwords, financial records or personal data are likely what first comes to mind when thinking of cyber-privacy and cyber-security. But if recent reports are to be believed, the newest and most pervasive threat to personal privacy could be the smart meter that public utilities departments are increasingly using to measure electricity consumption.
The U.S. Energy Independence and Security Act of 2007 supercharged a movement that's developing a power grid that gives power to users via digital technology. But some say this smart grid might be too smart for everyone's own good.
In May 2010, The Denver Post reported that smart meters can gather more data than just how much electricity a household uses. They can tell how many people live there, when they sleep and when they aren't home. Smart meters track when household members take showers, how much TV they watch or how often they use the microwave. According to the newspaper, 52 million smart meters will be in the country by 2015.
"Currently there are multiple levels of security concerns. In terms of consumers, to start with, the concerns are privacy -- how their information will be safeguarded and how it will be used for or against them, permissions for how data will be shared with multiple agencies, who is liable in holding that particular data and who the consumer will go after if something goes wrong for them," said Sarav Periasamy, CEO and president of PERI Software Solutions, a technology consulting company.
The federal government's National Institute of Standards and Technology (NIST) released a 300-page report on the matter and stressed the importance of keeping personal data confidential when meters are used. The report, Smart Grid Cyber Security Strategy and Requirements, also found that smart grid technology provides more avenues for disgruntled employees and cyber-criminals to compromise data.
A lot of specifics about the cyber-security of smart meters will come down to local utilities, where power is disseminated.
The California Public Utilities Commission is requesting comments on a proposed decision to require Pacific Gas and Electric, Southern California Edison and San Diego Gas and Electric -- the state's three major power providers -- to follow a common outline in smart grid deployment.
California isn't the only state to take up the issue. In August 2009, the Colorado Public Utilities Commission opened a docket on the matter and requested comments to see if the state's current rules involving personal privacy protection were enough to deal with smart grid technology. Seven parties filed comments as of February 2010.
One response from of the Colorado Office of Consumer Counsel's (OCC) was that the Commission, "should consider establishing policies which err on the side of providing too much protection of customer-specific usage information rather than too little protection, at least at the initial state of the deployment of smart grids."
The OCC stated that consumer privacy should not be vulnerable to compromise when data mining of any kind is done by interested parties. The commission noted in its original docket document that personal data collected via the smart grid could be requested by third parties for several reasons -- industries conducting market research on power use, for example, or police officers requesting the information to analyze zones of criminal activity.
"The Commission should consider separate policies for residential and nonresident classes of customers," said one Black Hills/Colorado Electric Utility Company response. "This may be a more practical approach since consumer marketers have different tactics and motives than business-to-business marketers, and policy protections should be designed accordingly."
The private sector already is penetrating the marketplace with its own products for cyber-security of the smart grid. The Microsoft Hohm and Google PowerMeter packages are just two examples of products designed to give consumers the ability to analyze their own energy use.
In an e-mail response to Government Technology, Microsoft said, "Microsoft Hohm is committed to protecting privacy and will not share your personal information with others without your consent."
When asked to what degree consumers could trust a third-party corporation with their own personal energy data, Microsoft said that no personally identifiable information would be shared unless a customer chose that option.
"Individual data may be stripped of personally identifiable information and used for calculating region averages [or] research by third parties," the e-mail said.
NIST's Cyber Security Coordination Task Group is developing security architecture for the smart grid from a federal perspective, but calls and e-mails to Annabelle Lee, the computer scientist leading the effort, from Government Technology were not returned.