This morning I told my 15 year old daughter that I was reading about privacy problems that may arise in Smart Cities and she replied: ‘I don’t understand all the fuss about privacy. If you have nothing to hide, you have nothing to worry about.’ This carefree attitude is one of the advantages of youth. However, if city planners, IT specialists and IoT manufacturers do not bother either, data collected in current and future Smart Cities may be misused.
Data harvesting cities
Many cities around us are equipped to collect a growing amount of data about residents and their activities. Barcelona, Singapore, Boston, London, Dubai, and Hamburg are processing large amounts of data. Traffic, noise and pollution can be measured. Available parking lots can be assigned, public transport is made more efficient. Light posts are equipped with cameras.
When data gets stored in an aggregated way, they cannot be led back to individuals and therefore privacy issues are not likely to arise.
Potentially more problematic are data that are gathered real time. In Singapore, for example, the government plans to require all cars to have a satellite navigation system that will monitor the location of each vehicle at any given time, plus its speed and direction. This is an example of Internet of Things (IoT), and if and when more things get connected to the internet, more information on the user is available to companies and governments. This is not a problem in itself. A potential risk does arise when these data are either used for commercial benefits and are sold to other parties.
“The scariest thing is that we don’t know what the scariest thing is,” said Geoff Webb, senior director of solution strategy at identity and access management firm NetIQ.
At first data of city inhabitants and visitors are collected to create a smarter city for future users. Then more and more data are collected about specific users of internet connected products by a few companies. The citizens do not know much about the companies, but the companies have extensive knowledge of the citizens.
The first risk involved in this asymmetrical situation is that hackers obtain data about users intentionally or unintentionally. This situation feels creepy, since the users are not even aware that they provide so much information.
“Internet of Things: Privacy & Security in a Connected World” , a report drafted by the US Federal Trade Commission, showed that fewer than 10,000 households can generate 150 million discrete data points every day. This creates more entry points for hackers and leaves sensitive information vulnerable.
The second risk of companies harvesting information is that they might sell this personal information for marketing purposes. In this case data has a monetary value. Imagine you receive highly personalized telecom advertisements and you were not aware that your telecom provider was storing and selling so much privacy sensitive information on you.
A third risk is that more IoT products are sold for a lower price than non IoT products, because the user is the interesting product rather than the IoT device, which is merely a medium for the manufacturer to obtain valuable data.
The way ahead
In Smart Cities local governments and innovative companies work together to make public services as available as possible. Urbanization and digital developments reinforce each other. Everything is joined together and with the internet. Huge amounts of data will be shared, stored and analyzed. Municipalities can use data to develop policies to make the city more efficient and sustainable. Citizens could become more influential in shaping the city they live in.
On the other hand, Smart Cities will encounter problems. All the things connected to the internet can and may store data. This way companies do gain more influence while collecting, storing, analyzing and selling data.
Three categories of measures can be discerned in making (future) privacy problems more manageable.
We need tools to protect personal data and monitor their flow from things to the cloud. Are we equipped to learn from our mistakes and take control of our own data in a world that in the near future will be full of sensors? Perhaps the first step is to be aware of the IoT, and what it can do.
In general we could argue that there is a lack of investment in dedicated cybersecurity personnel and leadership in most cities. Smart Cities should adopt a ‘security by design’ approach.
Governments should feel the pressure and act accordingly while making privacy laws and regulations.
Public Private Partnerships will be more common in the near future and governments involved should deeply investigate the privacy and security risks when large amounts of data are involved.
Cities could and should invest in ‘White hat hacking’, which means engineers that intentionally hack the Smart City systems to discover security and privacy risks.
The European Union is working on a General Data Protection Regulation GDPR to be implemented in 2018. Companies will be required to share information on the type of data they collect. They will no longer be in the lead. European Union citizens are to agree on any data use.
Summarizing we could state that privacy awareness and knowledge will have to grow. A balance should be found between reacting on known hazards and developing a very firm security policy.
The General Data Protection Regulation may be a prelude to protecting citizens from data misuse. Probably different measures will be taken in various parts of the world, depending of the technological development, urgency, culture and political system.
Anna Verkruisen is a geographer, with 18 years of experience in ICT.