United States Cybersecurity Magazine

ProcessBolt
From the Winter 2021 Issue

Are Smart Cities the Next Principal Step in the Loss of Privacy?

Alan S. Tilles, Esquire
Attorney | Shulman Rogers

Ian R. McAndrew PhD
University Dean | Capitol Technology University

There are many advantages and opportunities to integrate transport, work, shopping, and the control of all interconnecting aspects.

Architects, town planners, environmental groups, and many others believe smart cities are a feasible step in the creation of a zero-carbon footprint way of living. There are many advantages and opportunities to integrate transport, work, shopping, and the control of all interconnecting aspects. These benefits range from food deliveries to electrical power demands, based on our personal ways of living. Artificial Intelligence (AI) will be able to offer heating schedules that balance our level of comfort in advance, whether we are at home or while working. This will ensure that electrical power planners can minimize the over-production of electricity. The technology currently exists to make this happen if we accept that control needs to be managed on a larger scale. However, what is rarely discussed or addressed is the erosion of our privacy and how that will potentially create issues regarding who owns our data and recorded ways of living. While the concept of “Big Brother” is not new, the collection and use of data, even when anonymized, has serious societal and legal implications that must be addressed by policymakers to ensure that the benefits of a connected city are realized.

Smart Cities are being designed, justified, and planned in many different countries. Current technology exists to deliver the majority of innovation that planners want and offer. One example is the plan to make an integrated electric car charging system “two-way”. That means they will be charged in batches as to not overload demand.  In extreme cases, the charge in a car can be returned to the national grid. To achieve this, private information about the owner’s demands each day, as well as their habits and limitations, must be captured. This does not add much complexity to designing a system. On a larger scale, the daily habits of each car user will be stored. This will be the input for the calculations. Additionally, AI and predictive patterns will be used for the charging of all cars, whereby the supply (possibly wind turbines) will be managed fully. Technically, data access is easy to obtain, but what are the implications of unfettered use and the legal implications of data use?

On a more narrow focus, managing your house in a smart city offers equally positive and negative ways to live. A lost key? We can find a locksmith or break a window to enter. Even if alarmed, the key is entered and disarmed. On a biosecurity security level, what happens if the sensor does not recognize the owner or approved person? If there is a system fault, how does one enter? A broken window may be difficult with modern toughened glass. Do we have our information shared with a cyber-locksmith? If so, which one? Must that cyber-locksmith be licensed by the municipality? Indeed, the hacking of this company by external people, or the simple theft of data, may have much wider implications. Technology leads and the law seems to catch up in most cases. In smart cities, lagging legislation can cause significant problems that must be addressed as part of planning. They must consider the possibility that there will be cybersecurity problems inherent in the implementation.

Further, the potential of a municipality to monetize collected data, combine data from a variety of trusted and non-trusted sources, and exchange data with other collectors significantly impacts the smart city vision.

Another focus is the ability of law enforcement to access this information and make use of it. The legal implications of such access are huge. In doing so, decisions must be made with regard to whether search warrants are necessary for data acquisition and how that impacts the  Fourth Amendment’s bar on unreasonable searches and seizures. They must also make decisions on the transmission and storage of data (chain of custody issues) and who has the ability to de-anonymize data.

Further, the potential of a municipality to monetize collected data, combine data from a variety of trusted and non-trusted sources, and exchange data with other collectors significantly impacts the smart city vision. Ensuring that a reasonable balance is struck between these varying interests is a core component to the system rollouts.

There have been several cases lately reporting on how Apple and Amazon partners are using Siri and Alexa devices to ‘spy’ and record conversations. If this is possible within a household, then the implications of smart cities, when audio, video, and facial recognition software is universal, is that the boundary of privacy is now not controlled by anyone. Furthermore, responsibility is not borne by any entity or person. Imagine how a stalker in a position of authority could track every movement of an individual.[1] A criminal could accurately predict that an apartment will be empty.  They could enter to commit that ever-nefarious action or deed, with the added potential consequence of blurring the lines of responsibility for law enforcement. The complex question of what is illegal is now unclear and crime is more difficult to define or attribute.

Smart cities are likely to heavily, if not totally, rely on driverless cars. It has been suggested that no one will own a car and a form of Taxi-use similar to Uber will prevail. If travel is controlled centrally, then the control of reducing travel will be held by a few. This, for example, could allow such entities to control how many taxis are available at any one time. Independence will be removed and the basic human right for “freedom of movement” guaranteed by the Fifth Amendment could disappear for the good of traffic management. How would we establish a non-biased travel priority? Many cases of AI in the criminal justice systems have been alleged to be racist or biased against groups.[2] Without answers, smart cities may compound the problem and perhaps be free from challenge, as sufficient laws do not presently exist to hold those legally accountable.

Independence will be removed and the basic human right for “freedom of movement” guaranteed by the Fifth Amendment could disappear for the good of traffic management.

The creation of data privacy laws is not only complicated in terms of making choices of what to protect but is fraught with public perception issues. The recent experience with Covid-19 masking regulations infringing on civil liberties is not a singular example. In 1974, the public outcry against seat belt ignition interlock regulation bears reexamination of how to manage public perceptions and expectations for future situations.

Presently, there are a variety of industry segments that have Federal Data Privacy Regulations. Most people are familiar with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Children’s Online Privacy Protection Act of 1998 (COPPA).[3]  Less publicly familiar is the Federal Communications Commission’s Customer Proprietary Network Information rules (CPNI).[4]

States have taken on data privacy, too, most famously California’s Consumer Privacy Act (CCPA). However, there is scant consideration at a federal level, beyond HIPAA and COPPA, taking into account the sheer volume of data that is made available through the “magic” of IoT. This ranges from sensors and cameras in government-controlled spaces to private spaces such as homes, office buildings, sports arenas, businesses, etc. States must also consider data collections that perhaps haven’t been routinely considered before now, such as vehicles or Family Ancestry sharing DNA information with law enforcement.

There have been some governmental efforts to provide limitations on data collection, such as San Francisco’s ban on governmental use of facial recognition, followed by Somerville, Massachusetts, and Oakland, California. However, we are still missing a universal consideration of these issues. A hodge-podge of rules by different municipalities results in uncertainty by businesses in the development and deployment of advanced technologies. This has the impact of delaying the creation of smart cities and potentially limiting the benefits which smart cities are designed to enable.

As a result, there have been a number of industry efforts to step in to create standards where regulatory bodies have so far failed to do so. In 2019, Cisco called for governments to establish privacy as a fundamental human right in the digital economy.[5] Cisco laid out certain principles, which it seeks to have included in the legislation. Cisco urges this legislation to be adopted. Similarly, the Alliance for Telecommunications Industry Solutions (ATIS) created a framework for data sharing in smart cities.[6]

Our collective experience with lockdowns during the COVID-19 pandemic may actually hasten regulation. What the pandemic demonstrated was that data privacy regulations, necessitated by remote meetings, need revision. In the case of telehealth, guidance was developed to define acceptable means of secure communications and the handling of private information passed as a part of it. Similar action should be taken at a federal level regarding similar data privacy issues, which will allow the unimpeded development of smart cities with adequate protection for the individual.

[1] While the CBS Network television show “Person of Interest” is fictional, as technology advances the possibility becomes very real.

[2] https://medium.com/@mauriziosantamicone/https-medium-com-mauriziosantamicone-is-artificial-intelligence-racist-66ea8f67c7de.

[3] On the international level, there are privacy regulations such as the European Union’s General Data Protection Regulation (GDPR), Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) and Australia’s Notifiable Data Breach Scheme.

[4] Please note that this article focuses on data privacy rules, and not cybersecurity. Obviously, cyber breaches can result in the release of private data. However, we must first determine the information sought to be protected (data privacy) and then how to perform the actual protection (cybersecurity).

[5] https://newsroom.cisco.com/press-release-content?type=webcontent&articleId=1965781

[6] https://www.atis.org/smart-cities-data-sharing/.

Alan S. Tilles, Esquire, Attorney, Shulman Rogers
Ian R. McAndrew PhD, University Dean, Capitol Technology University

Leave a Comment