Tuesday, November 24, 2009

Smart Grid Privacy Before Smart Grid Security


Can we have a little privacy, please? The question of how to secure a system isn't fully relevant until you've figured out what needs securing, and that often begins with policy decisions on how to manage sensitive customer data.

Here at the SGS Blog, our relentless quest for more and better info re: the state of security policy and technology for the Smart Grid sometimes has us overlooking things of a less technical, but no less impact-full nature, like privacy. As Katie Fehrenbacher of earth2tech puts it:
"Smart Grid security” is most often discussed in the terms of national security — a hacker develops a worm that can jump across smart meters and black out neighborhoods, for example, or can make a generator blow up remotely. Privacy — keeping personal information in the hands of the consumer and away from advertisers, the utility or any other third party — is an entirely different concern that utilities have to be prepared for with the build-out of the Smart Grid.
Yup. From the maltreated customers' point of view, be they large commercial or industrial enterprise or a simple household, it matters little whether their data is divulged via hacking or poor privacy controls. The simple fact that someone or some organization in a trusted position was less than fully responsible with their financial, health, behavioral (or other) info is more than enough cause to trigger a call to Attorney911. And media reports of privacy debacles will serve to greatly reduce confidence and enthusiasm for wider Smart Grid deployments.

So much depends on the customers' first experience with the Smart Grid and the amount of control over privacy decisions they are given. Here's draft privacy standard verbiage from Rebecca Herold, who in addition to being "The Privacy Professor," doubles as an energetic volunteer on NIST's Smart Grid Privacy Group:
Consent and Choice: The organization must describe the choices available to individuals and obtain explicit consent if possible, or implied consent when this is not feasible, with respect to the collection, use and disclosure of their personal information.
That sounds like a great way to begin a new relationship. Mutual consent. The freedom to say "I do" or "I do not." And why do I say "new" relationship? One thing we've learned in our recent travels through the Smart Grid universe is that the typical US utility has a less than stellar understanding of its customers. And the adverse is true: many utility customers cannot even name the company that supplies their electricity. If Smart Grid dreams do indeed come true, both parties will soon be on a first name basis. They're going to learn things they never knew about each other before. And if it's done right, they will come to trust each other with some very important information and services.

No comments: