Saturday, October 7, 2017

Smart Meter Data: Privacy and Cybersecurity – Congressional Research Report 2012

By Catherine J. Frompovich


In February of 2012, three attorneys with the Congressional Research Service (CRS) issued a lengthy report “Smart Meter Data: Privacy and Cybersecurity,” which addressed many of the same questions consumers have about those high-tech utility meters being forced on to customers’ electric, natural gas and water utility services in every state and globally.  I’ve read the entire report and think consumers ought to know the more significant parts and information regarding your rights to privacy and security.


The CRS is a government agency basically providing background information about certain issues or topics members of Congress or congressional committees want to know more about.


Nothing is a “hot button” privacy and health issue more than AMI Smart Meters, which are retrofitted in place of safe analog meters that have been in exemplary use for decades.  The new AMI SMs have one advantage over the safe analog meters, which probably appeals to the United Nations: AMI SMs spy on the occupants inside the homes to which AMI SMs are retrofitted.  Those personal rights violations are real and should be of valid concern to consumers who know their U.S. Constitutional and State Constitutional rights are being violated and abrogated.


Apparently, those same issues may have been on the minds of some members of Congress, therefore, the request for a Privacy and Cybersecurity Report.


In the Summary of that report, we find


Fueled by stimulus funding in the American Recovery and Reinvestment Act of 2009 (ARRA), electric utilities have accelerated their deployment of smart meters to millions of homes across the United States with help from the Department of Energy’s Smart Grid Investment Grant program. As the meters multiply, so do issues concerning the privacy and security of the data collected by the new technology. This Advanced Metering Infrastructure (AMI) promises to increase energy efficiency, bolster electric power grid reliability, and facilitate demand response, among other benefits. However, to fulfill these ends, smart meters must record near-real time data on consumer electricity usage and transmit the data to utilities over great distances via communications networks that serve the smart grid. Detailed electricity usage data offers a window into the lives of people inside of a home by revealing what individual appliances they are using, and the transmission of the data potentially subjects this information to interception or theft by unauthorized third parties or hackers. [CJF emphasis]



Rather nonchalantly, in this writer’s opinion, the Report’s authors concede:


Unforeseen consequences under federal law may result from the installation of smart meters and the communications technologies that accompany them. This report examines federal privacy and cybersecurity laws that may apply to consumer data collected by residential smart meters. It begins with an examination of the constitutional provisions in the Fourth Amendment that may apply to the data. As we progress into the 21st century, access to personal data, including information generated from smart meters, is a new frontier for police investigations. The Fourth Amendment generally requires police to have probable cause to search an area in which a person has a reasonable expectation of privacy. However, courts have used the third-party doctrine to deny protection to information a customer gives to a business as part of their commercial relationship. This rule is used by police to access bank records, telephone records, and traditional utility records. Nevertheless, there are several core differences between smart meters and the general third-party cases that may cause concerns about its application. These include concerns expressed by the courts and Congress about the ability of technology to potentially erode individuals’ privacy.


If smart meter data and transmissions fall outside of the protection of the Fourth Amendment, they may still be protected from unauthorized disclosure or access under the Stored Communications Act (SCA), the Computer Fraud and Abuse Act (CFAA), and the Electronic Communications Privacy Act (ECPA). These statutes, however, would appear to permit law enforcement to access smart meter data for investigative purposes under procedures provided in the SCA, ECPA, and the Foreign Intelligence Surveillance Act (FISA), subject to certain conditions. Additionally, an electric utility’s privacy and security practices with regard to consumer data may be subject to Section 5 of the Federal Trade Commission Act (FTC Act). The Federal Trade Commission (FTC) has recently focused its consumer protection enforcement on entities that violate their privacy policies or fail to protect data from unauthorized access. This authority could apply to electric utilities in possession of smart meter data, provided that the FTC has statutory jurisdiction over them. General federal privacy safeguards provided under the Federal Privacy Act of 1974 (FPA) protect smart meter data maintained by federal agencies, including data held by federally owned electric utilities. [CJF emphasis]


How come state public utility commissions, their kangaroo courts and utility companies’ attorneys aren’t held accountable to the legitimate seriousness of the above constitutional issues, let alone the escalating adverse health effects from AMI Smart Meter radiofrequencies non-thermal radiation waves that now scientifically have been proven to break DNA bonds?


On page 2 of that Report, the CRS lawyers say,


General federal privacy safeguards provided under the Federal Privacy Act of 1974 (FPA) protect smart meter data maintained by federal agencies, including data held by federally owned electric utilities. Section 5 of the Federal Trade Commission Act (FTC Act) allows the Federal Trade Commission (FTC) to bring enforcement proceedings against electric utilities that violate their privacy policies or fail to protect meter data from unauthorized access, provided that the FTC has statutory jurisdiction over the utilities.


It is unclear how Fourth Amendment protection from unreasonable search and seizures would apply to smart meter data, due to the lack of cases on this issue. However, depending upon the manner in which smart meter services are presented to consumers, smart meter data may be protected from unauthorized disclosure or unauthorized access under the Stored Communications Act (SCA), the Computer Fraud and Abuse Act (CFAA), and the Electronic Communications Privacy Act (ECPA). If smart meter data is protected by these statutes, law enforcement would still appear to have the ability to access it for investigative purposes under procedures provided in the SCA, ECPA, and the Foreign Intelligence Surveillance Act (FISA). [CJF emphasis]


Page 3 addresses Smart Meter Data: Privacy and Security Concerns


Residential smart meters present privacy and cybersecurity issues 19 that are likely to evolve with the technology.20 In 2010, the National Institute of Standards and Technology (NIST) published a report identifying some of these issues, which fall into two main categories: (1) privacy concerns that smart meters will reveal the activities of people inside of a home by measuring their electricity usage frequently over time;21and (2) fears that inadequate cybersecurity measures surrounding the digital transmission of smart meter data will expose it to misuse by authorized and unauthorized users of the data. [CJF emphasis]


While addressing specific details, the Report claims


Smart meters offer a significantly more detailed illustration of a consumer’s energy usage than regular meters. Traditional meters display data on a consumer’s total electricity usage and are typically read manually once per month.23


In contrast, smart meters can provide near real-time usage data by measuring usage electronically at a much greater frequency, such as once every 15 minutes.24


Current smart meter technology allows utilities to measure usage as frequently as once every minute.25


By examining smart meter data, it is possible to identify which appliances a consumer is using and at what times of the day, because each type of appliance generates a unique electric load “signature.26  [which will tie into the Internet of Things.]


NIST wrote in 2010 that ““research shows that analyzing 15-minute interval aggregate household energy consumption data can by itself pinpoint the use of most major home appliances.”” 27


A report for the Colorado Public Utilities Commission discussed an Italian study that used “artificial neural networks” to identify individual “heavy-load appliance uses” with 90% accuracy using 15-minute interval data from a smart meter.28


Similarly, software-based algorithms would likely allow a person to extract the unique signatures of individual appliances from meter data that has been collected less frequently and is therefore less detailed.29   [One algorithm program is “ONZO” (2).]


By combining appliance usage patterns, an observer could discern the behavior of occupants in a home over a period of time.30 For example, the data could show whether a residence is occupied, how many people live in it, and whether it is “occupied by more people than usual.”31


According to the Department of Energy, smart meters may be able to reveal occupants’ “daily schedules (including times when they are at or away from home or asleep), whether their homes are equipped with alarm systems, whether they own expensive electronic equipment such as plasma TVs, and whether they use certain types of medical equipment.”32


Figure 1, which appears in NIST’s report on smart grid cybersecurity, shows how smart meter data could be used to decipher the activities of a home’s occupants by matching data on their electricity usage with known appliance load signatures. [CJF emphasis]


Here is the part about AMI SMs that really needs to be understood and factored in to the privacy and security paradigm the microwave industry, utility companies and even state public utility commissions, which should know better, are not paying attention to nor dealing with: Potential for Theft or Breach of Data, like we had with the Equifax data breach affecting about half of the country’s consumers.


Increased Potential for Theft or Breach of Data


Smart grid technology relies heavily on two-way communication to increase energy efficiency and reliability, including communication between smart meters and the utility (or other entity) that stores data for the grid.46 Many different technologies will transmit data to the grid, including ““traditional twisted-copper phone lines, cable lines, fiber optic cable, cellular, satellite, microwave, WiMAX, power line carrier, and broadband over power line.””47 Of these communications platforms, wireless technologies are likely to play a ““prominent role”” because they present fewer safety concerns and cost less to implement than wireline technologies.48 According to the Department of Energy, a typical utility network has four “tiers”” that collect and transmit data from the consumer to the utility.49 These include “(1) the core backbone—the primary path to the utility data center; (2) backhaul distribution—the aggregation point for neighborhood data; (3) the access point—typically the smart meter; and, (4) the HAN—the home network.”50 Energy usage data moves from the smart meter,51 and then to an “aggregation point” outside of the residence such as “a substation, a utility pole-mounted device, or a communications tower.””52  [CJF emphasis]


Two U.S. Supreme Court decisions, Kyllo v United States [1] and United States v Karo, have defended “the home as a sacred site at the core of the Fourth Amendment.”


Kyllo and Karo demonstrate that the Supreme Court “has defended the home as a sacred site at the ‘core of the Fourth Amendment.’””169 Although neither the Supreme Court nor any lower federal court has ruled on the use of smart meters, a few propositions can be deduced from Kyllo and Karo bearing on this question. Because smart meters allow law enforcement to access information regarding intimate details occurring inside the home, a highly invasive investigation that could not otherwise be performed without intrusion into the home, a court may require a warrant to access this data. In Kyllo, the police merely obtained the relative temperatures of a house,170 and in Karo the police only generally located the beeper in the house.171 Although this information was limited, the Court nonetheless prohibited such investigatory techniques. Smart meters have the potential to produce significantly more information than that derived in Kyllo and Karo, including what individual appliances we are using; whether our house is empty or occupied; and when we take our daily shower or bath.172 Further, a look at Figure 1, supra, makes it clear that this level of information is much more intimate than prior technologies used by law enforcement. This depth of intrusion suggests that customers may have a reasonable expectation of privacy in smart meter data. [CJF emphasis]


The CRS lawyers thought there is/was Statutory Protection of Smart Meter Data!


Question: Which law school courses did they take that utility company lawyers and public utility commissions judges somehow missed during law school?


This section discusses federal statutory protections that may be applicable to the contents of communications sent by a smart meter, independent of the Fourth Amendment, while they are either stored within the smart meter prior to transmission, during transmission, or after they have been delivered to the utility. Three federal laws, the Electronic Communications Privacy Act (ECPA),199 the Stored Communications Act (SCA),200 and the Computer Fraud and Abuse Act (CFAA)201 may be applicable to these situations and are discussed in more detail below. [CJF emphasis]





No comments:

Post a Comment