Big Data + Smart City = Weak Privacy + Weak Security?

Transcription

1 Big Data + Smart City = Weak Privacy + Weak Security? Professor John Bacon-Shone Director, Social Sciences Research Centre The University of Hong Kong

2 Benefits and Risks Is it an inevitable consequence of wanting the significant benefits of a Smart City and Big Data analysis that we must accept weak privacy and security? Who should be responsible for ensuring that this does not happen, if this does not involve data with a direct personal identifier? How should we maximise the benefits while also minimizing the risks? It is important to recognise that many big data and smart city enthusiasts assume that anonymity or consent solves all the problems other than cost

3 Broad Context: Constitutional Rights HK Basic Law: Article 29 The homes and other premises of Hong Kong residents shall be inviolable. Arbitrary or unlawful search of, or intrusion into, a resident's home or other premises shall be prohibited. Question: e.g. are smart meters an arbitrary intrusion into a resident s home, if the monopoly electricity provider installs it without consent?

4 Specific Context: Data Protection Principles HK PDPO (like most EU DP laws) DPP1: lawful and fair collection where data subjects are informed of the purpose for which data are collected & used, which must be directly related to function of data user; DPP3: personal data used for purpose originally collected or directly related purpose, unless have prior consent DPP4: all practicable steps to ensure personal data are protected against unauthorized or accidental access, processing or erasure. Questions: how to obtain consent, protect against use for unrelated purposes and against unauthorised access?

5 Risk Risk has two components: chance of an outcome and consequences of the outcome, so we need to examine the possible outcomes that could have bad consequences

6 Relevance: Smart meters Fine grained energy consumption data in households allows sophisticated prediction of household (and individual) behaviour that relates to energy use, including working hours, medical needs, media consumption, when the house is empty etc. even if the identity of the individual is unknown

7 Relevance: Smart cars: Fine grained location and time data means knowing where you are at all times, assuming car is linked with a person. Self-driving cars may even be externally controlled.

8 Relevance: Smart phones: Fine grained location and time means knowing where you are at all times and possible linkage with your activity, given all the sensors on the phone including microphone, camera etc.

9 Meter Risk Outcome 1 Direct misuse of personal data collected by the smart meter operator, such as manipulation of charging rates (think of Amazon experiment that manipulated prices based on previous customer behaviour), such as raising prices when that household is most likely to consume electricity (break in favourite TV show or when come home from work) does not require identification.

10 Meter Risk Outcome 2 Sale of personal data collected from households to third parties (think of the Octopus case) such as appliance providers, home insurers etc. Arguable consumer benefit, e.g. seems you need a new electrical appliance as your fridge consumes too much electricity. Does not require identification.

11 Meter Risk Outcome 3 Breach of security, allowing unauthorised use of personal data, such as when best to burgle because there is probably nobody at home (based on power consumption). Does not require identification but does require address.

12 Meter Risk Outcome 4 Use by law enforcement would it be justified to profile likely marijuana growers, or people keeping their public rental flat unoccupied, running an untaxed business, running a brothel, using incandescent bulbs if they become outlawed? Would they need a warrant to obtain the information? Would they be able to search data looking for possible illegal behaviour or must they have good reason in advance?

13 Car Risk Outcome 1 Breach of security, allowing car jackers to identify when an expensive car is stationary for a long period in a remote location, hence easily stolen - does not require identification of the owner!

14 Phone Risk Outcome 1 Use by law enforcement meeting of many political activists. Would they need a warrant to obtain the information? Would they be able to search data looking for possible illegal behaviour or must they have good reason? Arguably does not need identification of individuals, just that they are intending to visit a specific location at a specific time

15 Other Risk Outcomes There are certainly other consequences not considered here the key point is that there certainly are possible outcomes with privacy impact, so a thorough privacy/security impact assessment is essential, indeed privacy & security must be part of the design process

16 Chances of the Outcomes? Clearly the chances can be minimized through: Well designed security system (e.g. all connections encrypted, 2 factor authentication, full audit trails) to minimise risk of personal data leakage during transfer from home to service supplier, transfer from supplier to consumer and inside service supplier Suitable regulation by regulators of service provider, privacy and law enforcement surveillance to address transfer at systems level and response to any leakage or unauthorised transfer

17 Existing laws sufficient? Certainly not without a data protection law, but what if you have a data protection law? Still insufficient, because personal data requires a direct personal identifier and much of this data may not have a direct personal identifier or may be shared (e.g. household data, pictures of a group of people etc.). A robber would not care about knowing your name, just whether your car and house are easy targets. A seller only requires knowing that an individual wants to buy, not their identity.

18 Big data problems? Need to address ability to link to an individual (possible without knowing their identity) if there are possible decisions or outcomes that may disadvantage the individuals. For example, postal codes + age and gender is sufficient to re-identify in most countries, but reidentification may not be that obvious or transparent may not even know who holds the data

19 Big data problems (more)? If I know you need or want very much to buy an item, I may be able to take advantage of that information in a discriminatory way. Think again about the case of the pregnant teenager identified by big data what if Target realised that she had not made her pregnancy public and offered her anonymous deliveries at a higher price is that a problem?

20 Public Opinion? Role of public opinion? It is difficult for the general public to assess consequences of new processes Public opinion is essential in understanding how well communication works, but of little value in designing new processes, unless they are a stakeholder group who understand the issues well or have had them explained well (e.g. through deliberative polling).

21 Lessons from elsewhere? Debate often polarised between technologists and business people who see real benefits and privacy activists and those distrustful of government who fear misuse of the data (or even reject for irrational reasons such as wireless devices causing health risks). Consent must mean a free and fully informed choice, without unfair consequences.

22 Mitigation of the risks? Some possible mitigation strategies? Discussion?

23 Some possible risk outcomes Direct misuse of personal data collected by the smart meter operator, such as manipulation of charging rates Sales of personal data Breach of security Use by law enforcement

24 Some possible mitigation strategies Consumer protection safeguards to guard against negative decisions, e.g. customers charged more when using smart meters Privacy impact assessment that is not limited to direct identifiers, but focuses on individual consequences Security assessment of entire system Access restrictions for law enforcement

25 More possible mitigation strategies Explicit consent for third party access to identifiable or re-identifiable meter data Data breach notification New crypto solutions which, even with smart meters, break the link of individual households with time of consumption, thanks to grouping of households and purchasing energy tickets.

26 Thank you!