Available via license: CC BY-NC-ND 4.0
Data Privacy for the
Smart Grid
Rebecca Herold • Christine Hertzog
CRC Press
Taylor & Francis Group
6000 Broken Sound Parkway NW, Suite 300
Boca Raton, FL 33487-2742
© 2015 by Taylor & Francis Group, LLC
CRC Press is an imprint of Taylor & Francis Group, an Informa business
No claim to original U.S. Government works
Printed on acid-free paper
Version Date: 20140805
International Standard Book Number-13: 978-1-4665-7337-6 (Hardback)
This book contains information obtained from authentic and highly regarded sources. Reasonable efforts have been made
to publish reliable data and information, but the author and publisher cannot assume responsibility for the validity of all
materials or the consequences of their use. The authors and publishers have attempted to trace the copyright holders of all
material reproduced in this publication and apologize to copyright holders if permission to publish in this form has not
been obtained. If any copyright material has not been acknowledged please write and let us know so we may rectify in any
future reprint.
The Open Access version of this book, available at www.taylorfrancis.com, has been made available under a Creative
Commons Attribution-Non Commercial-No Derivatives 4.0 license.
Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for
identification and explanation without intent to infringe.
Library of Congress Cataloging-in-Publication Data
Herold, Rebecca.
Data privacy for the smart grid / Rebecca Herold and Christine Hertzog.
pages cm
Summary: “The Smart Grid is a convenient term to describe the modernization of electric, natural
gas, and water grid infrastructures. The term encapsulates the convergence of remote monitoring
and control technologies with communications technologies, renewables generation, and analytics
capabilities so that previously non-communicative infrastructures like electricity grids can provide
time-sensitive status updates and deliver situational awareness. While initially and mostly focused
on electricity, many of the same technologies, particularly in information and communications
technologies or ICT apply to natural gas and water grids. This book addresses privacy in all three
of these consumables, but electricity occupies a unique place by virtue of the fact that we can
produce it as well as consume it. In addition, existing technologies make it easier to get many more
measurements about electricity than gas or water. These two unique qualities about electricity
have very interesting ramifications for privacy, and therefore, this book will refer to electricity and
electricity use cases because that provides the best framework for discussion of this important
topic”-- Provided by publisher.
Includes bibliographical references and index.
ISBN 978-1-4665-7337-6 (hardback)
1. Smart power grids--Security measures--United States. 2. Public utilities--Security
measures--United States. 3. Consumer protection--United States. 4. Privacy, Right of--United States.
5. Records--Access control--United States. I. Hertzog, Christine. II. Title.
TK3105.H46 2015
363.60285’58--dc23 2014030904
Visit the Taylor & Francis Web site at
http://www.taylorandfrancis.com
and the CRC Press Web site at
http://www.crcpress.com
Dedication
A huge thank you to Mom and Dad (may they rest in peace) for
always expecting me to do my best, and telling me I could accomplish
anything, no matter what it was. They never put limitations on
me because of my gender; I have only encountered that from others
since starting my career. I am grateful my parents taught me that such
gender-based limitations were ridiculous.
To my wonderful sons, Noah and Heath. You are both the apples
of my eyes and the joys in my life.
To my husband, Tom, even though he will never read a book like
this.
To Rich O’Hanley, for giving us the opportunity to write this
book, his always unwavering patience while we finished this book,
and his continuing support and confidence throughout these many
years. Thank you!
To Laurie Schlags, for being patient, professional, and going out of
her way to assist us in getting everything necessary completed for this
book. Thanks!
To Christine Hertzog, for asking me to write this book with her.
Thank you! It’s been great working with you. Thank you for putting
up with some of my Sheldon Cooper tendencies. We did it!
To those who read these types of books, and appreciate the work
that goes into them, thank you. If you find the information we provide
useful, please let us know.
To Stephen Colbert and Jon Stewart, because I really think they
should read this book and then talk about it and Smart Grid privacy
on their shows!
Rebecca Herold
I dedicate this book to my mother, who taught me that common sense
and determination are never overrated.
Christine Hertzog
Contents

PREFACE
ACKNOWLEDGMENTS
ABOUT THE AUTHORS

CHAPTER 1 THE SMART GRID AND PRIVACY
    What Is the Smart Grid?
    Changes from Traditional Energy Delivery
    Smart Grid Possibilities
    Business Model Transformations
    Emerging Privacy Risks
    The Need for Privacy Policies
    Privacy Laws, Regulations, and Standards
    Privacy-Enhancing Technologies
    New Privacy Challenges
    IOT
    Big Data

CHAPTER 2 WHAT IS THE SMART GRID?
    Market and Regulatory Overview
    Traditional Electricity Business Sector
    The Electricity Open Market
    Classifications of Utilities
    Rate-Making Processes
    Electricity Consumers
    Electricity Technology Overview
    Electricity Supply Chain Vulnerabilities
    The Smart Grid
    Market Changes in the Smart Grid
    Prosumer Evolution
    Other Relevant Market Changes
    Buildings as Prosumers
    Automated Demand Response and the OpenADR Initiative
    Microgrids
    The Future Smart Grid
    Technology Changes
    Energy Storage
    Transmission Grids
    Data Volumes within the Smart Grid
    Data Owners, Data Custodians, and Data Managers
    Energy Consumption
    Smart Grid Privacy Risk Examples
    Energy Regulation
    Smart Grid, Smart Infrastructure
    Key Points for Smart Grid Technologies

CHAPTER 3 WHAT IS PRIVACY?
    What Is Privacy?
    Categories of Privacy
    What’s the Difference between Security and Privacy?
    Data Types
    Smart Data Privacy Implications
    Data Communications Privacy Concerns

CHAPTER 4 SMART METER DATA AND PRIVACY
    Meter Comparisons
    AMR Metering
    Smart Meters Overview
    Signaling Types
    Smart Meter Communications Capabilities
    Smart Meter Data Read Frequency
    Smart Meter Data Granularity
    Energy Savings Initiatives
    Green Button Initiative
    Green Button Connect
    AMI Networks
    Smart Meter Data Summary

CHAPTER 5 THE CONNECTED HOME
    Home Area Networks
    Communications Options
    Home Energy Management Systems
    HEMS Adoption
    HEMS Communications with the Smart Grid
    HANs Do Not Need Smart Meters
    HANs as Communications Gateway Devices
    Privacy Risks within Rentals and Other Leased Spaces
    Employee Privacy Risks within Commercial Buildings and Industrial Sites
    Disaggregation Technologies
    Hardware
    Software
    Smart Appliances
    Connecting Home Appliances
    DR Programs

CHAPTER 6 ELECTRIC VEHICLES, CHARGING STATIONS, AND PRIVACY
    Publicly Owned Charging
    Private Charging
    Utility-Supplied Network Charging
    Other Privacy Implications with EVs
    Telematics

CHAPTER 7 MITIGATING PRIVACY RISKS
    Basic Risk Mitigation Strategies
    Smart Grid Privacy Risks
    Energy Usage Data Privacy Risks
    Energy Production Data Privacy Risks
    Identifying Risks
    Privacy Risk Mitigation Methods

CHAPTER 8 HOW TO TAKE CHARGE OF YOUR PRIVACY
    Roles and Responsibilities
    Privacy Possibilities and Responsibilities for the Data Subject
    Data Subject Privacy Use Case Example
    Information Security Controls to Support Privacy Protection
    Privacy Responsibilities for the Data Controller/Data Custodian and the Data Processor/Data Manager
    Other Helpful Privacy and Information Security Resources

CHAPTER 9 TRANSACTIVE ENERGY
    Technology
    Microgrids
    Regulatory Policy
    Finance
    OpenADR
    Going Forward

CHAPTER 10 ADDRESSING COMMON PRIVACY CLAIMS

CHAPTER 11 BEYOND THE SMART GRID: THE MONETIZATION OF DATA
    Sensor Proliferation
Preface
So why did we write this book? In short, we wanted to have a book
that covers Smart Grid privacy more thoroughly than the others that
were available. Additionally, we wanted to provide a book that also
represents two different approaches on the topic, one from a Smart
Grid sector expert and one from a privacy expert. We also wanted to
show how the convergence of the two results in not only more effective
privacy actions, but also more proactive business decisions. We
each had different, but in many ways similar, motivations and goals.
Rebecca Herold
I became interested in the privacy issues of the Smart Grid after I
led the very first ever Smart Grid privacy impact assessment (PIA).
I’ve been addressing privacy within business since 1994, when I was
given the responsibility of establishing privacy requirements for one
of the very first online banks. This was in addition to my responsibility
of creating the information security requirements. There were no
privacy laws at that time, so the lawyers in the large organization
where I worked said they were not obligated to determine privacy
requirements when I asked them if they could get involved. However,
I strongly believed it was important, so I convinced my senior vice
president at the time to let me take on that responsibility. Since then
I’ve welcomed the opportunity to identify privacy risks in new technologies
and practices, in the absence of any laws or regulations, in a
wide range of industries.
I firmly believe that if you wait until there are laws in place to protect
privacy for specific types of technologies, information, etc., that can
reveal information about people’s lives, you will be too late in being as
effective as you can be to help prevent privacy problems. In my experience,
I’ve seen that data protection laws always lag behind technology
advances by many years. I’ve been gratified to see this trend changing
in some areas, though. For example, laws are being established more
closely to the launch of new technologies in the Smart Grid in part by
the work of my NIST SGIP SGCC Privacy Group. This is evidenced,
as one example, by California being the first state to implement smart
meter privacy law just several months, instead of years, after my
group released to the public the first version of NISTIR 7628 Rev. 1:
Guidelines for the Smart Grid Cybersecurity: Volume 2–Privacy and
the Smart Grid as a draft in 2010. The law closely mirrors many of the
recommendations from NISTIR 7628 Rev. 1.
Since 2009, my NIST SGIP SGCC Privacy Group has created a
lot of really valuable work products, not only both versions of NISTIR
7628 Rev. 1, but also additional work products that those who will be
working in the Smart Grid environment need to know about so they
can use them to help support their privacy efforts. I am happy to have
a chance within this book to point to them.
I met Christine when she led the privacy use cases subteam
within the NIST SGIP Privacy Group, and I had the opportunity
to work closely with her as a member of that team. When Christine
approached me with the idea to write a book about Smart Grid privacy,
I looked at the other books available on this topic. There weren’t
many at that time. However, those that did have both Smart Grid and
privacy in the title had very little actual privacy discussion beyond the
mention of encryption within the text! And none of them mentioned
privacy principles to use, or privacy impact assessments that could be
performed. They were, instead, overwhelmingly about cyber security
controls, a great injustice to the readers who actually expected privacy
to be discussed in detail, and comprehensively. Our book looks
at the Smart Grid, and describes in detail how practitioners and those
building portions of the Smart Grid can address privacy.
I also have been increasingly frustrated by those who claim that
addressing privacy (and information security for that matter) is bad
because it prevents innovations. Poppycock! I agree that the Smart
Grid holds great promise for inspiring significant innovations,
improving upon all sectors of organizations, and bringing true benefit
to individuals in possibly unlimited ways. However, organizations
that are part of the Smart Grid, including those that create devices
and software for use within it, must determine the associated privacy
and information security impacts before they actually put software
and hardware into use. By doing so, you are actually improving upon
innovation, because the resulting products will have the privacy baked
in, which is much more effective than trying to latch something on to
an existing product later.
I want this book to be read by three primary audiences: (1) those
building and architecting the many different components of the Smart
Grid, to help them to build in effective privacy controls; (2) those who
are or will be using smart meters, smart appliances, and generally living
within the Smart Grid in one or more ways, so they know the true
privacy risks, and also the ways in which those risks can be mitigated;
and (3) those who are interested in knowing more about the Smart
Grid and privacy and want to get objective, factual information. I
am concerned about privacy, and I am interested in identifying and
mitigating privacy risks within Smart Grid technologies to the extent
possible. While most in the energy industry want to identify privacy
risks and mitigate them appropriately, I know from direct experience
that there are still a few who do not want to have privacy discussed
for stated fear that it will harm consumer adoption or “thwart innovation.”
I want to provide the facts without having the risks downplayed
to meet the interests of those few who want to only provide positive
information about the Smart Grid. There are also groups, some of
whom have contacted me directly, who want to scare consumers into
not using smart meters for a very wide variety of reasons. I want to
provide the facts and analysis about Smart Grid privacy that can be
used to allow readers and consumers to recognize when sensational,
exaggerated warnings are made about privacy that are not based upon
any research or facts.
We address the legal issues without getting into legal jargon. We
address the technical aspects without getting deep into the weeds of
technical details. We point out the privacy topics without providing
the information in an academic research paper type of narrative. In
short, we are striving to make this book usable by anyone concerned
about privacy within the Smart Grid and who wants to know the
facts, in addition to providing practical privacy safeguards and guidance
for those entities within the Smart Grid.
Christine Hertzog
The Smart Grid is a convenient term that describes the collection of
technologies, policies, and financial innovations that are spurring the
modernization of our electrical, natural gas, and water infrastructures.
The Smart Grid consists of multiple machine-to-machine (M2M)
applications that are characteristic of the Internet of Things (IOT).
The Smart Grid produces significant amounts of data and can also
create new types of data. Data can be created in timescales that range
from milliseconds to hours to days, and it can also be event driven.
Smart meters are one of the most visible M2M applications for
many consumers, but hardly the only one in the Smart Grid sector.
While the focus of this book is on the Smart Grid, it also addresses
the data generated at its periphery—such as in the connected home
and in automobiles (and not just the electric ones). Every business sector
is deploying technologies that are capable of collecting and communicating
new and more data about performance, use, and status.
My focus on privacy came about from my work as the team leader
for the NIST SGIP SGCC Privacy Group’s work on privacy use cases
and the results we published in NISTIR 7628 Rev. 1. Ongoing observations
about the quality and level of discussion about what is actually
transmitted as data by different Smart Grid technologies and applications
prompted this book. The word convergence is often used in reference
to Smart Grid topics. It was only logical to apply that practice to
writing this book to leverage the knowledge of two different experts.
Intelligent investments in Smart Grid infrastructure are best made
with accurate information. The same can be said for development of
policy and law. This book offers a clear and concise explanation of the
Smart Grid and provides a solid foundation to understand the problems
being addressed and proposed solutions. It describes the most
important technologies, policies and trends, and the impacts that the
transformation to a modern grid will have on stakeholders like consumers,
utilities, regulators, and lawmakers, and businesses that sell
grid-related products and services to stakeholders. Most importantly,
it addresses these topics through the lens of data privacy and the considerations
for privacy of individuals and organizations.
This book educates readers about data that is created by the Smart
Grid and Smart Grid technologies, as well as some other M2M applications.
My objective is to help educate readers to develop informed
opinions and meaningful contributions to legislation, policy, and
hardware and software technologies to preserve and protect privacy
for individuals and entities. In other words, let’s generate light instead
of heat on the topic of the Smart Grid and privacy.
Acknowledgments
• Tanya Brewer, Marianne Swanson, Vicky Pillitteri, and
Amanda Stallings provided great support and did a lot of
work for my NIST SGIP SGCC Privacy Group. Much of
that is reflected in this book. My thanks to them.
• Dr. Ken Wacks and Dr. Jim Kirtley, both from MIT, provided
valuable information about the first “smart” electricity
meter, along with a great explanation for how it came to be,
and how the patented design worked. My thanks to them.
• Klaus Kursawe from ENCS in the Netherlands provided
important information about his smart meter privacy research.
My thanks to him.
• Gal Shpantzer originally got me involved with the NIST
CSWG Privacy Group. I’m grateful to him for that. My
thanks to him.
Rebecca Herold
I am grateful for the assistance of my colleagues who generously gave
time and information in conversations and reference materials that
contributed to this book’s content. The following individuals provided
valuable background, ideas, and perspectives:
• Chris Kotting, Executive Director at the EIS Alliance
• Ed Beroset, Director of Technology and Standards at Elster
Solutions
• Dave Krinkel, Principal at EnergyAI
• Chris Villareal, Senior Regulatory Analyst at California
Public Utilities Commission
Thank you for serving as sounding boards and sharing your expertise
and knowledge.
A very special thank you to Rebecca Herold, my co-author, and
the publishing team at Taylor & Francis Group. We had a vision, we
created a schedule, we put words to paper, and we got it done. And
we did it as a team.
Christine Hertzog
About the Authors
Rebecca Herold has over 2½ decades of information privacy,
security, and compliance expertise. Rebecca is CEO of Privacy
Professor® and owner/partner for SIMBUS® and has led the NIST
SGIP Smart Grid Privacy Group since June 2009. She has been an
adjunct professor for the Norwich University MSISA program since
2005 and has written 17 books and hundreds of published articles.
Rebecca is invited to speak at a wide variety of events throughout
the United States, and other worldwide locations such as Melbourne,
Australia, Bogotá, Colombia, and Ireland.
Rebecca is widely recognized and respected, and has been providing
information privacy, security, and compliance services, tools, and products
to organizations in an extensive range of industries for over two
decades. Just a few of her awards and recognitions include the following:
• Named in the Top 2 Female Infosec Leaders to Follow on
Twitter in 2014 by Information Security Buzz.
• Named to the ISACA International Privacy Task Force in
2013.
• Named on Tripwire’s list of InfoSec’s Rising Stars and Hidden
Gems: The Top 15 Educators in July 2013.
• Named one of Information Security Buzz’s list of Top 5
Female Infosec Leaders to Follow on Twitter in 2013 and
2014.
• Has been named one of the “Best Privacy Advisers in the
World” multiple times in recent years by Computerworld magazine,
most recently ranking number 3 in the world in the last
rankings provided.
• In 2012 was named one of the most influential people and
groups in online privacy by Techopedia.com.
• In 2012 was named a privacy by design ambassador by the
Ontario, Canada, data privacy commissioner.
Rebecca is an owner and partner for the SIMBUS services for
healthcare organizations and their business associates to meet their
HIPAA, HITECH, and other legal requirements, with more industries
added in late 2014. She is also a partner for the Compliance
Helper services and has been leading the NIST SGIP Smart Grid
Privacy Group since June 2009. Rebecca is a member of the IAPP
Certification Advisory Board, and is an instructor for the IAPP’s
CIPM, CIPP/IT, CIPP/US, and CIPP Foundations classes.
She currently serves on multiple advisory boards for security, privacy,
and high-tech technology organizations. Rebecca is frequently
interviewed and quoted in diverse broadcasts and publications such
as IAPP Privacy Advisor, BNA Privacy & Security Law Report, Wired,
Popular Science, Computerworld, IEEE’s Security and Privacy Journal,
NPR, and many others. Rebecca regularly appears on the Des Moines,
Iowa-based Great Day morning television program on KCWI to discuss
and provide advice for information security and privacy topics.
Born and raised in Missouri, she has degrees in math, computer
science, and education. She has lived in Iowa on a farm with her
family for the past couple of decades, where they raise corn, soybeans,
sunflowers, and make hay. They are currently renovating a house,
over 100 years old, that had previously been occupied by raccoons
and chipmunks for several years. See more about Rebecca, her work,
services, and products at:
Rebecca Herold, CIPM, CIPP/IT, CIPP/US, CISSP, CISM, CISA, FLMI
Owner and CEO, The Privacy Professor (http://www.privacyguidance.com and http://www.privacyprofessor.org)
Partner, SIMBUS (http://www.HIPAAcompliance.org)
Adjunct professor for the Norwich University Master of Science in Information Security and Assurance (MSISA) program (http://infoassurance.norwich.edu/)
Twitter ID: PrivacyProf (http://twitter.com/PrivacyProf)
Christine Hertzog is the founder and managing director of the Smart
Grid Library and SGL Partners, delivering consulting and information
services about Smart Grid and Smart Infrastructure technologies,
services, and solutions. Her firm provides pragmatic guidance to
global vendors, governmental entities, and utilities covering a broad
range of needs, such as strategic corporate and market insights and
design and deployment of prosumer-centric utility operations.
Ms. Hertzog is the author of the Smart Grid Dictionary that defines
the jargon, acronyms, and terminology about technologies, international
standards, and organizations associated with the Smart Grid
and Smart Infrastructure. She is the coauthor of The Smart Grid
Consumer Focus Strategy, which identifies consumer/utility challenges
and methods to ensure successful prosumer operations and interactions.
She is a recognized thought leader and regular speaker at industry
conferences and writes a syndicated blog about Smart Grid and
Smart Infrastructure topics.
Based in Silicon Valley, Ms. Hertzog serves as an advisor to Smart
Grid start-ups and industry associations and publications, including
The Energy Collective, ElectricityPolicy.com, Energy Post, Agrion,
1
THE SMART GRID
AND PRIVACY
What Is the Smart Grid?
The Smart Grid is a convenient term to describe the modernization of
electric, natural gas, and water grid infrastructures. The term encapsulates
the convergence of remote monitoring and control technologies
with communications technologies, renewables generation, and
analytics capabilities so that previously noncommunicative infrastructures
like electricity grids can provide time-sensitive status updates
and deliver situational awareness.
While initially and mostly focused on electricity, many of the
same technologies, particularly in information and communications
technologies (ICTs), apply to natural gas and water grids. This book
addresses privacy in all three of these consumables, but electricity
occupies a unique place by virtue of the fact that we can produce it as
well as consume it. In addition, existing technologies make it easier
to get many more measurements about electricity than gas or water.
These two unique qualities about electricity have very interesting
ramifications for privacy, and therefore this book will refer to electricity
and electricity use cases because they provide the best framework
for discussion of this important topic.
Changes from Traditional Energy Delivery
One of the other critical ramifications of the Smart Grid is that it
changes the supply chain. The traditional view is that electricity, gas,
or water is supplied by a utility to consumers, and on a periodic basis,
your consumption is metered and you pay a bill for the amount you
consume, typically at a flat rate. Many technologies in the Smart Grid
now make consumption a new point in the supply chain, and when it
comes to electricity, new technologies make it a value chain. Electricity
has a special distinction in the Smart Grid.* Consumers can become
prosumers—producing consumers—of electricity. We can generate
electricity on our rooftops or backyards and sell kilowatts back to a
utility or use it ourselves to reduce the amount we buy from a utility.
We can also participate in programs that encourage us to reduce our
electricity use, thereby generating negawatts, or watts of energy saved
through a reduction in energy use or increase in energy efficiency.†
We don’t have the same range of possibilities to create water or natural
gas, which is why electricity occupies the unique status of elevating
us to prosumers. Water and gas meters are much simpler in design
and metrology (what is measured) than electricity too. However,
Smart Grid technologies definitely change what can be determined
about our consumption of electricity, natural gas, and water. Think
about it this way. Suppose you went to a grocery store and just walked
out of the store with a reusable canvas bag full of items every day. At
the end of the month, you received a bill with a single-line descriptor
for “groceries” and a total amount of money owed. That’s it. No identification
of how many quarts of milk, pounds of bananas, or boxes
of cereal that you consumed that month. That’s how we currently get
electricity, gas, and water bills.
* Definition from the Smart Grid Dictionary (http://www.smartgridlibrary.com/shop-smart-grid-library-books/smart-griddictionary_new/):
“Bi-directional electric grids and communication networks that improve the reliability, security, and efficiency
of the electric system for small- to large-scale generation, transmission, distribution,
storage, and consumption. It includes software and hardware applications for
dynamic, integrated, and interoperable optimization of electric system operations,
maintenance, and planning; distributed energy resources interconnection and integration;
and feedback and controls at the consumer level.”
† Ibid.
Smart Grid Possibilities
Now consider the possibilities with Smart Grid technologies. This is
a new situation. We’re accustomed to significant reporting of our lives
in other aspects—we get detailed bank information identifying dates
and times of deposits and withdrawals from specific accounts. We
get detailed credit card summaries every month listing business, date,
time, and total of each purchase. And with the introduction of many
Smart Grid technologies, we have the opportunity to have similarly
granular, time-stamped data about our use of electricity, gas, or water,
in addition to information about the devices using such items from
those device vendors. In the special case of electricity, that data can
include our generation of electricity from solar panels on our rooftops,
kitchen appliance usage, or location and duration of charging electric
vehicles (EVs), just to name a few.
Not every Smart Grid technology that is deployed in an electricity
grid creates, monitors, transmits, or stores data about individual consumption
of electricity (or gas or water). And sometimes, the entity
collecting data is not a utility or affiliated with a utility. This book
focuses on those technologies that do have impacts on personal privacy.
Chapter by chapter, we’ll describe these technologies, existing
policies and practices, and areas that require careful consideration
for policy makers, privacy officers in utilities and the companies that
provide solutions, and citizens. Our identification of these technologies
and their associated privacy risks is not a condemnation of them.
We see these technologies as very useful tools. But any tool, used
incorrectly, can be dangerous. Recognizing the privacy implications
surrounding the new data that is created, collected, aggregated, analyzed,
reported, or anonymized is key to building the solutions, policies,
and processes that deliver generally accepted levels of privacy.
Business Model Transformations
But there’s another angle to this discussion, and it’s about transformation
of business models. It’s likely that businesses other than utilities
may manage electricity-generating assets or water conservation equipment.
Depending on regulatory environments, businesses other than
utilities might even sell electricity, or collect energy usage* or energy
production* data directly from consumers. Utilities may also get into
new services outside of their traditional areas of business activity.
Indeed, a recent publication titled Reforming the Energy Vision from
the New York Department of Public Service,† the state regulatory
agency responsible for oversight of investor-owned electric utilities,
makes this point. The report describes the evolution of today’s utility
business model from a linear supply chain of centralized electricity
generation from a few players with unidirectional electricity transactions
to multiple consumers. The future utility business model will
accommodate decentralized electricity generation and bidirectional
electricity transactions between prosumers (producing consumers),
multiple energy service providers, and utilities. Smart energy
device manufacturers and vendors may also be brought in to the mix.
Businesses may form new and different collaborations to exploit data
about consumption or use. However, these transformations will sometimes
blur the lines of responsibility for privacy protection. This book
will highlight a few of those boundary-bending trends to help readers
develop plans and policies to incorporate the appropriate actions to
protect and maintain personal privacy.
* Energy usage data is data that shows how much energy is used at the consumer’s
location, such as by the consumer’s computers, mobile devices running smart energy
apps, third-party energy management services, smart appliances, and other types
of devices associated with that consumer. The data may also include the associated
operational and other types of metadata.
* Energy production data is data that identifies the flow of electricity for a device that
generates or discharges electricity.
† This report was produced by the New York State Public Service Commission and is
part of an initiative that will “lead to regulatory changes that promote more efficient
use of energy, deeper penetration of renewable energy resources such as wind and
solar, wider deployment of ‘distributed’ energy resources, such as micro grids, on-site
power supplies, and storage. It will also promote greater use of advanced energy
management products to enhance demand elasticity and efficiencies. These changes,
in turn, will empower customers by allowing them more choice in how they manage
and consume electric energy.” From the commission’s website:
http://www3.dps.ny.gov/W/PSCWeb.nsf/All/26BE8A93967E604785257CC40066B91A?OpenDocument.
Emerging Privacy Risks
Easy and quick access to energy consumption, energy usage, and
energy production data has potential for benefiting consumers and
utilities, just to name a few, to help conserve energy, keep costs as low
as possible, and discover more ways to make energy delivery more efficient.
Along with these benefits come risks related to how that energy
usage data, and the information associated with it, are used, shared,
stored, and otherwise accessed.
Utilities, consumers, Smart Grid vendors, and other types of orga-
nizations using Smart Grid devices, applications, systems, and other
types of technologies need to be aware of these new privacy risks, as
well as those that will inevitably emerge as the Smart Grid matures.
Interconnected networks and devices (for example, smart phones with
apps that can control energy settings within the home from remote loca-
tions) expand the scope for privacy risks within the Smart Grid. Many
of these risks are not unique to the Smart Grid, but they introduce new
types of threats and vulnerabilities to address within the Smart Grid.
As new and emerging technologies and activities are deployed, they will
likely introduce even more, and different, privacy challenges. Privacy
risks, and ways to mitigate them, are covered in Chapter 7.
The Need for Privacy Policies
Organizations need to establish internal privacy policies and supporting
procedures for their personnel to follow to provide direction on how
to effectively and consistently protect consumer and energy usage data,
energy consumption data, and energy production data. Such policies
should span a comprehensive set of topics, such as how the information
should be retained, distributed internally, shared with third parties, and
secured against breach. There must also be not only online training and
awareness policies and procedures, but also regular employee training
and ongoing awareness communications sent to employees to help keep
them aware of privacy risks and how to mitigate them.
Similarly, Smart Grid services and products recipients should be
provided with a privacy notice that describes the information the
organization is collecting and how that information will be used,
shared, and secured.
Privacy policies and notices are described in detail in Chapter 7.
Privacy Laws, Regulations, and Standards
Privacy laws and regulations vary greatly throughout the world. There
are generally four approaches in the United States to protecting privacy
by law:
• Constitutional protections and issues. These are general protections
provided by the First (freedom of speech), Fourth (search
and seizure), and Fourteenth (equal protection) Amendments,
which cover personal communications and activities.
• Statutory, regulatory, and case law, at both the federal and
state levels. There are growing numbers of Smart Grid privacy
laws at the state level. The first Smart Grid privacy law was
issued on July 29, 2011, when the California Public Utilities
Commission (CPUC) established new rules* to protect information
about consumer use of smart meter energy provisioning
services. The California rule established Fair Information
Practice (FIP) requirements, including a consumer right of
access and control, data minimization requirements, use and
disclosure limitations, and data quality and integrity requirements.
Electric utilities and their contractors, as well as third
parties who receive electricity usage data from utilities, must
comply with these rules.
• Data-specific or technology-specific protections, including
direct regulation of public utilities by state public utility commissions.
These protect specific information items such as
credit card numbers and social security numbers (SSNs), or
specific technologies such as phones or computers used for
data storage or communication, or customer-specific billing
and energy usage information used by public utilities to provide
utility services. Other federal or state laws or regulations
also exist that provide privacy protections to information
within specific industries (e.g., Gramm–Leach–Bliley Act,†
Health Insurance Portability and Accountability Act,‡ etc.).
• Contractual and agreement-related protections and issues:
specific protections. These are protections specifically outlined
within a wide range of business contracts, such as those
between consumers and businesses, businesses and their
contracted vendors, etc. The privacy risks within the Smart
Grid will necessitate such contracts for all entities that have
access in some way to the associated customer and energy
usage data.
* See the full text of the California rules at http://docs.cpuc.ca.gov/WORD_PDF/FINAL_DECISION/140369.pdf.
† See the regulatory text at http://www.hhs.gov/ocr/privacy/hipaa/administrative/combined/hipaa-simplification-201303.pdf.
‡ See the regulatory text at http://www.gpo.gov/fdsys/pkg/PLAW-106publ102/pdf/PLAW-106publ102.pdf.
Privacy-Enhancing Technologies
A wide range of existing privacy-enhancing technologies (PETs) can
be engineered within the many technologies of the Smart Grid to
support privacy protections. A few examples of PETs* include:
• Encryption: Encryption is a cryptographic process used to
encode (scramble) data in such a way that only authorized
parties can read it.
• Steganography: Steganography is a method used to conceal a
message, image, or file within another message, image, or file.
• Aggregation† methodologies: Within the energy industry, data
aggregation refers to methodologies that remove personally
identifiable information from collections of energy usage data.
(Other industries and groups define this term differently.)
• De-identification‡ methodologies: These are methodologies
that remove all data necessary to keep the data from being
analyzed to identify individuals.
• Access control systems: These are technical, administrative,
and physical controls implemented to ensure only those individuals
with a business need can gain access to confidential
information or restricted areas.
• Privacy seals for websites: These are third-party validations
that a specific scope of the associated business has been
reviewed and determined to meet appropriate levels of privacy
protections.
• Spam filters: A spam filter is a program that is used to detect
unsolicited and malicious email, such as phishing messages
that can collect personal information, or keystroke loggers,
which can capture all information types and prevent those
messages from getting to a user’s inbox.
* Taken from Rebecca Herold, Managing an Information Security and Privacy Awareness
and Training Program, 2nd edition, CRC Press, Boca Raton, FL, 2010.
http://www.crcpress.com/product/isbn/9781439815458.
† This will be covered in detail in Chapter 7.
‡ This will be covered in detail in Chapter 7.
New Privacy Challenges
A variety of Smart Grid technologies are making more data avail-
able to utilities today. But beyond electric, gas, and water operations,
many other business sectors are impacted by the same technologies.
Sensors gathering more and new types of data, inexpensive data
storage making it possible to keep data indefinitely, the increasing
use of mobile devices, as well as smart devices,* for data collection
and use, and the growth of reliable and robust communications
networks—mostly wireless—contribute to business opportunities
in machine-to-machine (M2M) applications and the Internet of
Things (IOT).†
* As defined in the Q2 2014 issue of Protecting Information Journal
(http://hipaaprivacy.org/product/protecting-information-journal/), “smart devices, are items that
typically have existed for a very long time with no computing capabilities that are
now being created with data collection, transmission, and/or processing capabilities
built into them. All connect, in some manner, to the Internet to enable sharing of
that data.”
† As defined in the Q2 2014 issue of Protecting Information Journal
(http://hipaaprivacy.org/product/protecting-information-journal/), “the Internet of Things (IoT)
refers to uniquely identifiable objects and their virtual representations in an Internet-like
structure.”
IOT
The Internet of Things (IOT) generally means computing devices
and gadgets that generate data and are then connected to other gadgets
to share and use that data. Such devices include smart phones, laptops,
and tablets. Also included are increasingly computerized things that
can generate data, take actions based upon automatic analysis of that
data, and automatically store data. The possibilities are endless. Already
there are computer-enabled cars, wearable technologies, smart thermostats,
medical devices, kitchen appliances, water treatments, baby
monitors, clothing items, trash cans, stoplights, and the list goes on.
Such computerized gadgets are typically referenced as “smart” devices.
Just a few examples of some smart devices in the Smart Grid include:
• Electric vehicle charging stations
• In-home energy management displays
• Load control switches
• Wi-Fi range extenders
• Thermostats
• Smart meters
• Voltage regulators
• Smart phone apps
• Data concentrators
Big Data
All the data collected from the Smart Grid and the Internet of Things
can become “big data” and be characterized by the four Vs: volume, variety,
velocity, and veracity. We can install sensors that remotely monitor
and control devices that previously did not have these capabilities.
That leads to increasing volumes of data. In many cases, sensors are
providing new types or varieties of data. For example, wearable devices
offer a wealth of data that weren’t available before—new variety.
Communications networks make data available for real-time or near-real-time
consumption—increasing its velocity. Veracity addresses
the accuracy of data. Inaccurate data can be benign or have serious
impacts. Just ask anyone who had inaccurate financial data downgrade
a credit score—the impacts can mean more expensive capital for
everything from credit cards to mortgages.
However, big data offers a tremendous amount of potential
and positive impacts for families, communities, business, governments,
and everyone as inhabitants on planet Earth. In May 2014,
Dr. Ernest Moniz, the secretary of the Department of Energy
(DOE), spoke at the White House Energy Datapalooza* and stated
that “freely available government data about energy is a national
resource” to be leveraged to help mitigate climate change impacts
and improve electric grid resiliency. There are many interesting initiatives
to make data open and accessible, all the while acknowledging
the need to maintain privacy of data. However, as with any
beneficial new technology, big data also brings with it privacy risks*
that must be mitigated.
* https://www.youtube.com/watch?v=NpcStxOq2Ug&feature=youtu.be.
* See a summary of 10 common big data privacy risks at http://privacyguidance.com/blog/10-big-data-analytics-privacy-problems/.
[Figure 2.1 labels: Power plant generates electricity. Transformer converts low voltage electricity to high voltage for efficient transport. Transmission lines carry electricity long distances. Substation transformer converts high voltage electricity to low voltage for distribution. Distribution lines carry low voltage electricity to consumers. Homes, offices, and factories use electricity for lighting and heating and to power appliances.]
2
WHAT IS THE SMART GRID?
Before launching into the Smart Grid and considerations of privacy,
it is helpful to understand the traditional electricity grid structure in
the United States and what makes the Smart Grid different from the
existing grid. The electric sector is best described from regulatory,
market, and technology perspectives. Our discussion scope is focused
on the United States since regulatory and market structures, and even
privacy legislation, differ by nation. However, the grid technologies
are applicable everywhere.
Market and Regulatory Overview
Traditional Electricity Business Sector
The traditional electricity business sector consists of power generators
and transmission and distribution operators, as illustrated in
Figure 2.1. Depending on the region of the United States, all of these
functions may be performed by one company—known as a vertically
integrated utility. In other regions, generation, transmission, and distribution
may be operated by different companies, reflecting different
approaches to deregulation of the electric utility sector. From a supply
chain perspective electricity is supplied by centralized, large, or
utility-scale generation and delivered via high-voltage (69 kV and up)
transmission lines connecting to low-voltage (4 to 35 kV) distribution
lines or grids.
Figure 2.1 The traditional electricity supply chain. (Courtesy of Energy Efficiency Exchange
(EEX), http://eex.gov.au.)
The Electricity Open Market
Historically, electric utilities typically have had a monopoly status at
the distribution grid level—there’s only one wire that connects to a
meter attached to a building or other end point, not multiple lines
from competing suppliers.
Many regions of the United States have entities called independent
system operators (ISOs) or regional transmission operators (RTOs).*
They ensure that all qualified power sellers (generators) have opportunities
to get their electricity to buyers (utilities) by coordinating
regional transmission. In the past, generation meant the creation
of megawatts or kilowatts of power. There is growing interest in
leveraging negawatts† as equal market participants. The Smart Grid
can help enable more negawatts to be created and managed at the
bulk market level. Later in this chapter there will be discussion of how
the Smart Grid can help facilitate a market for generation of kilowatts
and negawatts at the retail or distribution grid level.
* The Smart Grid Dictionary definition of an RTO is: “An independent, federally-regulated
(U.S. or Canada) entity established to coordinate regional transmission
in a non-discriminatory manner and ensure the safety and reliability of the electric
system. These organizations monitor system loads and voltage profiles, operate
transmission facilities and direct generation, define operating limits, develop contingency
plans, and implement emergency procedures. ISOs also have authority over
transmission expansion projects. This coordination, control, and monitoring of the
electrical power system may be within a single U.S. state or across multiple states.
There are currently 10 ISOs and RTOs (Regional Transmission Organizations) in
North America.”
† From the Smart Grid Dictionary: “Watts of energy reduced on a temporary basis in
response to a market signal—usually price. It is the outcome of Demand Response
programs that aggregate a number of these actions to represent reductions of energy
use from kilowatts to megawatts. A permanent negawatt reduction is achieved
through energy efficiency programs and actions.”
At a federal level, there is oversight of the bulk or wholesale power
market to ensure grid reliability. The North American Electric
Reliability Corporation (NERC) is “an independent, self-regulatory,
not-for-profit organization whose mission is to ensure the reliability of
the bulk power system in North America. It monitors the bulk power
system; develops and enforces reliability standards; assesses future
adequacy of electricity; audits owners, operators, and users for preparedness;
and educates and trains industry personnel.”* The critical
importance of its responsibilities received international attention after
the August 2003 Northeast blackout that affected 50 million people
in the United States and Canada.†
* Definition from the Smart Grid Dictionary.
† http://www.scientificamerican.com/article/2003-blackout-five-years-later/.
Classifications of Utilities
There are over 3,000 electric utilities in the United States. These fall
into one of four classifications:
• Federal utilities like Bonneville Power Administration or
Tennessee Valley Authority
• Investor-owned utilities (IOUs), which have shares bought
and sold in stock exchanges and have operating territories that
can be intra- or interstate. Examples include Duke, ComEd,
or Southern California Edison.
• Municipal (munis) utilities, which are owned by local
communities and their governing agencies and operate
in those jurisdictions’ boundaries. Examples include LA
Department of Water and Power or the Electric Power
Board of Chattanooga.
• Cooperative (coops) utilities, which are member-owned
nonprofit utilities that typically serve rural areas. Examples
include Bluebonnet Electric Cooperative and Sawnee Electric
Membership Cooperative.
[Figure 2.2 contents:
Cost of fixed equipment × Allowed “Rate of Return” = Profits
Profits + Grid Operating Costs + Cost of Generation = Revenue Requirement
Revenue Requirement / kWh Sales = Retail Rate per kWh]
IOUs operate as monopolies and are regulated by state agencies.*
In the United States, that translates into 50 regulatory commissions
plus agencies for the District of Columbia, Puerto Rico, and the U.S.
Virgin Islands. These commissions oversee electric, gas, and water
utilities as well as telecommunications. At a high level, regulators are
responsible for ensuring that the consumers they represent are receiving
services (electric, gas, and water) at fair, just, and reasonable rates.
* Common names include public utility commissions, commerce commissions, corporation
commissions, and public service commissions. In some cases, regulators are
appointed by governors; in other states, regulators are elected representatives.
Munis and coops are generally not regulated by state regulatory
agencies. However, these utilities track regulatory policy trends and
rulings, and their operations and future plans may be influenced by
these decisions. As businesses, they are bound by laws enacted in
their home states, which can have important ramifications for privacy
topics.
Rate-Making Processes
Ensuring fair, just, and reasonable rates in a monopoly environment
has resulted in regulators and utilities relying on tariff or rate-making
processes that guarantee a rate of return or profits to utilities to cover
their fixed and variable costs. Figure 2.2† breaks down a complex process
that varies by state and utility into its simplest factors.
Figure 2.2 Simple breakdown of tariff-setting process. (Courtesy of Chris Kotting, ckotting.com.)
† Tariff-setting processes are very complex and vary by jurisdiction, but this graphic
provides a good generalized description at a high level.
Today’s tariffs are fixed fees for electricity. While that provides predictability
for the average consumer to budget his or her electricity
use, it also shields consumers from the fact that electricity is traded
like a commodity. Just like coffee, gold, or natural gas futures rise and
fall, so too do electricity prices. Electricity prices can vary based on
time and type of generation source. Electricity purchased during a
period of high demand costs more than electricity purchased during
a lull in needs.
Electricity Consumers
Consumers fall into categories that are typically organized as residential,
commercial, industrial, and agricultural. Depending on the
utility, there may be other specialized distinctions or subgroupings
based on type of business or amount of electricity purchased. These
consumer groups typically have some sort of representation with
regulatory agencies and utilities. For instance, the California Public
Utilities Commission has an Office of Ratepayer Advocates (ORA)
with a statutory mission to “obtain the lowest possible rate for service
consistent with reliable and safe service levels. In fulfilling this goal,
ORA also advocates for customer and environmental protections.”*
* http://www.ora.ca.gov/default.aspx.
Regardless of the type of utility, for decades the business model
has been consistent—there is one provider of electricity to consumers.
At the time of this writing, 16 states, such as Texas and Pennsylvania
plus the District of Columbia, have deregulated the market at the
distribution grid level. This is often referred to as the retail electricity
market or level, in contrast to the bulk or wholesale markets addressed
by ISOs and RTOs. Residential (or in some cases, commercial) consumers
in these states may choose their retail electricity provider.
There is still just one wire and meter (smart or traditional) that connects
a consumer to the distribution grid, but there are multiple companies
competing for consumer business based on price of electricity
plus additional services. Twenty-two states have deregulated gas.
This utility business model will continue to change, and deregulation
policies are in some ways a minor influence compared to some
transformative technology and financial drivers. These drivers include
the astonishing growth of solar photovoltaic (PV) systems on residential
and commercial rooftops and the proliferation of financial tools
that reduce the cost of capital to deploy these systems.* The end result
is that electricity revenues, the main source of funding for utilities, are
slowing and even decreasing. We’ll examine this in more detail later
in this chapter.
* Interstate Renewable Energy Council, U.S. Solar Market Trends 2012 Year in Review,
http://www.seia.org/research-resources/us-solar-market-insight-2012-year-review.
Electricity Technology Overview
Thomas Edison and Alexander Graham Bell were contemporaries
in the late 1800s and celebrated for their respective inventions that
became the electrical grid and the telecommunications network. Mr.
Bell would not recognize today’s telecom operations because equipment
has undergone multiple evolutions and upgrade iterations.
Today’s smart phone is radically different from the fixed devices that
he invented. However, Mr. Edison would recognize many elements of
an electric utility substation. There have been updates and upgrades,
but many utilities have been encouraged to operate in a “run to failure”
mindset and only replace equipment once it is past repair. There
have not been any significant, industry-wide technology migration
initiatives until the Smart Grid.
The power grid we enjoy today is a complex and marvelous
machine, but it is definitely replete with aging infrastructure. Many of
the transformers in the distribution grid are past their manufacturer-warranted
lifetime. According to the Galvin Electricity Initiative,
the average transformer age is 42 years on equipment designed for
a 40-year life span. Some utilities still have operating infrastructure
that was installed during Edison’s lifetime. For instance, a senior
executive for National Grid noted at a recent industry event that the
utility had a line in upstate New York that was installed by Thomas
Edison. Imagine a stretch of road lasting that long—it would be in
need of significant overhauls and upgrades too.
This power grid operates as a just-in-time supply chain. What this
basically means is that Americans have been conditioned to expect as
much power as they need whenever they need it. There’s no advance
scheduling or reservation of kilowatts to coincide with usage changes.
System operators at the ISO and utility planners carefully project electricity
needs and then schedule for that, with room to spare. When
they don’t match supply to demand, the results are voltage sags or
surges that can have very serious consequences for sensitive electronics
equipment, especially for commercial and industrial operations
that require steady power quality. Even worse, a mismatch of supply
and demand can cause blackouts. In 2000–2001, California experienced
“rolling blackouts”* that were found to be the result of illegal
market manipulations in the wholesale power grid.
* http://www.pbs.org/wgbh/pages/frontline/shows/blackout/california/timeline.html.
Electricity Supply Chain Vulnerabilities
This supply chain is extremely fragile. While the California rolling
blackouts were caused by criminals manipulating markets, other
regions of the country experienced severe power disruptions from
extreme weather events, which will become more common as a result
of climate change. The supply chain of centralized generation—transmission
at long distances to substations that then convert the power
to lower voltages suitable for movement along the distribution grid
to consumers—lacks resiliency to quickly recover from these types of
incidents. There is significant concern expressed within utilities and
at the highest levels of government that the grid is also exposed to
attacks. These attacks can be physical† or cyber based.‡ The electricity
supply chain’s weakest links are in its transmission and distribution
grids. There are 200,000 miles of high-voltage transmission lines§ and
2.2 million miles of lines in the distribution grids. Most of these assets
consist of overhead wires and equipment, not underground facilities.
† PG&E announced a $250,000 reward for information leading to the arrest and
conviction of the perpetrator(s) who fired gunshots that caused extensive damage to
its Metcalf transmission substation near San Jose in 2013.
‡ In May 2014 the Department of Homeland Security (DHS) noted that an unidentified
utility’s control system network had been penetrated and compromised via an
Internet connection and a weak password system.
§ Edison Electric Institute.
The costs of electric service disruptions are staggering. Estimates of
the damage done to the U.S. economy range from $104 billion to $164
billion annually.* Service disruptions also have enormous impacts on
our quality of life as well as our essential health and safety. There are
no substitutes for electricity.
* Electric Power Research Institute (EPRI), The Cost of Power Disturbances to
Industrial and Digital Economy Companies, 2001.
Magnifying these vulnerabilities caused by inherent supply chain
fragility, traditional grids provide very little information to their utility
operators about their status. For the most part, the grid has been
uncommunicative about what is going on within its lines and equipment.
How does the typical electric utility learn about a power outage?
When you call to complain about your lack of service. Then,
the utility narrows down suspected failure locations based on the
addresses of complaints. Finally, repair teams are dispatched to search
out the failure point, and hopefully have the right training and right
equipment to repair the failure and restore service.
The situation is only slightly better in the traditional transmission
grid. The 2003 blackout started with transmission lines sagging in the
heat of an August day and touching tree branches. What should have
been an outage limited to one utility became a multistate problem
because of human error and a lack of situational awareness. Existing
technologies provided status updates every 4 seconds. That may sound
like a reasonable rate of data, but electrons move much faster than
that. We don’t recommend that you experiment with this illustration
of the problem, but think of it in terms of driving a nonautonomous
car on a highway. Can you imagine how much you miss if you close
your eyes for 4 seconds as you’re hurtling along at 65 miles per hour,
briefly open them, and then shut them for another 4 seconds? That’s
how we managed the high-voltage transmission grid.
The Smart Grid
The Smart Grid promises significant changes to every facet or domain
of the electricity grid sector. The simplest distinction is that the Smart
Grid delivers bidirectional energy and information, in contrast to the
single directional flow of electricity and minimal flow of information
that exists today. Smart Grid technologies can deliver significant
amounts of data to create extraordinary situational awareness at every
stage of the supply chain.
There are a couple of game-changing technologies that appear
in the Smart Grid—primarily in renewable energy generation and
energy storage. However, many Smart Grid technologies are merely
deployments of established telecommunications and data analytics
technologies that are already in use in other business sectors, like
finance, consumer goods, and healthcare. They may be new to the
utility sector, but they are not new technologies.
Some Smart Grid technologies are directly visible to consumers.
You can see the smart meter that is installed on the side of a building.
But many of the technologies adopted by utilities to modernize their
grids are invisible to consumers. Again, that’s no different from how
our wireless carriers, our banks, or our stores upgrade the infrastruc-
ture that helps them improve the delivery of whatever service they
are providing to consumers. But unlike those sectors, the consumer-
utility relationship will undergo dramatic disruptions. Consumers
will have many of their own energy usage, production, and manage-
ment devices on their premises, some of which may connect to utility
meters, and others that may connect to the Internet. In some situa-
tions, the disruptions caused by adoption of Smart Grid technologies
will be driven by consumers rather than utilities or regulators. It will
be extremely important to understand privacy impacts as a result of
consumer-utility relationship changes.
Market Changes in the Smart Grid
Figure 2.3 is a graphic visualization of the Smart Grid. Here, the
traditional supply chain of generation, transmission, and distribu-
tion is fully and securely connected, and most importantly from a
privacy perspective, the consumer is now a full participant in that
supply chain. Consumers transform into prosumers,* or producing
* From the Smart Grid Dictionary: “A term coined by Alvin Toer to describe a pro-
ducing consumer. From a Smart Grid perspective, it would apply to distributed
energy resource situations in which the owner of electricity production or storage
assets may also have a consumer relationship with a utility, aggregator, or other
energy services provider.”
Figure 2.3 The new electricity value chain. Consumption becomes prosumption. (Courtesy of
National Institute of Standards and Technology (NIST).)
Source: NIST Smart Grid Framework 1.0 Sept 2009
Secure Communication Flows
Electrical Flows
Domain
20 DATA PRIVACY FO R THE SMART GRID
consumers, who can create electricity (typically from clean renewables
such as solar PV, wind generators, etc.) to sell back to the grid, or con-
sume their self-generated electricity and only draw power from the
grid if needed, or produce negawatts through reductions in electricity
use that are sold back to the grid.
We see the first instances of this in states that have net metering*
tariffs and feed-in tariffs† (FiTs). These tariffs either credit the solar
PV or wind generator asset owner for electricity generated (an
avoidance of electricity otherwise sold by the utility) or publish a price at
which excess electricity is sold back to the utility.
* From the Smart Grid Dictionary: “The capability for residential and C&I (Commercial
and Industrial) customers to generate electricity and sell back excess power to the
utility, essentially offsetting their future purchases of utility power. Net metering uses
either a single, bi-directional electric meter or two meters to separately measure in and
out electricity flows at a customer’s location. Net metering is currently implemented on
a state-by-state basis with significant variation between states.”
† From the Smart Grid Dictionary: “An energy supply policy that encourages new
renewable power generation and attempts to provide investor certainty with guaran-
tees of payments in dollars per kWh for the full output of the system for a guaran-
teed period of time.”
Prosumer Evolution
This early prosumer example will evolve and repeat over time as more
technologies like energy storage become commercially available or
as electric vehicles (EVs) can support smart charging applications in
which they can charge and discharge power with the grid. Prosumers
will have a variety of energy services providers (ESPs) to choose from.
ESPs offer solutions that typically incorporate some management of
a prosumer’s consumption or production of electricity. For instance,
Solar City and Tesla are collaborating to offer a bundled solar PV
generation and energy storage solution for residential prosumers.
They will offer third-party ownership and management of the
solution on the prosumer’s behalf. Other ESPs aimed at the residential
consumer market include AT&T, Comcast, and many smaller
companies with products and services that bundle home security and
home energy management with broadband communications. There
are entire ecosystems of different ESPs that target their products and
services to the commercial, industrial, and agricultural market
segments. ESPs have the potential to intermediate the traditional direct
relationship that consumers have with utilities. As the intermediary
between the electricity consumer and the electric utility, ESPs could
own the consumer relationship. Intermediation has very interesting
implications for privacy.
Other Relevant Market Changes
There are other relevant market changes that can only occur as Smart
Grid technologies are deployed by utilities, ESPs, or prosumers. Some
state regulatory agencies and their regulated utilities are planning to
convert today’s fixed residential tariffs to time of use* (TOU)
electricity rates in the future, which would reflect the price changes in
electricity over a 24-hour time period. Prices for watts of electricity
purchased during periods of peak demand would be higher than the
prices for those same watts purchased at off-peak times. For TOU to
work most effectively, consumers and prosumers benefit from Smart
Grid technologies that help them manage production or consumption
of electricity to “buy low and sell high” instead of operating within
an artificially fixed and static market construct. It’s a step toward the
transactive energy market that is described later in this chapter.
* From the Smart Grid Dictionary: “A rate structure with different unit prices for
electricity use in a 24-hour time frame, generally to encourage use during periods of
lower demand. This phrase applies to a time of use price, rate, or tariff and is a
dynamic price scheme typically used with non-dispatchable demand response
programs. Also known as time of day pricing.”
[Chart: terawatthours by year, 2000 to 2012; series: residential, commercial, industrial]
A Smart Grid, with its ubiquitous and reliable communications
capabilities, can enable electricity consumption based on price
signals. Consumers can better manage their electricity consumption
with Smart Grid technologies, and thus have better control over their
electricity bills. But there’s an existential threat here for utilities. Their
revenues from electricity sales can flatline or shrink. That’s already
happening, as charted in Figure 2.4.
Simultaneously, utilities need to upgrade aging infrastructure and
modernize into the Smart Grid, so their costs are increasing. These
dual trends exert significant pressure on the existing business model.
There’s a colorful term for it—the utility death spiral. The death spiral
goes as follows. Regulated utilities will receive decreasing electricity
sales revenues as more consumers become prosumers. Some
prosumers may completely disconnect from the utility’s grid, but will
maintain a connection as insurance in case their self-generation and energy
storage equipment fails. Utilities are mandated to deliver electricity to
everyone, and will have to maintain these connections and ensure that
they have purchased adequate megawatts of power in the bulk market
just in case it is needed for these occasions. Their costs are fixed
regardless of the number of electricity buyers. In turn, the utility increases
rates on the remaining consumers still buying electricity in order to
cover these costs. Those price increases motivate even more consumers
to defect to self-generation, and the revenues shrink even more.
Figure 2.4 Retail electricity sales trends in the United States. (Courtesy of Energy Information
Administration.)
A 2014 report titled “Reforming the Energy Vision,” released by
the New York Department of Public Service, the state regulatory
agency responsible for IOU oversight, is a policy game changer.* The
report describes the evolution of today’s utility business model from
that linear supply chain of centralized electricity generation sold by a
few players in unidirectional electricity transactions to multiple
prosumers participating in a reorganized electricity market. This report
envisions a future utility business model with decentralized,
renewable electricity generation and bidirectional electricity transactions
between prosumers, multiple energy service providers, and utilities.
This new business model addresses the utility death spiral by
proposing new service opportunities for utilities to survive and thrive in
more open and intermediated scenarios.
Buildings as Prosumers
Intermediation is already happening and is most evident in the
commercial consumer sector, focused on buildings. Buildings use 40%
of the nation’s energy. From an energy efficiency perspective, the
National Academy of Sciences noted in a study† that the “full
deployment of cost-effective energy efficiency technologies in buildings alone
could eliminate the need to construct any new electricity-generating
plants in the United States” until 2030.
* Download the report at
http://www3.dps.ny.gov/W/PSCWeb.nsf/All/26BE8A93967E604785257CC40066B91A?OpenDocument.
† Report of the Building Energy Efficiency Subcommittee to the Secretary of Energy
Advisory Board, http://energy.gov/sites/prod/files/Building%20Efficiency%20Report.pdf.
A building operating as an electricity prosumer goes well beyond
energy efficiency reductions. Energy efficiency is a passive tactic that
delivers permanent energy reductions in electricity or gas. While
building owners can justify investment decisions on energy savings as well
as sustainability values, there are two other opportunities for building
owners to invest in technologies that reduce energy use and deliver
self-sufficiency to temporarily reduce consumption or produce their own
electricity. The first reason involves demand response (DR) programs.*
The most common manifestations of today’s DR programs are
voluntary reductions in energy use within commercial buildings, often
accomplished by modulating heating, ventilation, air conditioning
(HVAC) temperatures, or interior lighting. These reductions are
spurred by requests from utilities or ESPs that aggregate the actions
of multiple DR participants to address times of peak demand for
electricity. These situations are usually seasonal and predictable—
often happening during the hottest or coldest times of the year.
Upon receipt of a request, a building manager may manually adjust
thermostats or take other measures to reduce electricity use (produce
negawatts) for the requested durations of time. One of the authors
participates in a residential demand response program offered by a
utility and enjoys a year-round rate reduction in exchange for
voluntary electricity reductions on selected days that correspond to heat
waves in the region. Other programs offer payments based on the
total amount of electricity reduced.
Industrial and agricultural businesses are also potential participants
in DR programs. Their participation hinges on the type of operations
and the flexibility to reduce electricity use at times when an ESP or a
utility requests it.
* From the Smart Grid Dictionary: “Utility programs designed to change on-site
demand for energy through changes in prices, load control signals, or other
incentives to customers. The programs are activated at times of peak usage or when system
reliability is jeopardized. Demand response programs fall into two general categories
known as price-based programs or capacity-based programs. Price-based programs
include dynamic pricing/tariffs, price-responsive demand bidding, and critical peak
pricing structures that let users voluntarily reduce their electricity use.
Capacity-based programs include contractually obligated reductions and direct load control/
cycling. Utilities use these programs to address system reliability, asset use
efficiency, and market conditions; and avoid investments in new T&D (Transmission
and Distribution) assets, peaker plants, or expensive peak power purchases.”
The advent of more embedded intelligence and Smart Grid
technologies in the forms of sensors and actuators with remote
communications can create more opportunities for participation from greater
numbers of buildings. Automated demand response (ADR)
technologies enable buildings (commercial, industrial, agricultural, and
residential) to produce negawatts on an as-needed basis without the
need for human intervention. The eventual goal is that equipment or
the systems that manage buildings will respond automatically to price
signals, not just special requests to reduce energy use. Smart Grid
technologies make it feasible for DR programs to work with energy
storage to firm renewable energy like solar and wind, which are
intermittent by nature.
Automated Demand Response and the OpenADR Initiative
Automated demand response (ADR) applies remote monitoring and
control technologies to automatically modulate the HVAC, lighting,
or other systems where it is deployed. This convenience factor is very
important to the success of ADR. This factor is sometimes called “set
and forget,” and it eliminates the need to individually contact each
DR participant with requests to make a change to a thermostat
setting or another manually operated control.
For building owners and managers, DR program participation
delivers payments for reductions in electricity use or lower rates
throughout the year—nice impacts to their operating costs. Another
potential benefit is to offer Leadership in Energy and Environmental
Design (LEED) credits for participation in ADR, which means that
buildings will receive sustainability recognition too. For utilities, DR
benefits include the ability to avoid purchasing peak power, which is
generally the highest priced electricity. Of course, it helps if a utility
is decoupled,* but there are other reasons to embrace DR. It does have
significant potential to help integrate intermittent renewables into
the grid without impacts to reliability or power quality. For
consumers, utility avoidance of purchases of the most expensive electricity or
avoidance of investments in new grid capacity helps keep electricity
tariffs from increasing. The growth of DR programs will almost
certainly trigger new business opportunities for ESPs to develop services
that appeal to specific verticals within consumer segments. These
ESPs may intermediate the direct relationship that currently exists
between the consumer and the utility. That means that parties other
than a utility may be working with a consumer’s energy data.
* From the Smart Grid Dictionary: “A regulatory and market strategy that allows
utilities to invest in and profit from efficiency-based capacity by assuring them a
return that is equivalent to sales of electricity. This policy decouples utility
fixed-costs recovery from electricity sales. Utilities collect revenues based on the amount
determined by their local regulatory agencies, usually calculated on a per-customer
basis. Periodically, revenues are reviewed for rate adjustments to ensure the
pre-determined revenue requirement. This strategy is deployed in 17 states at the current
time with several other states in the process of setting up utility mechanisms to
support decoupling.”
The OpenADR* initiative is focused on standardizing,
automating, and simplifying demand response programs and technologies. It’s
the most comprehensive and widely used Internet Protocol (IP)-based
communications standard for electricity providers and system
operators to exchange DR signals with facilities and equipment within
buildings.
As noted earlier, buildings and industrial and agricultural operations
can play important roles as prosumers for two reasons. The first reason
is participation in demand response programs. The second reason is to
address the increasing vulnerability of the electrical grid to momentary
and sustained power outages due to both natural and human causes.
Microgrids
Buildings and their occupants as well as industrial and agricultural
operations are impacted by power outages. The negative impacts
range from reduced work productivity and decreased occupant safety
and health to reductions in lifestyle standards. Just like real estate
values are higher for green buildings with LEED recognition, in the
future, buildings that are self-sufficient from an energy perspective
may command premium prices because they preserve delivery of
services regardless of the status of the electric grid. Buildings that
incorporate energy resiliency into their infrastructure will be increasingly
popular over time. Would you rather live in a high-rise apartment
building that guaranteed it could generate or store enough power
during outages to run elevators and water, or one that couldn’t deliver on
those desirable services?
* http://www.openadr.org.
Microgrids* are receiving significant attention from consumers
ranging from the military and industrial operations to commercial
property managers and individual homeowners who want full or
partial functionality during grid outages. The Smart Grid offers
opportunities to build microgrids that can operate independently of the grid
as well as integrate to it. San Diego Gas and Electric (SDG&E) has
demonstrated that a microgrid can be used to energize the primary
distribution system. Using microgrids as energy sources to return
power to the utility distribution grid points to new possibilities to
engineer more resiliency into electric grids, and requires innovative
new services that have interesting financial implications.
Buildings and industrial/agricultural operations that deploy
microgrids are operating as prosumers and will have profound impacts
on utility business models and market structures. Microgrid owners
(residential, commercial and industrial (C&I), and agricultural) will
accelerate the shift of power from concentration in the hands of utili-
ties as the sole generators/distributors of electricity to prosumers on a
distributed and decentralized basis.
The Smart Grid enables compelling new value propositions for
prosumers. It also enables new market participation roles for residential,
commercial, industrial, and agricultural consumers. But new market
participation can only occur when the traditional power market
structure has evolved to accommodate more sources of kilowatts and
negawatts from many more prosumers. Microgrids will also bring with
them unique privacy issues that must be addressed. This is discussed
in Chapter 7.
* From the Smart Grid Dictionary. A small power system that integrates
self-contained generation, distribution, sensors, energy storage, and energy management
software with a seamless and synchronized connection to a utility power system,
and can operate independently as an island from that system. Generation includes
renewable energy sources and the ability to sell back excess capacity to a utility.
On-site microgrid management software includes controls for the power
generation, utility connect/disconnect, distribution, and energy storage equipment along
with building energy management applications for industrial, commercial, or home
use. CERTS (Consortium for Electric Reliability Technology Solutions) has
documented a microgrid concept.
The Future Smart Grid
The Smart Grid of the future will support a vast marketplace that
operates like a stock market where any participant can buy or sell
electricity with confidence that transactions are managed through
enforceable rules that apply to all. This market structure is called
transactive energy. Transactive energy enables an active prosumer
market, where prosumers include buildings, EVs, wind generators,
distributed energy resource (DER)* assets, or microgrids owned by
the consumer segments named above. Simply put, the current market
that exists at the wholesale or bulk electricity level will be mirrored
downstream at the distribution grid. It is a significant change from
today’s electricity markets, which are only available to qualified
suppliers able to trade in large quantities (megawatts and negawatts) of
electricity. But it will take time for the market to restructure into a
transactive energy format.
What happens in the meantime? There’s no one-size-fits-all
scenario that perfectly addresses all the possible model and market
transformation alternatives in the United States, where we have a
balkanized regulatory structure. It is easier to track the technology
trends and make some predictions.
Technology Changes
The Smart Grid has three innovation drivers: technology, policy, and
money. There’s been no shortage of technology innovations, which
sometimes means that grid modernization isn’t an evolution, but a
revolution. That’s particularly true regarding generation. Generation
shifts from highly centralized to highly decentralized or distributed.
It moves from large-scale production to mid- and small-scale
production that is suitable for the voltages commonly found in distribution
grids. Generation ownership transforms too, and this is primarily due
to the rapid advances in renewable energy technologies.
* From the Smart Grid Dictionary: “Grid-connected or stand-alone generation, energy
storage, or negawatt assets that are deployed in the distribution grid. DER assets can
substitute for or supplement grid-supplied power.”
These technologies—particularly solar PV or wind deployments
in the low-voltage or distribution grid—are game changers for the
electric grid. Utilities and independent power producers have focused
on large-scale solar and wind generation projects that resulted in
2,847 MW of PV and 410 MW of concentrating solar power (CSP)
deployed in 2013*—usually sited for high-voltage transmission.
Commercial and residential building owners have enjoyed falling
costs, increasing choices, inexpensive financing, and new third-party
ownership options for rooftop PV installations that are sited in the
distribution grid. Consider these two trends. From 2007 to 2013,
the costs of solar panels dropped from $3.40/watt to 80 cents/watt,
and PV deployments in the United States increased from 735 MW
to 7,200 MW. Solar generation is intermittent—the sun obviously
isn’t around at night, and weather can impact its generation abilities.
However, advanced data analytics solutions hold promise to improve
forecasts of solar availability and management, and Smart Grid
technologies improve distribution grid operations to manage the voltage
fluctuations on a real-time basis.
Energy Storage
Energy storage is another game-changing collection of technologies
involving different chemistries and uses.† Affordable and scalable
solutions are considered by some to be the holy grail of the Smart
Grid. We predict that fast iterative innovations in technologies and
financing options will create the same trends that continue the rapid
expansion of solar PV systems. Energy storage has intriguing
synergies with intermittent renewable generation too. The SDG&E
microgrid demonstration project referenced earlier included energy
storage to firm the intermittency exhibited by large numbers of
rooftop solar PV systems. Energy storage performed very well in dealing
with rapid fluctuations in power. As energy storage evolves, related
privacy issues will also be created. Some of those possibilities are
discussed in Chapter 7.
* Solar Energy Industries Association (SEIA).
† Examples include backup power and grid stabilization, which require different types
of batteries.
Generation and storage comprise two of the three categories of
distributed energy resources (DERs). The third category addresses
negawatt production through participation in DR programs. One of
the most interesting plays in DER is the use of bundled solutions that
combine solar generation with energy storage. For instance, an
elevator company just introduced the first solar-powered elevator system—
one that can operate even during grid blackouts. It includes battery
storage, so it operates at night too.
A recent poll* of utility executives identified that the strong growth
of distributed generation or DER would result in grid integration
issues and represent the top challenge to utilities in the next 5 years.
DER is relatively new, and there will be a range of possibilities for dif-
ferent ownership and service models. Here are a few options:
• DER assets may be owned and managed by individuals or
businesses.
• DER assets may be leased by individuals or businesses but
owned and managed by another entity.
• DER assets may be owned by one party, leased to another,
and managed by still another entity.
DER management includes services that maintain the optimal
performance of equipment and services that monitor bidirectional
payment transactions. While the most popular ownership and service
models have to be identified, it’s clear that there will be new data
about energy production, probably new data about energy
consumption, and data regarding financial transactions that will be created as a
result of DER assets. Some of this data may be personally identifiable
information or have other sensitivities, such as financial data. There
are limited guidelines regarding energy data, and those that exist
primarily define how regulated utilities must treat energy data from
consumers and prosumers. We’ll discuss data ownership relationships
later in this chapter and drill down into the technologies that are most
likely to touch data that merit privacy protections.
* DNV GL, Utility of the Future Pulse Survey, 2014.
Transmission Grids
From the revolutions occurring in generation, we follow the supply
chain into transmission. Here the word is evolution. The transmission
grids in many regions are deploying advanced sensor networks
through participation in an initiative called the North American
SynchroPhasor Initiative (NASPI).* While there are other
technologies that increase voltages and reduce line losses, the significant
modernization effort leverages sophisticated sensors and high-speed
communications. The NASPInet effort and other investments in
phasor technologies offer unprecedented monitoring and control
capabilities for our electric superhighways. There are massive amounts of new
data produced from these technologies, but they are not in need of
privacy protections.
Why do we make this statement? These advanced sensor networks
deliver wide-area situational awareness of grid stability.† The
phasor technologies convert the standard three-phase analog signal of
voltage or current into time-tagged measurements that result in
real-time snapshots of the transmission system. The data that is collected
includes location, time, frequency, current, voltage, and phase angle
relative to some known reference point on the grid at a frequency of 30
times per second (hence the volumes and velocity of data are massive)
to offer early warning of any disturbances in system conditions for
immediate corrective actions. Remember the 2003 Northeast
blackout mentioned earlier in this chapter? That grid catastrophe could
have been avoided with these monitoring and control devices. The
data is also valuable for diagnostic analyses to understand problem
causes and develop better protocols to avoid future operational issues
in the high-voltage transmission grid.
* From the Smart Grid Dictionary: “A collaborative initiative between the DOE
(Department of Energy), NERC (North American Electric Reliability Corporation),
and electric utilities, vendors, consultants, and researchers. It receives funding from
the DOE, NERC, and industry. Its mission is to improve power system
reliability and visibility through wide-area measurement and control, using the precise,
synchronized measurements of Synchrophasor technology as a diagnostic tool.
Synchrophasor measurements will assist in wide-area monitoring, real-time
operations, power system planning, and forensic analysis of grid disturbances. Phasor
technology is expected to help integrate renewable and intermittent resources,
automate controls for transmission and demand response, increase transmission system
throughput, and improve system modeling and planning. The DOE has several
grant programs for large-scale prototypes, regional demonstrations, and Smart
Grid/PMU (Phasor Measurement Unit) deployments.”
† The North American SynchroPhasor Initiative offers additional explanation about
the devices and the value of data collected by them. See https://www.naspi.org.
There’s another reason that there are no privacy concerns
regarding this data. Phasors measure sinusoidal waveforms, which are
comprised of streams of electrons. Electrons are not tagged with unique
identifiers to indicate that they originated at your solar panel or are
heading to my meter.
The distribution grid is undergoing multiple upgrades, but it is a
much needed evolution with Smart Grid technologies, instead of a
revolution in this part of the supply chain. The traditional
distribution grid, according to some industry experts, has been the laggard
in investments and grid modernization. The American Recovery and
Reinvestment Act (ARRA) of 2009,* commonly called the Stimulus
Act,† spurred significant investments in distribution grid technologies.
There are many technologies that improve distribution grid operations.
The most visible of these technologies to consumers that are provided
by utilities is the smart meter. This technology will be discussed in
detail in Chapter 4. At a high level, a smart meter is a specialized
measurement device that includes wired or wireless communications
capabilities, and just like any phone, it relies on a network to transmit
or receive data. These bidirectional networks are part of the advanced
metering infrastructure (AMI).‡
* See http://www.gpo.gov/fdsys/pkg/BILLS-111hr1enr/pdf/BILLS-111hr1enr.pdf.
† See more about the Stimulus Act activities at http://www.recovery.gov/Pages/default.aspx.
For information specific to the Smart Grid, see
http://www.recovery.gov/arra/News/featured/Pages/Nation%E2%80%99s-Electric-Grid-Gets-Smart.aspx.
‡ From the Smart Grid Dictionary: “Electricity meters, bi-directional communications
network hardware and software, and associated system and data management
software that measures and records usage data at set intervals, and provides usage data to
consumers, utilities, and other parties at set intervals. The set intervals are specified
by regulatory agencies.”
Data Volumes within the Smart Grid
There is a tremendous amount of new data and, in some cases,
increasing volumes of traditional data. Most of this data helps grid operators
monitor and react to real-time grid conditions, improving overall
service reliability to consumers. In other situations, analysis of
historical data reveals previously hidden information about equipment that
is trending to failure. Smart Grid technologies—primarily sensors
gathering data; robust and reliable communications networks, usually
wireless; and back-end data analytics—are essential to help integrate
renewables into the distribution grid. Smart Grid technologies help
manage intermittent renewable energy sources and maintain stable,
reliable, and safe delivery of electricity. Smart meter data has
significant implications to privacy, because this data can become
information about consumption patterns and behaviors of occupants within
specific locations via data analytics. We’ll explore smart meter data in
more detail in Chapter 4.
The Smart Grid revolutionizes consumption. Consumers become
prosumers and have a range of innovative solutions that help them
manage energy consumption, generate their own electricity, or schedule when
their EV battery should be charged. Before we launch into an overview
of some important Smart Grid technologies in the consumption part
of the electricity supply chain, it is useful to review the roles of data
owners, data custodians, and data managers because the proliferation of
companies that have a solution that impacts consumption can make it
confusing to understand what role each company plays. The topic of data
ownership is also hotly debated and lends itself to privacy as it relates to
consumers being able to control the data that applies to them.
Data Owners, Data Custodians, and Data Managers
The concepts discussed here are framed in energy usage,
consumption, and production data, but could have equal relevance to data
created for other purposes, such as vehicle telematics or personal health
monitoring. These concepts are focused on data ownership, data
custodianship, and data management.
Data ownership identifies the owner of data, the entity that has
ultimate control and decision-making authority over the data. In
California, for example, customers own their energy consumption
data derived from smart meters.* This is a critically important
designation and bears repeating. In some states, utility customers are
explicitly identified as the owners of their energy consumption data.
* This is the published final decision of the CPUC that outlines, among other findings,
that customers own their energy consumption data, and that utilities may not sell this
data. http://docs.cpuc.ca.gov/PUBLISHED/FINAL_DECISION/140369.htm.
However, with regard to energy usage data, from such things as smart
devices (smart refrigerators, home energy management tools, and
apps running on the smart devices), the answer has not been explicitly
stated at the time of this writing. The ownership of energy production
data also has not been explicitly determined by any laws at the time
of this writing. California has often set precedents for privacy law.
Appendix B contains a list of significant legislative and regulatory
agency privacy decisions with impacts on energy usage data in the
state of California.
e investor-owned utilities (IOUs) that are regulated by the
California Public Utilities Commission (CPUC) are designated as
data custodians. Custodians are charged with ensuring the secure
transmission, handling, and storage of data. Data managers* can be
data owners or data custodians. Utilities function as both custodians
and managers in their roles of collecting consumption data and billing
customers based on that data. Data managers can also be third-party
companies† that are authorized by the data owner to have one-time or
ongoing access to that owner’s energy consumption measurements.
Data managers typically manipulate data into information. That could
be as simple as a visual display or graphic about home energy use, or
a more sophisticated analysis of energy use data combined with other
outside sources of data.
* These are also known as third parties or energy service providers (ESPs). We use the
term data manager to clarify data relationships.
† Third-party companies are the entities contracted by the custodians or the data owners
to access or process in some manner the energy data.
Data owners have many good reasons to voluntarily share their
energy consumption data with data managers. However, and this
is a big caveat, once data leaves the custodianship of a utility, the
data is at the risk of the third party’s safeguards and practices. For
example, the legal responsibilities of the utility for security incidents
and privacy breaches that occur within their contracted vendors
will depend upon the utility’s published privacy notice (also often
called privacy policy). If the utility makes commitments to protect
data, then it may be held liable for any harm that occurs to the data,
and associated individuals, as a result of the vendors it contracts.*
However, if consumers are passing their energy usage data directly
on to other entities themselves, then they are at the mercy of the
safeguards and practices of that entity. Call it the data equivalent of
caveat emptor (buyer beware). Data owners who value their privacy as
it relates to energy usage data will need to exercise caution by carefully
reading the privacy policies of the third parties they authorize to be
data managers or custodians of that data.
Here’s another caveat. The description above about data owners, custodians,
and managers applies to the state of California. The United
States has a fragmented regulatory structure for energy, and each state
has responsibility for developing any privacy requirements for any
energy data on behalf of its citizens. At the time of this writing, some
states had not elaborated a policy or position about privacy for energy
consumption, production, or usage data.†
* This is the explicit case in some industries, such as healthcare under the Health
Insurance Portability and Accountability Act (HIPAA). However, the Federal
Trade Commission (FTC), which has broad consumer oversight across all industries,
has made many statements that businesses and other types of organizations
will bear some responsibility for ensuring the security and privacy of data they outsource
to other entities. State Attorneys General offices also have interest and have
taken action to hold organizations accountable for breaches that occur in their outsourced
vendors. As one representative example, per legal analysis from Microsoft
(accessed from http://technet.microsoft.com/en-us/magazine/hh994647.aspx on
June 27 2014): “In the United States, both federal and state government agencies
such as the FTC and various attorneys general have made enterprises accountable
for the actions of their subcontractors. This has been replicated elsewhere, such as in
the EU with the data protection agencies.”
† To see the latest activities by each state regarding energy laws and related activities,
see http://www.ncsl.org/research/energy/energy-environment-legislation-tracking-database.aspx.
Energy Consumption
Let’s look at some of the revolutions occurring in the electricity supply
chain’s final destination—consumption at an end point. Utilities
traditionally supplied electricity to a meter and owned all the equipment
leading to that device, including the meter. The other side of
the meter—the breaker box, the interior electrical wiring, and all the
devices plugged into a residential or commercial building—is outside
of the utility’s jurisdiction. Very little was known about consumption.
A meter was read by physically going to the meter once a month,
or sometimes with less frequency, so it was virtually impossible* to
tweeze out when, why, or what was consuming electricity. This is
another lack of situational awareness. The Smart Grid completely
revolutionizes the ability for consumers to acquire detailed knowledge
about electricity consumption, as well as energy usage data that
could reveal performance of their other types of smart devices, such
as a smart refrigerator. This ability to acquire detailed knowledge is a
significant privacy concern; to be able to protect privacy, there need to
be controls on the entities that have access to this data that can reveal
such detailed knowledge about the associated individuals. This is discussed
in more detail in Chapters 4 to 7.
Smart Grid Privacy Risk Examples
We will explain in more detail privacy risks throughout the remainder
of this book. However, here is a sampling of a few of the most appar-
ent areas where privacy risks exist within the Smart Grid.
1. Energy management systems and area networks for build-
ings. More granular energy consumption data, along with the
related metadata, such as the GPS, date, and time,† from smart
meters can be useful for many entities beyond the data owner
for a number of reasons, but the nature of usage or consump-
tion data can reveal much more about what happens inside
the walls of a home or office building. Two of the enabling
technologies to collect, analyze, and communicate electricity
consumption data are home energy management systems
(HEMSs) and home area networks (HANs). A HAN is on
“the other side of the meter” and serves as a communications
network within the walls of a house, apartment, or other type
of residence. HEMSs are software products that gather/analyze/display
information about a home’s energy consumption
and sometimes provide control capabilities for devices managed
by them. Many solutions in this category are using apps
loaded on smart phones and tablets as the primary display and
control device, but there are also dedicated devices being used
as well. This is a meaningful distinction, because that means
that energy data has crossed the boundaries from utility custodianship
and is now managed by another entity, most likely
not bound by the same regulatory or other legal requirements.
* Elias Leake Quinn detailed in his report “Smart Metering and Privacy: Existing Law
and Competing Policies” (Spring 2009, p. 3) how he had set up surveillance to continuously
monitor a traditional meter to determine activities. However, this would
require a separate monitoring device to accomplish the insights that he obtained.
Read more about this at http://www.dora.state.co.us/puc/DocketsDecisions/DocketFilings/09I-593EG/09I-593EG_Spring2009Report-SmartGridPrivacy.pdf.
Note: A hob heater is a top-of-stove cooking surface.
† Metadata describes other data. It provides information about a certain data item’s
content. For example, energy usage data from a smart device may also have accompanying
it metadata that indicates the time, date, and location for when the energy
usage occurred, along with other types of data associated with the energy usage.
Commercial and industrial consumers have similar solutions
that are tailored to their unique needs. There’s more maturity
to this market segment, with a number of well-known vendors
that include Honeywell, Johnson Controls, Siemens, and IBM
offering solutions to help commercial facility managers and
occupants monitor and control energy consumption for heating,
ventilation, air conditioning (HVAC), lighting, and other
plug loads. Privacy concerns exist here too, but differ from
residential ones. Consumption data is generally aggregated
or grouped together for purposes of improving building man-
agement, reducing costs, or improving occupant comfort and
safety. Data owners are building or property managers work-
ing in conjunction with authorized data custodians such as
ESPs. Data owners are typically more concerned about pro-
tecting their energy consumption data from a competitive dif-
ferentiator perspective than a privacy perspective.
The associated risks, and possible risk mitigation actions,
for HEMSs, HANs, and commercial and industrial build-
ings will be discussed further in Chapter 7.
2. Electric vehicles and charging stations. The Smart Grid
enables a proliferation of data about electric vehicles (EVs),
particularly when charging stations are involved. The convergence
of location-based information, electricity consumption,
times, dates, and personal identity in vehicles creates a wide
range of fascinating privacy considerations and challenges.
EV charging stations are immature products, but the trends
are clear—businesses that make charging station manage-
ment software have the most to gain or lose in privacy rules,
which in some cases may be established by the public utility
commissions that regulate electric utilities or state lawmakers.
We’ll discuss this more in Chapters 6 and 7.
3. Smart appliances. The smart or connected home and the
Smart Grid intersect in smart appliances. Like smart meters,
a smart appliance has communications capabilities so that it
can interact with other devices, directly to vendors, such as
Whirlpool’s 6th Sense Live, the electric grid, and the Internet.
Some of the new device data reports energy usage or consumption
data, but other new data can conceivably communicate
status about device performance, including how and
when it was used.* There are many beneficial possibilities for
consumers with this new data, but careful attention will have
to be given to clearly identify ownership of this data. We’ll
discuss this further in Chapters 5 and 7.
* There are smart phones and other types of mobile smart devices that indicate GPS
locations. However, for the typical smart appliance that was in use at the time this
book was written, they were not enabled with any location-based services.
4. Consumer to prosumer transformation. We previously described
the revolution in energy generation at the start of our supply
chain discussion. That same revolution exists at the termination
point—consumption. Renewable generation options—particularly
rooftop PV—are proliferating for all electricity consumer
categories. But there’s more to being a prosumer than production
of kilowatts via solar, wind or other power. In the future
EV owners may sell excess energy stored in a battery back to
the grid, making EVs earn money for owners. This setup has
already been successfully tested in a small pilot.
The ability to reduce electricity use by participation in DR
programs is a form of negawatt generation, and transforms a
consumer into a prosumer. Smart appliances or HEMSs may be
instructed to automatically operate based on price signals, and
thus shift operations. The bottom line is that these Smart Grid
technologies revolutionize consumption. These technologies also
create new data that assists in energy management and financial
transactions. There may be many intermediaries between a con-
sumer or prosumer and a utility, and that “chain of data custody”*
needs to be understood at each transaction point to ensure that
desired or required levels of privacy are maintained.
* The chain of data custody or chain of custody borrows from the justice system’s
procedures to document each transfer of evidence. For privacy purposes, it documents
each transfer point where data has privacy sensitivities and notes the privacy
guidelines in effect.
Energy Regulation
Every discussion about privacy in the Smart Grid is complicated by
the United States regulatory ecosystem. States have regulated monopolies
or investor-owned utilities (IOUs) that are governed by public
utility commissions (PUCs). There are also publicly owned utilities
or municipal utilities and cooperatives that are not as highly regulated
as IOUs, but often align to the policies enacted for IOUs. What
this means is that there is no one-size-fits-all policy for privacy in
the Smart Grid. You might find consensus around some statements,
such as “consumption data is owned by the customer,” or not. Since
the Smart Grid offers some early examples of machine-to-machine
(M2M) applications, the government policies that are devised for
regulated utilities could be copied for unregulated businesses, or then
again, perhaps they won’t be adopted outside of this unique category
of businesses. There are huge implications to this statement, and government
policy makers are well advised to consider how their decisions
about using consumption data impact consumer privacy, and
could or should be applied to products and services focused in vehicle
telematics, digital health, or wearable sensors.
Smart Grid, Smart Infrastructure
Just as there is much excitement about how communications technologies
are revolutionizing utility operations and creating new product
and service opportunities, the same interest levels exist in Smart
Infrastructure. Government agencies, businesses, and consumers are
realizing that Smart Grid technologies can have broader applications
in all sorts of infrastructure with significant beneficial impacts.
Some favor the term Smart City, but that artificially limits the
thinking to urban scenarios. We use the term Smart Infrastructure to
describe the bigger picture. Infrastructure is inclusive to urban, suburban,
and rural settings. For instance, the technologies that make
the electric grid smart have proven benefits to rural distribution grids.
Remote monitoring and control capabilities offer new capabilities for
utilities to predict equipment wear and tear and proactively repair or
replace failing assets, thus avoiding a service disruption. Even when
lightning strikes, Smart Grid technologies can result in faster services
restoration to far-flung communities and consumers.
From a Smart Infrastructure perspective, many utilities own the
streetlights in cities and towns. These streetlights consume a considerable
amount of electricity, and over the years, utilities have been
converting to more energy efficient lamps to save money. But smart
streetlights go one step further—they are starting to function as com-
munications antennas and relay stations to convey wireless signals for
a variety of public and private uses.
Traffic lights and cameras can now be networked with streetlights,
and use motion sensors to detect the presence of moving vehicles
or people. One of the most interesting applications concerns smart
parking. Some estimates claim that 30%* of the traffic in any city is
focused on finding a parking spot. If empty spots could communicate
their status to nearby vehicles and reduce time to park, that would
reduce street congestion and avoid emissions produced in searches for
elusive parking spots. What if cash-strapped municipalities could do
a better job of finding the parked cars that overstayed their welcome
at parking meters? These scenarios are not far-fetched future possibilities—the
technologies are being deployed now, and all rely on data.
The bottom line is that a city can’t really be smart without a Smart
Grid, and a Smart Grid can enhance, and be enhanced by, a city that
intelligently manages its consumption of energy and water. All these
beneficial possibilities must address the associated privacy risks that
exist as a result of collecting and analyzing all this data.
* From IBM study: http://www-03.ibm.com/press/us/en/pressrelease/35515.wss.
Smart Grid technologies, policies, and financial innovations are disrupters
to the energy status quo. Disruptions are nothing new to business
and society—until it happens to your chosen business sector or
consumer group. The telephone disrupted the telegraph. The automobile
disrupted horse and buggy services. But for every loser, there can be
multiple winners. Sometimes innovations create new value where none
existed before. That’s one of the overlooked aspects to the Smart Grid.
The modernization and transformation of the electricity infrastructure
to integrate renewables resulted in significant job growth for solar panel
sales, design, and installation. Designing privacy controls into these
devices from the initial design stage will be more cost effective than
trying to retrofit privacy within a device that is already deployed.
The bottom line is that we now have technologies—renewables
coupled with energy storage, inexpensive sensors coupled with wireless
networks, and analytics coupled with cost-effective data storage—to
convert a fragile grid into an agile grid. An agile grid relies
on highly distributed energy assets (generation, demand response,
energy efficiency, and storage) with highly distributed intelligence.
We all win when our energy infrastructure is safe, reliable, resilient,
cost-effective, and based on clean power. However, to be successful
and have the public embrace such technologies, the entities using
these components, as well as the agencies governing the various portions
of the Smart Grid, must demonstrate that privacy risks have
been identified and appropriately and effectively addressed.
Key Points for Smart Grid Technologies
The Smart Grid relies on communications and data. Here are three
main takeaways about data that are generated by Smart Grid technologies
and the associated policies that utilities, regulators and legislators,
product and service vendors, and ESPs should consider:
1. There will be new data about transactive market participants
as consumers and prosumers, and some of this data will have
sensitivities that require secure transport and storage as well
as privacy protections.
2. There will be new relationships beyond the traditional consumer-utility
relationship. New intermediaries that negotiate
on the consumer’s behalf may not be bound by the same pri-
vacy requirements that are in place for utilities—if indeed
those exist. All entities involved with collecting and using
energy data must address privacy to mitigate risks appropri-
ately, even in the absence of legal requirements.
3. If the question about who owns the consumer’s data that is
generated by Smart Grid technologies, applications, and ser-
vice providers has not been answered, it must be, and soon, to
protect privacy. However, this is a hotly debated topic, and we
don’t expect that there will be any fast or easy decisions.
3
WHAT IS PRIVACY?
What Is Privacy?
The term privacy is a subjective term. There is not a single, universal
definition for privacy. Let’s consider some modern history of the word.
In the 1890 issue of the Harvard Law Review an essay entitled “The
Right to Privacy” by Samuel Warren and Louis Brandeis defined privacy
as “the right to be let alone.” What inspired Warren and Brandeis
to write such an essay? They were concerned about a new-fangled
technology/gadget—the Brownie camera—a new technology at that
time period that was starting to be widely used by the general public
to capture images not only in private residences, but also in public
venues. It reportedly greatly disturbed in particular Samuel Warren
that journalists were now taking photos with this new-fangled privacy-invading
gadget whenever they had the opportunity. Some say
the essay was inspired by a specific incident in which journalists were
intruding on a society wedding by taking photos.* However, others
claim the inspiration was from a more general coverage of intimate
personal lives, increasingly including photos, within the society columns
of newspapers.† Regardless of the original definition, the definition
now goes far beyond that original simple concept. One thing that
is the same, though: emerging new technologies, such as those found
within the Smart Grid, are creating new privacy concerns in ways
similar to the little Brownie camera.
* See, e.g., Dorothy J. Glancy, The Invention of the Right to Privacy, Arizona Law
Review, 21(1), http://digitalcommons.law.scu.edu/cgi/viewcontent.cgi?article=1318&context=facpubs
(accessed June 13, 2014).
† Ibid.
Privacy also is not simply defined by laws. Laws always lag far
behind technology use and human practices, and address a small
fraction of the actual privacy risks that exist, and that are created by
new technologies.
Instead of thinking about privacy as one definition, it is more useful
to think about privacy as a concept that involves revealing details
about individuals in some manner, along with controlling how that
information is used and shared, and the access individuals have to the
associated information.
Categories of Privacy
There are four categories of privacy* that must be considered and
addressed, both with security controls and with appropriate privacy
practices.
• Information privacy is concerned with establishing rules that
govern the collection and handling of personal information.
This is the most commonly considered type of category to have
privacy implications that involve protecting specifically referenced
information items. A few examples include financial
information (such as bank account numbers), medical informa-
tion (such as health insurance account numbers), government
records (such as social security numbers), and records of a per-
son’s activities (such as through access logs) on the Internet.
• Bodily privacy is focused on a person’s physical being and any
invasion of the body. Some examples include genetic testing,
drug testing, body cavity searches, information about surger-
ies, and Transportation Security Administration (TSA) scans
at U.S. airports.
• Territorial privacy is concerned with placing limits on the
ability to intrude into another individual’s environment. The
environment is not limited to the home; it also includes the
workplace and public spaces. Invasion into an individual’s
territorial privacy typically takes the form of monitoring such
as video surveillance, drones, ID checks, and use of similar
technology and procedures. Having others take an individual’s
photo or record individuals out in public with their smart
phones or wearable computers is included in this category.
• Communications privacy involves protection of the ways in
which individuals correspond with others. Examples include
postal mail, telephone conversations, email, Skype and similar
types of voice-over Internet protocol (VoIP) solutions, and
other forms.
* See Roger Clarke, What’s Privacy? http://www.rogerclarke.com/DV/Privacy.html.
Clarke makes a similar set of distinctions between the privacy of the physical person,
the privacy of personal behavior, the privacy of personal communications, and
the privacy of personal data. Roger Clarke is a well-known privacy expert from
Australia who has been providing privacy research papers and guidance for the past
couple of decades.
What’s the Difference between Security and Privacy?*
In many organizations the people responsible for privacy are completely
separated from and in entirely different departments from the
people responsible for security. Often these departments do not communicate,
or even acknowledge or understand the compelling relationship
that essentially exists between the two. Too often privacy is
considered a purely legal issue, the responsibility for which is often
handed to organizational legal counsel. Or, it is ignored altogether as
a separate issue, and management assumes it will be addressed by all
the various business units during the course of doing business. Security
is too often viewed as a purely technical issue, and the responsibil-
ity for security is more often than not placed within the information
technology or networking support area—often buried beneath several
layers of management. And the twain never meet. Security personnel
must be actively involved in privacy issues and crafting privacy poli-
cies, and privacy personnel must be actively involved in security issues
and crafting security policies.
* This section is an updated version of the passage from an essay written by Rebecca
Herold for a Computer Security Institute publication in 2002
(http://www.privacyguidance.com/downloads/privacyandsecurity.pdf), recently published in Rebecca
Herold and Kevin Beaver, The Practical Guide to HIPAA Privacy and Security
Compliance, Second Edition, Boca Raton: Auerbach Publications, 2014.
So, to the crux of this topic: How is security different than privacy?
It is really pretty simple; you must implement security to ensure
privacy. You must use security to obtain privacy. Security is a process,
privacy is a consequence. Security is an action, privacy is a result
of successful action. Security is a condition, privacy is the prognosis.
Security is the strategy, privacy is the outcome. Privacy is a state
of existence, security is the constitution supporting the existence.
Security is a tactical strategy, privacy is a contextual strategic objective.
Security is the sealed envelope, privacy is the successful delivery
of the message inside the envelope. The bottom line: enterprise
privacy management strategies and security management architecture
must be effectively and actively integrated.
What is a common mistake an organization can make that can lead
to potentially devastating public press, irreversible damage to personal
lives, and huge fines and lawsuits? Often when the privacy responsibility
lies in a different part of the organization from the security
responsibility, or the two areas do not communicate, privacy policy
notices are issued, but no security policies, procedures, or mechanisms
are implemented to ensure the now-published privacy policies
are enforced. These published privacy policies are in effect a contract
with your patients, customers, and consumers. The privacy policies are
often the first and main point of contact between the public and your
organization. If an organization tells customers that it is performing
certain activities to ensure their privacy, that organization had better
well make sure its personnel know what they have committed to,
whether or not they were involved with the privacy policy creation.
Privacy with respect to many of the current legislated regulations
means people are able to make informed choices when seeking
care and reimbursement for healthcare based on how protected
health information (PHI) may be used, or are able to make choices
about how their personally identifiable financial information is used
and shared by the organizations with which they do business. Privacy
enables patients to find out how their information may be used and
what disclosures of their information have been made. Privacy enables
consumers to find out how financial information is going to be protected
and know that the people handling their information have
been properly trained to protect their privacy. Privacy limits release
of information to the minimum reasonably needed for the purpose of
the disclosure. Privacy gives people the right to examine and obtain a
copy of their own personal records and request corrections.
Security with respect to these same regulations constitutes those rea-
sonable and prudent policies, processes, safeguards, controls, steps, and
tools that are used to maintain confidentiality, integrity, availability and
privacy. It involves all methods, processes, and technology used to ensure
the confidentiality and safety of the once private information that has
been entrusted to a third party by the consumer, customer, or patient.
Bottom line: You must implement information security controls to
have privacy.
Data Types
Many types of information can be considered to be personal infor-
mation. Generally any data that can reveal information about an
individual or an individual’s life activities, whereabouts, etc., could
be considered to be personal information. In some locations of the
world, business-related employee information is also considered to be
personal information. Some of these types of personal information
are more sensitive than others. Table 3.1 lists some common personal
information items.
Table 3.1 Personal Information Examples
GENERAL TYPES OF PERSONAL INFORMATION ITEMS
• Name
• Gender
• Age and date of birth
• Mailing address
• Email address
• User IDs
• Marital status
• Citizenship
• Languages spoken
• Veteran status
• Disabled status
• IP address (some jurisdictions)
• Dozens (hundreds?) more
ORGANIZATIONAL INFORMATION CONSIDERED PERSONAL INFORMATION THROUGHOUT THE WORLD
• Business and personal addresses
• Business and personal phone numbers
• Business and personal email addresses
• Internal identification numbers
• Government-issued identification numbers
• Identity verification information
Table 3.2 Examples of Sensitive Types of Personal Information Items
UNITED STATES
SENSITIVE PERSONAL INFORMATION
• Social security number
• Financial information
• Driver’s license number
• Medical records
• Etc.
WITHIN THE U.S. AND OTHER COUNTRIES
SPECIAL CATEGORIES OF DATA (WHICH ARE CONSIDERED TO BE SENSITIVE)
• Racial or ethnic origin
• Political opinions
• Religious or philosophical beliefs
• Trade union membership
• Health or sex life
• Criminal convictions or offenses
• Etc.
Generally, the more personal information items you have, the greater
the risk associated with that personal information. One
of the best and simplest ways to lessen privacy risks is to collect and
store less personal information.
That said, there are increasingly more types of personal information
being created. Every organization must be aware of the data they
are collecting, or creating, that could be associated with individuals.
Such information would likely be considered as personal information,
even if the data is not formally defined in a law or book somewhere
(Table 3.2).
Smart Grid data, such as data collected from smart meters, when
collecting energy usage data frequently enough, can create an electricity
usage “fingerprint” that can be associated with specific households.
How frequently meter reads are really needed to improve energy usage,
without having this data reveal too much about personal activities, is a
question that utilities are trying to answer.
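The effect of read frequency described above, as an added Python illustration that is not from the book: a constructed one-day household load is averaged into 1-minute, 15-minute, 60-minute and daily reads, and the jumps that stand in for appliance on/off events are counted at each interval. The appliance list, wattages and the 400 W threshold are assumptions chosen for the example.

```python
# Added illustration: constructed data, not measurements from the book.

BASE_LOAD_W = 200  # constructed standby/refrigerator load

# (label, start minute of day, duration in minutes, watts) - all constructed
EVENTS = [
    ("kettle", 6 * 60 + 30, 4, 2000),
    ("microwave", 12 * 60 + 10, 2, 1200),
    ("oven", 18 * 60, 45, 2500),
    ("space heater", 20 * 60 + 15, 60, 1000),
]


def build_profile():
    """Return 1440 one-minute power samples (watts) for one constructed day."""
    load = [BASE_LOAD_W] * 1440
    for _label, start, duration, watts in EVENTS:
        for minute in range(start, start + duration):
            load[minute] += watts
    return load


def downsample(load, interval_min):
    """Average one-minute samples into the reads a meter would report."""
    return [
        sum(load[i:i + interval_min]) / interval_min
        for i in range(0, len(load), interval_min)
    ]


def count_switch_edges(reads, threshold_w=400):
    """Count read-to-read jumps of at least threshold_w watts.

    Each jump is a crude stand-in for an appliance switching on or off;
    it is an assumption of this example, not a published disaggregation method.
    """
    return sum(1 for a, b in zip(reads, reads[1:]) if abs(b - a) >= threshold_w)


def energy_kwh(reads, interval_min):
    """Total energy represented by the reads; this is what billing needs."""
    return sum(reads) * interval_min / 60 / 1000


def visible_edges_by_interval(intervals=(1, 15, 60, 1440)):
    """Map each read interval (minutes) to the number of detectable edges."""
    load = build_profile()
    return {n: count_switch_edges(downsample(load, n)) for n in intervals}


if __name__ == "__main__":
    load = build_profile()
    for interval, edges in visible_edges_by_interval().items():
        kwh = energy_kwh(downsample(load, interval), interval)
        print(f"{interval:>4}-minute reads: {edges} switch edges, {kwh:.3f} kWh")
```

With this constructed profile the total energy is identical at every interval, while the number of visible switching events falls as the reads get coarser.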
Not all personal information is equal, and so there must be varying
degrees of safeguards around certain categories, based upon sensitiv-
ity, risk, and applicable legal requirements.
Table 3.3 Privacy Concerns for Smart Grid Information Disclosure and Misuse
PRIVACY CONCERN: DISCUSSION
1. Identity theft: Specific combinations of personal information may be used to
impersonate a utility consumer, resulting in potentially severe impacts,
such as negative credit reports, fraudulent utility use, and other
damaging consumer actions.
2. Determine personal behavior patterns: Access to data use profiles that can
reveal specific times and locations of electricity use in specific areas of the
home can also indicate the types of activities or appliances used. The
information revealed could be considered a new type of surveillance. The data
could be (mis)used by other entities to do target marketing, by governments to
try and tax specific activities and uses, and by persons with malicious intent.
3. Determine specific appliances used: Energy usage data could be used to track
the use of specific smart appliances that are programmed to communicate with
smart meters or Internet of Things (IOT) applications. Appliance manufacturers
may want to get this information to know who, how, and why individuals used
their products in certain ways. Such information could impact appliance
warranties. Insurance companies may want to use this information to
approve or decline claims. And there is an unlimited number of other
possible uses as yet not imagined that these data could provide.
4. Perform real-time surveillance: Access to real-time energy usage data could
reveal if people are in the residence, what they are doing, where they are in
the residence, and so on. This not only presents a safety risk, with burglars
and vandals using it to their destruction, but also could be used to do target
marketing based upon home energy use behaviors.
5. Reveal activities through residual data: If the data on the metering devices
is not effectively or completely removed when the home resident no longer needs
to use them, the residual data may possibly reveal to the new meter user, or
entity that possesses the meter, the activities of the former owner. Not only
does this present similar concerns to those listed in the first three concern
topics, but it also could be used by activists or others who have
agendas to reveal what they view as a lack of social responsibility.
However, to prevent any tampering of historical data and to satisfy the
size constraints for the new meters—providing more functionality in
the same physical meter box—the data are not likely to be stored
within the smart meter itself. But, the possibility of storing data within
residential meters should be considered in any meter functionality
plans so that if it does become possible to store personal information
in smart meters, the privacy issues will be appropriately addressed.
(continued)
49
WHAT IS PRIVACY?
Smart Data Privacy Implications
e data collected throughout the Smart Grid, from smart meters,
smart appliances, apps, and many other types of grid-connected gad-
gets, can potentially reveal much about the lives of individuals, lead-
ing to privacy invasions and breaches. Table3.3 provides 15 specic
50 DATA PRIVACY FOR THE SMART GRID
Table3.3 Privacy Concerns for Smart Grid Information Disclosure and Misuse (continued)
PRIVACY CONCERN DISCUSSION
6. Target home Malicious use of meter data for specific consumers could lead to a wide
invasions number of problems, such as physical invasions to the home because
crooks could tell when residents were away, whether or not they have
an alarm system, and so on.
7. Provide Combinations of meter data, analyzed for one purpose, could reveal
accidental unexpected information about the residents that is then used to the
privacy invasions detriment of the residents.
8. Activity The meter data could reveal resident activities or uses that utility
censorship companies may then subsequently decide are inappropriate or should
not be allowed. Without restrictions, if this information could then be
shared with local government, law enforcement, or public media
outlets, the residents could suffer embarrassment, harassment, loss of
vital appliances, or any number of other damaging actions.
9. Decisions and With meter data being stored in potentially many locations, accessed by
actions based so many different individuals and entities, and used for a very wide
upon inaccurate variety of purposes, it is a significant risk that the personal
data information data could become inappropriately modified. Not only
could automated Smart Grid decisions made for home energy use be
detrimental for residents (e.g., restricted power, thermostats turned to
dangerous levels, and so on), but also decisions about Smart Grid
power use and activities could be based upon inaccurate information.
10. Reveal activities Even more personal activities and derived personal information could be
when used with revealed if the power meter personal information was combined with
data from other the personal information from other utilities and utility meters, such as
utilities or third those for gas, water, and so on, or third parties (e.g., data brokers,
parties energy service providers, vendors, etc.). As the use of big data
analytics increases and becomes more powerful, this is made more
likely.
11. Profiling Profiling may be possible in ways that were previously not possible, or
not as easily possible. What can you tell about what you can see from
energy usage? For example, if the consumers are straight or gay?
Terrorist profiles? Affairs? Illegal activities? Will access to do data
mining for investigations put people on terrorist watch lists, etc.? Will
politicians want to use data for potential activity taxation? Performing
a gap analysis could point out scenarios and associated risks.
12. Unwanted Embarrassment and other negative impacts resulting from unauthorized
publicity and disclosure or publication of household or electric vehicle use.
embarrassment
13. Tracking behavior When a different individual owns and pays the utilities other than the
of renters/leasers resident, such as in the case of a rental unit, room subletting, leasing,
and so on, the landlord or property owner could have access to the
smart meter data and potentially track the residents’ activities. Rent
decisions could be made based on past power usage history. Power
usage profiling could follow individuals and impact a wide range of
decisions.
(continued)
51
WHAT IS PRIVACY?
Table3.3 Privacy Concerns for Smart Grid Information Disclosure and Misuse (continued)
PRIVACY CONCERN DISCUSSION
14. Behavior tracking Will there be any items within the smart meters that can act in ways
similar to browser/document cookies or web bugs? If so, these items
could potentially be misused in ways similar to how cookies and web
bugs are currently misused. Perhaps radio frequency identification
(RFID) tags can be used in some smart appliances? Perhaps GPS types
of technologies?
15. Public What kind of Smart Grid data search engines will there be? What
aggregated discussions or plans have occurred around this possibility? What
searches information would be involved? What control would consumers have to
revealing not have their data included in such searches? The privacy issues
individual would be similar to the privacy concerns that currently exist with
behaviors Internet search engines, only the implications could be more wide
reaching because the data would be based upon individuals’ actual
daily living activities, and not upon what they consciously choose to
put onto the Internet.
Source: Rebecca Herold, Smart Grid Privacy Concerns, October 2009, http://www.privacyguidance.
com/files/SmartGrid_PrivacyHeroldOct2009.pdf.
ways in which Smart Grid data could be used to reveal information
about the lives of those using or associated with all these gadgets if
proper controls are not applied.
It is important to note that each of the potential privacy risks can be
sufficiently mitigated with the appropriate technical, administrative,
and physical controls.
Data Communications Privacy Concerns
The manner in which Smart Grid data is communicated can also
present privacy risks. There are a large number of possibilities for how
Smart Grid data may be transmitted.
• The data from smart appliances, smart meters, apps, and other
devices may be transmitted through utility-owned networks.
• Smart Grid device data may be sent through third-party
networks via Wi-Fi, broadband, public carriers, or private
licensed networks.
• Energy consumers’ home area networks (HANs) and home
energy management (HEM) systems may be used to send
data directly to appliance vendors, energy management vendors,
utilities, and Internet sites.
Each of these methods has privacy risks that must be mitigated
through a wide range of controls, such as authentication, encryption,
access controls, and physical controls, just to name a few. Privacy
impact assessments (PIAs) should be done to determine the associated
risks in each situation where energy usage data that can be attributed
to specific individuals or households will be transmitted. Appropriate
controls can then be implemented to address the risks. See Chapter 7
for information about mitigating privacy risks within the Smart Grid.
The Smart Grid is only smart because of the deployment of a
wide range of sensors and actuators to remotely monitor and control
equipment coupled with a variety of communication networks. Each
network option has its pros and cons, from a cyber security perspective,
for discouraging data interception during transmission. There are
many technologies, policies, and practices that can reduce the risks of
unauthorized access to stored data. There are also many books already
written on these topics.
In the subsequent chapters, we’ll explore the most important end
points and devices where energy usage data is created and privacy
implications for this data. We like the concept of data owners, data
custodians, and data managers* as convenient ways to think about
energy usage data and other data in general, but it’s important to note
that this concept is unique to energy consumption data that is generated
from select utilities in one state.
Customers are identified as data owners for energy usage data in
a number of states. But after that, at the time this book was written,
there was no standard approach or definition that describes overall
privacy rights and responsibilities.
* In the privacy profession, and in various data protection laws throughout the world,
the following terms are commonly used:
Data protection authority (DPA): A supervisory entity chartered to enforce
privacy or data protection laws and regulations.
Data controller: An organization or individual with the authority to decide how
and why information about data subjects is to be processed.
Data processor: An organization or individual that processes data on behalf of the
data controller.
Data subject: An individual about whom information is being processed.
However, the terms shown in the text are the terms used by the California Public
Utilities Commission (CPUC), and within some other parts of the U.S. energy
space, so we are using them in this book instead.
Energy usage data puts significant challenges on territorial or spatial
privacy. But as we’ll explore in this book, the Smart Grid is just a
collection of machine-to-machine (M2M) and Internet of Things (IOT)
technologies and applications. Many other M2M and IOT applications
create even more opportunities for risking the loss of privacy. In
particular, the connected home, vehicle telematics, and location-based services
on mobile devices also have real privacy implications. Some of these
applications have an association with the Smart Grid, such as monitoring
energy usage in the connected home, or electric vehicle (EV)
charging, but other applications may have no data creation or exchange
relationship to the Smart Grid, other than to draw power from it.
4
SMART METER DATA
AND PRIVACY
Meter Comparisons
Traditional meters, such as the one shown in Figure 4.1, measure
electricity, gas, or water use. The most sophisticated metering
technology goes into electric meters. The metrology for gas and water
meters is much simpler. Why? It’s a matter of power. Gas and water
meters rely on battery power, and therefore are less complex in terms
of the amounts of data they collect and transmit. Electric meters can
draw the power they need to operate from the electrified wire they
are connected to. More complexity in collecting and processing data
means more power is needed to perform these functions. The metrology
in electric meters is based on sensors that detect current and voltage.
Utility meters are considered revenue grade, meaning they are
accurate enough to be trusted for financial settlements by supplying
the data used to calculate consumption of what is measured for billing
purposes. In other words, a meter—smart or not—is a cash register.
It is the trusted transaction point for your purchase of electricity, gas,
or water from a utility.

Figure 4.1 Traditional electricity meter. (From First Energy Corporation, https://www.firstenergycorp.com/content/customer/help/billingpayments/meter_reading_schedule/reading_your_meter.html.)
Traditional meters require a visit from a meter reader to jot down
the difference in gauges (those dials shown at the “mechanical
register” in Figure 4.1) from their last trip. That means someone from
a utility drives up to your home, dashes over to the meter clamped
on the side of your house, on a pole in your yard, or in your house or
building, reads the register, jots down numbers on a chart or computer,
and then dashes off again. The family dogs sometimes went
ballistic over these invasions of their territory.
From a historical perspective, it is interesting to note that while
smart meters may seem like new technology, the first meter designed
for measuring consumption in real time to accommodate dynamic
pricing was invented in the 1970s. James Kirtley and Thomas Sterling
of the Massachusetts Institute of Technology (MIT) filed a smart
meter patent application in November 1979 and were granted a patent
in February 1982.* The patent was for a meter that would calculate the
cost of the energy consumed over short time intervals.
In one author’s (Rebecca Herold) discussion with Dr. Kirtley,† she
discovered there were a couple of inspirations for the invention at that
point in time.
1. The leader of the MIT research group, Dr. Fred Schweppe,
was concerned with privacy, and indicated a desire that any
real-time pricing meter should limit the ability of utilities to
accumulate detailed consumption data for each time interval.
* See http://patft.uspto.gov/netacgi/nph-Parser?Sect1=PTO1&Sect2=HITOFF&d=PALL&p=1&u=%2Fnetahtml%2FPTO%2Fsrchnum.htm&r=1&f=G&l=50&s1=4317175.PN.&OS=PN/4317175&RS=PN/4317175.
† In a phone discussion with James Kirtley and Ken Wacks on April 4, 2014.
2. Dr. Kirtley indicated he was thinking more about issues
related to data rates than about privacy. There was no widespread
Internet in 1978, and available communications technologies
were very immature. The smart meter invention
allowed time-varying rates for electricity to be downloaded
into the meter by the utility. The meter measured consumption
during the time interval when a rate was in effect and
applied that rate to calculate the cost. The reason for doing the
calculations in the meter was to minimize data traffic, which
was relatively expensive then.*
See the first of four diagrams of the invention in Figure 4.2. When
asked how the invention was received at that time by the utilities,
Dr. Kirtley told Rebecca, “The industry folks said, uniformly, that
we were idiots, because they thought it [the meter invented] wasn’t
usable.” As we can see now, it took close to 30 years before a smart
meter would be practical and deployed for residential use.
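The in-meter calculation described in item 2, and the data-limiting goal in item 1, can be compared with uploading every interval read. The sketch below is an added example, not code from the patent or the book; the rate schedule, meter ID, and usage values are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RateWindow:
    start_min: int    # minute of day the rate takes effect (inclusive)
    end_min: int      # minute of day the rate ends (exclusive)
    price_milli: int  # price in thousandths of a dollar per kWh


# Constructed time-varying rate schedule, as downloaded into the meter.
SCHEDULE = [
    RateWindow(0, 420, 80),       # 00:00-07:00 off-peak
    RateWindow(420, 1020, 120),   # 07:00-17:00 mid
    RateWindow(1020, 1260, 300),  # 17:00-21:00 peak
    RateWindow(1260, 1440, 120),  # 21:00-24:00 mid
]


def rate_for(minute_of_day, schedule):
    """Return the price in effect at the given minute of the day."""
    for window in schedule:
        if window.start_min <= minute_of_day < window.end_min:
            return window.price_milli
    raise ValueError(f"no rate covers minute {minute_of_day}")


def sample_day(interval_min=15):
    """Constructed reads: (minute of day, Wh consumed in that interval)."""
    return [(m, 500 if 1020 <= m < 1260 else 100)
            for m in range(0, 1440, interval_min)]


class InMeterBilling:
    """Meter-side design: price each interval locally, keep only totals."""

    def __init__(self, meter_id, schedule):
        self.meter_id = meter_id
        self.schedule = schedule
        self.total_wh = 0
        self.cost_micro = 0  # millionths of a dollar: Wh x (milli-$ per kWh)

    def record(self, minute_of_day, wh):
        # The interval value is folded into the totals and not retained.
        self.total_wh += wh
        self.cost_micro += wh * rate_for(minute_of_day, self.schedule)

    def report(self):
        """The only message that leaves the meter in this design."""
        return {"meter_id": self.meter_id,
                "total_wh": self.total_wh,
                "cost_micro": self.cost_micro}


def utility_side_bill(reads, schedule):
    """Alternative design: every interval read is uploaded and priced centrally."""
    return sum(wh * rate_for(minute, schedule) for minute, wh in reads)


def compare_designs():
    reads = sample_day()
    meter = InMeterBilling("METER-EXAMPLE-001", SCHEDULE)
    for minute, wh in reads:
        meter.record(minute, wh)
    report = meter.report()
    return {
        "in_meter_report": report,
        "utility_side_cost_micro": utility_side_bill(reads, SCHEDULE),
        "values_sent_in_meter_design": len(report),
        "values_sent_interval_upload": len(reads) + 1,  # reads plus meter ID
    }


if __name__ == "__main__":
    for key, value in compare_designs().items():
        print(key, value)
```

Both designs arrive at the same bill, but only the interval-upload design gives the utility a per-interval consumption history.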
One of the authors, Christine Hertzog, lives in a neighborhood
that has had smart electric and gas meters since 2009. There’s no meter
reader entering the backyard anymore to conduct a monthly read. The
water meter, which is definitely not smart, still requires someone to
come out to the sidewalk meter vault, lift a heavy cover, and peer
down to read consumption information. That cover isn’t secure, so
anyone could lift it and read the numbers.
AMR Metering
Meter technology called automated meter reading (AMR) is one
evolutionary step away from smart meters. AMR enables specially equipped
vehicles to pick up stored data that is transmitted wirelessly to the
vehicle driving by or an individual walking by to create the bills for
usage. Collection of data only occurs when the right receiver is within
the physical range of meter transmitters equipped to communicate with
that receiver. Each meter has to be “polled” to transmit the latest
consumption data, which cover the time period since the last poll.
* See more about the concept in a paper by the inventors entitled “Impact of New
Electronic Technologies to the Customer End of Distribution Automation and
Control” (Kirtley et al.).
Figure 4.2 The first of four diagrams in the first “smart meter” patent by Kirtley and Sterling.
(See all four meter diagrams from the patent filing at http://www.google.com/patents/US4317175,
and also at http://patft.uspto.gov/netacgi/nph-Parser?Sect1=PTO1&Sect2=HITOFF&d=PALL&p=1&u=%2Fnetahtml%2FPTO%2Fsrchnum.htm&r=1&f=G&l=50&s1=4317175.PN.&OS=PN/4317175&RS=PN/4317175.)
(From U.S. Patent US 4317175 A.)
Smart Meters Overview
Smart meters have communications technology—wired or wireless—
that can transmit data on a more frequent basis than once a month or
whenever a drive-by AMR-style meter read takes place. This
communications technology accompanies the same metrology that existed
in traditional, electromechanical meters. Smart meters are part of an
advanced metering infrastructure (AMI) that includes the revenue-grade
meters, data collection equipment, and communications equipment
needed to exchange data with a utility. Figure 4.3 shows an
example of a typical smart meter.
Figure 4.3 Smart meter example. (From PG&E, see http://www.pgecurrents.com/2012/06/12/pge-catches-wave-on-smartmeter-deployments/.)
The time and fuel savings from eliminating manual or AMR meter
reading are significant.* It results in reduced miles driven and
subsequent reductions in carbon emissions as well as improved
productivity, as meter readers can focus on the “outlier” meters.
* Examples of utility savings: http://www.clarkpublicutilities.com/index.cfm/payment-options/about-your-bill/meter-reading/remote-meter-reading/ and https://smartgrid.gov/sites/default/files/doc/files/Central%20Maine%20Power%20Case%20Study_0.pdf.
Smart meters can provide more data than previously collected by
traditional electromechanical meters as kilowatt-hours (kWh) or
consumed electricity. The typical residential smart meter gathers the
following data:
• Instantaneous voltage
• Instantaneous current
• Peak voltage/current
• System frequency
• Root mean square (RMS) voltage/current
• Phase displacement
• Power factor
• Instantaneous apparent power
• Instantaneous real power
• Instantaneous reactive power
• Energy use/production
• Harmonic voltage distortion
• Total harmonic distortion*
Smart meters are collections of sensors with some data storage
and communications capabilities. They measure the current coursing
through a wire, record readings at specific time intervals, store some
meter usage data (from 1 day to 1 month is typical in the United
States), and communicate the meter data, along with the code that
represents the meter, to utilities.
Smart meters can also be enabled to communicate on the “other
side of the meter,” or inside a home or business. For residential
environments, some typical protocols for a home area network (HAN) are
ZigBee, Z-Wave, or HomePlug. There is a variety of communications
protocols in place for communications with the other side of the meter
for commercial and industrial environments too. We’ll briefly discuss
some of the types of signaling that could occur from smart meters to
devices in a home, but more substantial discussion will be reserved for
Chapter 5 on the connected home.
Signaling Types
In the United States smart meters must comply with American
National Standards Institute (ANSI)† C12.19 standards for meter
data structure—in other words, establishing a common structure for
what is collected. Meter data is typically defined in terms of tables.
Different standards are in place for Europe (DLMS/COSEM) and
Asia (DLT/645 is used in China), but with the same principle in
mind—to structure the data tables.
* http://breakingenergy.com/2013/07/24/the-true-roi-of-smart-meter-deployments/.
† The American National Standards Institute is a standards development organization
(SDO) that creates standards through a consensus-based process. The C12.19
standard’s participating entities included utilities, meter manufacturers, automated meter
reading service companies, ANSI, Measurement Canada (for Industry Canada),
National Electrical Manufacturers Association (NEMA), Institute of Electrical and
Electronics Engineers (IEEE), Utilimetrics, and other interested parties.
Depending on the manufacturer, meters can also provide data
about power quality or tamper detection. The list above describing
smart meter data includes measurements for power quality, which
helps identify power surges and sags that can be harmful to devices
that rely on a steady source of power. It’s a valuable source of data that
was previously not available in the vast majority of meters since it can
provide measurements more than once a month. This data can help
utilities diagnose the “health of the grid” and, in particular, the flow
of electricity into the smart meter.
Many utilities are utilizing smart meters to deliver much more
granular sensing of voltages in their distribution grids. In this
practice, commonly known as conservation voltage reduction (CVR)
regulation, smart meters serve as the sensors that communicate voltage
levels. Before smart meters, utilities had much less visibility into
their distribution grid operations. They managed by oversupply to ensure
that the last meter on a circuit had sufficient power. However, smart
meters can communicate details about voltages, and this data allows
utilities to modulate power in the grid much more effectively. Utilities
can reduce overall power needs—often to the tune of millions of dollars
in annual savings.*
The data about energy usage or generation is what is most visible
and useful to consumers, since it supplies the data that measures
kilowatt-hours (kWh) and is used for billing. Other specialized meters
collect similar data about natural gas or water consumption.† Some of
these are smart too—meaning they have the ability to remotely
communicate measurements.
* http://www.elp.com/articles/2013/09/report-smart-meters-offer-multiple-benefits-to-utilities-customers.html and https://www.smartgrid.gov/files/doc/files/SGIG_progress_report_2013.pdf and http://www.intelligentutility.com/article/13/06/time-take-second-look-conservation-voltage-regulation.
† Gas is typically measured in therms; water is measured in 100 cubic feet or CCF units.
Smart Meter Communications Capabilities
Drilling down into the communications capabilities of the smart
meter, there are a couple of deployment options that utilities consider.
Every smart meter has a communications card that connects to the
external world via the utility’s wireless or wired network that supports
the distribution grid. The external communications connection can
be wired using power line carrier (PLC) technology. This means that
the communication signal is carried in the same wire that is supplying
electricity. Smart meters also have the ability to communicate on the
other side of the meter to a HAN, which is discussed in more detail
in Chapter 5 on the connected home.
Smart meters are a collection of sensors. In addition to sensing
voltage or current, smart meters can also serve as actuators, or devices
that have a control capability. For instance, a smart meter can be
remotely connected and disconnected and automatically send messages
about service outages. That means that consumers with smart
meters no longer have to wait for a field technician to arrive to turn
electric service on or off for relocations; this can be done remotely by
the utility. For utilities, smart meters can alert them to outages the
moment they occur and reduce the time that homes and businesses
are without electric service. With traditional meters, utilities don’t
know there’s a problem until someone calls in with a service complaint.
Smart meters collect much more data about usage because they
have digital storage, and smart meters can provide data on a much
more frequent basis than the traditional meter reads.
This increased data collection delivers more granular awareness
about energy usage. What granularity really means is that you can
obtain a more detailed graph of electricity usage over the course of
an hour or a day or week than what would be available from a simple
monthly read of total kWh. It’s important to note that many of today’s
commercial meters installed on office buildings and factories have
these communications capabilities and collect the same power quality
data that is now collected for residential dwellings. These commercial
meters have been “smart” for a number of years. But these are also
more expensive meters because they typically are polyphase meters—
measuring three phases of electricity. So are smart meters really
new? The answer is yes when it comes to the meters now deployed
in residential buildings, which are sometimes called single-phase
meters. Because single-family homes and many multiunit residential
buildings operate on a one meter per home allocation, the granularity
of consumption (and production) data merits discussion about the
privacy risks associated with the use of and access to that data.
Smart Meter Data Read Frequency
In the past, the typical U.S. electric utility collected consumption data
from a meter 12 times a year—12 data points. Now, smart meters
have the ability to collect and transmit data as often as once a minute
or less.* Even with meter data collection at 15-minute intervals, a utility
would gather 3,000 reads (or receipts of data) per meter per month. At
the time of this writing, the authors could not find a U.S.-based utility
that had shown an appetite for collecting data from every meter at
more than a 15-minute interval, which would create significant strains
on the communications infrastructure and internal utility systems to
manage and store all this data.
However, it is possible that utilities would selectively and temporarily
examine the power quality meter data on a more granular basis
to conduct diagnostics for customers who experience service issues.
More granular data could detect power surges or sags that can damage
sensitive electronics in appliances and computers. It is also possible
that utilities could schedule more granular meter reads for selected
meters in order to obtain more fine-grained consumption knowledge.
We’ll explore that more in Chapter 5 on the connected home.
* Regulatory policies often dictate the frequency of data collection. In the United
States, the typical utility collection frequency is around once per hour, although
some utilities have permission to obtain data on 15-minute intervals. Realistically,
any utility could overwhelm its data management capabilities if it sought to collect
data on residential meters at a read per minute. Some utilities could have issues
managing data collected on an hourly basis.
Smart Meter Data Granularity
The granularity of meter consumption data can create insights into
activities within a dwelling. For instance, the well-known graph in
Figure 4.4 offers an interesting distillation of appliance activity from
a study done by Elias Leake Quinn where he established ongoing
surveillance of a traditional electric meter. The attribution of specific
appliance activity does not come from the meter itself, which collects
an aggregation of consumption data at the point of the meter outside
of the house. The identification of specific appliance activity in
this chart occurs because of specialized technologies or algorithms
that disaggregate that electric current into the specific amounts used
by them. This disaggregation is possible because each appliance has
a unique electricity signature in the amount of power drawn from
a meter. Without the technology or disaggregation algorithms, educated
guesses would need to substitute for accurate appliance identification
when working solely with smart meter data.

[Figure 4.4 plot: power (kW) against time of day (h), with load events labeled refrigerator, kettle, washing machine, toaster, hob heaters, oven preheating, and oven cycling. Peak = 7.18 kW; mean = 0.49 kW; daily load factor = 0.07; energy consumption = 11.8 kWh.]
Figure 4.4 Activities shown by energy usage. (From Elias Leake Quinn, Smart Metering and
Privacy: Existing Law and Competing Policies, Spring 2009, p. 3, http://www.dora.state.co.us/puc/DocketsDecisions/DocketFilings/09I-593EG/09I-593EG_Spring2009Report-SmartGridPrivacy.pdf.)
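To judge how much a given read interval exposes, the following added example (not from the book or from Quinn's study) averages a constructed one-minute load profile into 1-, 15-, and 60-minute reads and checks whether a kettle-sized jump in power is still visible. The appliance wattages, times, and the 1,500 W threshold are assumptions, and the step check is a simple stand-in for real disaggregation algorithms.

```python
def build_profile():
    """Constructed 1-minute household load profile in watts (1,440 samples)."""
    load = [50] * 1440                          # always-on base load
    for start in range(0, 1440, 60):            # refrigerator: 20 min on per hour
        for m in range(start, start + 20):
            load[m] += 100
    for start in (7 * 60 + 30, 17 * 60 + 10):   # kettle: 2 kW for 3 minutes
        for m in range(start, start + 3):
            load[m] += 2000
    for m in range(10 * 60, 10 * 60 + 45):      # washing machine: 500 W, 45 min
        load[m] += 500
    return load


def resample(load_w, interval_min):
    """Average power per read interval, as an interval meter would report it."""
    return [sum(load_w[i:i + interval_min]) / interval_min
            for i in range(0, len(load_w), interval_min)]


def energy_wh(series_w, interval_min):
    """Total energy represented by a series of average-power reads."""
    return sum(series_w) * interval_min / 60


def steps(series_w):
    """Change in reported power between each pair of consecutive reads."""
    return [series_w[i] - series_w[i - 1] for i in range(1, len(series_w))]


def rising_edges(series_w, interval_min, min_step_w):
    """(time of day, step in W) for each jump of at least min_step_w."""
    events = []
    for i, step in enumerate(steps(series_w), start=1):
        if step >= min_step_w:
            minute = i * interval_min
            events.append((f"{minute // 60:02d}:{minute % 60:02d}", round(step)))
    return events


def exposure_by_interval(intervals=(1, 15, 60), min_step_w=1500):
    """Summarise what each read interval preserves and what it hides."""
    load = build_profile()
    result = {}
    for n in intervals:
        series = resample(load, n)
        result[n] = {
            "reads_per_day": len(series),
            "energy_wh": round(energy_wh(series, n), 1),  # billing quantity
            "max_step_w": round(max(steps(series))),
            "large_steps": rising_edges(series, n, min_step_w),
        }
    return result


if __name__ == "__main__":
    for interval, summary in exposure_by_interval().items():
        print(f"{interval:>2}-minute reads: {summary}")
```

The billed energy is identical at every interval, while the two kettle events are only distinguishable in the one-minute reads.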
What’s missing from smart meter data now? Personal information,
such as the name of the person paying the bill associated with that
meter, or the address of that person. Why? The reasons are not about
privacy, although that is a welcome beneficiary of them. The reasons
have to do with payload and relevance. Information theory* focuses
on minimization of the amount of data that needs to be sent in a
transmission. The most important data is the data that identifies a
change—such as the total kWh drawn or the price of electricity.* The
bigger the message, the more power that’s needed to transmit it, and
the more capacity that is needed in the network. With apologies to
Mr. Shannon, think of it as a transport decision. If you have to go to
the grocery store to purchase a bar of soap and quart of milk, do you
need a huge cargo truck or a smart car? Obviously, the smart car will
take less energy to get to and from the store, and it takes up less space
on the roads, which means more cars can also use the highway. This
is a key practice in Shannon’s information theory—keep the data to a
minimum to optimize the bandwidth.
* Claude Shannon’s paper, “A Mathematical Theory of Communications,” has been
called the “Magna Carta of the information age.” Read it at http://cm.bell-labs.com/cm/ms/what/shannonday/shannon1948.pdf.
* Pricing information is useful for dynamic pricing and time of use (TOU) tariff
structures. This information could be communicated via a meter to smart appliances.
There’s no provision in meter data standards for transmission of
traditional personal information. A unique meter identification (ID)
is associated with the person who has established a customer relationship
with the utility. This unique meter ID is a code that serves as
the shorthand identification of the customer. The unique meter ID is
matched to data about the customer once it has been transmitted back
to a utility’s billing operations. It is extremely important that utilities
protect the personal customer data that is collected for their operations,
including the association between the meter IDs and customers,
but this data is not contained within smart meter communications
themselves.
There’s another key point to the data that is collected and transmitted
by smart meters. Most of the meter manufacturers operating
in the United States have standard encryption capabilities for data.
They use 128-bit Advanced Encryption Standard (AES-128),† which
is also widely used in a variety of other products. A number of utilities
note that they are encrypting meter data within the AMI networks,
including Pacific Gas & Electric (PG&E), CenterPoint Energy, and
Florida Power & Light (FPL).‡ However, other countries may require
encryption. For example, the Netherlands requires that selected smart
meter data must be encrypted.*
† http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf.
‡ PG&E, http://www.pge.com/en/myhome/customerservice/smartmeter/howitworks/index.page; Centerpoint, http://www.centerpointenergy.com/staticfiles/CNP/Common/SiteAssets/doc/123062_%20SmartMeterDataSecurity.pdf; FPL, http://www.fpl.com/energysmart/pdf/facts_about_smart_meters_and_privacy.pdf.
Energy Savings Initiatives
The old adage that knowledge is power is literally true about the results
of collection and feedback of consumption data on energy or water
use. A number of studies† have shown that once people are aware
of how and when they use electricity, they are more likely to take
steps to reduce the use of it. This recognition of the power of knowledge
coupled with a feedback loop spurred development of a couple
of interesting initiatives that involve energy data owners, custodians,
and managers. The bottom line is that data can be correlated from a
number of sources and analyzed to create meaningful information for
the owners of the energy usage data. As we’ll discuss later, data has
significant monetary value to many entities.
Green Button Initiative
The Green Button initiative leverages the purpose and use of smart
meter data.‡ The objective of this 2011 federal government initiative
is to offer utility customers easy access to their electricity usage data.
It is modeled on the popular Blue Button§ program that first made
military veterans’ medical data easily available for them to download,
view, and share with medical resources. The data is organized in a
standard machine-readable file format that can be shared by the data
owner with third-party entities (data managers) of the owner’s choos-
ing to turn into visual displays and applications that help the data
owner manage his or her electricity consumption. The common data
format lets application developers build one interface that will work
* See more about this in EN 13757-x at www.cenelec.eu, and also
http://oms-group.org/en/standard-sources/.
† www.scientificamerica.com/article/do-smart-meters-mean-smart-electricity-use/.
‡ http://www.data.gov/energy/page/welcome-green-button.
§ http://bluebuttondata.org. Since its inception, a growing number of private sector
organizations are also implementing similar programs for their medical services
consumers.
Data Class                    Description
UsagePoint                    The location of measurements—a meter or submeter, or individual load or appliance
ReadingType                   The type of measurement contained in MeterReading
MeterReading                  A collection of the same ReadingType measurements
LocalTimeParameters           A universally recognized time stamp to ensure time has the same meaning for all measurements
IntervalReading               A single measurement that may include cost or quality
IntervalBlock                 A collection of IntervalReadings, usually by day, week, or month
ElectricPowerUsageSummary     A summary of measurements for a specific period of time
ElectricPowerQualitySummary   A summary of statistics about power quality for a specific period of time
with the energy usage data across all utilities that agree to participate
in the Green Button program.
This data is available in some states now, and a growing number
of utilities are supporting this initiative.* For consumers, detailed
data about how and when they use electricity can influence decisions
about how to save money on electric bills, identify appliances that
are energy hogs and potential savings through use of more energy
efficient models, or even build business cases for energy efficiency
renovations or investments in distributed energy resources (DERs)
like solar photovoltaic (PV). The granularity of this data is unique.
Instead of a single number identifying the kilowatt-hours consumed
last month, consumers can see usage at daily, hourly, or smaller incre-
ments of time.
Figure 4.5 shows the major classes of data supplied by meters in the
Green Button format.
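The following added example (not code from the book or from the Green Button project) parses one IntervalBlock of IntervalReadings and then coarsens the granularity, which is the data-minimization step a data owner or custodian can apply before releasing usage data to a data manager. The XML layout and namespace are a simplified assumption built on the class names in Figure 4.5, the helper names are hypothetical, and the readings are constructed.

```python
import xml.etree.ElementTree as ET

# Assumption: element names follow the Figure 4.5 data classes; the namespace
# and nesting are a simplified stand-in for a complete Green Button file.
ESPI = "http://naesb.org/espi"
NS = {"e": ESPI}


def build_sample_block(start, values_wh, step=900):
    """Constructed sample: one IntervalBlock of 15-minute IntervalReadings (Wh)."""
    readings = "".join(
        "<IntervalReading><timePeriod><duration>%d</duration><start>%d</start>"
        "</timePeriod><value>%d</value></IntervalReading>" % (step, start + i * step, v)
        for i, v in enumerate(values_wh)
    )
    return (
        '<IntervalBlock xmlns="%s"><interval><duration>%d</duration>'
        "<start>%d</start></interval>%s</IntervalBlock>"
        % (ESPI, step * len(values_wh), start, readings)
    )


def _int(node, path):
    """Read a required integer child; reject missing or non-numeric fields."""
    text = node.findtext(path, namespaces=NS)
    if text is None or not text.strip().lstrip("-").isdigit():
        raise ValueError("missing or non-integer field: " + path)
    return int(text)


def parse_interval_block(xml_text):
    """Return sorted (start, duration, value) tuples from one IntervalBlock."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}IntervalBlock" % ESPI:
        raise ValueError("expected an IntervalBlock element")
    block_start = _int(root, "e:interval/e:start")
    block_end = block_start + _int(root, "e:interval/e:duration")
    readings = []
    for node in root.findall("e:IntervalReading", NS):
        start = _int(node, "e:timePeriod/e:start")
        duration = _int(node, "e:timePeriod/e:duration")
        value = _int(node, "e:value")
        # Assumption: consumption-only data, so negative values are rejected.
        if duration <= 0 or value < 0:
            raise ValueError("implausible reading at %d" % start)
        if start < block_start or start + duration > block_end:
            raise ValueError("reading at %d lies outside its block" % start)
        readings.append((start, duration, value))
    return sorted(readings)


def coarsen(readings, bucket_seconds):
    """Sum readings into aligned buckets, keeping only fully covered buckets."""
    totals, covered = {}, {}
    for start, duration, value in readings:
        bucket = start - start % bucket_seconds
        if start + duration > bucket + bucket_seconds:
            raise ValueError("reading crosses a bucket boundary")
        totals[bucket] = totals.get(bucket, 0) + value
        covered[bucket] = covered.get(bucket, 0) + duration
    # A partly covered bucket would understate usage, so it is not released.
    return [(b, totals[b]) for b in sorted(totals) if covered[b] == bucket_seconds]


# Constructed readings: two hours of 15-minute data from 2014-01-01T00:00Z.
SAMPLE_START = 1388534400
SAMPLE_XML = build_sample_block(SAMPLE_START, [50, 50, 50, 50, 400, 900, 450, 60])

if __name__ == "__main__":
    fine = parse_interval_block(SAMPLE_XML)
    print("15-minute view:", [value for _, _, value in fine])
    print("hourly view:   ", coarsen(fine, 3600))
```

The 15-minute view shows when the spike in the second hour happened; the hourly view releases only the totals.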
The Green Button initiative is based on the premise that energy
usage data has real value to consumers. Each consumer’s electrical
usage data belongs to that consumer, and consumers may opt to share
their data with companies (data managers) that offer information
services or products. Information services may create comparisons
Figure 4.5 Green Button data classes. (From http://en.openei.org/wiki/Green_Button.)
* http://en.openei.org/wiki/Green_Button.
of electricity usage with anonymous peers (usually based on demo-
graphic, geographic, and property information) or offer recommenda-
tions on how to reduce electricity use. The services include web-based
and mobile apps, offering a wide range of information options for
consumers. Products may include smart plugs or more energy efficient
appliances.
The federal government has promoted private sector development
of applications that leverage Green Button data through a challenge*
in 2012 that offered monetary prizes to the best solutions. There’s sig-
nificant potential for applications that can go beyond simply tracking
existing energy usage. Green Button data can be combined by autho-
rized data managers with other data to analyze the value of rooftop
solar panels or electric vehicles for individual consumers, or to iden-
tify local utility rebates that consumers can claim to help reduce over-
all energy costs through investments in energy-efficient appliances
or building upgrades. Smart Grid-enabling technologies like smart
meters and Green Button apps create new data, and new information
based on this data. That information has value to consumers, utilities,
and a range of other entities.
Perhaps energy usage data will enjoy an evolution similar to that
seen for credit card data. Once upon a time, we simply received our
monthly bill with itemized expenses. Then credit card companies
started summarizing those monthly expenditures into categories, and
sent annual reports about spending patterns. The summary reports
helped consumers understand exactly how much money over the
course of a year was spent on dining or entertainment or fuel. That
is powerful information that can shape budgets and spending habits.
The same logic can be applied to energy usage habits and decisions.
Green Button data also serves to illustrate the roles of data owner-
ship, custodianship, and management. Green Button data is owned
by the consumer. The local utility supporting Green Button is a cus-
todian of this data. The investor-owned utilities (IOUs) follow the
privacy and security mandates for this data as defined by their state
regulatory agency. A third party or service provider selected by the
data owner to receive Green Button data becomes a data manager.
* http://appsforenergy.challengepost.com.
A key point is that there is not one national data privacy policy that
covers all the roles.
For instance, if the California-based author, Christine, chooses the
Best Data Company to receive her Green Button data, that triggers
notification to her local utility, the data custodian, that she authorizes
it to allow Best Data Company to access and receive her data on a one-
time or ongoing basis. Best Data Company is now a manager of her
data. In California, even when the data has crossed the utility boundary
to Best Data Company, the utility’s data privacy policy is in force for
her data. Her consumption data cannot be sold by Best Data Company.
However, if she directly hands her data over to a third party without her
utility’s involvement, then these privacy safeguards no longer apply; but
if the third party has a privacy policy in place, it will apply.
This is an important point: many consumers may not be aware this
data can cross boundaries and be subjected to different public util-
ity commission (PUC) privacy policies. California serves as a good
example of requiring legal privacy protections for energy usage data.
The California Public Utilities Commission (CPUC) has been very
supportive of the Green Button initiative and a follow-on project
called Green Button Connect, which we’ll explore below.
Green Button Connect
Green Button Connect is an extension of the initial White House Green
Button initiative.* The Connect project encourages utilities to make it
procedurally and uniformly easy for consumers to provide authorization
to release data to their selected third parties. Large organizations like
utilities can create unintended complexity for consumers to complete
a service request that authorizes their selected data manager to receive
their Green Button data. Green Button Connect defines a standard
process to request data and authorize data managers to access Green
Button data on behalf of the data owner. Green Button Connect does
not create new energy usage data; it makes it easier for consumers to
get access to this data. However, as noted above, if the utility has not
been involved as a data custodian, this data is now at the mercy of the
* See http://www.whitehouse.gov/blog/2013/12/05/expanded-green-button-will-reach-
federal-agencies-and-more-american-energy-consumers.
privacy policy in place at the third party selected by the consumer (the
data owner) and any other applicable privacy laws for that location.
The CPUC, in collaboration with its three IOUs and other interested
parties, created Decision 13-09-025,* issued September 19, 2013, that
requires that the third-party companies that seek to become Green
Button data managers must comply with the same requirements for
privacy and security that apply to the regulated utilities themselves.
Utilities, as data custodians, have a defined process to follow if a third
party is identified or suspected of data abuse. Most importantly, if a
consumer believes his or her privacy has been compromised by a third
party with access to the energy usage data, a request to the utility to
terminate that third party’s authorized access can occur immediately.
One California utility, San Diego Gas and Electric (SDG&E),
relies on the TRUSTed Smart Grid Privacy Program† for the Green
Button Connect program. TRUSTed is “a self-regulatory program
that certifies that companies use responsible privacy practices as they
collect and share consumer smart grid data.” This program was devel-
oped by the Future of Privacy Forum in collaboration with TRUSTe‡
and is somewhat similar to an Underwriters Laboratories (UL)
approval or a Good Housekeeping seal of approval. The privacy cer-
tification must be annually renewed. This program requires that data
owners (consumers) be notied of any security incidents that could
impact or result in a privacy breach.
Like any other data, energy usage data should have privacy protec-
tions. Given that this data is new and there’s little experience with it,
we should expect that consumers won’t always know who is responsi-
ble for the security and privacy of the data that they have made avail-
able to utilities and third parties. Consumer education is essential
to help data owners understand the chain of data custody and what
privacy safeguards exist if data is transferred from a utility to a third
party, or from the consumer directly to a third party without utility
involvement.
* Available for download at www.cpuc.ca.gov/PUC/energy/smartgrid.htm.
† http://www.sdge.com/newsroom/press-releases/2013-01-27/powertools-app-
helps-sdge-customers-manage-save-energy.
‡ See http://www.truste.com/privacy-program-requirements/TRUSTed-smart-grid/.
Figure 4.6 The value of data. (Figure labels: Data, Information, Knowledge, Wisdom.)
California is very interested in making energy usage data available
for academic research. The CPUC is actively working on developing
data practices and policies that make energy usage data available
while protecting consumer privacy. The CPUC rules indicate that if
data has identifiable characteristics removed, it can be available for
research use without individual consumer consent. Data privacy prac-
tices of anonymization and aggregation will factor in to these policies
and guidelines. As we noted before, knowledge is power.
Figure 4.6 puts it another way. Data is the starting point for us to
learn how to manage our energy usage as intelligently as possible.
Applications that illustrate when and what our energy usage is can be
as helpful as reports that summarize spending categories and manage
financial budgets.
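The anonymization and aggregation practices mentioned above for research release can be sketched as follows. This is an added example, not code from the book or the CPUC: the function names, the row layout, and the minimum group size of five meters are assumptions, and the rows are constructed.

```python
import hashlib
import hmac
from collections import defaultdict


def pseudonym(meter_id, key):
    """Keyed pseudonym: stable under one key, not reversible without it."""
    return hmac.new(key, meter_id.encode("utf-8"), hashlib.sha256).hexdigest()


def deidentify(rows, key):
    """Replace the meter ID with a pseudonym and drop the location field.

    Pseudonymized load profiles can still be distinctive, so this output
    needs tighter handling than the aggregates produced below.
    """
    return [(pseudonym(meter_id, key), hour, wh) for meter_id, _area, hour, wh in rows]


def aggregate(rows, min_meters=5):
    """Mean Wh per (area, hour), omitting cells with too few distinct meters.

    min_meters is an assumed threshold, not a value taken from the CPUC rules.
    """
    totals = defaultdict(float)
    meters = defaultdict(set)
    for meter_id, area, hour, wh in rows:
        totals[(area, hour)] += wh
        meters[(area, hour)].add(meter_id)
    released = {}
    for cell, seen in meters.items():
        # A small cell would expose an individual household's usage.
        if len(seen) >= min_meters:
            released[cell] = round(totals[cell] / len(seen), 1)
    return released


def sample_rows():
    """Constructed rows: (meter_id, area, hour, wh)."""
    rows = [("MTR-A%d" % i, "AREA-A", 0, 100 * i) for i in range(1, 6)]
    rows += [("MTR-B1", "AREA-B", 0, 250), ("MTR-B2", "AREA-B", 0, 900)]
    return rows


if __name__ == "__main__":
    print(aggregate(sample_rows()))   # AREA-B is suppressed: only two meters
```

Rotating the key breaks linkage between two releases; keeping it lets the custodian, and only the custodian, map a pseudonym back to a meter.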
AMI Networks
Let’s briefly review the networks that transmit smart meter data.
These are sometimes called advanced metering infrastructure (AMI)*
networks. The typical utility has several networks that are deployed
* From the Smart Grid Dictionary: “Electricity meters, bi-directional communications
network hardware and software, and associated system and data management soft-
ware that measures and records usage data at set intervals, and provides usage data to
consumers, utilities, and other parties at set intervals. The set intervals are specified
by regulatory agencies.”
for specialized services. The AMI network is one of them. It trans-
ports smart meter data from meters to collection points where routine
data—like consumption data—is usually aggregated and then trans-
mitted on a scheduled basis back to a utility’s central operations. Some
smart meter data is considered high priority and sent in real time back
to a utility for immediate action. High-priority data includes a “last
gasp” message from a meter—an indicator that there’s a service dis-
ruption causing a cessation of electricity to that meter. Smart meters
give utilities the ability to detect an outage in real time and initiate
restoration activities immediately—not hours later when impacted
customers call to complain.
AMI networks are bidirectional. Utilities can send messages or com-
mands to smart meters as well as receive data. One useful command is
to activate or connect a meter. This simple command eliminates count-
less hours spent waiting for the utility service representative to arrive
and start the flow of electricity into a new home or apartment. This
same functionality lets utilities determine if restoration services have
been successful in returning all affected customers to full power.
This bidirectional network functionality has real promise for trans-
active energy. It is technically possible for a utility to send price sig-
nals to the meter, and then into a building to any appliances or other
devices that are capable of receiving that signal. This “prices to devices”
scenario is discussed as a means to automate decisions about when to
use electricity. It is intriguing, but as of mid-2014, there were only a
few pilots exploring this capability. There are a number of reasons,
but from a technology perspective, it’s a chicken-and-egg dilemma. If
there isn’t a communications capability from the utility, then there’s
no need for electricity-consuming devices to have communications
functionality to a utility. And if the devices lack communications
capabilities, there’s no need to build utility networks that can send
signals to them.
The introductions of smart appliances and smart plugs are chang-
ing this situation. However, in many instances, there’s little or no
reliance on a utility network to communicate pricing information. The
communications are occurring over cellular, broadband, and Wi-Fi
networks that may not belong to utilities. Smart meters could be one
gateway to data exchanges of consumption data, but other gateways
are proposed by companies including AT&T, Comcast, Google, and
Apple.*
Smart Meter Data Summary
In summary, smart meters and their AMI networks do collect and
transmit energy usage data and voltage measurements. Green Button
data enables electricity customers to get more detailed information
about their consumption that can help them save money. It’s a volun-
tary, opt-in program where the customer controls who gets access to
his or her data.
Once smart meter data is transmitted back to a utility, what hap-
pens to it? There are several utility software applications that use data
from smart meters, as well as traditional, noncommunicating meters.
Meter data management systems (MDMSs) are specialized software
applications that handle the volumes of data that are derived from
smart meters. At a high level, MDMS applications generally include
a data repository that holds meter reads, events such as outage and
restoration with time stamps, and support audit trails to document
any data updates or changes. MDMS applications excel at manag-
ing large volumes of data, and smart meters can create significant
amounts of data. As of mid-2014, no U.S.-based utility was collecting
smart meter data at a smaller time increment than 15 minutes. That
translates into 35,040 annual data collection events per smart meter.
MDMS applications also perform validation, estimation, and edit-
ing (VEE) of meter read data. These functions help ensure the accu-
racy of meter data, which is vital for utility bill calculations. Some
MDMS applications offer additional analytics capabilities on energy
usage data. Some MDMS applications have personal information,
such as customer name or address; others just reference unique meter
IDs to associate consumption with a particular meter.
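The VEE functions and audit trail described above can be illustrated with one day of 15-minute reads. This is an added example, not code from the book or from any MDMS product: the plausibility ceiling, the linear-interpolation estimation rule, the function names, and the sample reads are assumptions or constructed values.

```python
from dataclasses import dataclass, field

INTERVAL_S = 900                        # 15-minute reads, as in the text
READS_PER_DAY = 86400 // INTERVAL_S     # 96
READS_PER_YEAR = READS_PER_DAY * 365    # 35,040 collection events per meter


@dataclass
class VeeResult:
    reads: list                         # (start, wh, "actual" | "estimated" | "missing")
    audit: list = field(default_factory=list)


def _valid(value, max_wh):
    is_number = isinstance(value, (int, float)) and not isinstance(value, bool)
    return is_number and 0 <= value <= max_wh


def _neighbour(values, i, step):
    """Index of the nearest validated read left (step=-1) or right (step=1) of i."""
    j = i + step
    while 0 <= j < len(values):
        if values[j] is not None:
            return j
        j += step
    return None


def vee_day(meter_id, day_start, raw, max_wh=5000):
    """Validate, estimate and edit one day of interval reads.

    raw maps interval start (epoch seconds) to Wh. max_wh is an assumed
    plausibility ceiling; linear interpolation is an assumed estimation rule.
    """
    starts = [day_start + i * INTERVAL_S for i in range(READS_PER_DAY)]
    # Validation: anything missing or implausible becomes a gap.
    values = [raw.get(s) if _valid(raw.get(s), max_wh) else None for s in starts]
    result = VeeResult(reads=[])
    for i, start in enumerate(starts):
        if values[i] is not None:
            result.reads.append((start, values[i], "actual"))
            continue
        left, right = _neighbour(values, i, -1), _neighbour(values, i, 1)
        if left is not None and right is not None:
            # Estimation: interpolate between the nearest validated reads.
            slope = (values[right] - values[left]) / (right - left)
            est = round(values[left] + slope * (i - left), 1)
        elif left is not None or right is not None:
            est = values[left if left is not None else right]
        else:
            est = None
        status = "estimated" if est is not None else "missing"
        result.reads.append((start, est, status))
        # Editing: each change is logged against the meter ID only, so the
        # audit trail carries no customer name or address.
        reason = "missing read" if start not in raw else "failed validation"
        result.audit.append({"meter_id": meter_id, "start": start,
                             "old": raw.get(start), "new": est, "reason": reason})
    return result


DAY = 1388534400  # constructed: 2014-01-01T00:00Z


def sample_raw():
    """Constructed day: flat 100 Wh reads with a gap and one negative value."""
    raw = {DAY + i * INTERVAL_S: 100 for i in range(READS_PER_DAY)}
    raw[DAY + 12 * INTERVAL_S] = 400
    del raw[DAY + 10 * INTERVAL_S], raw[DAY + 11 * INTERVAL_S]
    raw[DAY + 20 * INTERVAL_S] = -5
    return raw


if __name__ == "__main__":
    outcome = vee_day("MTR-0001", DAY, sample_raw())
    for entry in outcome.audit:
        print(entry)
```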
* See their corporate websites for more information: https://my-digitallife.att.com/
learn/ and http://corporate.comcast.com/news-information/news-feed/comcast-
launches-new-xfinity-home-control-and-energy-management-service-2.
Other utility systems may not contain detailed energy usage data,
but generally do contain personal information such as name, address,
and even financial data. The customer information system (CIS) and
customer relationship management (CRM) applications are a couple
of these applications. Another is the utility billing application that
generates the monthly bills consumers receive for electricity, gas, or
water. These applications generally hold the customer name, address,
and depending on which system is in play, financial information.
Some utilities own these applications and keep all data within logical
utility boundaries as defined by their data networks.
Utilities may outsource some of these capabilities to third parties
and allow consumer data (that could range from smart meter data to
automated payment data) to leave the utility’s computer systems and
communications networks and travel across public networks to non-
utility destinations. To be clear, outsourcing functions like customer
service or billing is a standard practice across many business sectors.
Many businesses are migrating to cloud-based solutions that are def-
initely outside of their logical perimeters, meaning that sometimes
sensitive data resides outside of their direct control. What we want to
point out is that energy usage data could end up outside of a utility’s
controlled domain of computers and communication networks.
Smart meters produce more data, there’s no question about that.
Smart meter data has many privacy protections, with a number of
states clearly stating that the consumer is the data owner of the data
coming from the smart meters. This is not the case with most loca-
tion-based services. There are legitimately beneficial reasons for con-
sumers to have their energy usage data correlated with other data and
analyzed to bring about changes in energy use that reduce costs and
carbon footprints. However, to conform with generally accepted pri-
vacy principles, all entities accessing, using, and possessing smart meter
data should be held accountable for protecting the data, and not
using the data beyond what the data owner has authorized.
Utilities and any third parties that have custodianship or manage-
ment of energy usage data or any other sensitive data, such as personal
information, need to exercise all required precautions for physical
and cyber security and privacy. Mapping and auditing the commu-
nications and computer facilities where data travels and resides is
extremely important to ensure the privacy of the data owners.
5
THE CONNECTED HOME
Smart Grid technologies embed new sensing, control, and communi-
cations technologies into utility networks and devices. The same tech-
nologies can also be incorporated in the networks and devices found
in homes, businesses, and factories. In many cases, they already are.
The connected home* is a convenient term to describe the burgeoning
applications that can improve security and quality of life and reduce
operating costs for people in a dwelling. Some people also call it a
smart home. By either term, it consists of communications networks
and communications-enabled devices or equipment, most notably
appliances, electronics equipment, and sensored (sensor-equipped)
home structures, and depending on the solution and degree of sophis-
tication, it may be controlled remotely. Figure 5.1 illustrates the main
consumption domains. This chapter focuses on the activity in the resi-
dential or home domain.
Home Area Networks
Commercial and industrial buildings have interior communications
networks that serve the same purpose as home area networks (HANs).†
A HAN, as its name describes, is a network in your home. It is also a
gateway for connection to the outside world. You may have one today
in the form of a wireless router that connects your laptops, printers,
tablets, smart phones, and entertainment devices to the Internet. As
* See more about connected homes at http://solartoday.org/2014/06/interest-in-
connected-home-and-alternative-energy-solutions-to-increase-six-fold-accenture-
research-shows/.
† These may be specialized M2M networks called building automation systems
(BASs) or energy management systems (EMSs) to manage HVAC, lighting, and
other building services separately from networks that transmit human communica-
tions. In factories, these networks typically monitor and manage processes.
Figure 5.1 Smart Grid domains. (From Report to NIST on the Smart Grid Interoperability
Standards Roadmap, Electric Power Research Institute (EPRI), Palo Alto, CA, 2009.)
(mostly) wireless technologies proliferate in North American homes*
in the form of Wi-Fi† routers for computers, laptops, tablets, and other
mobile devices, similar technologies can enable home thermostats,
clothes dryers, hot water heaters, and other appliances outfitted to
communicate within the home and with the outside world.
* Power line carrier (PLC) technology uses the electrical wiring to send communica-
tions. It is more commonly used in Europe than in the United States.
† From the Smart Grid Dictionary: “An IEEE (Institute of Electrical and Electronics
Engineers) standard 802.11 that refers to a family of specifications developed by
the IEEE for wireless LAN technologies that use unlicensed radio spectrum. The
term Wi-Fi initially described operations in the 2.4-GHz band, but the term has
also been applied to unlicensed wireless devices operating in the 5-GHz band in
accordance with IEEE 802.11a. Wi-Fi technologies may also work in licensed spec-
trum. The FCC (Federal Communications Commission) does not require devices
operating in unlicensed spectrum to meet the IEEE standards. The IEEE 802.11i
standard addresses security issues with Wi-Fi.”
HANs connect energy management devices (like programmable
communicating thermostats (PCTs)*), consumer electronics, appli-
ances, and energy management applications inside the home.† A
HAN in a smart home logically connects devices that can be remotely
monitored and controlled, and communicates status between devices
and a homeowner. The key common capability is that all devices in a
HAN are communications enabled or “smart.” Therefore, a refrigera-
tor may be drawing electricity, but unless it is equipped with an abil-
ity to transmit or receive communications through either “in skins”
or built-in communication capabilities or an external smart plug,‡ it
won’t appear as a connected device in your HAN. Your HAN could
be your gateway to the Internet for bidirectional communications
to the rest of the world and will be discussed later in this chapter.
Communication that occurs solely between devices is also known as
machine-to-machine (M2M) communications, and in many aspects
a HAN is an example of M2M.
This book won’t explore the technological pros and cons of each
HAN communications technology or protocol. Other books debate
the distinctions between wireless and wired signaling technologies for
home automation.§ Regardless of the communications scenario, here’s
a key point. There is data that can be created by devices and carried by
a HAN. Communication options and their standards and protocols
offer different degrees of security of data, and different mechanisms
(technical, physical, and administrative) for securing the data. While
good security is integral to data privacy protection, our discussion in
* From the Smart Grid Dictionary: “A thermostat that controls HVAC components
based on consumer time and temperature preferences. It may communicate with a
smart meter or a smartphone. PCTs may be used to deliver automated participation
in demand response programs.”
† From the Smart Grid Dictionary: “A network of energy management devices, digi-
tal consumer electronics, signal-controlled or enabled appliances, and applications
within a home environment that is on the home side of the electric meter. It is similar
to a home-based LAN, but it connects more than personal electronics like comput-
ers, printers, and TVs. HAN specifications include OSHAN, ZigBee, HomePlug,
Z-Wave and Wireless M-Bus (a wireless variant of M-Bus).”
‡ From the Smart Grid Dictionary: “Hardware that enables remote monitoring and
control of devices in homes or businesses. It retrofits existing 120V AC wall outlets
with (typically wireless) communications capabilities.”
§ Here are some of the other contenders for home automation: 6LoWPAN, LonWorks,
Wi-Fi, FlexNet.
this chapter remains focused on the policies and practices that gov-
ern energy usage data. Chapter 8 includes discussion of the security
methods that can be used to secure energy usage and production data.
Key points to consider in any communications scenario are the own-
ership, custodianship, and management of energy usage data, because
they have significant impact on the privacy risks accompanying this
data, but are too often overlooked after the security controls have been
established.
Communications Options
With regard to ownership, custodianship, and management of energy
usage data, there are two primary communications scenarios to con-
nect HANs to the external world. The first option is utility-based
communications. In this scenario, utility networks carry data back
and forth between the HAN and the utility head end.* Utility-based
communications may use the smart meter as the transmitter and
receiver to relay messages between the utility and the devices con-
nected to a HAN (i.e., the gateway.) A smart meter that can serve as
a gateway has two wireless radio communications chips. One chip
enables communications between the utility and the meter. The sec-
ond chip enables communications between the meter and the HAN,
or directly with devices in the home that are enabled to transmit and
receive data. At the time of this writing, only a small percentage of all
the smart meters in the United States have an activated second chip.
The vast majority of installed smart meters do not have an active com-
munications channel established in the home.† Utility-based commu-
nications may also use some other communications platform. What
makes them utility based is that the electric utility owns and manages
the communications between the HAN and the utility.
The second category covers broadband service providers such as
AT&T, Verizon, Comcast, and some alarm companies. These com-
panies provide home automation services and home security services
* The head end is industry jargon to denote the centralized reception point for data
that is behind the utility (or other entity’s) logical firewall protecting its operations.
† The reasons are generally summarized as an absence of a predominant home auto-
mation standard and a paucity of utility services that can leverage communications
capabilities inside residential dwellings.
along with their traditional voice, Internet, and cable TV services.
You may have seen the ads about remotely monitoring or adjusting
thermostats to enhance comfort or save money. The gateway device
into the home that supports these capabilities is not a smart meter,
nor is it owned and controlled by the electric utility. It is a broadband
router or other network device that functions as a hub for these ser-
vices in the home.
Home Energy Management Systems
Home energy management systems (HEMSs) are software applica-
tions that display information about a home’s energy consumption
and may also provide control capabilities for devices that are capable
of being managed by it. Some HEMS solutions also bundle in spe-
cialized hardware such as programmable communicating thermostats
(PCTs) or smart plugs. HEMSs leverage the communications capa-
bilities of a HAN. HEMSs are fairly new solutions with little stan-
dardization, and there’s a wide range of vendors that provide varying
features and functionality. We’ll discuss HEMS solutions in general
terms and avoid any comparisons of them.
Your home might already have a programmable thermostat. You
can define and modify the timing for heating or air conditioning to
occur, and the temperature setting for that heating or cooling. With
a PCT and an interface with a HEMS solution, you can do that pro-
gramming from a laptop, tablet, or smart phone. Your connection
could be a HAN, a utility-supplied interface with the local grid, or
the Internet via a third-party solution from a cable provider.
HEMSs often start as a software solution that controls a PCT
since heating, ventilation, and air conditioning (HVAC) is the largest
use of electricity or gas in the average residential building.* The solu-
tion could be part of an offering from a company that you authorize to
work with your Green Button data. HEMSs are targeted to residen-
tial buildings, and typically single-family use. Similar management
systems called building energy management systems (BEMSs) or
simply energy management systems (EMSs) provide similar functions
* HVAC loads are also predominant for most commercial buildings, but we’ll focus
on residential buildings in this discussion.
for commercial buildings or multifamily housing such as apartment
buildings. Given the focus on the privacy risks related to energy usage
data, most of our discussion will address HEMSs and the single- and
multifamily residential market sectors, which have the most apparent
privacy-related risks. However, there are still risks for other types of
locations and buildings. These are discussed in the next sections of
this chapter.
HEMS Adoption
Today, HEMS applications are still in early adoption stages. There
are many reasons that these applications are slow to achieve mass
popularity, but two important reasons are: (1) a lack of common com-
munications standards or protocols between consumer products such
as appliances and electronic devices, and (2) lack of common com-
munications standards or protocols between those devices and the
grid. According to Chris Kotting, executive director of the Energy
Information Standards Alliance (EIS Alliance), “The development
of a common expression of fundamental or abstract information for
Home Energy Management Systems (HEMS) is crucial for manu-
facturers and service providers to develop systems that allow for dif-
ferent appliances, HVAC, lighting, entertainment and other home
systems to work together. This is true not only for equipment entering
the marketplace now [at the time this book was written], but for prod-
ucts still on the proverbial ‘drawing board.’ These systems may each
use different ways of expressing information internally, and having a
common expression all can refer to will allow them to communicate
needed data, and only needed data, for intelligent coordination.”*
Here’s an easy way to think about it, and this is equally true about
interoperability concerns for manufacturers of any Smart Grid tech-
nologies. For instance, some manufacturers may use yes/no to indicate
if power is on or off in a device. Other vendors may program this
status data as on/off. When converting back to binary machine code,
everyone has to agree that if yes is the equivalent of on, and no equals
off, then 1 now corresponds to the yes/on state and 0 corresponds to the
* http://www.eisalliance.org/index.php/press-releases/5-home-energy-management-
systems.
81
THE CONNECTED HOME
no/o state. Simply put, dierent ways of saying the same thing pre-
vent dierent companies’ products from working together, and that
increases costs and complexity for consumers.
Industry associations such as the EIS Alliance exist to encourage
different systems and architectures from vendors to operate together
in homes with appropriate communications and coordination. That
means that consumers can install different vendors’ products in homes
with the confidence that the products can “play well together” under
the monitoring and control of HEMSs and HANs. Just like we would
like all the equipment in our entertainment centers to work with a
single remote control, we will want one HEMS solution to be used
for our kitchen, laundry, and electronics appliances and devices found
in homes. As noted above, most communications service providers are
bundling additional services, including healthy lifestyle applications,
along with dedicated touchscreen displays that function as sophisticated
remote controller devices.* Current trends point to the smart
phone becoming a universal home controller via apps.† Whatever
the type of app or device that is chosen, app developers, smartphone
manufacturers, and communications service providers will need to
ensure they engineer the apps and devices with privacy controls to
address the associated risks if they hope to be well received by a
privacy-breach-weary public. Additionally, the legal privacy protections
regarding energy usage data vary based on the provider and the type
of device that serves as the interface to a utility, a broadband or mobile
carrier’s network, or another service provider via the Internet.
* As just one example, in Rebecca’s home state of Iowa, Mediacom, a cable and
telecommunications company, is seeking to become the home energy management
solution of choice with its dedicated devices and apps that run on laptops, smart
phones, and other types of devices. See more at
https://mediacomcable.com/site/bundlesdg/home_security.html. See “HEMS Vendor
Taxonomy” showing a wide range of the possibilities at
http://www.greentechmedia.com/research/report/home-energy-management-systems-2013-2017.
† http://www.electricaltimes.co.uk/blogs/blog-entry/the-rise-of-home-automation.
HEMS Communications with the Smart Grid
Here’s one scenario that describes how HEMS solutions or smart
devices connected by a HAN can communicate with a utility or an
ESP and become part of the Smart Grid. A homeowner has enrolled
in a utility’s program that asks customers to voluntarily reduce
electricity use on specific dates and times.* These selected time frames
typically occur on the days when a utility has the greatest demand
for electricity. As noted before, wholesale electricity markets obey the
laws of supply and demand. When demand is greatest, supply is most
expensive. The utility wants to avoid buying megawatts of electricity
at this most expensive peak price because it is regulated or managed
to keep electricity rates as low as possible for consumers.
One way to avoid buying expensive electricity is to ask customers to
voluntarily reduce their use. So on a very hot day in California when
every air conditioner in the Central Valley is running full blast, the
utility asks our hypothetical homeowner to cut back on electricity use.
How does the utility do this? Some programs are set up so the
homeowner gives permission for the utility to automatically raise the
temperature on residential thermostats by a degree or two, or cycle AC unit
compressors on and off.† The homeowner can opt out of participation
if needed. Other demand response (DR) programs send a message by
our homeowner’s preferred means of communication—usually a text,
email, or phone alert—requesting voluntary cutbacks in electricity use.
These reductions in energy use are made by the homeowner—the
consumer—not the utility. The reduction impacts are negligible to each
participating homeowner, but on an aggregated scale, these actions
add up to sufficient reduced electricity usage to avoid that purchase of
the most expensive electricity. That has a benefit to the utility and to all
customers by keeping electricity costs lower. Our homeowner enjoys a
reduction in electricity rates or a rebate on the bill.
* These are usually known as demand response (DR) programs within utilities, and
are branded by a variety of different names when marketed to utility customers.
† Programs operate today in this fashion without a HAN or a smart meter to support
them. Simple radio controllers are affixed to outdoor AC units and these respond to
signals from utility networks. Some other programs control residential pool pumps
in the same fashion. These programs are effective, but require that each AC unit or
pool pump have its own radio device co-located with it.
HANs and HEMSs offer interesting possibilities to expand the
number of electricity-using devices that could automatically
participate in these programs, increasing the potential for significant
reductions in electricity during the times when it is most expensive. When
“smart” appliances, which have communications capabilities, are added
to the equation, the hypothetical amounts of electricity consumption
that can be avoided at certain times dramatically increase. Here’s an
example of how this might look in the future and on the path of a
transactive energy future. If you have a HAN connecting your smart
appliances and have designated that your thermostat, refrigerator’s ice
maker, clothes dryer, dishwasher, and electric hot water heater can
participate in a DR program, each of these devices must have
communications capabilities to receive and transmit data to your HEMS—which
is most likely in a laptop, tablet, or smart phone. You would program
settings for demand response, such as “don’t make ice between 2:00
and 7:00 p.m.” or “start a dishwashing cycle only after 6:00 p.m.,” in
order to avoid using electricity during the hours of greatest demand.
Sure, you could run around the house and turn things off manually in
response to an email or text, but there might come a day where you
forget to adjust something and receive an expensive electric bill as a result
of consuming electricity at the wrong time. This is why the concept
of set and forget is very important to developers of connected homes,
smart appliances, and HEMS solutions.
Continuing with this scenario, on those DR event days, your
appliances would receive signals via your HAN that instructed them to
operate with the restrictions you put in place on them. These signals
could come from a utility and be sent via a smart meter, or they could
be sent over the Internet to your HAN from the utility or from an
energy services provider (ESP). This distinction becomes extremely
important, as you’ll learn later in this book. If you choose to override
those controls, you can—so on that DR event day when you have a
party planned for 50 people, you will have all the AC and ice you
need, but it may cost you.
In this future scenario, here’s where the granularity and value of
data beyond energy management come into play. The utility or ESP
will need to know if you are complying with the electricity reduction
request, and if not, how much variance there is in your electricity use.
Depending on the turnaround times between their initial request and
their checkup to see if your appliances are performing as expected,
your utility or ESP might send a text alert to let you know that your
home hasn’t reduced electricity use as much as anticipated. Is this a
problem? Maybe, maybe not. Perhaps your refrigerator compressor is
failing, so it is running more than it should, and consumes more
electricity as a result. Perhaps a device isn’t programmed correctly. Perhaps
you have out-of-town guests and overrode all appliance instructions
while they are in town. All your utility or ESP can tell you is that you
are using more electricity than you promised to use. Or is there more
it can tell about your electricity use? Quite possibly yes, if it correlated
this data with other energy usage data.
HANs Do Not Need Smart Meters
Here’s a key point to remember: a HAN does not need a smart meter
to perform as described here. It could work with an Internet
connection—wired or wireless. This is the approach adopted by companies like
Comcast or Verizon. It also requires a collection of smart plugs or appli-
ances that can communicate across that HAN supporting a common
protocol. Just like the wireless local area network (LAN) in your home
can connect to all computers, entertainment displays, tablets, and smart
phones that have communications capabilities, a HAN could connect
smart appliances and other types of smart electronic devices. We’ll dis-
cuss smart appliances in greater detail later in this chapter.
HANs as Communications Gateway Devices
A HAN could be the gateway device for communications “on the other
side of the meter,” meaning it could serve as the interface between utility
or ESP equipment and smart devices in the home. However, its ability
to function within a dwelling is unrelated to a connection to the outside
world. HANs and HEMSs, like wireless modems, should have strong
passwords to prevent unauthorized access to devices in your home. For
instance, an article in Forbes magazine* detailed how that author hacked
into several homes that deployed a device from an unnamed
manufacturer—a device that had no password protections and no other security
controls implemented. The author was able to obtain personal
information, and remotely control devices like lamps that were connected to the
hacked systems. No smart meter or HEMS solution was involved in
this scenario, but without proper security safeguards, privacy and data
integrity can be compromised. It is critical for each consumer to ensure
all the appropriate security controls are implemented within his or her
HAN to minimize the risk that unauthorized entities can gain access
to the data within the HAN.
* http://www.forbes.com/sites/kashmirhill/2013/07/26/smart-homes-hack/.
History just continues to repeat itself. Years ago, the examples of
password carelessness concerned companies that installed expensive
telecommunications equipment and never changed the default pass-
word of 1234 to something unique, exposing themselves to all sorts
of nefarious havoc. More recently, the Department of Homeland
Security encouraged transportation agencies to change default
passwords for the digital signs that offer traffic advisories after a couple of
quite visible hacks.*
Comcast was contacted as part of an inquiry to learn more about
the home automation services, and in particular, ask questions about
encryption of data and privacy policies. The answers, or rather the
lack of them, reveal a great deal. At the time of this writing Comcast
had not received too many questions about data privacy, and
therefore didn’t have much information about technologies and policies in
this topic area. That’s not a criticism leveled solely at Comcast. It’s a
cautionary message to all of us. However, we had to feel sorry for the
contact center agent—she obviously hadn’t been trained to address
these questions and had no resources to turn to.† The investigating
author, Christine Hertzog, asked about obtaining a copy of the data
privacy policy for one of its home automation services that included
home energy controls. The response was, “We’ll get back to you in 3–5
days.” Christine is still waiting for that information.
* http://www.torontosun.com/2014/06/06/after-godzilla-attack-us-warns-about-traffic-sign-hackers.
† An SGIP SGCC Privacy Subgroup training subteam led by Rebecca Herold
created sets of “train the trainer” type of training slides for a variety of entities to use.
Included in these was a set to train those who must answer such questions from
customers. You can obtain the training slide sets at
https://collaborate.nist.gov/twiki-sggrid/bin/view/SmartGrid/CSCTGPrivacy#Privacy_Training_Slides.
Privacy Risks within Rentals and Other Leased Spaces
The prior discussion focused on single-family residences. However,
there are additional concerns with using HEMSs within rental
properties. Rent payments sometimes include utility services like
electricity or water, particularly in properties where one meter is
associated with all units. This creates the concern that the named party for
the meter supplying a rental unit would then have access to detailed
energy usage data for renters. Could tenants subsequently be
discriminated against, evicted, or have their rent payments raised if the
landlord determined the renter was using too much electricity? Would
landlords be able to monitor tenant activities through their energy
usage throughout the day and in various locations of their rented
spaces? It is technically feasible, but not practically feasible, at least
without some level of awareness on the part of the tenants. However,
these privacy concerns need to be addressed as more laws mandating
the reporting of energy usage are deployed in cities and states to drive
energy savings and job creation.*
Utilities are struggling with how to provide energy usage reports to
entities legally entitled to such information for residential rental units
without infringing on the privacy of those living within them. For
example, in January 2013, Xcel Energy asked Minnesota state
regulators for guidance† on the minimum number of customers to include in
aggregated energy usage data reports without infringing on the
privacy of those whose data was being used. Could they aggregate total
building energy usage data for a 50-tenant property without exposing
any individual customer’s information? The privacy risks of a building
with just two or three renters would be more significant because
fewer tenants are involved—even an intuitive guess at a single
unit’s energy usage data would be much easier to make.
Xcel Energy requested more legal guidance and state policy to protect
consumer privacy to help utilities make better decisions whenever
aggregated energy usage data was evaluated with the goal of energy
usage improvement.
* California’s Assembly Bill (AB) 1103 mandates benchmarking at a whole building
level of energy efficiency information for nonresidential buildings, which raises
privacy concerns for commercial and industrial tenants. Resolution of these concerns is
ongoing as of this writing. http://www.energy.ca.gov/ab1103/.
† See https://www.edockets.state.mn.us/EFiling/edockets/searchDocuments.do?method=showPoup&documentId={D3334DBB-4851-4606-BEEF-3D59B2DC711D}&documentTitle=20131-83405-01.
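The aggregation question raised above, as an added example (not from the book or from Xcel Energy's filing): a release check for building-level totals that enforces a minimum unit count and a maximum single-unit share, plus the subtraction that makes a small building risky. Both thresholds, the unit names and the kWh figures are constructed assumptions.

```python
"""Added example: screen an aggregated building energy report before release."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Hypothetical policy parameters, chosen for illustration only.
MIN_UNITS = 15      # fewest metered units allowed in one aggregate
MAX_SHARE = 0.15    # largest fraction of the total any single unit may hold


@dataclass
class ReleaseDecision:
    released: bool
    total_kwh: Optional[int]   # None when the aggregate is withheld
    reason: str


def screen_aggregate(unit_kwh: Dict[str, int],
                     min_units: int = MIN_UNITS,
                     max_share: float = MAX_SHARE) -> ReleaseDecision:
    """Release the building total only if no single unit can be singled out."""
    n = len(unit_kwh)
    total = sum(unit_kwh.values())
    if n < min_units:
        return ReleaseDecision(False, None,
                               f"{n} units is below the minimum of {min_units}")
    if total > 0:
        top = max(unit_kwh.values())
        if top / total > max_share:
            # One dominant unit makes the total a close proxy for that unit.
            return ReleaseDecision(False, None,
                                   f"one unit holds {top / total:.0%} of the total")
    return ReleaseDecision(True, total, "ok")


def differencing_residual(unit_kwh: Dict[str, int], insider: str) -> Tuple[int, int]:
    """What a party who already knows one unit's reading can derive from the
    total: (combined kWh of the other units, number of units sharing it)."""
    total = sum(unit_kwh.values())
    return total - unit_kwh[insider], len(unit_kwh) - 1


# Constructed monthly readings in kWh (not real customer data).
DUPLEX = {"unit-A": 410, "unit-B": 655}
FIFTY = {f"unit-{i:02d}": 250 + 37 * ((i * 7) % 13) for i in range(1, 51)}
SKEWED = {f"unit-{i:02d}": 300 for i in range(1, 20)}
SKEWED["unit-20"] = 5000   # one very heavy user among 20 units

if __name__ == "__main__":
    for name, building in (("duplex", DUPLEX), ("50 units", FIFTY), ("skewed", SKEWED)):
        print(name, screen_aggregate(building))
    # In the duplex the residual is exactly the neighbour's usage.
    print(differencing_residual(DUPLEX, "unit-A"))
    # In the 50-unit building the same subtraction only yields a 49-unit sum.
    print(differencing_residual(FIFTY, "unit-01"))
```

A unit count alone is not enough: the skewed 20-unit building passes the count check but is withheld because one unit dominates the total.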
While current laws protect social security numbers (SSNs) and
standards protect credit card numbers, at the time this book was writ-
ten, no known laws or regulations existed to protect renters’ energy
usage data from building owners or landlords,* or indeed from being
published for public review. Since housing trends are moving toward
more multifamily and rental housing,† this area should be addressed
sooner rather than later, given the associated privacy risks. Chapter 7
provides more discussion of the various privacy risks of renters, and
Appendix A documents the privacy risk levels for energy usage data
within privately owned dwellings and commercial and industrial sites.
* This scenario applies when a building owner, landlord, property management
company, etc., pays for the utility bills.
† Fannie Mae report:
http://www.fanniemae.com/portal/research-and-analysis/data-note-0312.html.
For more discussion about the unique challenges of rental
housing and the Smart Grid, see these blogs by Christine Hertzog:
http://www.smartgridlibrary.com/2014/04/28/wanted-smart-grid-policies-for-14-million-homes/
and http://www.smartgridlibrary.com/2014/04/14/the-smart-grid-and-multifamily-dwelling-challenges/.
Employee Privacy Risks within Commercial Buildings and Industrial Sites
Similar to the privacy concerns within residential rentals, there have
also been concerns expressed about the privacy risks of HEMSs
within commercial buildings and industrial sites. However, unlike
residential dwellings, industrial and commercial facilities have
historically not been locations where there is an expectation of privacy
outside of locker rooms, bathrooms, or other personal care spaces.
In 2010 one of the authors, Rebecca Herold, participated in a team
that included a National Institute of Standards and Technology
(NIST) representative and the security officer from a large Midwest
utility that spent several months researching and discussing the
possible privacy issues within commercial buildings and industrial sites.
Appendix A documents the privacy risk levels for these areas. The
conclusion was that since these areas have historically been subject to
monitoring and surveillance for safety reasons, and because business
owners typically have established policies that employees and others
within the premises are subject to monitoring, and with consideration
of the bulk electricity usage in commercial sites, there were
minimal privacy risks within such locations specifically related to
electricity usage. However, when considering the use of personally owned
electric devices, plug-in electric vehicles (PEVs), and mobile devices
with smart energy apps loaded on them that could reveal information
about an employee’s off-business-site activities, there are some privacy
risks involved.
Chapter 7 provides more discussion of the various privacy risks of
renters and employees.
Disaggregation Technologies
Disaggregation technologies use specialized current-sensing
equipment and data algorithms to break down electricity use into
individual device or appliance consumption. These technologies can be
deployed at the smart plug level or at the electrical panel as a “whole
home” solution. Here’s a basic overview of disaggregation
technologies. The associated privacy risks of disaggregation will be discussed
in Chapter 7.
Hardware
One version of this technology deploys a smart plug that connects
into the wall socket, and then the appliance or device to be studied is
plugged into that smart plug.
Whole home disaggregation technology incorporates sensors at the
electrical panel or breaker box* that sample the flow of household
current and detect patterns of energy use that are common to a
specific appliance, based on comparison of those patterns to a collection
of other power consumption patterns. Those collections of patterns or
signatures are usually derived from plug-level research. Each type of
appliance has a unique signature, and if you collect enough examples
of signatures, you could match electricity signatures the way crime
technicians match tire or shoe treads. This could be useful for home
energy audits, spotting appliance failures before they happen, or other
helpful predictive uses, as discussed below. However, as with other
benefits, this also brings insights into energy usage that create privacy
concerns, as discussed in Chapter 7.
* The electrical panel box is also known as a fuse box, panelboard, circuit breaker box,
and breaker panel.
Software
There are disaggregation technologies that are software based too.
These solutions take smart meter data and run sophisticated
analyses of the energy usage data correlated with such things as weather
data and even information gathered from queries with their
customers. Typically cloud based, software disaggregation technologies also
seek patterns based on large libraries of electricity signatures. The
biggest distinction between the hardware- and software-based solutions
is that the hardware solutions have much more granular data than
software solutions, which are at the mercy of the utility’s scheduled
meter read. The difference can be 25 milliseconds (hardware) to 15 or
60 minutes (software).*
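The granularity gap described above, as an added example (not from the book): the same constructed one-hour household load is read at 1-second resolution and again as 15-minute averages, and one simple step detector with a small signature library is run on both. The appliance wattages, the schedule and the 10% matching tolerance are assumptions, and the 1-second samples stand in for the much faster hardware sampling rate.

```python
"""Added example: how the meter-read interval limits appliance-level inference."""

# Constructed signature library: steady-state power step per appliance (watts).
SIGNATURES_W = {"refrigerator compressor": 120, "microwave": 1100, "kettle": 2000}
BASELINE_W = 150  # always-on load (assumed)

# Constructed schedule for one hour: (appliance, start second, stop second).
SCHEDULE = [
    ("refrigerator compressor", 300, 900),
    ("kettle", 1000, 1180),
    ("refrigerator compressor", 2100, 2700),
    ("microwave", 3000, 3120),
]


def build_trace(seconds=3600):
    """Whole-home power at 1-second resolution, as a panel sensor might see it."""
    trace = [float(BASELINE_W)] * seconds
    for name, start, stop in SCHEDULE:
        for t in range(start, stop):
            trace[t] += SIGNATURES_W[name]
    return trace


def downsample(trace, factor):
    """Average consecutive samples, as an interval meter read does."""
    return [sum(trace[i:i + factor]) / factor for i in range(0, len(trace), factor)]


def match_signature(step_w, tolerance=0.10):
    """Return the library entry closest to |step_w| within tolerance, else None."""
    best = None
    for name, watts in SIGNATURES_W.items():
        err = abs(abs(step_w) - watts) / watts
        if err <= tolerance and (best is None or err < best[1]):
            best = (name, err)
    return best[0] if best else None


def detect_events(trace, interval_s, min_step_w=50.0):
    """List (time_s, 'on'/'off', appliance or None) for each large power step."""
    events = []
    for i in range(1, len(trace)):
        step = trace[i] - trace[i - 1]
        if abs(step) >= min_step_w:
            events.append((i * interval_s,
                           "on" if step > 0 else "off",
                           match_signature(step)))
    return events


def identified(events):
    """Switch-on events that matched a known appliance signature."""
    return [(t, name) for t, state, name in events if state == "on" and name]


if __name__ == "__main__":
    fine = build_trace()
    coarse = downsample(fine, 900)  # four 15-minute averages
    print("1 s reads   :", identified(detect_events(fine, 1)))
    print("15 min reads:", identified(detect_events(coarse, 900)))
    print("15 min averages (W):", [round(w, 1) for w in coarse])
```

At 1-second resolution every switch-on is attributed to an appliance with its time of use; in the 15-minute averages the steps are smeared into values that match no signature, which is why the read interval is itself a privacy-relevant setting.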
Here’s an important point. Disaggregation technology was not
installed in smart meters at the time this book was written, and meter
manufacturers weren’t too keen on installing this technology into
their meters. Meter manufacturers and utilities want to keep meters
focused on what they are meant to do—measure the electricity you
use so they can send you an accurate bill. Loading a meter down with
processor-intensive comparisons of electricity signatures, or consum-
ing valuable utility network space to communicate to a cloud, just to
learn what appliance is operating at any point in time, conflicts with
the primary mission of keeping track of how much power is flowing
through each meter.
* See http://www.greentechmedia.com/articles/read/perfecting-energy-disaggregation-in-the-home
for discussion of hardware. Software disaggregation technologies rely
on the data transmitted by smart meters; thus, the interval is set by the utility. To
date, utilities in the United States have not collected smart meter data in intervals
less than 15 minutes.
In conclusion, disaggregation software and hardware technologies
are opt-in technologies that are visible to homeowners (as hardware
installed in the breaker box, or software feedback loops). So why would
someone want this technology? The answer is that the ability to break
down an electric current into the unique signatures of consumption
by different devices is a powerful tool to assist consumers, utilities,
and manufacturers in understanding energy consumption behaviors
and patterns for appliances and electronics. There are a number of
academic studies that demonstrate the value this data delivers to help
consumers make informed and fact-based decisions about usage.* It
could show a homeowner that a replacement of an aging appliance
for a more energy efficient one is a great money-saving investment.
From a utility perspective, this data could help formulate programs
to encourage selection of more energy efficient appliances or target
new categories of devices for demand response programs based on
when they are used. Even from a market research perspective, this
data could be quite valuable for manufacturers to influence product
designs or future services. We emphasize the use of the word could
here because the numbers of disaggregation devices were fairly low at
the time this book was written, and much of the existing work with
this data had been in academic research.
Disaggregation technologies eliminate the guesswork involved to
see when the blender is whirring or the hot tub jets are bubbling,
because “libraries” of electricity signatures can easily compare and
match the signatures disaggregated from plug devices or technology
at the electric panel.
However, while disaggregation activities bring benefits as described,
they also bring significant privacy risks that must also be addressed.
These risks and a few possible mitigation methods are discussed in
Chapter 7.
* This paper studies disaggregation and lists additional research.
http://web.stanford.edu/group/peec/cgi-bin/docs/behavior/research/disaggregation-armel.
Smart Appliances
Appliance is the generic term we use for kitchen equipment or white
goods like refrigerators, stoves, microwaves, and dishwashers. It also
covers laundry devices—washers and dryers. Electronic devices like
TVs and receivers, hot tubs, smoke alarms, baby monitors, and
closed-circuit TV (CCTV) surveillance systems can also be considered
appliances. Finally, there’s equipment that resides in a utility closet
or basement or outside—the heating, ventilation, air conditioning
(HVAC) gear, water heaters, spas, and pool pumps. This last
grouping has some special characteristics.*
A smart appliance is a device or appliance that can bidirection-
ally share data with a utility or service provider, and some even have
data storage or data processing capabilities. It is also likely to contain
more sensors than ever before to create new or more data. One of the
authors would like to have a sensor or two in the oven to warn about
possible overbaking before activating the sensor called the nose or the
sensor called the smoke detector.
Connecting Home Appliances
As noted earlier in the discussion about HANs, there are two basic
scenarios to deliver connectivity to home appliances. The first
scenario is that selected smart appliances communicate with the electric
grid via utility-owned equipment. The second scenario is that smart
appliances connect to the Internet, and a hub or gateway within a
residential dwelling is the communications manager. For the first
scenario, that could be a HAN controller, and in the second scenario,
it could be a Wi-Fi router or hub supplied by a telephone or cable
service provider, or even an appliance manufacturer.† The connected
smart appliances (in the future, to include EVs, energy storage,
and private generation assets such as rooftop solar in this category)
communicate with this hub or gateway, which in turn manages the
connectivity to the utility or another vendor or energy services
provider. It turns out there is a third scenario, in which smart appliances
communicate directly to the cloud and use an operating system like
Android or iOS and apps to deliver information to the appliance
owners. And as our research discovered, this data was provided to
the appliance manufacturers.
* Some of these devices are typically powered by natural gas rather than electricity.
Particularly when it comes to furnaces or water heaters, the operations are already
automated courtesy of sensors for temperature (air or water).
† http://www.greentechmedia.com/articles/read/whirlpool-launches-the-wi-fi-smart-appliance.
Increasingly more appliances, even a hairdryer or toaster oven,
could be outfitted with communications capabilities. The annual
Consumer Electronics Show in Las Vegas highlights this trend. Here
are some smart devices available when this book was written:
• A smart lock that can be controlled remotely and have a cam-
era to record who is at your door*
• Smart appliances that may track energy usage, but can also
provide detailed information about usage and have cameras
built in to record those using them†
• Wi-Fi-enabled crock pots, and lightbulbs with remote control
capabilities‡
• Thermostats that analyze heating and cooling settings to
detect trends with remote monitor and control capabilities§
• Smart toothbrushes that collect data on your brushing habits,
including duration, frequency, and neglected zones in your
mouth, and then communicate with your iOS or Android
smart phone via Bluetooth technology¶
From a utility perspective, appliances that consume the most
electricity or gas are most important for DR programs. These appliances
may have operational flexibility or discretionary use—meaning the
device or appliance owner can postpone use to different points in time
or modify parameters such as heating or cooling temperature, or even
operate differently to provide other (somewhat esoteric) services back
to the utility or ESP. For utilities, these are the appliances that make
sense to enroll in demand response programs. These generally include
HVAC equipment, clothes dryers, dishwashers, ovens, and hot water
heaters—devices that tend to be the biggest energy users. These smart
appliances must somehow connect to a utility or third party that
manages DR programs to receive or transmit data.
* For example, see http://abcnews.go.com/Technology/ces-2014-smart-devices-mashed-home-appliances/story?id=21468578#1.
† For example, see http://abcnews.go.com/Technology/ces-2014-smart-devices-mashed-home-appliances/story?id=21468578#2.
‡ For example, see http://abcnews.go.com/Technology/ces-2014-smart-devices-mashed-home-appliances/story?id=21468578#4.
§ For example, see http://www.cnet.com/products/nest-learning-thermostat/.
¶ For example, see http://www.kolibree.com/.
DR Programs
DR programs are price based or capacity based. Price-based systems
are precursors to future transactive energy markets and are predicated
on the assumption that electricity (or gas or water in the future) is in
some sense dynamic in price. Smart appliances could have the intelli-
gence to be programmed or instructed to operate or not based on price
signals. The programming is controlled by the appliance owner and,
once in place, would automatically perform based on those
instructions. Owners have the ability to override the usual programming for
any special circumstance. This is the basic construct for OpenADR,
an industry group that promotes an open protocol for all appliance and
device manufacturers to adopt to readily accept utility price signals.
OpenADR, the acronym for Open Automated Demand Response,
is an open standard for electricity providers and system operators to
communicate DR signals over any existing Internet Protocol (IP)-
based communications network like the Internet. It has support from
a number of industry stakeholders, including appliance manufacturers,
building managers, ESPs, and utilities who see the value in widespread
adoption of the standard. We’ll discuss OpenADR more in Chapter 9.
We alluded to data collection by appliance manufacturers a few
paragraphs back, and this deserves careful examination. This is another
new area of data collection. Some data is based on energy
consumption, but most of the data collected today focuses on consumer use of
appliances, and that concerns privacy. One of the pioneers in smart
appliances is Whirlpool Corporation. At the time of publication,
there were four electric appliances—a refrigerator, a clothes washer, a
dryer, and a dishwasher—that were equipped with a technology called
6th Sense Live™,* and similar technology is embedded in some water
heaters that are powered by natural gas.† This technology includes a
platform for aggregated communications and control from a company
called Arrayent.
* See http://www.whirlpool.com/smart-appliances/.
† See http://www.whirlpoolwaterheaters.com/learn-more/gas-water-heaters/6th-sense™/.
Arrayent supplies the wireless communications platform to connect
these Whirlpool appliances to the Arrayent cloud. The
communications are bidirectional, meaning data can be sent to or received from
a connected appliance. There can be benefits to that exchange of data.
For instance, an appliance could submit data that assists in diagnosis
of a problem and speeds repair time. A manufacturer could provide
an over-the-air (OTA) update of software or firmware in an
appliance, extending the useful life of that appliance. But manufacturers
could also monitor use of an appliance. For instance, the Whirlpool
refrigerator equipped with 6th Sense Live can send an alert to the
owner’s smart phone if the fridge door is open for 5 minutes. A sensor
monitors appliance status, and then communicates this data to the
Arrayent cloud. Arrayent’s communications are encrypted, which is
commendable. But who owns this data? It’s not energy usage data, so
it is not governed by state laws or utility policies that address energy
usage data. This is data about how and when, and often where, an
appliance is used.
The view of data custodianship gets even murkier. A consumer
buys the product from Whirlpool. He or she might assume that the
privacy policy on Whirlpool’s website covers his or her purchase. That
would be a mistaken assumption, because website privacy policies
typically cover use of the Whirlpool website unless the posted privacy
policy specifically says the privacy promises also apply to sites where
the data is shared (neither of the authors has seen such a privacy policy
with this type of statement). Does Arrayent have custodianship and
management of consumer data? The data is based in its cloud, but its
stance is that the device or appliance manufacturer is responsible for
the user data it collects.
Here’s what the Arrayent website says about data privacy for data
that resides in its cloud: “If you are an end user of the Arrayent
Cloud Service, please check with the applicable device manufacturer
(or other Arrayent enterprise customer) regarding treatment of your
information on and in connection with the Arrayent Cloud Service.”*
This statement indicates that in the scenario described above, the
data management responsibilities reside with Whirlpool. We do
not know if the U.S. Federal Trade Commission or State Attorneys
General offices would consider Arrayent’s position to be congruent
with their views of custodial responsibilities. Historically custodians
of personal information, and information with privacy impacts, have
been accountable to varying degrees when security incidents and privacy
breaches have occurred. We use this example to highlight today’s
realities about data in the connected home. We do not have any reason
to believe that Whirlpool or Arrayent abuses or misuses consumer
data. However, certain types of data—energy usage data—have special
privacy safeguards in some states. Other data that may be used
in conjunction with energy usage data may not enjoy the same safeguards,
or may be governed by other policies, as is the case for financial
data or health data.
* At the time this book was written, this statement was extracted from the Arrayent
privacy policy regarding the Arrayent Cloud Service at www.arrayent.com/privacy.
Here’s another example that blurs the line between energy usage
data and other usage data. Smart phones and tablets are growing
in popularity as the preferred device for home energy management.
Some home goods manufacturers are installing Android or Apple
operating systems into their appliances too. For instance, Google’s
Android operating system (OS) can be added to devices that range
from rice cookers to refrigerators. The Android OS capability would
offer convenience to consumers—that Android smart phone or tablet
could notify you when a laundry cycle is complete or when it’s time to
take the cookies out of the oven. However, the OS also offers Google
or appliance makers an opportunity to collect usage data. This data
may or may not include energy usage data. This data will not be the
revenue-grade usage data pulled from a meter that is used to calculate
bills. This could be the appliance’s own measurement of its electricity
use, or this could be melded with Green Button data. One point
is clear: at the time of this writing, this data did not enjoy the same
protections imposed on electric utilities regarding energy usage data.
A new release of Android capabilities will allow proximity sensing
so that your home lights could automatically turn on as you or your
smart phone approach your dwelling. A smart tracking capability
can be a great convenience. But there’s probably some time-stamped
data collected somewhere that creates a detailed mapping of personal
movement inside a home. Apple has similar products and plans for
more home/iOS connectivity. Its HomeKit allows iPhone control of
appliances, door locks, and plugs.
Mobile devices and their operating systems offer portability, convenience,
and ubiquity to consumers. We expect to see them used for
status updates and more as home or business-based on-site generation,
energy storage, and consumption management solutions are deployed.
Mobile devices have a very special role in data privacy, particularly
with regard to capabilities such as location-based services (LBSs),
geo-fencing, and smart tracking.
In summary, HEMSs, HANs, and smart appliances can help consumers
intelligently manage energy use. Smart appliances can provide
additional value, as noted, in the form of performance monitoring
and troubleshooting diagnostics, and could save consumers money.
However, the veritable explosion of sensors that can be embedded
into appliances, and the communications capabilities that make them
smart, creates new data. The addition of mobile devices and their
operating systems creates even more data and the means to natively
communicate it. The data provided by smart appliances may never be
communicated with a regulated electric utility. But if it is, a regulatory
agency may have provided guidance about utility practices for
personal information and energy usage data. Consumers do need to
pay close attention to privacy policies for the new devices installed
in homes that have communications capabilities. Understanding the
chain of data custody is critical to recognizing who has access to your
data and what is being done with it.
6
ELECTRIC VEHICLES, CHARGING STATIONS, AND PRIVACY
On May 22, 2012, the U.S. White House issued* an Apps for Energy†
data challenge, with one of the challenges focused on Apps for Vehicles
in 2013.‡ Under the auspices of the Department of Energy, the challenge’s
objectives were to encourage development of applications that
improve safety and fuel efficiency of vehicles using vehicle-generated
open data. Data such as engine speed, distance, brake position, and
headlights status are some examples of vehicle-generated data. In the
past, this data was typically only available to auto technicians with
specific diagnostic equipment.
Making this “open” data to vehicle owners means that they will be
able to use this data and share it with authorized third parties or data
managers. This data is called vehicle telematics.§ In some facets, this
initiative to democratize data is similar to the Green Button initiative.
It’s another situation where existing data is now more readily available
and accessible for its data owners, or it is new data being created
because of improved sensor and communications technologies that can
be leveraged to provide value to consumers and other organizations.
Consumers can benefit from applications of this data into information
that helps them drive safely or more cost effectively. Our discussion
will focus on the implications of privacy at the intersection with the
Smart Grid, which typically means public or private charging—with
or without electric vehicle supply equipment (EVSE).
* See http://www.whitehouse.gov/blog/2012/05/22/unlocking-power-energy-data.
† See http://appsforenergy.challengepost.com/.
‡ See http://appsforvehicles.challenge.gov.
§ The privacy implications of vehicle telematics apply to traditional internal combustion
engine vehicles as well as EVs.
There are three levels of charging associated with the delivery speed
that can be deployed for EVs. Level 1 is the standard two-prong plug
to handle 120 V. It takes the longest to fully charge an EV. Level 2
is the standard three-prong plug used for dryers and microwaves to
handle 240 V. It is sometimes called AC fast charging, and is faster
than a level 1 charge. Level 3 uses direct current (DC) for charging
instead of alternating current (AC). DC charging delivers the fastest
charging option of the three levels. However, AC is the wiring found
in the vast majority of U.S. buildings today, although this may change
over time.
If you charge directly from a standard two-prong wall outlet, an
EV looks just like another appliance or device on the electrical grid.
Its energy usage data is treated exactly like that of any other device
on the other side of a smart or traditional meter.
However, there are a number of reasons why EV owners will
prefer to use specialized EVSE products for charging purposes. The
majority of those reasons come down to the convenience of having an
infrastructure of charging stations as EVs roam streets and highways.
But there are trade-offs with privacy that we’ll explore in this chapter.
At the time of this writing, the EV charging infrastructure was
immature in comparison to the traditional internal combustion
engine fueling infrastructure, which has had a century to work out the
details. There are some parallels, and these serve to highlight similarities
and differences. One similarity is the point of sale (POS) transaction.
Gas tank and pump configurations can be privately owned, and
are particularly common in rural areas and on farms. You won’t have
a POS transaction involving a credit or debit card with these stations
since the owner buys gasoline in bulk and is billed on a periodic basis.
Privately owned charging equipment that is associated with a meter
is similar in operation. The meter functions as the POS device, long
accustomed to a role as a utility cash register.
POS transactions at your corner gas station have more in common
with public charging infrastructure options. There’s a transaction
that involves a credit or debit card—or a radio frequency identification
(RFID)-enabled card that is read by the charging station and
enables “authorization” to use the charging station. But while a corner
gas station is generally owned by an oil company or a franchisee to
that company, public charging stations can fit into several ownership
options. These ownership options have impacts on the treatment of
energy usage data as well as other data.
Publicly Owned Charging
Policies for EVs, and charging stations in particular, vary between
states. Some states like California prohibit utilities from owning
charging stations. In Texas, utilities can be more directly involved in
setting up charging stations and networks. Some states don’t allow an
entity other than a utility to sell power. Therefore, if a charging station
includes a financial transaction to pay for that EV charge, then
the entity must be classified as a utility. It’s a confusing patchwork of
rules, and therefore consideration of privacy impacts has to be done on
a state-by-state basis. As a more distributed energy resource (DER)
is deployed across states and as transactive energy concepts translate
into reality, we expect to see these rules change to remove obstacles to
greater prosumer participation.
However, the current situation complicates the picture for privacy.
In one state, a shopping center owner may install a charging station or
two for customer use on a lease arrangement from a charging station
network provider. The shopping center owner pays for the electricity
to encourage shoppers to extend their time at the mall while recharging
their EV or plug-in hybrid EV (PHEV). It also helps the shopping
center avoid any issues with being confused with a utility.
In another state, a parking garage installs a number of charging
stations and charges customers for the parking space to recharge
their EVs and PHEVs. The electricity is free, but the EV driver uses
a mobile app supplied by the parking garage to reserve an EV space
via credit card.
Figuring out where the energy usage data goes in these two cases is
fairly easy—it follows the meter that is associated with that charging
station. Financial data follows the banking network that manages any
POS transaction. But EV fueling creates new data, such as charging
station locations and time spent obtaining the charge, as part of a
consumer’s charging history.
Another quick comparison and contrast with traditional gas stations
is instructive. Most people pay for gas by debit or credit card.
Banks routinely note date, time, location, and total amount paid for
gas. In some parts of the United States, you have to enter your zip code
as a means to validate that you are the legitimate owner of the card
used for payment. All this data is transmitted via secure networks.
An EV charging station can perform very similar functions via very
similar technologies and processes, but it may also identify the total
time plugged in to the charging station, carbon credits or greenhouse
gas savings, and alert you when your EV is completely recharged.
The data created and collected about driving and charging patterns
of EVs is of tremendous value to governments and utilities. There are a
number of good reasons for this interest. First, federal, state, and local
governments can use this data as a gauge of consumer interest in EVs,
their driving patterns, and the most popular charging locations. Such
data helps them understand the impacts of policies and tax implications
as more EVs share roads, but not the gas tax,* of fossil fuel-powered
vehicles. Second, EV charging is equivalent to adding a new home’s
electricity burden on a local grid, so utilities are keenly interested in
learning where EVs are plugging in to their grids. These charging locations
may need prioritization for upgrades to support the increased
electricity demand. In many of these cases, the interest is in aggregated
data, not data that can be used to identify specific individuals. However,
personal data is automatically involved in billing transactions.
ChargePoint®† is an example of a new public charging infrastructure
business based on new technologies and delivering new business
to business (B2B) and business to consumer (B2C) services.
ChargePoint consists of software and networks to support public
EVSE. It is targeted to:
• Companies that have EV fleets
• Companies that want to offer EV charging as a benefit for
employees or customers
• Companies that want to become the service stations of the future
• Utilities that are authorized to offer charging stations
• EV drivers who want organized information about public
charging stations, and charging reports about their use of
ChargePoint-supported EVSE
* The federal gasoline tax funds highway projects.
† See http://www.chargepoint.com/
ChargePoint software gathers data from EV drivers at their charging
stations about how their cars are used (number and distance of
trips), number of charging events, number of kilowatt-hours used, and
how this translates to greenhouse gas savings. The data has value to
a number of stakeholders, as illustrated in the ChargePoint America
example.
In June 2013 the company announced that it had successfully completed
the ChargePoint America project,* a federal- and state-funded
project to deploy 4,600 charging stations at single-family homes,
multifamily housing, and commercial and public locations to support
more than 2,000 EVs registered to participate. The purpose of the
program, which ended in December 2013, was to gather data that was
publicly available to researchers, municipal planners, and policy makers
to help them learn more about EV charging patterns and avoided
CO2 emissions. EV drivers voluntarily participated in this program,
and researchers reviewed the data results to create their summary of
the project.
Whether part of the ChargePoint America program or not,
the typical process that ChargePoint established is that EV drivers
register with ChargePoint, which collects personal data (name,
address, email address) as well as financial data (credit card† or other
payment information) to accommodate those charging stations
that bill for EV charges as well as pay for the ChargePoint cards.
Because there are mobile apps that can provide many of the same
capabilities available by the web, there’s the possibility for collection
of smart phone numbers and addresses for text and email alerts, or
for collection of IP addresses for laptops and other types of mobile
computers using the app. ChargePoint also interfaces with a couple
of navigation solutions, so location-based data could also potentially
be collected.
* See a summary of the project at http://www.plugandgonow.com/wp-content/uploads/2010/07/ChargePoint-America-Summary.pdf.
† Credit card data protection is governed by standards known as Payment Card
Industry Data Security Standards (PCI-DSS) (https://www.pcisecuritystandards.org/).
These standards establish the secure communications requirements of sensitive
data, encryption of this data, and physical and cyber storage of sensitive data.
Any organization accepting credit card payments must comply with, and be certified
to, the PCI-DSS.
Now, let’s reexamine the types of data that are collected by the type
of ChargePoint user with an eye toward personal data.
• Companies that have EV fleets: Who is charging, time
and duration of charge, location of charge. Greenhouse gas
(GHG) credits and avoided gallons of gas by vehicle.
• Companies that want to offer EV charging as a benefit for
employees or customers: Who is charging, time and duration of
charge, location of charge. Behaviors based on different pricing
structures—free versus fee based. Payment information for fee-based
EVSE. GHG credits and avoided gallons of gas by vehicle.
• Companies that want to become the service stations of the
future: Who is charging, time and duration of charge, location
of charge. Payment information. Behaviors based on different
pricing structures or offers tailored to different customer categories.
GHG credits and avoided gallons of gas by vehicle.
• Utilities that are authorized to offer charging stations: Who
is charging, time and duration of charge, location of charge.
Behaviors based on different pricing structures or offers tailored
to different tariffs or time of day. GHG credits and
avoided gallons of gas by vehicle.
• EV drivers who want organized information about public charging
stations, and charging reports about their use of ChargePoint-supported
EVSE: Name, address, type of EV, credit card or
other payment information, charging history (location, date,
time), phone number, email address. Other data includes gallons
of avoided gas and reductions in GHG emissions.
One important point: Retailers offer free charging to attract customers
and have them linger for a couple of hours. ChargePoint and
other similar businesses are set up for retailers to recognize who is
reserving or connecting a charge at their EVSE. The retailer (or other
retailers) can potentially send offers for discounts on products or services
to the EV owners at those charging stations, to a mobile device,
or possibly to the EV itself (e.g., the EV dashboard).
At the time this book was written, ChargePoint claims to have 65%
of the commercial EVSE market. Other EVSE companies include
CarCharging Group (which acquired Ecotality from bankruptcy)
and Aerovironment. Their business models are similar in terms of
how charging station markets are segmented—private versus public
charging with subsegments of each (single family, multiunit residential,
fleet, employer, etc.). When there’s the possibility of a credit card
payment, the implementation of the controls required by the Payment
Card Industry Data Security Standards (PCI-DSS) helps to secure
communications and handling of card and owner data. But the privacy
policies for other EV driver data are very immature.
This gets to one of the most important points about EVs, the Smart
Grid, and privacy. Charging stations blur existing privacy policy lines
and the roles of data owner, data custodian, and data manager. Many
EV drivers may assume that all charging stations adhere to the privacy
policy in place for energy usage data enacted by their local utility.
That may be true in some states, but the registered customer of the
meter that is behind the charging station is usually considered to be
the owner of the energy usage data produced by that meter. Charging
stations that support point of sale (POS) transactions are governed by
the privacy policy of the bank for financial data, and applicable industry
regulations. Charging stations that support any form of electronic
authorization without payment are generally governed by the posted
privacy policy of the EVSE owner or sales vendor.
Prior to its bankruptcy and acquisition by CarCharging Group,
Collaboratev, established by Ecotality and ChargePoint, was a new
business entity to encourage interoperability between different EVSE
networks for billing and station management. Think of it as a roaming
agreement. Today, you can make mobile phone calls at your home
location, and on the other side of the country. You get one bill, because
there’s a significant amount of work that’s been done to negotiate agreements
between different wireless carriers. Collaboratev aimed to let EV
drivers plug in to any charging station, just as we can use almost any
bank’s ATM across the country. That’s a great convenience, although
there might be extra fees associated with charging at an EVSE that is
outside of your network. While this arrangement was in limbo at the
time of this writing, agreements like this will be inevitable to encourage
the maximum convenience of charging locations for EV owners.
What are the protections for any personal data? The now defunct
Collaboratev website offered this statement: “Driver information security
is of utmost importance to us. Collaboratev will not have access to
any personal or sensitive information other than your member number
and network affiliation. The inclusion in the Collaboratev network
will in no way compromise the personal or confidential information
of any EV driver.” That sounds promising, but there was an additional
statement in its explanation of solution features: “Collect aggregated
charge spot data and make it available to all industry stakeholders.”
EVSE owners are also promised the benefit of “improve profitability
through monetization of charge spot data.”
In our near future, if a major department store retailer offers free
charging, the nearby national coffee chains may strike up deals to
push offers for discounted beverages—advertising at the EVSE or
pushing a text message to your smart phone. Just like Google collects
web search data in exchange for providing its search services for free
(along with a very nice business of selling advertising based on that
search data), free charging in the future may come at the cost of collection
of some personal data. From our perspective, there is no free
lunch, and no free EV charging.
Private Charging
Experts note a trend about charging locations—most people charge
their cars at home, plugging in to a wall outlet or EVSE installed in
their garage or carport. As noted above, if you charge without using an
EVSE, an EV or PHEV is just another electricity-consuming device
on the electrical grid. The meter collects usage data (how much is consumed)
and the utility reflects that information in billing statements.
Of the three types of charging that can be deployed in residential
settings, the majority are configured for level 1 or level 2 charging
using AC. An EV owner could theoretically plug his or her EV
into an existing wall socket in the garage.* No EVSE installation is
required. Utilities may view EVs as an appliance or device that gets
special treatment in terms of pricing, which is determined by state-based
regulatory decisions.† Because of the load a full charge can
require from the grid, utilities may also give EVs special treatment in
terms of their short- and long-term distribution grid upgrade plans.
* The amount of electricity drawn for a full EV charge is equivalent to an entire home,
so an electrician should determine if existing electrical equipment (panels and wiring)
can handle the additional electricity load.
† The authors make no recommendations about the pros and cons of regulations surrounding
EV meter arrangements or charging station ownership, but point out that
these regulations will have impacts on privacy.
If there are no EV tariffs that encourage charging at off-peak hours
through cheap electricity rates, then the EV is simply one additional
power-consuming device. Plug in that EV to any available socket and
charge. Utility bills will reflect the increased use of electricity. If a
utility offers special EV tariffs, then there are two options. Option
1 is to install a separate meter and generate a second bill directed to
the person identified with that meter. This option offers the flexibility
for an EV owner and utility to agree to use a special electricity rate or
tariff for the EV (typically with some restrictions on when charging
can occur, which conforms to off-peak demand hours) and a separate
tariff for all other home use. Option 2 is to install a submeter and
generate one bill that has a line item for EV charging versus the rest
of the household electricity use. This option is similar to option 1 from
a billing flexibility perspective for both the utility and the EV owner.
In these scenarios, an EV owner is a utility customer with one or
two meters, which would be addressed with the utility’s typical billing
processes. Data about EV charging activity that occurs at home
is governed by the utility’s existing privacy policies and practices, and
any associated laws or regulations, for any appliance or device.
When a charging station is added into the equation, then the
privacy questions harken back to the discussion on public charging.
Understanding who owns the EVSE is important. Ownership of
EVSE can become complicated. Depending on the state, investor-owned
utilities (IOUs), municipal utilities, and rural cooperatives
may own EVSE and have it installed at your home location for you.
Homeowners may own EVSE. Owners of apartment buildings may
purchase EVSE for tenant use. If the EVSE are registered with a network
like Ecotality or ChargePoint or another service provider, then
there is the potential for personal data about the users of the EVSE to
be available to EVSE owners.
There’s one other consideration regarding EVSE for private use. That
concerns the equipment itself. Is it smart—meaning is it communications
enabled? If it is, then there’s a need to understand what data is
transmitted, and who gets that data. The scenario could be as basic
as a traditional direct load control device, similar to the equipment
that is connected to a heating, ventilation, air conditioning (HVAC)
unit or pool pump. It simply receives a signal from a utility to suspend
operations until a later point in time in response to peak demand conditions.
This would be most likely used when there is a single meter for all
devices—EVSE plus all the typical electrical loads within a dwelling.
If the EVSE is on its own meter or a submeter, it could be enabled
to respond to price signals sent by the utility to the meter, which then
uses ZigBee, HomePlug, or another communications mode to the
EVSE. This scenario would most likely play out in dynamic pricing.
As previously explored in Chapter 4, personally identifiable information
is not transmitted by the smart meters in use at the time of this
writing. Therefore, EVSE that is connected to smart meters is sending
consumption information at established intervals of consumption reads
(e.g., once per hour, once every 15 minutes, etc.) and might be receiving
pricing information, if the local utility supports that arrangement.
Utility-Supplied Network Charging
Austin Energy serves as an example of a utility that offers an EV
charging program within its territory. The utility has offers for rebates
for its customers to purchase and install level 2 EVSE. It also offers
a subscription-based program for unlimited charging at a network of
EVSE within the boundaries of the city of Austin. The utility contracts
with ChargePoint America to run this charging network. The
state of Texas makes it clear that the customer is the owner for smart
meter data. Is that equally true of EV data that is generated in EV
programs like the one offered by Austin Energy? It’s difficult to discern
from the utility’s website. The lines of demarcation between data
owner, custodian, and manager are not well defined.
Table 6.1 shows the status, as of 2014, of state decisions regarding
EV charging and state regulation. It answers a basic question: Do
states exempt electric charging from existing regulation?
Table 6.1 State Utilities Laws and Electric Vehicle Charging Stations
STATE                 EXEMPT  NOTES
Alaska                No
Arizona               No
Arkansas              No
California            Yes
Colorado              Yes
Connecticut           No
Delaware              No      PSC has chosen not to exercise its authority.
Florida               Yes
Georgia               No
Hawaii                Yes
Idaho                 No
Illinois              Yes
Indiana               No
Iowa                  No
Kansas                No
Kentucky              No
Louisiana             No
Maine                 No
Maryland              Yes
Massachusetts         No
Michigan              No
Minnesota             Yes
Mississippi           No
Missouri              No
Montana               No
Nebraska              No
Nevada                No
New Hampshire         No
New Jersey            No
New Mexico            No
New York              No      Open for public comment.
North Carolina        No
North Dakota          No
Ohio                  No
Oklahoma              No
Oregon                Yes
Pennsylvania          No
Rhode Island          No
South Carolina        No
South Dakota          No
Tennessee             No
Texas                 No
Utah                  No
Vermont               No
Virginia              Yes
Washington            Yes
West Virginia         No
Wisconsin             No
Wyoming               No
District of Columbia  Yes
Source: Kendrick Vonderschmitt, Council of State Governments, October 9, 2013, http://knowledgecenter.csg.org/kc/content/state-utilities-law-and-electric-vehicle-charging-stations.
Other Privacy Implications with EVs
Our discussion has focused on EV electricity usage for billing purposes
and charging station data collection. There are other types of data that
may become more important to a variety of stakeholders over time. For
instance, the federal excise tax on gasoline funds road projects across
the nation. EVs don’t pay this tax, but still enjoy use of the roads.
Governments may wish to learn about total EV miles driven and location
of those miles to figure out new road infrastructure funding mechanisms
that fairly allocate costs across all road users.
States that have low carbon fuel standards (LCFSs) or clean fuel
standards (CFSs) would benefit from data on the miles that EVs drive
to calculate miles avoided in CO2-spewing vehicles or supply data
for other petroleum displacement programs. For instance, LCFSs are
a key component of California Assembly Bill 32 (AB32), the state’s
signature clean energy and climate law. This type of data could create
credits that accrue to individual EV owners, fleet owners, or other
agencies. These two examples elegantly illustrate the monetization of
data. Accurate collection of data can lead to money in the form of tax
revenues, air quality credits for cap and trade purposes, or other programs
that reward desired behaviors. Although there’s been speculation
that this information should be gathered from meters, it seems an
easier collection mechanism is vehicle telematics. Cars already have
odometers, and EVs and gas-powered cars, like smart phones, can
have location-based sensing.
Telematics
Vehicle telematics certainly apply to all cars, not just EVs, but because
EVs are new, their manufacturers are eager to collect data about
driving habits and charging times as basic market research into what
consumers want and do. For instance, MyFord Mobile* is a smart
phone app that connects drivers with their EVs. App users can check
the status of charging activities, and find charging stations. A wireless
service subscription is included with each Ford EV. Ford is now
converging telematics with the connected home realm—it is in a partnership
with Whirlpool, SunPower, Nest Labs, and Eaton. The initiative
is called MyEnergiLifestyle and combines data from renewable
energy generation with EV charging data and appliance use data to
inform residential prosumers about intelligent energy management.†
General Motors has cracked open its OnStar communications
platform to apps that link Volt c harging to home energy management
systems (HEMSs) and utilities. Its OnStar RemoteLink‡ mobile app
lets users of traditional gas guzzlers or EVs lock or unlock their car
doors from any distance or remotely start their vehicles, among other
capabilities. It also collects mobile and vehicle location data when it
is active. Volt owners also have the ability to connect to social media
applications like Facebook or Twitter to let them share information
about their driving history, energy efficiency, and charging details
(which creates other types of privacy risks). GM hosts a website for
Volt owners called MyVolt.com to “access an unprecedented level
of real-time data along with remote vehicle commands and critical
vehicle diagnostics.”§ Much of this data has nothing to do with the
Smart Grid, but we highlight it here to emphasize that much of this
data is new or newly available, and may have associated privacy risks.
It no longer exists in containerized settings like car service diagnos-
tics equipment. Event data recorders (EDRs) can now transmit data
to a manufacturer, which is what enables OnStar’s collision detection
service to automatically inform about accidents to expedite emer-
gency responses.
* MyFord Mobile site: https://phev.myfordmobile.com/content/mfm/en_us/site/login.html.
† http://www.sustainablebrands.com/news_and_views/info_tech/jennifer-elks/ford-utilizing-analytics-big-data-guide-sustainability-innova.
‡ GM MyLink site: https://play.google.com/store/apps/details?id=com.gm.onstar.mobile.mylink&hl=en.
§ https://secure.myvolt.com/web/portal/home;jsessionid=541BBE50549F6E342002870FA5FC0F86.
Privacy policies are an interesting facet of vehicle telematics. For
instance, the GM privacy policy governs its websites, but not OnStar,
and not mobile apps. Mobile apps—both GM and third party—are
governed by separate privacy policies, and GM is explicit in its guid-
ance*: “GM is not responsible for the collection or use of information
by 3rd Party Applications. We recommend that you carefully review
the privacy statement of each 3rd Party Application prior to downloading
or using them.” We couldn’t agree more.
* GM privacy statement; see mobile applications section: http://www.gm.com/privacy/.
7
MITIGATING PRIVACY RISKS
Basic Risk Mitigation Strategies
Once privacy risks have been identified, organizations must determine
the best way to mitigate them. Before jumping right into mitigation,
it is important to first understand the four basic categories of
risk mitigation.
• Risk avoidance: Risk avoidance consists of the actions taken
to avoid as much exposure to the risk as possible. Risk avoidance
is usually the most expensive of all risk mitigation options
because organizations can never eliminate 100% of the risk, even
though some will go to great lengths trying to do so. Many
organizations have outsourced processing, collection, or other types of
access to personal information and energy usage and consumption
data thinking that will eliminate (thus avoiding) their risks.
However, as explained in Chapter 2, the organization that collected
personal information and energy usage and consumption
data will continue to have some obligations and liability for it,
even if the data is sent to another contracted entity.
• Risk limitation: Risk limitation is the most common risk
management strategy used by businesses. Risk limitation limits
an organization’s exposure by taking actions to help protect
against the risk, and reduce the possibility of the risk being
exploited to a level deemed acceptable by the appropriate business
leaders. An example of limiting the risk of data loss for
energy consumption data would be making regular backups of
the data. The more frequently the backups are created, the less
data can be lost to a hardware failure. An example
of mitigating the risk of a privacy breach involving customer energy
usage data that is stored on a smart meter would be to encrypt
the data using a strong encryption algorithm.
• Risk transference: Risk transference involves transferring
the risks to a third party. For example, it is becoming com-
mon for organizations to purchase cyber security insurance to
transfer the cost of information security incidents and privacy
breaches to an insurance company. While this will address
the monetary losses involved with any exploitation of the
associated data risk, the organization must still have appro-
priate safeguards, controls, and privacy protections in place
for legitimate insurers to pay for any incidents that occur.
• Risk acceptance: Risk acceptance is the opposite of risk avoid-
ance. Risk acceptance does not reduce risks, but it is still con-
sidered a valid strategy. Risk acceptance is actually a common
choice whenever the cost of other risk mitigation strategies,
such as avoidance or limitation, outweighs the estimated cost
of the risk impact itself. If a risk does not have a high possibility
of happening, many organizations will simply accept the risk.
Smart Grid Privacy Risks
In general, privacy risks within the Smart Grid fall into one of two
broad categories:
• Type I: Personal information and energy data not previously
readily obtainable.
• Type II: Methods and technologies for obtaining (or manip-
ulating) personal information and energy data that did not
previously exist.
Energy Usage Data Privacy Risks*
Throughout this book many different types of privacy risks within the
Smart Grid have been described at a high level. Appendix A provides
a table documenting the different categories of data that will be found
within the Smart Grid, and that can be obtained from smart devices,
along with the likelihood that the specific types of data found within
each category will have privacy implications. Also shown are the various
types of audiences and groups that may have an interest, legitimate
or not, to get access to each type of data. Table 7.1 provides a summary
of the primary privacy risks considered at the time of this writing.
* This section is an updated version of the corresponding section of NISTIR 7628
Rev.1: Guidelines for Smart Grid Cybersecurity: Volume 2–Privacy and the Smart
Grid; September 2014; http://nvlpubs.nist.gov/nistpubs/ir/2014/NIST.IR.7628r1.pdf;
that was originally created in 2010 by the NIST Smart Grid CSWG Privacy
Group that Rebecca Herold has led since mid-2009, and in which Christine Hertzog
managed the use cases reviews for 3 years.
A detailed sense of activities within a house or building can be
derived from equipment electricity signatures, individual appliance
usage data, time patterns of usage, and other data. Especially when
collected and analyzed over a period of time, this information can
provide a basis for potentially determining occupant activities and
lifestyle. For example, a forecast may be made about:
• The number of individuals at a premise
• When the location is unoccupied
• Sleep schedules
• Work schedules
• Other personal routines that involve usage of the building’s
electricity grid*
While technology that communicates directly with appliances
and other energy consumption elements and devices already exists,
increased energy usage data may create broader incentives for its use
and provide easier access by interested parties.† Appliances so equipped
may deliver granular energy consumption data to their data owners,
data custodians, and data managers, as well as to outside parties. The
increased collection of and access to granular energy usage data will
create new uses for this data. Some examples include:
• Residential demand response (DR) systems
• Marketing
• Insurance actuarial tables
• Law enforcement
* It is important to emphasize that the activities that can be determined, or that are inferred,
must be attached to the electric grid. There have been some outrageous claims that
activities such as using a traditional battery-powered electric toothbrush, flashlights, or
vibrators can be determined by smart meters; this is simply not true and not possible.
Smart meters and customer-owned home energy management systems and apps cannot
determine the usage of objects that are not even drawing electricity from the grid.
† See Appendix A.
Table 7.1 Potential Privacy Impacts that Arise from the Collection and Use of Smart Grid Data

TYPE OF DATA: Captures detailed energy usage at a location, whether in real time or on a delayed basis

PRIVACY-RELATED INFORMATION POTENTIALLY REVEALED BY THIS TYPE OF DATA:
Personal behavior patterns and activities inside the home:
• Behavioral patterns, habits, and activities taking place inside the home by monitoring electricity usage patterns and appliance use, including activities like sleeping, eating, showering, and watching TV
• Patterns over time to determine number of people in the household, work schedule, sleeping habits, vacation, health, affluence, or other lifestyle details and habits
• When specific appliances are being used in a home, or when industrial equipment is in use, via granular energy data and appliance energy consumption profiles
Real-time surveillance information:
• Via real-time energy use data, determine if anyone is home, what they are doing, and where they are located in the home

| PARTIES POTENTIALLY COLLECTING OR USING THIS TYPE OF DATA | TYPE OF POTENTIAL USE(a) | SPECIFIC POTENTIAL USES OF THIS TYPE OF DATA |
| --- | --- | --- |
| Utilities | Primary | Load monitoring and forecasting; demand response; efficiency analysis and monitoring; billing |
| Consumer direct services(b) and other types of entities obtaining data directly from energy consumers | Primary | Efficiency analysis and monitoring; demand response; public or limited disclosure to promote conservation; to access and control home appliances and energy controls, raise energy awareness, etc. (e.g., posting energy usage to social media) |
| Insurance companies | Secondary | Determine premiums (e.g., specific behavior patterns, like erratic sleep, that could indicate health problems) |
| Marketers | Secondary | Profile for targeted advertisements; to sell personal information for revenue generation |
| Law enforcement | Secondary | Identify suspicious or illegal activity; investigations; real-time surveillance to determine if residents are present and determine current activities inside the home (e.g., marijuana greenhouses) |
| Civil litigation | Secondary | Determine when someone is at home or the estimated number of people present |
| Landlord/lessor | Secondary | Use tenants’ energy profiles to verify lease compliance |
| Private investigators | Secondary | Investigations; monitoring for specific events; provide evidence for divorce proceedings or various types of lawsuits |
| The press | Secondary | Public interest in the activities of famous individuals;(c) use for political campaigns |
| Creditors | Secondary | Determine behavior that seems to indicate creditworthiness or changes in credit risk.(d) |
| Criminals and other unauthorized users | Illicit | Identify the best times for a burglary; determine if residents are present; identify assets that might be present; commit fraud; use for identity theft; sell to other criminals; disrupt service; corporate espionage—determine confidential processes or proprietary data; to commit political or social protests |

TYPE OF DATA: Identifies location/recharge information for plug-in electric vehicles (PEVs) or other location-aware appliances

PRIVACY-RELATED INFORMATION POTENTIALLY REVEALED BY THIS TYPE OF DATA:
Determine location information:
• Historical PEV data, which can be used to determine range of use since last recharge
• Location of active PEV charging activities, which can be used to determine the location of driver

| PARTIES POTENTIALLY COLLECTING OR USING THIS TYPE OF DATA | TYPE OF POTENTIAL USE(a) | SPECIFIC POTENTIAL USES OF THIS TYPE OF DATA |
| --- | --- | --- |
| Utilities | Primary | Bill energy consumption to owner of the PEV; distributed energy resource management; emergency response |
| Insurance companies | Secondary | Determine premiums based on driving habits and recharge location |
| Marketers | Secondary | Profile and send targeted marketing communications based on driving habits and PEV condition |
| Private investigators/law enforcement agencies | Secondary | Investigations; locating or creating tracking histories for persons of interest; gain evidence to dispute a legal accusation |
| Civil litigation | Secondary | Determine when someone was home or at a different location |
| PEV lessor | Secondary | Verify a lessee’s compliance regarding the mileage, car speed, etc., of a lease agreement |

TYPE OF DATA: Identifies individual meters or consumer-owned equipment and capabilities

PRIVACY-RELATED INFORMATION POTENTIALLY REVEALED BY THIS TYPE OF DATA:
Identify household appliances:
• Identifying information (such as a MAC address); directly reported usage information provided by smart appliances
• Data revealed from compromised smart meter, HAN, or other appliance

| PARTIES POTENTIALLY COLLECTING OR USING THIS TYPE OF DATA | TYPE OF POTENTIAL USE(a) | SPECIFIC POTENTIAL USES OF THIS TYPE OF DATA |
| --- | --- | --- |
| Utilities | Primary | Load monitoring and forecasting; efficiency analysis and monitoring; reliability; demand response; distributed energy resource management; emergency response |
| Consumer direct services and other types of entities obtaining data directly from energy consumers | Primary | Efficiency analysis and monitoring; broadcasting appliance use to social media; smart appliance remote control via smart phone apps |
| Insurance companies | Secondary | Make claim adjustments (e.g., determine if claimant actually owned appliances that were claimed to have been destroyed by house fire); determine or modify premiums based upon the presence of appliances that might indicate increased risk; identify activities that might change risk profiles |
| Marketers | Secondary | Profile for targeted advertisements based upon owned and unowned appliances or activities indicated by appliance use |
| Law enforcement | Secondary | Substantiate energy usage that may indicate illegal activity; identify activities on premises |
| Civil litigation | Secondary | Identify property; identify activities on premises |
| Criminals and other unauthorized users | Illicit | Identify what assets may be present to target for theft; disrupt operation of appliances or electric service; introduce a virus or other attack to collect personal information or disrupt service; compromise smart meters to steal energy; hack to obtain data files.(e) |

(a) Primary uses of Smart Grid data are those used to provide direct services to customers that are directly based on those data, including energy generation services or load monitoring services. Secondary uses of data are uses that apply Smart Grid data to other business purposes, such as insurance adjustment or marketing, or to nonbusiness purposes, such as government investigations or civil litigation. Illicit uses of data are uses that are never authorized and are often criminal.
(b) Edge services include businesses providing services based directly upon electrical usage but not providing services related to the actual generation, transportation, or distribution of electricity. Some examples of edge services would include OPOWER, GE Energy Management, Green Button services, vendors with energy management apps and tools, smart appliance vendors, and consulting services based upon electricity usage, just to name a few.
(c) For example, there were numerous news stories about the amount of electricity used by Al Gore’s Tennessee home. See, e.g., Gore’s High Energy-Use Home Target of Critical Report, Fox News, February 28, 2007, http://www.foxnews.com/story/0,2933,254908,00.html.
(d) Sudden changes in when residents are home could indicate the loss of a job. Erratic sleep patterns could indicate possible stress and increased likelihood of job loss. See, e.g., Charles Duhigg, What Does Your Credit-Card Company Know about You? New York Times Magazine, May 17, 2009, p. MM40, http://www.nytimes.com/2009/05/17/magazine/17credit-t.html.
(e) See Matthew Carpenter et al., Advanced Metering Infrastructure Attack Methodology, January 5, 2009, pp. 55–56, http://inguardians.com/pubs/AMI_Attack_Methodology.pdf (discussing how attackers could manipulate the data reported to utilities); Robert Lemos, Hacking the Smart Grid, Technology Review, April 5, 2010, http://www.technologyreview.com/printer_friendly_article.aspx?id=24977&channel=energy&section=.
Source: This is a table updated by the authors that was originally created in 2010 by the NIST Smart Grid CSWG Privacy Group that Rebecca Herold has led since mid-2009, and in which Christine Hertzog managed the use cases reviews for 3 years. The original table is available in NISTIR 7628 Rev.1: Guidelines for Smart Grid Cybersecurity: Volume 2–Privacy and the Smart Grid; September 2014; http://nvlpubs.nist.gov/nistpubs/ir/2014/NIST.IR.7628r1.pdf.
Many of these new uses will be innovative and provide individual and
consumer benefits, some will impact privacy, and many will do both.
Such data might be used in ways that raise privacy concerns. Some
examples include:
• Granular energy usage data may allow numerous assumptions
about the health of a dwelling’s resident in which some insurance
companies, employers, newspapers (when regarding
public figures), civil litigants, and others could be interested.
• Most directly, specific medical devices may be uniquely identified
through serial numbers or MAC addresses,* or may
have unique electrical signatures; either could indicate that
the resident suffers from a particular disease or condition that
requires the device.†
• More generally, inferences might be used to determine behavioral
and health patterns and risk. For example, the amount
of time the computer or television is on could be compared to
the amount of time the treadmill is used.‡
• Electricity use could also reveal how much the resident sleeps
and whether he gets up in the middle of the night.§
* A media access control address (MAC address) is a unique identifier assigned to
network interfaces to allow for communications on the physical network segment.
MAC addresses are used as network addresses for most IEEE 802 network technologies.
MAC addresses are typically established by the manufacturer of a network
interface controller (NIC) and are programmed within its hardware, such as the
card’s read-only memory or some other firmware mechanism.
† Susan Lyon and John Roche, Smart Grid News, Smart Grid Privacy Tips Part 2:
Anticipate the Unanticipated, February 9, 2010, http://www.SmartGridnews.com/artman/publish/Business_Policy_Regulation_News/Smart-Grid-Privacy-Tips-Part-2-Anticipate-the-Unanticipated-1873.html.
‡ Elias Quinn mentions an Alabama tax provision that requires obese state employees
to pay for health insurance unless they work to reduce their body mass index. Elias
Quinn, Privacy and the New Energy Infrastructure (draft), February 2009, p. 31,
http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1370731. He suggests that Smart
Grid data could be used to see how often a treadmill was being used in the home.
§ Ann Cavoukian, Jules Polonetsky, and Christopher Wolf, Privacy by Design,
SmartPrivacy for the Smart Grid: Embedding Privacy into the Design of Electricity
Conservation, November 2009, http://www.ipc.on.ca/images/Resources/pbd-smart-priv-Smart Grid.pdf
(describing the types of information that could be gleaned from
combining personal information with granular energy consumption data).
• Similarly, appliance usage data could indicate how often meals
are cooked with the microwave, the stove, or not cooked at
all, as well as implying the frequency of meals.*
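Two of the identification risks described above, interval-level usage that exposes sleep and occupancy patterns and device identifiers such as MAC addresses that single out a particular appliance or medical device, can both be reduced before data leaves the data custodian. The following Python code is an added example, not taken from the book or from NISTIR 7628; the function names, the per-recipient secret key, the 16-character pseudonym length, and the daily aggregation window are assumptions chosen for illustration, and the sample reads are constructed.

```python
import hashlib
import hmac
from collections import defaultdict
from datetime import datetime

# Constructed sample: 15-minute interval reads (timestamp, device MAC, kWh).
# Every value below is made up for illustration.
SAMPLE_READS = [
    ("2014-06-02T02:00", "00:1A:2B:3C:4D:5E", 0.05),
    ("2014-06-02T07:15", "00:1A:2B:3C:4D:5E", 0.40),
    ("2014-06-02T19:30", "00-1a-2b-3c-4d-5e", 0.90),  # same device, other notation
    ("2014-06-03T02:00", "00:1A:2B:3C:4D:5E", 0.05),
    ("2014-06-03T13:00", "00:1A:2B:3C:4D:5E", 0.05),
    ("2014-06-02T03:00", "00:1A:2B:AA:BB:CC", 0.30),
    ("2014-06-02T03:15", "00:1A:2B:AA:BB:CC", 0.30),
]


def normalize_mac(mac):
    """Return the 12 lowercase hex digits of a MAC address, or raise ValueError."""
    digits = mac.replace(":", "").replace("-", "").replace(".", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def pseudonymize_device(mac, recipient_key):
    """Replace a device identifier with a keyed pseudonym.

    HMAC-SHA256 under a secret held only by the data custodian, one key per
    recipient (an assumption of this example). The pseudonym is stable for
    one recipient, so devices can still be told apart, but it does not expose
    the MAC or its manufacturer prefix, and pseudonyms given to different
    recipients cannot be matched against each other.
    """
    message = normalize_mac(mac).encode("ascii")
    return hmac.new(recipient_key, message, hashlib.sha256).hexdigest()[:16]


def minimize_for_release(reads, recipient_key):
    """Aggregate interval reads into one total per device per day.

    The released records carry no time of day, so the within-day usage
    pattern present in the interval reads is not part of the release.
    """
    totals = defaultdict(float)
    for timestamp, mac, kwh in reads:
        day = datetime.strptime(timestamp, "%Y-%m-%dT%H:%M").date().isoformat()
        totals[(pseudonymize_device(mac, recipient_key), day)] += kwh
    return [
        {"device": device, "date": day, "kwh": round(total, 3)}
        for (device, day), total in sorted(totals.items())
    ]


if __name__ == "__main__":
    # Key is a constructed placeholder; a real key would be random and kept secret.
    for record in minimize_for_release(SAMPLE_READS, b"constructed-key-recipient-1"):
        print(record)
```

Daily totals keep the overall consumption figure intact while dropping the time-of-day detail; whether a recipient needs anything finer is a question for the PIA.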
Energy Production Data Privacy Risks
More consumers are becoming energy prosumers and pumping
electricity into the Smart Grid that is generated from their distributed
energy resources (DERs). This book’s authors live in states that
are leaders in prosumer energy generation. Rebecca lives in Iowa,
which is number 1 in the nation in wind energy production.† Rebecca
is acquainted with many who have wind generators on their land.
Iowa landowners with wind turbines on their land receive more than
$16 million annually in lease payments.‡ Christine lives in California,
which just passed SB871, which provides substantial incentives to
photovoltaic (PV) solar system owners, such as full residential tariff
credit for their excess daytime power and a 30% investment tax credit
for buying a capital asset that generates long-term tax-free income in
the form of avoided utility bills.§ California leads the United States in
cumulative solar energy production and capacity.¶ There are privacy
risks that are also related to prosumer energy production data. Some
of the data that is involved in these risks includes:
• Name and address of the prosumer
• Amount of energy produced
• Amount of energy used by the prosumer on-site
• Payments made for the energy sold back to the utility
• Log of electricity generation history
* Ibid., p. 11.
† During 2012, Iowa produced a national record of almost 25% of all the electricity
generated in the state from wind turbines. Iowa is back to first in the nation in terms
of the percentage of total generation from wind energy. Iowa was also the first state
in the nation to exceed 20% of total generation coming from wind energy. Iowa’s
installed wind generators can produce enough power to provide electricity to over
1,500,000 average-sized homes. http://www.iowawindenergy.org/whywind.php
(accessed June 20, 2014).
‡ http://www.iowawindenergy.org/whywind.php (accessed June 20, 2014).
§ Published June 27, 2014, http://www.breitbart.com/Breitbart-California/2014/06/27/Solar-Power-is-not-Green-it-s-Filthy.
¶ http://www.seia.org/research-resources/solar-industry-data (accessed June 29, 2014).
Not only are utilities interested in this data (and they have a primary
purpose in maintaining grid stability as well as financial
settlements), but also many other entities would likely want to know
this information—all creating privacy concerns. Some of these entities
include:
• Neighbors of the prosumers
• Insurance companies
• Government agencies
• Law enforcement
• Smart Grid component vendors
• Marketing agencies
• Ex-partners and ex-spouses
• Criminals
• Politicians
Identifying Risks
The most effective way to identify specific privacy risks, such as those
described in Table 7.1, is by doing a privacy impact assessment (PIA).*
A PIA† is a structured and repeatable type of analysis of how information
relating to or about individuals, or groups of individuals, is handled.
A report similar to an audit report is generated to describe the
types of privacy risks discovered based upon each privacy category,
to document the findings, and then to provide recommendations for
mitigating the privacy risk findings. Common goals of a PIA include:
1. Determining if the information handling and use within the
identified scope complies with legal, regulatory, and policy
requirements regarding privacy
2. Determining the risks and effects of collecting, maintaining,
and disseminating information in identifiable, or clear text,
form in an electronic information system or groups of systems
* For more information about PIAs, along with PIA tools, see http://www.privacyprofessor.org.
† This section is updated text originally from Rebecca Herold, The Privacy Management
Toolkit, Houston: Information Shield, January 2006.
3. Examining and evaluating the protections and alternative
processes for handling information to mitigate the identified
potential privacy risks
There are many times when a PIA can be beneficial and should be
conducted by utilities, vendors of products or services, energy services
providers (ESPs), and any other entities that may handle energy usage
data. Here are some of the most important times to conduct a PIA:
1. Conduct an initial PIA before making the decision to deploy
a Smart Grid service or tool, or to participate in the Smart Grid.
2. Conduct a PIA following significant organizational, systems,
applications, or legal changes.
3. Conduct a PIA following privacy breaches and information
security incidents involving personal information.
4. Conduct a PIA as an alternative, or in addition, to an inde-
pendent audit.
5. Conduct a PIA on the designs of any new Smart Grid prod-
uct or service.
6. Conduct a PIA when mergers or acquisitions occur.
7. Conduct a PIA on divestiture plans prior to initiating the
divestiture.
Privacy Risk Mitigation Methods
Once an organization identifies privacy risks, appropriate risk mitigation
actions need to be determined. Here are some of the most effective
methods to mitigate privacy risks within the Smart Grid.
1. Adopt existing and recognized privacy principles and frame-
works to guide your organization’s decisions involving per-
sonal information or energy data of all kinds.
When creating or updating a privacy management pro-
gram, organizations should start with existing, comprehen-
sive, well-vetted, and widely accepted privacy standards or
principles. The following are some of the most commonly
used privacy standards and policies:
a. OECD Privacy Framework. On September 23, 1980,
the Organization for Economic Cooperation and
Development (OECD), whose membership consists of 34
countries, reached a consensus on issues related to the protection
of privacy to promote the free flow of information
across country borders and to prevent legal issues related
to the protection of privacy from creating obstacles to the
development of their economic and social relations. These
are reflected in the eight OECD Privacy Guidelines,
which were most recently updated at the time this book
was written in 2013.*
b. American Institute of Certified Public Accountants
(AICPA)/Canadian Institute of Chartered Accountants
(CICA) Generally Accepted Privacy Principles
(GAPPs). Most commonly known as the AICPA/CICA
GAPPs, these privacy tools include a universal framework
for CPAs to conduct risk assessments and provide
criteria to protect the privacy of personal information. The
AICPA/CICA GAPPs’ Security for Privacy Principles
have been mapped to ISO/IEC 27002.†
c. APEC Privacy Framework. Published in 2005, this
framework establishes and promotes an approach to pro-
tecting privacy when sharing information throughout
Asia Pacic Economic Cooperation (APEC) member
countries, with a goal of removing barriers to the free ow
of information.‡
d. European Union (EU) Privacy Framework. The
European Commission has proposed reforms to existing
1995 data protection rules that include a single set of rules
on data protection that include a policy communication,
a regulation setting out a general EU framework for data
protection, and a directive to protect personal data pro-
cessed for judicial activities.§
* See full OECD Guidelines on the Protection of Privacy and Transborder Flows of
Personal Data, http://www.oecd.org/sti/ieconomy/privacy.htm.
† See more at http://www.aicpa.org/INTERESTAREAS/INFORMATIONTECHNOLOGY/RESOURCES/PRIVACY/Pages/default.aspx.
‡ See more at http://www.apec.org/Groups/Committee-on-Trade-and-Investment/~/media/Files/Groups/ECSG/05_ecsg_privacyframewk.ashx.
§ See http://ec.europa.eu/justice/data-protection/index_en.htm.
e. Fair Information Practice Principles (FIPPs). The
FIPPs are a set of principles based upon the tenets of the
U.S. Privacy Act of 1974. Several slightly different versions
are used by various U.S. federal agencies, including
the Department of Homeland Security, the Federal Trade
Commission, and the Department of Commerce. For the
Department of Homeland Security (DHS), the FIPPs are
transparency, individual participation, purpose specification,
data minimization, use limitation, data quality and
integrity, security, and accountability and auditing. For
the Federal Trade Commission (FTC), they are notice/
awareness, choice/consent, access/participation, integrity/
security, and enforcement/redress.
f. ISO/IEC 15944-8 Information Technology. Business
Operational View. Identification of privacy protection
requirements as external constraints on business transactions.
Modeling business transactions using scenarios and
scenario components is done by specifying the applicable
constraints on the data content using explicitly stated
rules. External constraints apply to most business transactions.
This part of ISO/IEC 15944 describes the business
semantic descriptive techniques needed to support privacy
protection requirements when modeling business transactions
using the external constraints of jurisdictional
domains. It was published in April 2012.
g. ISO/IEC 27002: Information Technology—Security
Techniques—Code of Practice for Information
Security Management. Section 15. The International
Organization for Standardization (ISO) and the
International Electrotechnical Commission (IEC) jointly
issued this international standard, last updated and pub-
lished in December 2005. It is part of a growing family
of ISO/IEC information security management systems
(ISMSs) standards. It is the security compliance standard.
ISO/IEC 27002 provides a security framework. Section
15 covers compliance, including legal requirements; secu-
rity policies and standards and technical compliance; and
information systems audit considerations.
h. ISO/IEC 29100: Information Technology—Security
Techniques—Privacy Framework. This international
standard published in December 2011 provides a privacy
framework that specifies a common privacy terminology;
defines the actors and their roles in processing personal
information; describes privacy safeguarding considerations;
and provides references to known privacy principles
for information technology.
i. Privacy by Design (PbD). This is a privacy framework
by Ann Cavoukian, PhD, information and privacy commissioner
of Ontario. PbD promotes the proactive incorporation
of privacy as the default and data protections
embedded throughout the entire life cycle of systems and
technologies. The seven foundational principles of PbD
were published in August 2009.*
2. Identify and use privacy standards and guidelines from
authoritative organizations to support privacy efforts.
Many different organizations have created privacy standards
and guidelines to support the privacy principles and
frameworks. The following is a good representation of some
of the groups that have established a wide variety of privacy-
related standards and guidelines on various topics that entities
in the Smart Grid can use to help mitigate their privacy risks.
a. In 2011, the North American Energy Standards Board
(NAESB) created a Data Privacy Task Force to develop
model business practices for third-party access to consumer
Smart Grid data. The task force’s goal was to develop model
business practices based on existing reports and laws.† At
the time of this writing, NAESB had published the follow-
ing nonbinding privacy standards for the energy industry:
i. NAESB REQ.22, Third Party Access to Smart Meter
Based Information. Per NAESB, the “document
* See more at http://privacybydesign.ca/.
† See information about the NAESB Data Privacy Task Force activities at http://
www.naesb.org/news.asp.
establishes voluntary Model Business Practices for Third
Party access to Smart Meter-based information. These
business practices are intended only to serve as flexible
guidelines rather than requirements, with the onus on
regulatory authorities or similar bodies to establish the
actual requirements.”* NAESB based the privacy recom-
mendations within this standard largely upon the rec-
ommendations provided within NISTIR 7628 Rev. 1.†
After completing the draft of REQ.22, the NIST Smart
Grid CSWG Privacy Group also provided recommen-
dations for how it could add privacy protection improve-
ments to the standard.‡ NAESB subsequently made
updates to the original version of the standard.§
ii. NAESB REQ.21, Energy Services Provider Interface.¶
Per NAESB, the “purpose of the NAESB Energy
Services Provider Interface (ESPI) standard (REQ.21)
is to create a standardized process and interface for the
exchange of a retail customer’s energy usage informa-
tion between their designated data custodian (i.e.,
distribution company) and an authorized third party
service provider.” REQ.21 includes some recommen-
dations for mitigating the associated privacy risks.
b. On December 16, 2010, the U.S. Department of
Commerce National Telecommunications and Information
Administration (NTIA) published “Commercial Data
Privacy and Innovation in the Internet Economy: A
Dynamic Policy Framework.”** Because many consider the
Smart Grid to be a new type of telecommunications net-
* See the background and accompanying information NAESB provided about the standard at
http://members.sgip.org/apps/group_public/download.php/2883/NAESB%20REQ%2022%20Voting%20Package.pdf.
† See http://nvlpubs.nist.gov/nistpubs/ir/2014/NIST.IR.7628v1.pdf
‡ See https://www.naesb.org/pdf4/r12008.doc.
§ See naesb.org/pdf4/naesb_bulletin_vol5_issue3.pdf.
¶ See the text at http://www.naesb.org/ESPI_standards.asp.
** See it at https://www.smartgrid.gov/news/doe_addresses_privacy_data_enabled_smart_grid_technologies_convenes_multistakeholder_process.
work, utilities and other Smart Grid participants are using
this for their privacy program implementation.
c. On January 31, 2012, the U.S. Department of Energy,
Office of Electricity Delivery and Energy Reliability (DOE
OE) hosted the Smart Grid Privacy Workshop to facili-
tate a dialog among key industry stakeholders. In response
to workshop findings and in support of the privacy blueprint,
DOE OE and the Federal Smart Grid Task Force
are facilitating a multistakeholder process to develop a vol-
untary code of conduct (VCC) for utilities and third par-
ties providing consumer energy use services that addresses
privacy related to data enabled by Smart Grid technologies.
The following work groups were created to develop a set of
privacy standards to support this effort:
− Mission Statement Work Group
− Notice/Awareness Work Group
− Choice/Consent Work Group
− Access/Participation Work Group
− Integrity/Security Work Group
− Management/Redress Work Group
− Integration Work Group
− Implementation Work Group
At the time of this writing a wide collection of draft
and final privacy principles had been created.*
d. In October 2009 the Home-to-Grid Domain Expert
Working Group (H2G DEWG) at NIST published the
“Privacy of Consumer Information and Devices in the
Electric Power Industry.”† The paper outlined:
− The importance of providing consumers ownership of
their associated energy usage data
− Recommended industry privacy policies
* Rebecca Herold also participates in some of these groups. See all the content created
by the work groups at
https://www.smartgrid.gov/news/doe_addresses_privacy_data_enabled_smart_grid_technologies_convenes_multistakeholder_process.
† This document was written by Rik Drummond and edited by Rebecca Herold and
Dr. Ken Wacks. Also participating in the development of this document were Dr.
Matthew Schneider of Emerson Electric and Larry Silverman of GridPlex, Inc. See
it at http://collaborate.nist.gov/twiki-sggrid/pub/SmartGrid/H2G/Priv-V3.pdf.
− Privacy risks of inappropriate energy usage data use
e. In December 2012, the State and Local Energy Efficiency
Action Network published “A Regulator’s Privacy Guide to
Third-Party Data Access for Energy Efficiency: Customer
Information and Behavior Working Group.”* This document
contains a summary of privacy legal requirements
throughout the energy industry, as well as in other indus-
tries. It also includes a long list of references to a wide
variety of privacy standards.
3. Document and implement organizational privacy policies,
procedures, and assigned responsibilities.
Organizations within the Smart Grid sector will mitigate
privacy risks by developing documented privacy policies† to
define the consumer and premises information, how the information
will be safeguarded, how that information should be
retained, how information can and cannot be shared with
third parties, and how information will be secured against
breach. The policies should be supported by documented procedures
that are written to support the business environment.
Providing education to employees is critical to the success of
the policies and procedures. All employees should be provided
regular privacy training,‡ which should include clear explana-
tion of each employee’s responsibilities for complying with the
privacy policies. Ongoing awareness communications should
be provided to make sure employees are reminded of the pri-
vacy policies requirements, their personal responsibilities for
privacy, and the privacy procedures that are applicable to them.
Similarly, Smart Grid services consumers and custom-
ers should be provided with a privacy notice that clearly and
* Prepared by M. Dworkin, K. Johnson, D. Kreis, C. Rosser, and J. Voegele, Vermont
Law School; S. Weissman, UC Berkeley; and M. Billingsley and C. Goldman,
Lawrence Berkeley National Laboratory. See
http://www1.eere.energy.gov/seeaction/pdfs/cib_regulator_privacy_guide.pdf.
† For privacy policies templates specific to utilities and other Smart Grid entities, see
http://www.privacyprofessor.org.
‡ For guidance on privacy training and awareness programs, see Rebecca Herold,
Managing an Information Security and Privacy Awareness and Training Program, Boca
Raton: Auerbach, 2010, http://www.crcpress.com/product/isbn/9781439815458.
succinctly describes the information the organization is col-
lecting and how that information will be used, shared, and
secured. The consumers and customers should also be told
the procedures they need to follow to gain access to their
own applicable information, and their options for submitting
requests to correct information, as well as to delete information
that is no longer valid, or no longer needed to support the
service provided by the organization.
4. Utilize privacy use cases to identify where to include privacy
protections and data safeguards.
Develop privacy use cases that track data flows containing
personal information, energy usage data, energy consump-
tion data, or energy production data to address and mitigate
common privacy risks that exist for business processes within
an organization or between organizations. Privacy use cases
help IT and network architects, functional process owners,
and engineers build or specify privacy protections into their
products, processes, and operations to mitigate privacy risks.
A privacy use case is a description of data flows within a specific
scenario or scope that will help entities to rigorously track
data flows and the privacy implications of collecting and using
data, and will help organizations to address and mitigate the
associated privacy risks within common technical design and
business practices. Privacy use cases reflect the electricity value
chain and the impacts that Smart Grid technologies, new poli-
cies, new markets, and new consumer interactions will have on
the privacy of customers and consumers within the Smart Grid.
The privacy use cases can serve as a valuable tool for all types of
Smart Grid entities, including utilities; energy service companies
(ESCOs); vendors of products and services that may include col-
lection, storage, or communication of personal data; and policy
makers, to better understand the implications of Smart Grid
technology changes to existing processes and procedures.
When the general privacy concerns have been identified,
the entities within each part of the Smart Grid sector can
then look at their associated business processes and techni-
cal components to determine the privacy concerns that exist
within their scope of use and participation. Privacy use cases
may be utilized to represent generalizations of specific scenarios
that require interoperability between systems and participants
in support of business processes and workflow. Through
structured and repeatable analysis, business use cases can be
elaborated upon as interoperability/technical privacy use cases
to be implemented by the associated entities. The resulting
details will allow those responsible for creating, implement-
ing, and managing the controls that impact privacy to do so
more effectively and consistently.
Table 7.2 is one of the 44 privacy use cases within NISTIR
7628 Rev. 1.* This provides an example of a privacy use case
format that can be used by Smart Grid entities to establish
their own Smart Grid privacy use cases for their own specific
services and products they are creating for Smart Grid
use. Developers of Smart Grid applications, systems, and
operational processes can employ a more comprehensive set of
privacy use cases to create architectures that build in privacy
protections to mitigate identified privacy risks.
5. Use data aggregation, de-identification, and other similar
techniques, where appropriate and effective, to protect privacy.
Throughout hundreds of Smart Grid meetings the authors
have attended over the years, one of the most common meth-
ods touted to protect privacy is to use aggregated data so that
individual energy consumers and prosumers and their asso-
ciated activities and personal information are not able to be
revealed. However, there are real concerns with how well
aggregation and de-identification methods work, and the lack
* The privacy use cases in NISTIR 7628 Rev. 1 were created by a subteam of the NIST
Smart Grid CSWG Privacy Group. The subteam was led by Christine Hertzog and
the team included Rebecca Herold, Tanya Brewer (NIST), Sarah Cortes (Inman
Technologies), and Brandon Robinson (Balch & Bingham). Marianne Swanson,
who was the senior advisor, Information Systems Security, Information Technology
Laboratory, and leader of the NIST CSWG groups at the time, was also a strong
supporter of the efforts of the subteam to create the privacy use cases. The subteam
created the privacy use cases by expanding the collection of CSWG use cases to
cover all Smart Grid value chain participants, in addition to utilities (regulated or
not) that will offer Smart Grid-related products and services. See the full set of 44
privacy use cases in Appendix E of NISTIR 7628 Rev. 1; see
http://nvlpubs.nist.gov/nistpubs/ir/2014/NIST.IR.7628r1.pdf.
Table 7.2 Example Privacy Use Case

Category: AMI
Privacy use case 1
Scenario: Meter sends information

CATEGORY DESCRIPTION
Advanced metering infrastructure (AMI) systems consist of the hardware, software, and associated system and data management applications that create a communications
network between end systems at customer premises (including meters, gateways, and other equipment) and diverse business and operational systems of utilities and third
parties. AMI systems provide the technology to allow the exchange of information between customer end systems and those other utility and third-party systems. In order to
protect this critical infrastructure, end-to-end security must be provided across the AMI systems, encompassing the customer end systems as well as the utility and
third-party systems that are interfaced to the AMI systems.

SCENARIO DESCRIPTION
A meter sends automated energy usage information to the utility (e.g., meter read (usage data)). The automated send of energy usage information is initiated by the meter
and is sent to the advanced metering infrastructure (AMI) head end system (HES). The head end system message flows to the meter reading and control (MRC). The MRC
evaluates the message. The MRC archives the automated energy usage information and forwards the information to the meter data management systems (MDMSs).
• Meter configuration information
• Periodic meter reading
• On-demand meter reading
• Net metering for distributed energy resources (DERs) and plug-in electric vehicle (PEV)

SMART GRID CHARACTERISTICS
• Enables active participation by consumers
• Enables new products, services, and markets
• Optimizes asset utilization and operates efficiently

CYBER SECURITY OBJECTIVES/REQUIREMENTS
• Confidentiality (privacy) of customer metering data over the AMI system, metering database, and billing database to avoid serious breaches of privacy and potential legal repercussions
• Integrity of meter data is important, but the impact of incorrect data is not large
• Availability of meter data is not critical in real time

POTENTIAL STAKEHOLDER ISSUES
• Customer data privacy and security
• Third party or party acting as an agent of the utility has access to energy usage information for market or consumer services
• Third party or party acting on behalf of the utility has reliable data
• Customer data access
• Reliable data for billing

DATA PRIVACY RECOMMENDATIONS
1.1 Any individually negotiated purchase agreement that contains or is associated with personally identifiable customer data should be subject to the same privacy
and security applications as personally identifiable data.
1.2 Meter read data should be evaluated to determine if they should be protected data regardless of type of service or tariff or scheduled meter read frequency, and
the same policy notice can apply. Similarly, the same choice and consent information can be used across all scenarios noted above, with the caveat that if any
contracted agents are involved, the individual has been notified and consented to the contracted agent’s access to the data identified as necessary for that
activity. This notice may happen within the initial privacy notice given at account setup.
1.3 Customer access to data in real time or near real time, particularly for net metering/feed-in tariff (FiT) data, is important for many customers to optimize
performance of assets that generate or store electricity. This access should be limited to the consumer associated with the meter, the utility for operational and
billing purposes or its authorized agent, and consumer-authorized third parties. (The OECD principle for access indicates that individuals should have access
to data associated with them.)
1.4 Meter reading is an ongoing activity, so it is important that utilities create a monitoring and enforcement process that ensures compliance on a continuous
basis.
1.5 Utility-authorized agents or third parties may be given access to meter reading data for various customer peer performance/comparison purposes. These agents
or third parties should also conform and comply with utility privacy policies, and customers should consent to the disclosure of their information to these
agents or third parties.

AICPA PRINCIPLE / APPLIES: X / NOTES
1.6 Management principle. Applies: X. Notes: An individual, team, or department should be assigned responsibility for ensuring policies and
procedures exist that cover the situations involved within this use case scenario.
1.7 Notice principle. Applies: X. Notes: Should be provided for all meter reading, regular consumption, and net metering scenarios.
1.8 Choice and consent principle. Applies: X. Notes: Ensures that when customers sign up for service that this choice and consent requirement is met.
1.9 Collection principle. Applies: X. Notes: Over time, data collection may change as new applications, technologies, or correlations of data are
made available. Utility policy should indicate that collection purposes may change over time, and that
utilities will notify customers of any proposed changes that may impact collection in order to secure an
updated choice and consent.
1.10 Use and retention principle. Applies: X. Notes: Retention may be impacted by time frames to record and compensate for net metering scenarios. Data
retention may also be impacted by local, state, or federal laws/regulations/requirements outside of
utility operational needs.
1.11 Access principle. Applies: X. Notes: Access to the meter usage data, and any associated data that could reveal personal data, should be
limited to only those who need such access to perform their job activities.
1.12 Disclosure to third parties principle. Applies: X. Notes: Utility net metering payments to customers may be considered revenue or income, and thus subject to
tax laws, or garnishments for child support, legal claims, etc. Requests may come from law
enforcement agencies or other entities that make requests for information from utilities. Some of the
legal implications may not require implicit or explicit consent.
1.13 Security for privacy principle. Applies: X. Notes: Safeguards should be applied as appropriate to mitigate associated risks to an acceptable level.a (For
more discussion on security particulars, please see NISTIR 7628 Volume 3 Revision 1 on high-level
security requirements.)
1.14 Quality principle. Applies: X. Notes: Controls should be established to ensure meter usage is as accurate as necessary for the purposes for
which they are being collected.
1.15 Monitoring and enforcement principle. Applies: X. Notes: This should not be just a once and done audit on a yearly basis since meter reading is an ongoing
activity. Utilities should create a practice of regular compliance monitoring on a rolling basis to
completely cover the customer records on a several times a year frequency.
of control over each aggregated or de-identified data set once
it has been created. Here are just a couple of the problems:
a. For one de-identification risk example, it may not be possible
to reidentify individuals from a single de-identified data set.
However, if other data is combined with a de-identified data
set, use of a variety of different types of algorithms may be
used to achieve reidentification. Reidentification refers to
the ability to use methodologies to determine specific individuals
that were removed from de-identified data sets.
b. As an aggregation risk example, disaggregation
refers to a set of statistical approaches for extracting
end use or appliance-level data from an aggregated
energy signal from a meter or other specialized device.*
Disaggregation technologies can be used on energy usage
data to analyze the frequency and durations for use of the
studied appliances. See Figures 7.1 and 7.2 for examples of
the details disaggregation can reveal.
The possibility of disaggregation of anonymized data and
reidentification is not just theory; it has been demonstrated
multiple times in recent years.† The interest in disaggregation
continues to increase, as demonstrated in 2013 when
Belkin Energy had a disaggregation competition to advance
* For a discussion of disaggregation, see Energy Policy, 52, 213–234, 2013, Special
Section: Transition Pathways to a Low Carbon Economy,
http://www.sciencedirect.com/science/article/pii/S0301421512007446.
† As described in Klaus Kursawe, How to Have the Cake and Eat It, Too: Protecting Privacy
and Energy Efficiency in the Smart Grid, Institute for Computing and Information
Science, Radboud University, Nijmegen, The Netherlands:
That this kind of re-identification is possible has been shown in past studies, e.g., on
Netflix movie preference data [NaSh08]. In all those cases, data that was anonymised
(such as movie preferences, or anonymised health data) could be de-anonymised with
a surprising efficiency. It is therefore no longer possible to cleanly separate between
personal identifiable data and harmless data, as each additional data item makes identification
a little bit easier. Due to the wealth of data that can be derived in smart grid
readings, there is a clear indication that the approach of simply separating identifiable
and anonymous data is a good start, but will quickly reach its limits.
As a more concrete example, grid data may reveal that a person always stays up
late when a particular TV show is on, which in return may give some demographic
data. It also can be linked with some semi-public data (e.g., people who ‘like’ this
show on social networks) to assist in the de-anonymisation. Additional data mining
may give information about my occupation, holiday schedule, religious preference,
etc, which all narrow down the anonymity.
[Figure 7.1 plot: power (W), 0 to 3500, against time, 00:00 to 07:00, with one trace per appliance: oven, fridge, dishwasher, kitchen outlets 1 to 4, lights 1 to 3, washing machine, microwave, bathroom GFI, electric heater, stove.]
Figure 7.1 Examples of the details disaggregation can reveal. (From O. Parson et al., Non-
Intrusive Load Monitoring Using Prior Models of General Appliance Types, presented at 1st
International Workshop on Non-Intrusive Load Monitoring, Pittsburgh, PA, 2012.)
Figure 7.2 Examples of the details disaggregation can reveal. (From Sidhant Gupta et al.,
ElectriSense: Single-Point Sensing Using EMI for Electrical Event Detection and Classification in the
Home Best Paper Award, November 2012, http://homes.cs.washington.edu/~sidhant/research.html.
See accompanying video at https://www.youtube.com/watch?v=dcPI1Cp0VZI.)
the use of disaggregation as a way to improve energy usage.*
Therefore, if an entity is going to use anonymization of aggregated
data or de-identification as a privacy mitigation tool, it
needs to establish well-defined rules to govern the use of such
data.† These rules should include at least the following:
i. Establish documented policies and supporting procedures.
The rules for when, where, why, and how aggregated
and de-identified data should be used need to be
established within policies. Procedures with specific
steps for how to comply with those policies also need to
be documented within each department that wants to
create, use, or share such de-identified and aggregated
data. Having these policies and procedures clearly doc-
umented will enable the organization to perform such
activities in a consistent way, and also make clear that
other methods are not approved for use.
ii. Use an aggregation protocol that has been demonstrated
to be effective for preserving privacy. Too many
ineffective de-identification and aggregation methods
are used by organizations, using simplistic methods
that provide little to no privacy protections. For example,
throughout her work with many energy industry
organizations over the past decade, one of the authors
(Rebecca Herold) found that many organizations simply
removed the name or address from a data set and
called it de-identified. Two examples of proven effective
aggregation methods include the Diffie–Hellman-
based private aggregation (DiPA) protocol and the
low-overhead private aggregation (LoPA) protocol.‡
* See https://www.kaggle.com/c/belkin-energy-disaggregation-competition.
† For in-depth discussion of the need for de-identified data controls, see Daniel
C. Barth-Jones, The ‘Re-Identification’ of Governor William Weld’s Medical
Information: A Critical Re-Examination of Health Data Identification Risks and
Privacy Protections, Then and Now, June 4, 2012, http://ssrn.com/abstract=2076397
or http://dx.doi.org/10.2139/ssrn.2076397.
‡ See a good explanation of these protocols within Klaus Kursawe, How to Have the Cake
and Eat It, Too: Protecting Privacy and Energy Efficiency in the Smart Grid, Institute for
Computing and Information Science, Radboud University, Nijmegen, The Netherlands.
iii. Establish data minimization requirements for de-identified
and aggregated data. Besides removing the more
obvious personal information items, all other items
that are not necessary for the purposes for which the
aggregated data is being used should also be removed.
The less data that remains, but still supports the de-identification
and aggregation purposes, the less privacy
risk there will be.
iv. Do not combine aggregated or de-identified data sets
with other data sets that contain the types of data that
have been removed, or new types of data that were not
in the original data set. This applies to other aggregated
and de-identified data sets. Whenever additional types
of data items are introduced to an aggregated or de-identified
data set, this will pollute the integrity of the
data set and increase the risk that those additional items
may have allowed for reidentification or disaggregation.
Clearly documented policies and procedures need to be
in place for this issue.
v. Require any employee, contractor, or other third party
that wants to include new data elements (which might
add quasi-identifiers and thus increase reidentification
risks) with de-identified or aggregated data to provide
legitimate validation that the data remain de-identified
or aggregated following the introduction of the
new data elements.
vi. Prohibit attempts to reidentify or disaggregate data if
statisticians with expertise in reidentification and disaggregation
indicate a valid risk exists that such activities
could reveal individuals and their relatives, family, or
household members. As indicated earlier, many organizations
are actively using such disaggregation
methods, so it is important for the privacy, information
security, and legal offices to discuss the needs for such
actions and balance the approved activities with privacy
risk mitigation actions.
vii. Specify that de-identification status no longer applies
if, at any time, the data contains data elements that can
now be used to identify an individual in some manner.
viii. Formally document within policies and procedures a
requirement for data recipients and users of statistically
de-identified and aggregated data to always comply
with any time limits, data use restrictions, qualifications,
or conditions established within the statistical
de-identification determination associated with the data.
ix. Establish policies and procedures to require others
to protect the data to prevent unauthorized access.
Require that those holding and using de-identified
and aggregated data implement and maintain appro-
priate data security and privacy policies, procedures,
and associated physical, technical, and administrative
safeguards as appropriate to ensure the data is accessed
and used only by personnel or parties who have agreed
to these same restrictions and conditions. Also require
that the data will remain de-identified and aggregated,
and that reidentification and disaggregation attempts
are prohibited. It is important to note that extensive
safeguards and associated security controls may not
be necessary for data that has statistically been determined
to have a low probability of reidentification.
However, for data sets with mid to high likelihood,
safeguards and security controls need to ensure risks of
reidentification and disaggregation attempts are controlled
and kept acceptably low.
x. Require those transferring de-identified or aggregated
data to third parties to enter into data use agreements
and contracts that require the data recipients to also
comply with the previously described actions and
requirements. This will enable the important chain of
custody* data stewardship principle to be maintained
for the accompanying de-identified or aggregated data
throughout its uses.
* See Chapter 4 for more information on the chain of custody concept.
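The validation that rules iii, v, and vii call for can be run as a repeatable check before any new data element is joined to a released data set. The following Python example is added here and is not from the book or from NISTIR 7628; it uses k-anonymity, a measure this chapter does not name, and the column names, sample rows, and threshold k = 3 are constructed assumptions. Passing the check shows only that no record is unique on the listed columns, not that the data set resists every linkage.

```python
from collections import Counter

# Constructed sample rows (not real customer data). Name and service address
# have already been removed, the "simplistic" de-identification criticized in
# rule ii. All column names are hypothetical.
COLUMNS = ("row", "zip3", "rate_class", "has_pev", "heating")
ROWS = [
    (1, "503", "residential", False, "gas"),
    (2, "503", "residential", False, "gas"),
    (3, "503", "residential", False, "gas"),
    (4, "503", "residential", True, "gas"),
    (5, "522", "residential", False, "gas"),
    (6, "522", "residential", False, "gas"),
    (7, "522", "residential", False, "gas"),
    (8, "522", "residential", True, "electric"),
    (9, "522", "residential", True, "electric"),
    (10, "522", "residential", False, "electric"),
]
RECORDS = [dict(zip(COLUMNS, r)) for r in ROWS]


def class_key(record, quasi_identifiers):
    """Values of the quasi-identifier columns for one record."""
    return tuple(record[q] for q in quasi_identifiers)


def class_sizes(records, quasi_identifiers):
    """How many records share each combination of quasi-identifier values."""
    return Counter(class_key(r, quasi_identifiers) for r in records)


def k_anonymity(records, quasi_identifiers):
    """Size of the smallest group; 1 means at least one record is unique."""
    sizes = class_sizes(records, quasi_identifiers)
    return min(sizes.values()) if sizes else 0


def exposed_rows(records, quasi_identifiers, k):
    """Row ids that fall in a group smaller than k."""
    sizes = class_sizes(records, quasi_identifiers)
    return sorted(
        r["row"] for r in records
        if sizes[class_key(r, quasi_identifiers)] < k
    )


def minimize(records, needed):
    """Rule iii: keep only the columns the stated purpose needs."""
    return [{c: r[c] for c in needed} for r in records]


def validate_new_elements(records, released, proposed, k=3):
    """Rule v: check that adding `proposed` columns keeps every record in a
    group of at least k. Rule vii: if not, de-identified status is lost."""
    combined = list(released) + [c for c in proposed if c not in released]
    for column in combined:
        if any(column not in r for r in records):
            raise KeyError(f"column missing from some records: {column}")
    k_after = k_anonymity(records, combined)
    return {
        "k_before": k_anonymity(records, released),
        "k_after": k_after,
        "approved": k_after >= k,
        "exposed_rows": exposed_rows(records, combined, k),
    }


if __name__ == "__main__":
    released = ["zip3", "rate_class"]
    for extra in (["has_pev"], ["heating"]):
        print(extra, validate_new_elements(RECORDS, released, extra, k=3))
```

In the constructed data, adding the plug-in electric vehicle flag leaves one account unique within its ZIP prefix, so the request is rejected and the affected rows are listed for suppression or generalization, while the heating column keeps every group at three or more.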
6. Build privacy controls into smart meters and other smart devices.
Use the results of research and the privacy use cases to build
privacy controls into smart meters and other smart devices.
Some effective controls to consider include*:
a. Encrypt the meter data in storage locations and while
being transmitted through networks.
b. Provide the associated smart meter, or other type of smart
device, and consumer the ability to control the levels of
aggregation and de-identification within the smart device,
to the level that still allows for the utility or smart device
supplier to be able to obtain the necessary business value.
c. Collect the minimum amount possible of personal infor-
mation from the individuals using smart meters and smart
devices without lessening the range and quality of services
provided.
d. Retain data within the smart device for only the amount
of time necessary to provide the associated service.
e. Provide methods for consumers to have choices and con-
trol over how the associated data from smart devices is
used and shared.
f. Securely dispose of personal information and energy data
when they are no longer needed for the purpose for which
they were originally collected.
g. Obtain consent whenever possible prior to collecting per-
sonal information and energy data.
h. Implement data integrity methods and tools.
i. Implement technical logs to record each entity or individual
that has accessed personal information and energy data.
For more details about security safeguards to use, see
NISTIR 7628 Volume 1 Revision 1 and NISTIR 7628
Volume 3 Revision 1.
* For a detailed paper discussing how to build some of these privacy controls into smart
meters, in addition to others, see Future of Privacy Forum and Dr. Ann Cavoukian,
SmartPrivacy for the Smart Grid: Embedding Privacy into the Design of Electricity
Conservation, Information and Privacy Commissioner, Ontario, Canada, November
2009, http://www.ipc.on.ca/images/Resources/pbd-smartpriv-smartgrid.pdf.
7. Obtain cyber security and breach insurance.
It is becoming common, and indeed a basic expected busi-
ness practice, to obtain cyber security and breach insurance
in many industries, such as the financial and retail sectors. It
is also a good idea for entities within the Smart Grid sector
to obtain cyber security and breach insurance given the many
risks that are involved within this vast new converged grid and
network.* Such insurance will be a way to transfer some of the
liability risk to another entity in the event of a security incident
or privacy breach; it does not replace the need to implement a
comprehensive information security and privacy program.
Of paramount importance is getting valuable insurance,
and not simply purchasing the first cyber insurance that may
pop up in an online search. Look for insurance that covers the
following:
a. Privacy breaches and the associated costs. Look for poli-
cies that provide discounts for implementing a compre-
hensive privacy program (as described in this book).
b. Information security incidents and associated costs, including
the downtime and any associated financial losses.
c. Cost of lawyers and related court costs in the event of
lawsuits.
d. Fines and penalties applied by regulatory oversight agen-
cies, if not expressly forbidden by any applicable laws or
regulations.
e. Insurance that assigns a value to both tangible and intan-
gible assets, such as customer information and energy data.
f. Physical damage to the network components, includ-
ing smart meters and smart appliances, as applicable.
Many cyber security insurance policies don’t cover physi-
cal damage, so it is important to be sure and check on
this. Many cyber security policies also exclude physical
* For a full discussion of the need for cyber security insurance, including consider-
ations for utilities and others within the Smart Grid, see Cybersecurity Insurance
Workshop Readout Report, National Protection and Programs Directorate, U.S.
Department of Homeland Security, November 2012,
https://www.dhs.gov/sites/default/files/publications/cybersecurity-insurance-read-out-report.pdf.
damage from supervisory control and data acquisition
(SCADA) system attacks.
g. Incidents and breaches that are caused by insiders (employ-
ees and contracted entities).
h. Reputational risk provisions that protect corporate boards
of directors are built in to many cyber security insurance
policies. These are designed to reward companies that
adopt information security and privacy policies, stan-
dards, practices, and controls that restore their operations
(and reputations) quickly.
i. Provisions for guaranteed service and backup operations,
as available and possible.
It is to be expected that the more these coverages include,
the higher the premium will be. Each entity needs to determine
the risks that apply to it, and then choose coverage for
the possible costs of those risks, should they be exploited,
that it wants to transfer to the insurer.
8. Include privacy provisions within vendor contracts.
As mentioned within the de-identification and aggregation
controls, other individuals and entities that are given
access to the data must be contractually bound to protect
that data. A high-level listing of requirements to include in
outsourced vendor contracts when personal information or
energy data is shared with them, or if they have access to it
in any way, follows*:
a. Privacy notices. Require contractors and other third
parties to provide a privacy notice to energy customers
prior to sharing personal information or energy data with
another party, and also when a significant change in
organizational structure, such as merger, bankruptcy, or
outsourcing, occurs.
b. Customer authorization for disclosures. Require contractors
and other third parties to seek customer authorization
prior to disclosing personal information or energy
data to other parties unless the service for which the data
disclosure is necessary has been previously authorized by
the customer.
* See the full details for each of these requirements within NIST IR 7628 Rev.1 at
http://nvlpubs.nist.gov/nistpubs/ir/2014/NIST.IR.7628r1.pdf. Also see NAESB REQ.22
http://www.naesb.org/retail_request.asp.
c. Data disclosure and minimization. Require contractors
and other third parties to not collect more personal
information and energy data than is required to fulfill the
agreed upon service, and to obtain a separate authorization
before personal information or energy data is used in
a different manner.
d. Customer education and awareness. Require contractors
and other third parties to educate their employees, and
customers as appropriate, about their privacy protection
policies and practices, including the steps the contractor
or other type of third party is taking to protect privacy.
e. Data quality. Require contractors and other third parties
to implement processes and technologies, as necessary, to
ensure data is kept as accurate and complete as possible.
f. Data security. Require contractors and other third parties
to have clearly documented security policies and support-
ing procedures that are periodically reviewed and updated
as necessary.
g. Privacy impact assessment. Require contractors and
other third parties to perform periodic privacy impact
assessments (PIAs) in accordance with the recommenda-
tions earlier in this chapter.
h. Data retention and disposal. Require contractors and
other third parties to have clearly documented policies and
procedures establishing how long data will be retained, as
well as when and how personal information and energy
data will be disposed of. This should be detailed in the
privacy notice given to the customer.
i. Data breaches. Require contractors and other third parties
to be aware of and comply with any laws or requirements
governing data breaches. This applies not just to the
third party, but also to its contracted agents.
j. Employee training. Require contractors and other third
parties to provide employees and their contracted agents
security and privacy training regularly so they know how
to protect customer personal information and energy data.
k. Audits. Require contractors and other third parties to
have independent third-party audits of security and pri-
vacy practices performed, and also to provide the orga-
nization a copy of their documented information security
and privacy policies, and any other supporting documen-
tation, upon request.
9. Comply with privacy laws and regulations.
Be sure to know and comply with all your applicable data
protection laws,* regulations, and industry standards. And
don’t forget to ensure you will also comply with all your con-
tracts that include requirements for protecting personal infor-
mation and energy data.
* In the United States, a good source of information about state-level Smart Grid
laws and rules is http://www.ncsl.org/research/energy/smart-grid-state-action-
update.aspx.
8
HOW TO TAKE CHARGE
OF YOUR PRIVACY
Roles and Responsibilities
It is important to consider the primary roles that carry privacy
responsibilities for energy usage and production data,
and who has control over that data. There are terms used in the
privacy profession* for those that have responsibilities for protecting
privacy. There are sometimes different terms used to describe data
or data relationships within the energy industry. In order to have
those in the privacy professions better understand the terminologies
used within the energy professions, and vice versa, it is instructive to
relate the privacy roles to the data owner/custodian/manager roles
identified in Chapter 2. This will also help the professionals from
different areas of expertise to communicate with each other more
successfully. Therefore, within this chapter we are going to take a
departure from our other chapters and use both the roles and
responsibilities terms from the privacy profession and the Smart Grid sector
to help establish a better understanding and linkage between the two
sets of terms.
* The privacy responsibility categories/terms used in this chapter are the ones used
not only by privacy professionals throughout the world, but also by those who are
certified for various categories of privacy expertise by the International Association
of Privacy Professionals (IAPP), effectively validating and promoting the use of
these terms by privacy professionals and experts throughout the world. One of the
authors, Rebecca Herold, holds three of the certifications, CIPT, CIPP/US, and
CIPM, and teaches the corresponding certification classes for the IAPP. For more
information about the IAPP, see http://www.privacyassociation.org.
• Data subject.* In the privacy profession, the data subject is
considered to be a person who can be identified, directly or
indirectly, by reference to an identification number or to one
or more factors specific to his or her physical, physiological,
mental, economic, cultural, or social identity, or by the
characteristics of the person’s activities.
When considering privacy within the Smart Grid, the data
subject is the individual about whom energy usage or produc-
tion data applies and is processed, along with any associated
personal information items, such as name, address, account
number, and so on. As discussed in Chapter 2, the energy
consumer or prosumer, or as it relates to privacy terms, the
data subject, is legally considered to be the data owner in
increasing numbers of states, as well as in some countries outside
of the United States. This chapter will look at the ways
in which the data owner, which we will recognize here as the
data subject, can exercise control of his or her associated data,
and the responsibilities he or she has for protecting his or her
own privacy.
• Data controller.† In the privacy profession, this is the orga-
nization or individual that collected (or in some situations
created, such as when a doctor creates the vital signs for a
patient with tools used during the provision of care) the personal
information from the data subject. The data controller
has the obligation to decide how and why information about
data subjects will be processed within the bounds of legal
requirements and existing privacy risks, and has the responsi-
bility to appropriately safeguard the data throughout the time
that he or she is a custodian of the data.
In the Smart Grid sector, the data controller is the data
custodian, and is generally one of two types of entities:
1. The utility that collects the consumers’ or prosumers’
energy usage data from the smart meter and the energy
production data from the energy production devices
2. The third parties that directly collect data from energy
consumers or prosumers that is not used by, and has no
oversight from, a utility. These would be organizations
such as energy service providers (ESPs), smart appliance
vendors, and energy app creators.
* This is the definition provided during IAPP training for the CIPP Foundations
course, and within the CIPP Foundations Textbook. It closely aligns with the
description provided for the EU Data Protection Directive at
http://ico.org.uk/for_organisations/data_protection/the_guide/key_definitions.
The OECD Privacy Framework also uses these terms; see
http://www.oecd.org/sti/ieconomy/oecd_privacy_framework.pdf.
† Ibid.
As discussed in Chapter 2, the data custodian, or data con-
troller, is responsible for establishing the controls to ensure
the secure transmission, handling, and storage of energy data
and the associated personal information of the consumers.
This chapter will look at the ways in which the data custodian
or data controller can implement privacy protections and
security controls for the energy data and associated personal
information that he or she has collected, and for which he or
she is responsible.
• Data processor.* In the privacy profession this is an organization
or individual that processes data on behalf of the data
controller. The employees of data controllers with access to
the data are considered to be data processors. The outsourced
entities hired by the data controllers to do any type of storage,
processing, or transmission, or that have access of any kind to the
data, are also considered to be data processors.
In the Smart Grid sector, the data processor is typically
referenced as the data manager. The following types of entities
are data managers in handling energy data and associated
personal information:
1. Utility employees with access to energy data or the associated
personal information. As indicated in Chapter 2, data
custodians can be data managers. To be more specific, the
employees of the data custodians are the data managers
(data processors) because they are the ones within the data
custodian’s (data controller’s) enterprise with direct access*
to the energy data or personal information.
2. Contracted workers with direct access to the energy data
or personal information are also the data managers (data
processors) of the data custodians (data controllers).
3. The employees of third parties that directly collect data
from energy consumers that is not used by, and has no
oversight from, a utility are data managers (data processors) of
the third-party data custodian (data controller).
Data managers/data processors are responsible for knowing,
understanding, and complying with the data custodian’s
(data controller’s) internal information security and privacy
policies to protect energy data and personal information.
* Ibid.
• Data protection authority. In the privacy profession, this is
the term used to indicate the supervisory entity chartered to
enforce privacy or data protection laws and regulations. Some
countries have one centralized data protection authority
(DPA) to oversee compliance for all the country’s data protection
laws and regulations. As a few examples:
• The UK has the Information Commissioner’s Office (ICO).†
• Canada has the Privacy Commissioner.‡
• Germany has the Federal Data Protection Commissioner.§
• Hong Kong has the Office of the Privacy Commissioner.¶
In contrast, the United States does not have a single centralized
DPA. There are multiple groups, sometimes determined by
industry consensus or through legislation, that function as a DPA
for a specified scope of responsibility. Some of these include:
• Federal Trade Commission (FTC)
• State Attorneys General offices
• Federal financial regulators
• Payment Card Industry Data Security Standards (PCI-DSS)
* If an individual or entity has access of any kind to energy usage data or personal
information to fulfill his or her job responsibilities or a contractual requirement, this
is considered to be direct access. Direct access would include viewing energy data
or personal information on a computer screen, handling hard copy documents that
contain energy data or personal information, maintaining, manipulating, and storing
data in cloud-based services, or any other way in which the individual can see or
access data as an integral part of his or her job responsibilities and activities.
† See http://ico.org.uk/.
‡ See https://www.priv.gc.ca.
§ See https://www.ldi.nrw.de/LDI_EnglishCorner/mainmenu_DataProtection/Inhalt2/authorities/authorities.php.
¶ See http://www.pcpd.org.hk/.
When considering privacy within the Smart Grid, state
public utility commissions (PUCs), the Department of
Commerce (DOC), and a wide range of other regulatory
agencies and energy industry standards groups can be consid-
ered DPAs. It is important to point out that the FTC also has
DPA authority over utilities and other Smart Grid entities
with regard to the posted privacy notices and the corporate
privacy policies of those entities.
Table 8.1 maps the relationships between the Smart Grid sector
terms and the privacy profession’s terms.
Privacy Possibilities and Responsibilities for the Data Subject
Energy consumers and prosumers, as data subjects/data owners,
can proactively take a variety of actions to protect their own pri-
vacy by safeguarding their own energy usage and production data
and personal information that they provide to Smart Grid entities.
Additionally, there are actions they can take to ensure the utilities
and third parties to whom they provide their energy data and per-
sonal information have appropriate safeguards and policies in place
to protect their privacy.
Table 8.1 Relationship Map for Privacy Terms and Smart Grid Terms
PRIVACY PROFESSION | | SMART GRID SECTOR
Data subject | Is the same as | Data owner
Data protection authority | Is the same as | Energy or privacy rule-making authority
Data controller | Is the same as | Data custodian
Data processor | Is the same as | Data manager

Table 8.2 Recommended Information for a Data Custodian’s Privacy Notice (a)
• The purpose for which energy usage and production data and personal information are being collected
• A high-level description of the security controls that have been implemented
• The ways in which data is kept accurate
• The ways in which the data is used
• How data subjects can make choices about how their data is used and shared
• Individual access to corresponding data, and rights to make corrections to the data
• How notifications will be made when the privacy policy changes
• Contact information for questions about the privacy policy
(a) These are based upon the OECD Privacy Framework; see
http://www.oecd.org/sti/ieconomy/oecd_privacy_framework.pdf. These principles are
the basis of many other privacy standards and frameworks.
Here are a few of the actions energy consumers and prosumers
should consider taking to help protect their privacy:
1. Read the privacy notices* posted on the websites and in the
contracts provided by the data custodians (e.g., utilities,
energy service providers (ESPs)—traditional or new entrants
such as broadband or mobile carriers, smart appliance ven-
dors, and mobile app-based energy management services).
2. Before a data custodian collects your energy data or personal
information, ask him or her for a copy of his or her privacy notice
if he or she does not have one posted. Make sure it describes
how the custodian secures the data and information he or she
collects, and the rights data subjects have over their data. If the
data custodian does not have one, that is a red flag. See Table 8.2
for content recommendations for a good privacy notice.
3. If you do not understand some of the information within the
notices or contracts, or if some of the information concerns you,
contact the data custodian and ask for clarification. If energy
data or personal information is collected by a utility, the utility
is the custodian, but if the data is not collected by a utility, then
the custodian is the entity that collected the data.
* Some organizations call privacy notices, which describe the privacy promises made
to the public and to customers, their privacy policies. However, in the information
security and privacy professions, the term policy is used to refer to the business’s
rules that employees must follow.
4. If the terms described within the posted privacy notice are too
invasive,* and you have not received a satisfactory explanation
from the data custodian, find another data custodian, if
possible. If not possible, contact the data custodian’s privacy
officer. If the data custodian takes privacy seriously, he or she
will have a privacy officer, or at least some position that has
been assigned to address privacy issues. If he or she does not
have a privacy officer or someone with privacy responsibilities,
that is a red flag in and of itself.
5. If you call or send a message to a utility or third-party customer
service agent with a privacy question or concern, and he
or she cannot provide an answer or he or she avoids answering
your question directly, that is a red flag. You should then get
in touch with the privacy officer or identified privacy contact.
6. Understand the chain of custody for energy data to identify
the organizations (data custodian and associated data proces-
sors) that have access to your energy data and personal infor-
mation and their roles.
7. Know the DPAs that establish the privacy protections for your
energy usage and production data and personal information,
and how to get in touch with them if you have any concerns
about the privacy protections for your data.
8. Ensure the data custodian has a documented information
security and privacy breach plan in place.
9. Determine the recourse process to follow if you suspect or
know your privacy has been compromised.
10. Occasionally do an online search to see if the data custodian
has had any type of information security incident or
privacy breach.†
* For example, if the notice contains a blanket statement that they may share any data
collected from you with any others for any reason they determine to be appropriate,
that would be an overly broad statement that you would want to obtain
clarification about.
† At the time of this writing, 51 U.S. states and territories had laws requiring businesses
to disclose data breaches to affected data owners or subjects. See the list at
http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx.
Why take the time and trouble of doing these actions? Because you
cannot expect the data custodians that collect your energy data and
personal information to always have all the safeguards in place neces-
sary to lessen privacy risks.
Bottom line: With so much data being generated and shared, it is
important for consumers to not just assume the data custodians that
collect their energy data and personal information are appropriately
protecting their privacy and effectively safeguarding their data.*
Data Subject Privacy Use Case Example
Privacy use cases† are valuable for breaking down specific scenarios
involving access to energy usage and production data and personal
information. The data custodians and data processors that obtain and
access your energy data and personal information rely on privacy use
cases to identify where risks exist and document the best controls to
mitigate the identied risks.
As an example, let’s consider the privacy issues involved with using
electric vehicles (EVs). Consumers can use a privacy use case to help
determine the privacy issues that they should be aware of for situa-
tions where their energy data and personal information are involved.
Table 8.3 shows one of the EV privacy use cases from NISTIR 7628
Rev. 1,‡ updated by the authors to reflect how a consumer privacy use
case can be created by a data custodian and provided to consumers as
an awareness-raising document, in addition to the privacy notice.
* For more advice and tools to help consumers to protect their privacy and effectively
secure their energy usage and production data and personal information, see Rebecca’s
site: http://www.privacyprofessor.org.
† As described within NISTIR 7628 Rev.1: “A Privacy Use Case is a method of looking
at data flows that will help entities within the Smart Grid to rigorously track data
flows and the privacy implications of collecting and using data, and will help organizations
to address and mitigate the associated privacy risks within common technical
design and business practices. Use cases can help Smart Grid architects and engineers
build privacy protections into the Smart Grid.” See
http://nvlpubs.nist.gov/nistpubs/ir/2014/NIST.IR.7628r1.pdf.
‡ See all 44 Smart Grid privacy uses in NISTIR 7628 Rev. 1;
http://nvlpubs.nist.gov/nistpubs/ir/2014/NIST.IR.7628r1.pdf.
Table 8.3 Privacy Use Case for Consumer Use
Category: Demand response | Privacy use case 12
Scenario: Mobile plug-in electric vehicle (PEV) functions
CATEGORY DESCRIPTION
Demand response is a general capability that could be implemented in many different ways. The
primary focus is to provide prosumers with pricing information for current or future time periods so
they may respond by modifying their demand. This may entail just decreasing load or may involve
shifting load by increasing demand during lower-priced time periods so that they can decrease
demand during higher-priced time periods. The pricing periods may be real time based or tariff
based, while the prices may also be operationally based or fixed, or some combination. Real-time
pricing inherently requires computer-based responses, while the fixed time-of-use pricing may be
manually handled once the prosumer is aware of the time periods and the pricing.
SCENARIO DESCRIPTION
• In addition to prosumers with PEVs participating in their home-based demand response
functions, they will have additional requirements for managing the charging and discharging
of their mobile PEVs in other locations:
  • Prosumer connects PEV at another home
  • Prosumer connects PEV outside home territory
  • Prosumer connects PEV at public location
POTENTIAL DATA OWNER/DATA SUBJECT PRIVACY ISSUES
• Privacy and security controls for the PEV energy usage data and personal information about
the PEV owner/operator
• Retail electric supplier (utility or charging service providers (CSPs)) access to the energy
usage data and personal information about the PEV owner/operator
• Unauthorized access to the energy usage data and personal information about the PEV owner/
operator by those in the vicinity of the retail electric supplier charging station
• Retail electric supplier (nonutility) access to the energy usage data and personal information
about the PEV owner/operator that the utility possesses
• Security and privacy controls for the energy usage data and personal information about the
PEV owner/operator under the control of the retail electric supplier (utility or CSP)
• Prosumer access to, and ability to correct, their corresponding energy usage data and
personal information about the PEV owner/operator
DATA PRIVACY RECOMMENDATIONS FOCUSED ON THE DATA OWNER/DATA SUBJECT
This use case presumes a single residential (one owner/car) situation. (There are other scenarios
as well, but for simplicity’s sake we limit our discussion to one scenario per use case.) There are
three possible grid interfaces considered here:
• Basic 120 or 240 V plug for electricity downloads connected to a dumb or smart meter
• A meter that is capable of running backwards for download and upload of electricity (net
metering)
• Charging stations that can charge/discharge electricity to and from the grid
1. From the perspective of the prosumer, utilities are involved in the first two interfaces in terms
of owning the meter at the time this book was written, but the third scenario may involve third
parties that own the meters connected to charging stations and interact directly with
prosumers without utility intervention. It is important for prosumers to understand the chain
of custody in scenario C.
2. Look for privacy notices from the utilities and third parties such as CSPs that clearly delineate all
responsibilities and collection processes and uses for energy usage data and personal information.
3. When utilities are the data custodian, look for statements in their privacy notices that describe
when there are situations where EV energy consumption data (or other data) could be handled by
third parties like CSPs, and if these third parties must comply with utility privacy policies.
4. Utilities and CSPs may have personal data such as name, credit card/debit card, phone
number, and address for billing for any roaming charge programs that they manage. Look for
descriptions of security safeguards in privacy notices or contracts, which should include
information about monitoring and security responsibilities by data custodians.
5. Prosumers may have an electronic payment arrangement, so the utility or CSP would also have
sensitive financial data and perhaps authorized access to deposit funds in cases of payments to
prosumers for participation in demand response (DR) programs or other smart charging situations.
For instance, California investor-owned utilities (IOUs) are not allowed to provide charging stations,
so all charging stations will be owned by third-party CSPs, energy service providers, property owners,
municipal entities, or businesses. However, these utilities may still have smart charging agreements
in place with specific cars or charging stations and will require this information. Appropriate security
controls need to be in place here. Prosumers should also carefully examine statements about if any
data is sold to other parties and who those parties are.
6. For charging or discharging that occurs away from the consumer’s home address, but is billed
back to a utility account, utilities will need to determine what nonhome address location
information is necessary to collect for billing/payment purposes, and what should be
displayed on paper or electronic bills. There should be the minimum necessary information
about charge time, date, and location on electric bills provided to the utility.
7. CSPs or other contracted agents who act as utility agents may have access to personal data
for billing purposes. The utility should provide clear, simple identification of all entities
involved, or provide a formal statement to document the data chain of custody that may be in
place based on their relationships with the utility, authorized third parties, and CSPs.
8. Note: The collection of location information creates special privacy concerns regarding EVs. It
creates special safety and security concerns as well. This is pertinent for charging information
that occurs at the consumer’s home, not just away from home. This is because EV charging at
home could establish vehicle location for a given date and time if the EV is plugged in and
actively charging or discharging.
Information Security Controls to Support Privacy Protection
Table 8.4 lists some of the types of information security controls the
data controllers and data processors should be using to effectively
secure energy data and personal information. If data subjects have
concerns after asking the questions previously listed, they can ask
their data controller about these information security controls as well.
There are also situations where the data subject should be implementing
his or her own information security controls within his or her own
home or property where electricity service is provided to help protect
his or her privacy, particularly when he or she is sharing energy usage
Table 8.4 Effective Information Security Controls
INFORMATION SECURITY CONTROLS | CAN BE USED BY DATA CONTROLLERS AND DATA PROCESSORS? | CAN BE APPLIED BY DATA SUBJECTS FOR THE SYSTEMS AND ACTIONS UNDER THEIR CONTROL?
TECHNICAL INFORMATION SECURITY CONTROLS
The following are just some of the technical security controls that can be used. In the 25+
years one author (Rebecca) has been an information security and privacy practitioner and
professor, she has found these to be the necessary technical controls for organizations,
throughout all industries, as well as individuals on their personal computing systems.(a)
• Password protection: Use strong passwords. Use passwords to log in to computing devices as well as to access networks and communications networks. | Yes | Yes
• Network security controls: Use firewalls, intrusion prevention systems (IPSs), intrusion detection systems (IDSs), and log monitoring. | Yes | Yes, if the third-party solutions support them
• Encryption: Use for data in storage as well as for data in transit (passing through the public and private networks). | Yes | Yes, if the third-party solutions support them
• Wireless data security controls: When wireless networks are used, ensure the transmissions are encrypted, and that strong passwords are used. Avoid public networks that do not use encryption. | Yes | Yes, if the third-party solutions support them, and if within the data subject’s own network
• Antimalware software and systems: Use comprehensive antimalware software and systems to protect against viruses, Trojan horses, key loggers, and other types of malicious code. | Yes | Yes
ADMINISTRATIVE AND BEHAVIORAL INFORMATION SECURITY CONTROLS
The following are some of the administrative security controls that can be used, and have been
found by Rebecca to be the most important and effective for generally all organizations and
individuals.(b)
• Security and privacy responsibility: Assign a role to have primary responsibility for information security and privacy throughout the organization, as well as assign privacy responsibilities to specific positions. | Yes | Not applicable
• Privacy impact assessments (PIAs) and risk assessments (RAs): Perform PIAs and RAs to identify where risks exist throughout the organization. Use the results to determine actions to appropriately mitigate the risks. | Yes | Generally not applicable
• Privacy and information security policies and procedures: Establish documented information security and privacy policies and supporting procedures to appropriately mitigate risks, as well as to meet existing legal requirements. | Yes | Data subjects should review the data controller’s privacy notice to ensure he or she has established internal policies for the data managers to follow
• Provide regular training, with attendance required, as well as provide ongoing awareness communications: Ensure all data processors understand and comply with privacy policies. | Yes | Data subjects need to stay aware of new privacy threats; they will usually need to do this on their own; some data controllers are also providing this type of awareness information to their customers, so this is a possibility as well
• Enforce compliance: Enforce compliance with internal privacy policies and supporting procedures. Ensure sanctions are defined and applied appropriately and consistently for noncompliance with information security and privacy policies. | Yes | Data subjects should understand how they can raise privacy concerns that could warn of potential noncompliance
• Audits: Perform regular privacy and information security audits. | Yes | Review data controller privacy notices to ensure audits are conducted
PHYSICAL INFORMATION SECURITY POSSIBILITIES
The following are some of the physical security controls that can be used, and have been found
to be effective for generally all types of organizations.(c)
• Protect against loss and theft: Establish controls to help prevent loss and theft of computing and digital storage devices and hard copy information. Use device tracking tools. Implement remote data wipe tools. Encrypt data on mobile storage devices to protect them in the event the devices are lost or stolen. | Yes | Yes
• Disposal controls: Establish controls to help prevent disposal of readable or otherwise accessible data on digital storage devices and hard copy. | Yes | Yes
• Don’t post sensitive information: Do not write down passwords and post in work areas, or anywhere else for that matter. Do not leave confidential information on whiteboards or in meeting areas. Do not include sensitive information within photos or videos.(d) | Yes | Yes
• Establish effective physical security perimeters: Install walls, card-controlled entry gates, manned reception desks, fences, door locks, etc., as appropriate to mitigate risks around facilities that contain information and information processing facilities. | Yes | Yes
• Entry controls: Secure areas should be protected by appropriate entry controls to ensure that only authorized personnel are allowed access. | Yes | Yes
• Protect against external and environmental threats: Install physical protection to data storage and collection devices against damage from fire, flood, earthquake, explosion, civil unrest, and other forms of natural or man-made disasters. | Yes | Yes
• Secure work areas: Implement physical protection and guidelines for working in secure areas. This includes when working in the field, within vehicles used for servicing, within home offices, etc. | Yes | Yes
(continued)
c
INFORMATION SECURITY CONTROLS
• Environmental protections: Protect data collection,
transmission, and processing equipment from
environmental threats and hazards.
CAN BE USED
BYDATA
CONTROLLERS
AND DATA
PROCESSORS?
Yes
CAN BE APPLIED BY
DATA SUBJECTS FOR
THE SYSTEMS AND
ACTIONS UNDER
THEIR CONTROL?
Yes
a More detailed descriptions of technical security controls can be found in ISO/IEC 27002:2013; see
http://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=54533. NIST
also has good resources available in multiple publications in the Computer Security Resource
Center: http://csrc.nist.gov/.)
b Ibid.
Ibid.
d This happens much too often. For example, see https://twitter.com/GarethDEdwards/status/
197403763152138240/photo/1.
158 DATA PRIVACY FOR THE SMART GRID
Table8.4 Effective Information Security Controls (continued)
data and personal information directly with data processors such as
third parties, or with data controllers that offer energy management
services without any involvement of utilities. Such instances are
indicated within the table.
Privacy Responsibilities for the Data Controller/Data
Custodian and the Data Processor/Data Manager*
Data custodians, as well as their data processors, need to have all the
appropriate security and privacy controls implemented that are listed
in the “Privacy Possibilities and Responsibilities for the Data Subject”
section, as necessary to reduce their privacy risks to an acceptable
level. This means you should first perform a privacy impact assessment
(PIA) to determine your risks.†
* There may be scenarios where the data controller has a different use case than the use case the data processor should use. However, for the purposes of illustrating privacy use cases here, we’ve combined the two since they would both have the same responsibilities for this particular privacy use case.
† An example PIA report is in NISTIR 7628 Rev. 1; see http://nvlpubs.nist.gov/nistpubs/ir/2014/NIST.IR.7628r1.pdf. For tools and additional information on how to do PIAs, see http://hipaaprivacy.org/product/privacy-impact-assessment-training.

Table 8.5 shows the same privacy use case as in Table 8.3, which showed the data subject point of view for the privacy issues involved with using plug-in electric vehicles (PEVs). Table 8.5 is the same privacy use case, but now with the focus on data custodians. Data custodians and data processors can use privacy use cases to help determine the privacy risks and then identify the most appropriate controls to mitigate the risks. The privacy use cases within NISTIR 7628 Rev. 1 use the American Institute of Certified Public Accountants (AICPA) Generally Accepted Privacy Principles (GAPPs).* These are commonly used by auditors, and so make a practical tool to also use for privacy use cases.

Table 8.5 Privacy Use Case for Data Custodian Use

Category: Demand response
Privacy use case 12
Scenario: Mobile plug-in electric vehicle functions

CATEGORY DESCRIPTION
Demand response is a general capability that could be implemented in many different ways. The primary focus is to provide prosumers with pricing information for current or future time periods so they may respond by modifying their demand. This may entail just decreasing load or may involve shifting load by increasing demand during lower-priced time periods so that they can decrease demand during higher-priced time periods. The pricing periods may be real time based or tariff based, while the prices may also be operationally based or fixed, or some combination. Real-time pricing inherently requires computer-based responses, while the fixed time-of-use pricing may be manually handled once the prosumer is aware of the time periods and the pricing.

SCENARIO DESCRIPTION
In addition to customers with PEVs participating in their home-based demand response functions, prosumers will have additional requirements for managing the charging and discharging of their mobile PEVs in other locations:
• Prosumer connects PEV at another home
• Prosumer connects PEV outside home territory
• Prosumer connects PEV at public location

SMART GRID CHARACTERISTICS
• Enables active participation by prosumers
• Accommodates all generation and storage options
• Enables new products, services, and markets

CYBER SECURITY OBJECTIVES/REQUIREMENTS
• Integrity is not critical, since feed-in tariff pricing is fixed for long periods and is generally not transmitted electronically
• Availability is not an issue
• Confidentiality is not an issue, except with respect to meter reading

POTENTIAL STAKEHOLDER ISSUES
• Prosumer data privacy and security
• Retail electric supplier access
• Prosumer data access

DATA PRIVACY RECOMMENDATIONS

12.1 This use case presumes residential (one owner/car) situations, but DR may also be used with EV fleets that are common to governmental entities and other businesses. These recommendations address residential situations only. There are three possible grid interfaces considered here: basic 120 or 240 V plug for electricity downloads connected to a dumb or smart meter; a meter that is capable of running backwards for download and upload of electricity (net metering); and charging stations that can charge/discharge electricity to and from the grid. From the perspective of the prosumer relationship, utilities are involved in the first two interfaces in terms of owning the meter, but the third scenario may involve third parties that intermediate the utility-consumer relationship with ownership of charging stations. This would be similar to the situation in which old pay telephones were owned by a number of different vendors, not just the phone company. Consumers may not always be aware of the ownership of the charging point and may assume that the privacy policies and practices the utility adopts apply in all scenarios. Utilities may wish to add a statement in their general privacy policies that serves to educate prosumers that there are select situations where EV energy consumption data (or other data) could be handled by third parties that are not required to abide by utility privacy policies.

12.2 Roaming models for AC charge billing purposes are developing around the world. DC or fast charging appears to follow the familiar gas station analogy of credit/debit/cash payments, although these charging stations may be installed for private use too. Credit cards or mobile phones will be the common payment mechanism for roaming charging, and may entirely bypass utilities as data custodians—other than the supply of electricity to the meter connected to the charging station equipment. However, here are some other scenarios to consider:

Utilities may have personal prosumer data such as name, credit card/debit card, phone number, and address for billing for any roaming charge programs that they manage. In addition, customers may have opted for an electronic payment arrangement, so the utility would also have sensitive financial data and perhaps authorized access to deposit funds in cases of payments to consumers. For instance, California IOUs are not allowed to provide charging stations, so all charging stations will be owned by third-party energy service providers, property owners, municipal entities, or businesses. However, these utilities may still have smart charging agreements in place with specific cars or charging stations and will require this information. The AICPA security safeguard principle has specific application here.

For charging or discharging that occurs away from the prosumer’s home address but is billed back to a utility account, utilities will need to determine what nonhome address location information is necessary to collect for billing/payment purposes, and what should be displayed on paper or electronic bills. Consider the amount of identification that appears on a bank statement if a consumer uses an ATM, or the level of detail on credit card statements for gas purchases to develop policies. Consider the minimum necessary information about charge time, date, and location on electric bills. The AICPA purpose specification and accountability principles apply here.

Charging service providers (CSPs) or other contracted agents who act as utility agents may have access to personal data for billing purposes. Prosumers may not be aware of all the entities involved when they plug in to a charging station. The utility should consider clear, simple identification of all entities or some formal statement of the data management principle to help educate consumers as to the “data chain” that may be in place based on their relationships with utility, authorized contracted agents, and CSPs. The notice principle applies here.

Note: The collection of location information creates special privacy concerns regarding EVs. It creates special safety and security concerns as well. This is pertinent for charging information that occurs at the consumer’s home, not just away from home. This is because EV charging at home could establish vehicle location for a given date and time if the EV is plugged in and actively charging or discharging.

AICPA PRINCIPLE | APPLIES: X | NOTES

12.3 Management principle (Applies: X)
Notes: This use case covers mobile or roaming charge/discharge.
At home, charging/discharging information related to PEVs provides motoring range and habit information that can endanger a person’s safety and freedom. This requires special privacy protection.
When using a third-party charging station, there is a need to determine how all principles apply, and how consumers are educated is important. It may not be appropriate for a utility to address this issue, but it could still be a smart grid issue. Consumers will appreciate education from a trusted source to understand what personal data may be collected, used, and retained by various entities in mobile charging scenarios.
Utilities will need to determine and assign responsibility for how EVs are incorporated into DR programs, and then develop appropriate privacy policies regarding any personal data that would accompany the reporting, billing, and management of these DR programs.

12.4 Notice principle (Applies: X)
Notes: Notice may be challenging when it is a charging station owned by a third party as discussed in 12.1. Special efforts must be required of third parties through the contracts between the third parties, utility-authorized contracted agents, and utilities. Utilities should ensure that authorized contracted agents adhere to the privacy policies and practices enacted by the utility to protect personal information and energy consumption data. For unrelated third parties, utilities lack immediate or ongoing opportunities to inform consumers that different privacy policies may be in effect. Utilities may wish to add a statement to their general privacy policies that addresses EV charging devices that are “in their control” or “out of their control,” and the consumers must be made aware of the risk of disclosure of this information.

12.5 Choice and consent principle (Applies: X)
Notes: There may be choices available at the charging stations/points. If not, then the charging station should clearly indicate the data being collected, how they will be used, shared, and retained, and then obtain consent to use the data as a consequence of charging at that location.

12.6 Collection principle (Applies: X)
Notes: This principle applies for any entity that is delivering power or maintaining a financial transaction. Only the data necessary for the customer to obtain the electricity charge, and then for the charging company to be financially reimbursed, should be collected.

12.7 Use and retention principle (Applies: X)
Notes: Data collected from PEV charging stations should be used only for the purposes of supporting the associated payments, and then irreversibly deleted after they are no longer needed for business purposes. If data is intended for planning, balancing, or operational purposes, the utility should adopt privacy-enhancing technologies and practice to anonymize this data and de-identify it.

12.8 Access principle (Applies: X)
Notes: Since charging stations may be owned by a number of entities, it may be difficult for individuals to know who to contact to gain access to their personal data. PEV charging stations need to ensure customers can get access to their associated PEV charging data, and access to this data within related businesses should be limited to only those with a business need to know.

12.9 Disclosure to third parties principle (Applies: X)
Notes: Since charging stations may be owned by a number of entities, it may be challenging to obtain implicit or explicit consent before sharing data. Even if consent is not feasible, consumers should be told the ways in which the data is used.

12.10 Security for privacy principle (Applies: X)
Notes: Applies with special regard to any financial transactions. Applies with special regard to location-based information. All personal data collected and created during these activities must be appropriately safeguarded to ensure unauthorized access to the data does not occur, to preserve integrity of the data, and to allow for appropriate availability.

12.11 Quality principle (Applies: X)
Notes: PEV charging data must be accurate, and controls need to be incorporated to ensure this.

12.12 Monitoring and enforcement principle (Applies: X)
Notes: Develop and maintain audit policies to ensure that procedures are consistently applied with regard to personal data.
Other Helpful Privacy and Information Security Resources
This chapter provides an excellent foundation for resources with privacy
responsibilities to identify privacy and information security risks,
and a description of some of the controls to implement to mitigate
those risks. Here are some additional resources, in addition to the
other resources listed in the footnotes throughout the book, that the
authors recommend to energy data custodians, data processors, data
subjects, and DPAs to protect privacy.
From the authors:
• Christine Hertzog’s Smart Grid blog posts: http://www.smartgridlibrary.com/home-2/blog/
• SGL Partners consulting services: http://www.smartgridlibrary.com/consulting-services/
• Rebecca Herold’s blog posts: http://www.privacyguidance.com/blog
• Rebecca Herold’s Smart Grid privacy and information security tools and services: http://hipaaprivacy.org/product-category/energy-smart-grid-privacy/
From government and industry:
• National Institute of Standards and Technology (NIST): http://www.nist.gov/smartgrid/
• Federal government initiatives: https://www.smartgrid.gov/federal_initiatives/featured_initiatives
• Department of Energy: http://energy.gov/oe/services/technology-development/smart-grid
• National Conference of State Legislatures (NCSL): http://www.ncsl.org/research/energy/smart-grid-state-action-update.aspx
* See http://www.aicpa.org/INTERESTAREAS/INFORMATIONTECHNOLOGY/RESOURCES/PRIVACY/GENERALLYACCEPTEDPRIVACYPRINCIPLES/Pages/default.aspx.
9
TRANSACTIVE ENERGY
We introduced the term transactive energy* as the future evolution of the Smart Grid in Chapter 2. Transactive energy is an evolving concept, as initial pilots are testing the capacities of existing technologies, policies, processes, and business models.† The Department of Energy, Pacific Northwest National Lab, and utilities including Bonneville Power Administration and Portland General Electric are participating in a pilot discussed later in this chapter.
Transactive energy proponents envision an organized marketplace where prosumers can buy or sell electricity with confidence that transactions are managed through enforceable rules that apply to all. This marketplace is managed in coordination with utility grid operations to ensure a safe and reliable supply of power for consumers. But the concept of transactive energy also encourages grid resiliency—the ability to recover from man-made and natural disruptions—and reduces some of the grid fragility that we currently experience. Technologies such as renewables coupled with energy storage, inexpensive sensors coupled with wireless networks, and analytics coupled with cost-effective data storage can support distributed energy resources (generation, demand response, energy efficiency, and storage) with highly distributed intelligence. All this helps grid managers operate with enhanced situational awareness, and that increases grid resiliency.
* From the Smart Grid Dictionary, 6th edition: “Transactive energy is a business model that enables market participation for distributed energy resources (DER) supplying negawatts or kilowatts to an interconnected grid to support the delivery of safe, clean, resilient, reliable and cost-effective electricity.”
† An early pilot or demonstration is occurring in the U.S. Pacific Northwest. The Pacific Northwest Smart Grid Demonstration Project publishes an annual report with the latest details at its website: http://www.pnwsmartgrid.org.

Transactive energy requires a convergence of technologies, policies, and financial drivers in an active prosumer market—where prosumers are buildings, electric vehicles (EVs), microgrids, or distributed energy resources (DERs) assets like solar panels, wind generators, or energy storage. In other words, the current market that exists at the wholesale electricity level for large-scale energy transactions will be mirrored at the distribution grid for smaller-scale transactions. Transactive energy democratizes the currently closed electricity market. However, this market will have to be much more flexible, robust, and scalable to support millions of participants instead of hundreds to thousands of participants. It is a challenge, but Wall Street has managed stock markets with participation by large funds as well as individual investors.
We’ll briefly examine the three main drivers before exploring the
privacy considerations in the evolution from today’s grid to a Smart
Grid that includes transactive energy.
Technology
The Smart Grid technologies of remote monitoring and control, advanced analytics, and robust communications networks enable the transition to transactive energy at every point in the value chain from generation to consumption and prosumption. The growth of competitive, cost-effective solutions for co-generation, energy storage, and microgrids will accelerate partial to full self-sufficiency on the part of critical infrastructure (i.e., first responder command centers and stations) at state, city, and county levels. Such initiatives are already under way in some states spurred by the experiences of Superstorm Sandy.* However, private enterprise, particularly commercial entities that place a high valuation on “uptime” of grids, can’t tolerate the service disruptions that cost the American economy billions of dollars annually, as noted in Chapter 2. Businesses will invest in DERs and include sales of excess energy back to the grid in their return on investment (ROI) calculations. This practice already occurs when businesses consider the value of payments offered by utilities or energy services providers (ESPs) for demand response (DR) participation.

* One example is the state of Connecticut. For more information, see http://www.governor.ct.gov/malloy/cwp/view.asp?A=4010&Q=528770.

Many buildings may already participate in utility or third-party DR programs and voluntarily reduce electricity (or gas) consumption during peak times of demand. Transactive markets envision the expansion of DR programs through automated demand response (ADR) technologies. We’ll discuss an initiative called OpenADR later in this chapter.
Some large commercial buildings already deploy various building automation systems* (BASs) and energy management systems† (EMSs). These systems remotely monitor and control HVAC, lighting, and other significant usages of electricity in buildings and may collect and conduct data analysis to identify potential reductions in energy use. The most sophisticated EMS solutions engage in continuous commissioning‡ through data accumulated from heating, ventilation, air conditioning (HVAC) sensors, occupant activities, and other sources, like weather reports.
EMS and ADR technologies help infuse buildings with much more intelligence—also known as smart buildings. These technologies help position buildings as participants in transactive energy. For example, buildings can now automatically respond to price signals or utility grid management requests to alter consumption for specific time durations. Transactive energy extends this functionality to kilowatt production or generation, so that buildings can automatically respond to grid requests for energy.
* From the Smart Grid Dictionary: “Software and hardware deployed in buildings to automatically manage refrigeration, HVAC, lighting and other building energy usage on a continuous basis. These control systems are the integrating components to fans, pumps, heating/cooling equipment, dampers, mixing boxes, and thermostats. Monitoring and optimizing temperature, pressure, humidity, and flow rates are key functions of modern building control systems. Many are designed to operate a single system, like refrigeration or HVAC. Sometimes known as EMCS (Energy Management and Control Systems) or Energy Management Systems (EMS), these systems integrate more control functions such as lighting as well as HVAC.”
† From the Smart Grid Dictionary: “These control systems integrate HVAC, lighting, and other high-energy uses to effectively manage commercial and multifamily building energy consumption. The objective is to deliver optimal occupant comfort while minimizing energy use. Also known as EMCS (Energy Management and Control Systems).”
‡ From the Smart Grid Dictionary: “A combination of processes, hardware, and software to ensure that buildings are operating at peak energy efficiency to reduce overall energy costs and carbon emissions and optimize performance of building HVAC gear.”
Buildings can also become “hardened” nodes in the grid—meaning they can provide some or all of their own energy as more renewable generation, co-generation, and energy storage options are introduced to the market. It’s a small but growing trend to use Smart Grid technologies for generation of kilowatts and not just negawatts.
Microgrids
One of the most disruptive technologies in terms of altering today’s power grids will be microgrids. A microgrid is a small power system that integrates self-contained generation, distribution, sensors, energy storage, and energy management software with a seamless and synchronized connection to a utility power system, and can operate independently as an island from that system. Generation includes renewable energy sources and the ability to sell back excess capacity to a utility. On-site microgrid management software includes controls for the power generation, utility connect/disconnect, distribution, and energy storage equipment along with building energy management applications for commercial and industrial (C&I) or home use.*
Microgrids reduce the reliance on a utility to deliver electricity.
Industry research firms are optimistic about microgrid market potential, with market projections that include $6 billion in 2020 or $17 billion by 2017. In the United States, microgrids can provide energy surety for their owners.† Even when the surrounding grid is experiencing an outage, a microgrid can provide at least a percentage of power for the most important uses within its boundaries. For example, a college campus that operates a microgrid may prioritize occupied dormitories and critical research facilities over unoccupied classroom buildings to receive power from a microgrid when utility-supplied power is disrupted. Today, operational and safety standards require that any microgrid connected (or grid-tied) to the utility grid has to shut down if the larger grid experiences an outage. There are standards bodies working to change this without compromising worker safety, which is of paramount concern for everyone.

* From the Smart Grid Dictionary, 6th edition.
† In developing economies, microgrids hold significant promise to eliminate energy poverty that afflicts over 1 billion humans, according to the International Energy Agency (IEA).
Microgrids will be attractive first to critical infrastructure and large commercial customers with the highest utility bills to seek to reduce their operating costs and gain more control over their energy surety. Over time, as more cost effective solutions are available, smaller commercial customers and even residential customers will adopt microgrid technologies for some or all of their electricity. Smart Grid technologies are evolutionary drivers enabling transitions to transactive energy. Leveraging these technologies will help build grid resiliency and open the electricity market participation by prosumers.
Regulatory Policy
Regulatory policy is a revolutionary driver for transactive energy. The increase in severe storms, ranging from Superstorm Sandy to the polar vortex, is the causative factor for legislative actions and regulatory policies that encourage utilities to invest in grid resiliency with deployments of DERs and microgrids. This is one of the anticipated outcomes of the previously referenced “Reforming the Energy Vision” report from the New York Public Service Commission and the California Public Utilities Commission’s energy storage mandates to its regulated investor-owned utilities (IOUs).
Historically, regulated utilities were encouraged to build reliable grids with the expectations of downtime. The real costs of outages were not factored in to regulatory decisions, but that practice has lost its luster and more utility commissions now encourage grid designs and deployments that build resiliency. However, there’s growing acknowledgment that utilities cannot create more resilient grids on their own. The Interstate Renewable Energy Council (IREC) published a white paper that should be read by every utility regulator and state legislator interested in grid modernization involving DER deployments. “The Integrated Distribution Planning Concept Paper”* offers practical suggestions that help build the foundation for transactive energy by leveraging private investments.

* Available at http://www.irecusa.org/2013/05/new-proactive-planning-strategy-proposed-for-distributed-generation/.
IREC focuses on regulatory policy innovations to enable deployment and interconnection of clean energy like solar in the distribution grid. Interconnection from the distribution grid perspective refers to the utility processes that ensure that interconnection of DERs like solar occur in a timely manner with safe, reliable, and high-quality electricity flow. It’s sorely needed. Grid-connected solar photovoltaic capacity jumped 4,000% from 2005 to 2012, according to IREC research. That’s a good indicator that DER deployments won’t wait for state or local policies when and where investors and owners can make favorable business cases now.
Interconnection requests might require utility upgrades of grid equipment. Utility planners have to consider the local circuit design and the type, size, and location of the DER asset on that circuit. Since distribution grids were designed for a one-way power flow from generators to consumers, not the new Smart Grid value chain that includes prosumers enabled to supplement/substitute/sell power, there’s a good chance that some grid investment is required.
The paper described interconnection processes in California, Hawaii, Massachusetts, and PEPCO, a utility with a footprint in New Jersey, Delaware, and Maryland. These entities have demonstrated leadership in regulatory policies to address the explosive growth of DER interconnection requests. Creative policies identified in the paper include development of new utility plans that incorporate DERs into grid modernization initiatives. California’s policy requires utilities to consider how generation assets in the distribution grid can “defer transformer and transmission line upgrades, extend equipment maintenance intervals, reduce electrical line, losses, and improve distribution system reliability, all with cost savings to utilities.” This policy statement is significant because it determines that assets that are not owned by a utility can have a quantifiable value to the utility, and therefore helps create the policy foundation for a transactive energy market.
The paper’s approach, called integrated distribution planning (IDP), determines the status (particularly capacity) of the existing distribution equipment and identifies potential upgrades that may be needed to accommodate anticipated distributed generation (DG) growth in a five-step process. With adoption of the policies and practices as promulgated in IREC’s paper, utilities can identify distribution grid points where independently owned DER assets can engineer resiliency into the local grid or defer expensive capacity upgrades. Potential DER asset owners—commercial and residential—could be financially motivated to take on these types of projects with reduced risks because utilities could think about these assets in newly useful ways.
These regulatory policies are significant and new, making policy a revolutionary driver in building an electricity value chain based on transactive energy concepts.
Finance
There is growing innovation in the types of financial tools available for utility and nonutility investments in generation, creating new sources of capital that bring down the costs of funding. It’s a complicated topic because financing mechanisms for residential purposes are sometimes quite different than commercial or utility-scale funding options. On top of that, financing tools and considerations may differ for generation of kilowatts (such as solar production) versus generation of negawatts (like energy efficiency projects).
Finance drivers are often closely intertwined with policy drivers,
and those synergies are quite apparent here. We’ll start at the federal
level and work down to local initiatives, and then briefly discuss private
enterprise activity in innovative financial mechanisms that have
ramifications for the Smart Grid and transactive energy.
A master limited partnership (MLP) is a publicly traded partnership
for an energy asset. First launched in 1981, today’s MLPs
are traded on public stock exchanges, offering individual as well as
institutional investors the necessary structures to buy and sell shares
in gas/oil/coal extraction and pipeline projects. In 2008, Congress
expanded the definitions of MLP projects to include ethanol, biodiesel,
and other alternative fuels projects. There are two primary benefits
of MLPs. First, they operate on a pass-through tax structure,* which
lowers the cost of capital. Second, they allow companies to build and
operate energy-producing assets and offer a sufficient rate of return
that is appealing to investors.
* A pass-through means that the MLP does not pay tax, just the shareholders
(typically called unit holders).
In 2012, traditional MLPs attracted $23 billion for projects, for
a total of about $325 billion in market capital. Imagine what a similar
pool of money could do for investments in clean generation from
solar, wind, and geothermal as well as energy storage. This amount of
capital dwarfs the $4 billion spent on the Smart Grid in the American
Recovery and Reinvestment Act (ARRA) or Stimulus Fund of 2009.
Were a similar pool of capital available for renewable energy and
energy storage projects, it would give investors opportunities to be
green with their money and make a steady income return on their
investments. MLPs could be a game changer for utilities and corporations
seeking sources of capital for large-scale renewables and energy
storage projects. There’s a proposed bipartisan U.S. Senate bill* to
extend MLP structures to renewables and energy storage, but as this
book was written, it faces an uncertain future.
Residential and commercial property assessed clean energy (PACE)
programs are another promising strategy to finance DER projects.
To date, 28 states and Washington, D.C., have approved PACE programs
for residential use. Two states, California and Colorado, have
approved commercial PACE programs. These programs rely on bonds
whose proceeds are used by borrowers (building owners) to fund
renewable or energy efficiency projects. PACE loans remove the substantial
up-front costs of projects and enable owners to save on energy
costs and create local jobs during the deployment phases of those projects.
By some industry estimates, the market for commercial PACE
projects could exceed $180 billion.
There are other interesting state initiatives to encourage investment
in DER assets. Voter initiatives like California’s Proposition 39,
enacted in 2013, closed a corporate tax loophole and mandated that
50% of the newly recovered tax revenues for the next 5 years ($500
million/year) be spent on renewable and energy efficiency projects in
California public schools. The California Energy Commission calculates
that the state’s schools (excluding colleges and universities) spend
$132 in energy costs per student each year. That’s an annual bill of
$700 million. A projected average of 30% savings for energy efficiency
initiatives alone would result in $240 million per year that could go to
textbooks and teacher salaries.
* The Master Limited Partnerships Parity Act (S. 795) introduced by Sen. Chris
Coons. For more information, see http://www.bna.com/expanding-master-limited-n17179876658/.
Green Bank initiatives are another innovative funding mechanism
for grid modernization. New York is the third state to launch a Green
Bank to fund clean energy projects. Seeded with $210 million to start,
it intends to attract enough private capital to fund $1 billion in projects.
The Green Bank addresses significant barriers for development
and deployment of clean energy and DER projects. These are the lack
of funding for cost-effective loans and for loan loss reserves, and the
lack of securitization for such projects. Investment criteria will be
aligned with the state’s Public Service Commission’s clean energy and
system resiliency program goals. While the state of Connecticut gets
the distinction for having the first Green Bank, New York has the
largest fund to date.*
At the private enterprise level, one of the most intriguing financial
innovations uses crowd-sourced funds to encourage retail investors
to participate in renewable energy-generation projects—not just
large institutional investors. As the Smart Grid enables consumers of
electricity to become producers of electricity (prosumers), the Internet
democratizes the investment marketplace—much as transactive
energy democratizes the electricity marketplace.
One of these services is offered by a company called Mosaic.† The
company finds and qualifies solar projects and connects investors to
them. Investment minimums are $25, opening the market to motivated
investors eager to join renewable energy markets. Residents of
New York and California can participate by virtue of their location.
People in other states must be accredited investors. Every solar project
is fully subscribed—some in as little as 24 hours. It is an innovative
approach that addresses a significant unmet need for investors who
wish to participate in DER deployments but lack opportunities. Some
of those reasons include tenants who cannot put solar on the rooftops
of their rental homes or apartments, and their landlords who derive
no financial benefits from deploying such systems on their rental
properties. It will be interesting to see if this same program can be
applied to energy storage projects in the future.
* Hawaii is the third Green Bank state, and California is organizing a similar initiative.
New Jersey has proposed creation of an Energy Resilience Bank, which also
relies on deployment of DERs.
† https://joinmosaic.com.
From a landlord’s perspective, real estate values are often higher for
green buildings with Leadership in Energy and Environmental Design
(LEED) recognition. Tenants are willing to pay a premium for the status
of living or working in energy-efficient and carbon-reduced buildings.
In the future, buildings that are grid hardened or energy self-sufficient
may also command premium prices because they preserve comfort and
safety of occupants regardless of utility grid status. It is a compelling
new variable in value propositions for property owners as they seek competitive
differentiators from other rental properties. It is also a sign of
the times about how financial motivations can serve as drivers for DER
investments, and create more participants in transactive energy markets.
These innovative financing mechanisms drive grid transformation
investments along the entire value chain, from generation to consumption.
In the process, we increase grid resiliency through distributed
renewables generation, reduce our carbon footprints, and allocate profits
and cost savings into local economies. Financial innovations also
open up energy markets for prosumers and small investors. As a Smart
Grid driver, finance is revolutionary and can accelerate investments
in DERs and microgrids, help democratize the market, and deliver a
broader range of Smart Grid benefits to a wider pool of participants.
As noted earlier, these transactive energy drivers portend significant
changes from today’s electricity markets, which are only available
to qualified suppliers able to trade in large quantities (megawatts
and negawatts) of electricity. The U.S. stock market offers some good
analogies. The large institutional traders like pension funds would be
the equivalent of qualified suppliers of electricity, buying or selling
huge blocks of stock. Prosumers at the distribution grid level would be
the equivalent of individuals managing their 401(k) stock portfolios
and buying or selling electricity at preferred price points.
So what does this chapter have to do with privacy? Most of our
discussion about privacy has so far focused on energy usage data.
Transactive energy expands the discussion to energy production data.
Transactive energy means new varieties of data coming from many
market participants and sector players, with data velocities that rival
those of existing stock markets. It will also mean new volumes of
data that will present challenges for existing utility communications
networks. And finally, the need for absolute confidence in the data to
accurately settle, buy, and sell transactions based on dynamic pricing
will put an emphasis on data veracity.
The transactive energy market will evolve over time, and we’ll
examine the initial steps with commentary on the energy production
data that is created. Let’s first define energy production data and its
value. Energy production data is data that identifies the flow of electricity
for a device that generates or discharges electricity.* Energy
production data describes how much energy is produced by a generation
device so it can be used for operational or financial purposes. If
it’s a smart device (and most of them are), it will have communication
capabilities and could be enabled for remote monitoring and control.
Various stakeholders will have different interests in this data, and we
group them into four categories: prosumers, governments, utilities,
and vendors.
Prosumers are the owners of DER assets. They can be individuals
or businesses. Prosumers will want data that details the performance
of their assets. This data would help answer questions such as:
• How much electricity is the asset producing?
• Is the device operating at optimal levels?
• How much electricity is used on-site versus sold back to the grid?
• What is the price of electricity at buy/sell transaction points?
• How much money has been saved, offset, or earned?
Obviously, there is other data that is combined with energy production
data to answer these questions. As noted before, the accurate
measurement of the electricity sold back to the grid would come from
a utility-supplied meter—the ultimate cash register for buying and
selling. Pricing data would not reside in a generation device, but an
energy management system that controls it would most likely have
programmed instructions regarding the price points for buy and sell
transactions. Prosumers may not want others to know how much
energy they are producing from their solar panels or wind generators,
or how much electricity their EV sells back to the grid. The bottom
line is that financial information is sensitive information, and therefore
establishing privacy controls for this data is important.
* From the Smart Grid Dictionary, 6th edition.
Governments range from local to federal entities and regulatory
agencies. They may want to track overall production from DER assets
and microgrids to measure the success of policies that encourage these
investments to build grid resiliency. Given that this is a new area with
many research interests and more questions than answers, we could
see similar pilot programs like the ChargeAmerica project, with volunteers
who consent to provide energy production data. Governments
would be interested in data that answered the same questions prosumers
would have, but at an aggregated scale. This data could be anonymized
to protect asset owner privacy. From another perspective, there
may also be interest in identifying electricity production that seems
oversized to site needs.
Utilities need energy production data to appropriately plan for
ongoing or backstop load requirements for interconnected DERs and
microgrids. By virtue of their meter ownership, they already have an
established “primary purpose” right to energy usage data for billing
and operational purposes. Without a doubt, they would want the same
arrangement for energy production data. In a transactive energy scenario,
they may manage DER assets on behalf of the asset owners (private
individuals or businesses) and would need all performance data,
along with remote monitoring and control capabilities of those DER
assets. This data would be necessary to provide safe grid operations
and accurate settlement reports (think of stock sales and purchases).
Utility treatment of energy production data should be governed by
the same privacy policies in place for energy usage data, but special
consideration needs to be given to situations where third parties are
involved. The scenarios previously discussed for Green Button data—
in which some vendors are covered entities and bound by utility policies,
while others are not—would need to be documented in use cases
to fully understand the chain of data custody.
Vendors have a number of interests in energy production data.
For example, if solar panel vendors and installers have access to
energy production data for the solar panels on your roof, perhaps
they could determine if your selected product produced the solar
efficiency claimed by a competitor. They could certainly use production
data to spot trends in performance degradation and pitch their
upgrade or maintenance services. Interesting distinctions arise around
the relationship that an ESP or product vendor has with the asset
owner—presumably the owner of the energy production data. This is
similar to the distinctions made between third parties that are covered
entities or have some affiliation with the utility or with the asset
owner and those that do not have a relationship. A comprehensive
portfolio of use cases can fully detail the data ownership and resulting
privacy risk mitigation strategies.
Now that we’ve described energy production data and some of its
potential values, let’s explore the evolutionary transition to transactive
energy and the role of energy production data. Net metering isn’t
often thought of in transactive energy terms, but it is an illuminating
first evolutionary step.
Net metering is the capability for residential and commercial and
industrial (C&I) customers to generate electricity and sell back excess
power to the utility.* Net metering uses either a single, bidirectional
electric meter or two meters to separately measure production and
consumption electricity flows at a prosumer’s location. Net metering
is currently implemented on a state-by-state basis with significant
variation between states and utilities. Some net metering setups use
smart meters; others rely on traditional electromechanical meters. Net
metering has experienced significant growth in the United States, as
tracked by the Energy Information Administration in Figure 9.1.
* Ibid.
[Chart: number of net-metered customers, in thousands, residential and non-residential, 2003 to 2010.]
Figure 9.1 Growth of net metering in the USA. (Courtesy of the U.S. Energy Information
Administration, Electric Power Annual.)
Note: The chart counts the number of net metering customers
and does not indicate the generator size or amount of generation.
Nonresidential includes the commercial and industrial sectors;
net-metered generators in these sectors are typically larger than residential
generators.
Net metering essentially is self-generation structured in organized
transactions with a utility. Pricing is fixed by utility tariffs, so unlike a
true transactive energy market, there’s no dynamism in prices. It does
serve as the first step to transactive energy, since many utilities have
long-term plans to switch from fixed pricing to time of use pricing
or dynamic pricing. In today’s net metering scenarios, the utility still
owns the meters, and all the existing meter data privacy guidelines
apply to the energy production data. Could this change in transactive
energy? Possibly. We see similarities to the scenario for energy
usage data. If the state or utility policy holds that the prosumer owns
his or her meter data, then production data should be handled just
like usage data. If the status of ownership of meter data is not well
defined, or if the position is the utility owns the data, that would trigger
real concerns about the privacy of energy production data. From a
future transactive energy perspective, if an ESP is aggregating power
generated from a number of locations and selling it back to utilities
(much like they do with DR aggregation today), then the situation
is even more complicated. It will be important to consider the entire
data chain of custody through use cases to develop appropriate privacy
policies and practices.
OpenADR
The OpenADR* initiative is focused on standardizing, automating,
and simplifying DR programs and technologies. It’s the most comprehensive
and widely used Internet Protocol (IP)-based communications
standard for electricity providers and system operators to exchange
DR signals with buildings and equipment within buildings. Existing
ADR technologies are based on competing standards and incompatible
protocols, and when coupled with a similar variety in building
energy management systems, they create difficult and expensive integration
challenges. OpenADR aims to resolve much of that overhead
complexity, and thus accelerate the participation rates of buildings
into DR programs and negawatt production. OpenADR is the de facto
standard for the state of California’s building code,* which mandates
that all new buildings must support a standards-based DR signal.
* For more information, visit http://www.openadr.org.
As described before, for building owners and managers, participation
delivers payments for reductions in electricity use or lower rates
throughout the year—nice impacts to their operating costs. The
OpenADR Alliance is currently piloting an offer of LEED credits for
participation in ADR, which means that buildings will receive sustainability
recognition too. That reinforces the premium value that property
owners can charge to tenants in buildings participating in ADR.
However, the alliance has a very ambitious goal—to be the “last mile”
of transactive energy. In fact, there is a profile held in reserve (2.0c) that
will have features supportive of the transactive energy model.
From a privacy perspective, there are important distinctions to note
between commercial buildings and residential buildings, which can be
subcategorized into multifamily and single-family dwellings. There is
an incredible amount of energy usage data that is created, transmitted,
and analyzed to manage commercial buildings. In the future, this data
would include energy production data regarding measured electricity
from devices, performance alarms and status updates for those devices,
as well as financial transaction data such as buy and sell details. This data
may have significant value in delivering detailed knowledge of building
operations, but it may not reveal any useful personal information since the
meter may be assigned to a corporation rather than an individual.
For residential scenarios, energy production data would have the same
sensitivities as energy usage data, or the data produced in net metering scenarios.
However, with the exception of multifamily residential properties,
many residential OpenADR participants may have a relationship with
an ESP who serves as an intermediary to the local utility. Multifamily
residential properties may have a similar arrangement, or be large enough
to have a facilities manager who coordinates directly with a utility.
Going Forward
The Pacific Northwest Smart Grid Demonstration Project† is a
multiyear initiative that is now testing transactive controls as key
components to transactive energy markets. The project defines transactive
control as a distributed system that uses signals communicating
the current and expected state of the grid, so that electricity users
and energy resources can adapt to time-granular changes in grid
supply and demand. DER assets such as solar panels, smart appliances,
energy storage units, plug-in hybrid electric vehicles (PHEVs),
and backup generators are participating in this demonstration. The
project is collecting data from 60,000 metered customers who have
a variety of voluntary participation options through the 11 utilities
throughout five states, shown in Figure 9.2, that are also part of the
demonstration.
* Title 24 of the California Energy Code went into effect January 1, 2014.
† For more detailed descriptions of the pilot, go to http://www.pnwsmartgrid.org.
Figure 9.2 The Pacific Northwest Smart Grid Demonstration Project territory. (From http://www.pnwsmartgrid.org.)
These customers cover residential and C&I categories, and are
engaged in programs through the utilities that make up this pilot.
Participation for the most part consists of negawatt production,
although two utilities installed solar panels for distributed generation
with volunteers from their customer base, and one utility had
a commercial enterprise with an existing solar installation share
its energy production data. There is no single overarching privacy
policy that covers all participants of this pilot, although this simply
reflects the fragmented nature of our electricity sector as well as our
privacy legislation. Given the research mission of this pilot, data
collection is extremely important to gain knowledge and insights
to apply to future transactive energy operations and market models.
All pilot participants’ privacy needs must be carefully documented
to ensure that the appropriate policies and procedures are in place to
protect privacy.
Transactive energy creates new data—energy production data. In
many scenarios, its treatment should not vary from the privacy protections
for energy usage data. However, if energy usage data has weak
privacy protections, the expansion into energy production data offers
an excellent opportunity to update and enhance privacy protections
for all data. Development of scenarios or use cases that reflect the
coming transactive energy changes and identify the data chain of custody
can help prepare regulators and legislators, utilities, vendors, and
consumer agencies to ensure that the proper privacy protections are
in place.
10 ADDRESSING COMMON PRIVACY CLAIMS
There are many individuals and groups that are taking bits of truth
with regard to Smart Grid privacy risks and blowing them up into
unsubstantiated, and often completely fictional, claims to spread fear,
uncertainty, and doubt (FUD). Such alarmists are found quickly via
an Internet search. Many are using scare tactics to encourage individuals
to remove smart meters themselves from their homes, a very
physically dangerous thing to do!
Here are some facts, pointing out what is possible and what is not,
to address some of the most common unsubstantiated claims made by
groups or individuals with regard to Smart Grid privacy.
Claim 1: Data from smart meters goes directly to government
agencies through the Smart Grid transmission lines.
No, in the United States, data from smart meters does not
go directly to government agencies. Smart meter data goes to
the utilities that use them for billing purposes. If a government
agency wants smart meter data, it must bring a subpoena
or other appropriate documentation to the utility, and list the
specific types of data it needs (e.g., from a specific address for
a specific range of time). The utility will then give it only the
specified data, as required by law and energy standards. This
process has been in place for decades, and is not becoming less
strenuous because of smart meters.
There may be some types of smart meters that homeowners
have connected directly to their home area networks (HANs)
or home energy management systems (HEMSs). In this case,
it would be possible for the homeowner to purposefully and
knowingly send his or her energy usage data to others. And, if
he or she did not set up his or her HAN or HEMS securely,
he or she may leave it vulnerable for unauthorized access.
However, those situations are under the control of the residents,
are not made from the smart meter, and are not something
the utility can control.
Claim 2: The utilities share all smart meter data with third
parties, including mail houses, debt collectors, and data
processing analysts.
No, in the United States the utilities are not sharing energy
usage data with third parties without consumer consent with
two exceptions:
1. Data may be shared with a company under contract to
a utility to provide a service necessary to the delivery of
electricity, such as meter repairs.
2. Data may be shared if there is a state-level legal reason to
do so. For instance, a public utility commission may order
data to be shared for energy efficiency studies.
Most U.S. utilities are regulated at the state level, by public
utilities commissions or public service commissions. These
state regulations govern when, why, and with whom data may
be shared. There are typically fines for breaking these regulations.
These regulations have been in place for decades, and
are not becoming more lenient because of smart meters.
Municipal utilities and rural electric member cooperatives
(coops) answer to their city governments or utility boards and
their electricity customers serving as owners and voters. These
categories of utilities are governed by existing state and local
privacy laws and often follow the policy lead of the regulated,
investor-owned utilities (IOUs). In some states, the commissions
that regulate IOUs also have jurisdiction over municipals
and cooperatives.
At the time of this writing, outside the United States, there
was a wide range of protections, and often no protections,
governing energy usage data. Possibly the most guidance and
rules have been established within the European Union.*
* See more about EU Smart Grid rules and recommendations at http://ec.europa.eu/energy/gas_electricity/smartgrids/smartgrids_en.htm.
Claim 3: Smart meters are not optional. The U.S. government
is forcing them on the public to spy on them!
The U.S. government does not govern the use of smart
meters, or any other hardware components used at the energy
consumers’ residence, to provision the delivery of energy services.
Requirements for consumer hardware necessary for
energy delivery services are governed at the state level. Many
states have begun offering an opt-out capability with regard
to smart meters. However, this opt-out option often comes
with an extra fee to cover the additional work of reading an
analog meter. This also means a customer would not gain any
benefits of a smart meter, such as faster repair times following
a service disruption.
Claim 4: The utilities and U.S. government will now be able
to control every appliance within each consumer’s home,
shutting off energy supply without warning.
U.S. regulations* do not allow utilities to modify the working
of any appliance or electronics within a customer’s home
without first gaining customer approval. Also, an energy-consuming
device has to be correctly enabled, usually by setting a
special device on appliances or electronics, in order to be controlled
by a utility. This function, commonly known as demand
response, has been around for many years. Regulations are not
becoming less stringent because of smart meters.
Related to this, it is important for energy consumers to be
aware of the access they are providing directly to third parties
as a result of using smart appliances, HANs, and HEMSs.
Energy consumers must perform their own due diligence to
ensure these third parties have appropriate privacy protections
and security controls implemented.
Claim 5: Utilities will be able to use smart meters to know
your in-home activities based upon detailed energy usage,
down to the appliance level.
* See the primary U.S. federal regulations governing utilities at http://energy.gov/NODE/11611.
Using nonintrusive appliance load monitoring (NALM)
techniques,* interval energy usage at different time periods
can be used to infer individual appliances’ portions of energy
usage by comparison to libraries of known patterns matched
to individual appliances. However, studies have shown that
individual appliance inference or patterns of appliance usage
are not truly possible unless the usage data is gathered more
frequently than every 15 minutes. Many utilities in the United
States are only gathering usage data once per hour or less frequently.†
It is important to keep in mind that such analysis
has already been shown to be possible with an analog meter‡
as well, so this capability is not new with smart meters.
Disaggregation technologies§ can provide this level of
detail, but require consumer consent and active participation
in order to develop it.
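The effect of the read interval on signature matching can be shown with a small added example (not from this book or from NISTIR 7628). It assumes a constructed 4-hour load trace, a hypothetical three-appliance signature library, and a simple step-matching rule with a 10% tolerance; real disaggregation methods are more elaborate.

```python
"""Read interval versus appliance-signature matching, on constructed data."""

# Hypothetical signature library: appliance -> step in watts when it switches.
SIGNATURES = {"fridge": 120, "microwave": 1200, "kettle": 2000}
TOLERANCE = 0.10    # assumed: a step within 10% of a library value is a match
BASELINE_W = 200    # constructed always-on load

# Constructed usage: (appliance, start minute, end minute) in a 4-hour window.
USAGE = [("fridge", 12, 32), ("kettle", 65, 68),
         ("fridge", 132, 152), ("microwave", 185, 190)]


def build_trace(minutes=240):
    """Whole-home demand in watts, one sample per minute."""
    trace = [BASELINE_W] * minutes
    for name, start, end in USAGE:
        for minute in range(start, end):
            trace[minute] += SIGNATURES[name]
    return trace


def downsample(trace, interval):
    """Average 1-minute samples into one read per `interval` minutes,
    which is what a meter reporting at that interval would deliver."""
    return [sum(trace[i:i + interval]) / interval
            for i in range(0, len(trace), interval)]


def match_events(reads, interval):
    """Compare every read-to-read step with the library.
    Returns (minute, appliance, 'on' or 'off') for each matching step."""
    events = []
    for i in range(1, len(reads)):
        step = reads[i] - reads[i - 1]
        for name, watts in SIGNATURES.items():
            if abs(abs(step) - watts) <= TOLERANCE * watts:
                events.append((i * interval, name, "on" if step > 0 else "off"))
    return events


def energy_kwh(reads, interval):
    """Total energy represented by the reads, in kWh (the billing quantity)."""
    return sum(reads) * interval / 60 / 1000


def compare_intervals(intervals=(1, 15, 60)):
    """Run the same matcher on the same household at each read interval."""
    trace = build_trace()
    report = {}
    for interval in intervals:
        reads = trace if interval == 1 else downsample(trace, interval)
        report[interval] = {
            "events": match_events(reads, interval),
            "kwh": round(energy_kwh(reads, interval), 6),
        }
    return report


if __name__ == "__main__":
    for interval, result in compare_intervals().items():
        print(f"{interval:>2}-minute reads: {len(result['events'])} matched "
              f"events, {result['kwh']} kWh")
```

On this constructed trace the total kWh is identical at every interval, so coarser reads still support billing while the switching steps that the matcher relies on are averaged away.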
* From NISTIR 7628 Rev.1: “Using nonintrusive appliance load monitoring
(NALM) techniques, interval energy usage at different time periods can be used
to infer individual appliances’ portions of energy usage by comparison to libraries
of known patterns matched to individual appliances. NALM techniques have
many beneficial uses for managing energy usage and demand, including pinpointing
loads for purposes of load balancing or increasing energy efficiency. However, such
detailed information about appliance use has the potential to indicate whether a
building is occupied or vacant, show residency patterns over time, and potentially
reflect intimate details of people’s lives and activities inside their homes.”
† Per information gathered from utilities during NIST Smart Grid CSWG Working
Group research, which occurred between July 2009 and the publication of this book.
Also per a representative from the Utility Analytics Institute.
‡ This is demonstrated in the famous research study by Elias Leake Quinn, Smart
Metering and Privacy: Existing Law and Competing Policies, Spring 2009, p. 3,
http://www.dora.state.co.us/puc/DocketsDecisions/DocketFilings/09I-593EG/09I-593EG_Spring2009Report-SmartGridPrivacy.pdf.
Note: A hob heater is a top-of-stove cooking surface.
§ Discussed in Chapters 5 and 7 of this book.
Claim 6: Smart meters transmit personal information.
In the United States, at the time of this writing, no traditional
personal information (e.g., name, address, phone number,
etc.) was being transmitted by smart meters. There is a
unique code associated with each smart meter to ensure billing
accuracy that is part of the ANSI C12.19 standards for meter
data that is sent with the energy usage data transmission.
This unique identifier for the smart meter does not explicitly
indicate name, address, or other traditional types of personal
information. It is important to establish safeguards for those
smart meter codes used for billing to ensure they cannot be
accessed by others who are not authorized.
Claim 7: Smart meters can tell when people are at home or
when the home is empty, so burglars will have an easy time
finding targets.
The answer depends upon the security controls implemented
within the smart meter. This claim is most likely correct
if, for example, everyone is away from a home and if a
burglar had access to this smart meter information. The ability
for bad guys to have access to smart meter data is determined
by the security and encryption of data at the meter,
during transmissions, and in utility networks and computer
systems. Utilities do need to ensure that they exercise appropriate
security precautions.
When considering the actions that energy customers take
related to this, it is important to point out that energy custom-
ers using HANs and HEMSs need to also have the appropri-
ate security controls established to keep such burglars, or any
others for that matter, from being able to access this data to
determine whether or not the home is empty.
And, outside of the Smart Grid, everyone must ensure they
do not communicate on online social media sites or other places
when they are away from their homes. Growing numbers of
burglars are nding targets by reading Facebook pages.*
* Many news stories over the years support this. For example, see Most Burglars Using
Facebook and Twitter to Target Victims, Survey Suggests,
http://www.telegraph.co.uk/technology/news/8789538/Most-burglars-using-Facebook-and-Twitter-to-target-victims-survey-suggests.html
and Going on Summer Vacation? Don’t Tip Off Criminals on Social Media,
http://blogs.findlaw.com/blotter/2014/06/going-on-summer-vacation-dont-tip-off-criminals-on-social-media.html.
Claim 8: Smart meters can determine how you spend your
time.
This is a true statement about your use of electrically
run devices if the smart meter is used with technology that
disaggregates* electricity signatures, or if the data is
subsequently obtained and analyzed with a disaggregation method.
However, without disaggregation, a meter transmission on an
hourly basis would not be able to distinguish any difference
in kWh consumed plus the other measurements, like voltage
and current, that would be able to provide a clear picture of
how time was being spent within the home.
Claim 9: Smart meters can be used to identify medical equipment
and give insurance companies information that affects your
premiums.
This is possible only if the electricity usage data is
disaggregated and unique signatures of electricity used by devices
and appliances are identified, and if the data is subsequently
provided to insurance companies. At the time of this writing,
within the United States, and possibly in other countries as
well, there are no laws, regulations, or agreements giving any
other entity beyond the utility and its contracted third parties
access to smart meter data.
This points to the need for any entity with legitimate and
authorized access to or possession of the data to have strong
security controls to protect the energy usage data, in addition
to having defined organizational privacy policies governing
the use and sharing of the data.
It is important to note that other methods exist for insurance
companies to suss this out, such as buying your credit
card history to examine purchases of medical services, or buying
search history data from Google.
* See Chapters 5 and 7 for more thorough discussions of disaggregation
technologies and associated risks.
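Claims 8 and 9 both turn on whether usage data is detailed enough to be disaggregated. The following added example (not from the book) reports one constructed day of load data at 1-, 15- and 60-minute intervals and checks each against a small library of appliance ratings, a deliberately simple stand-in for disaggregation; the appliance schedule, wattages, tolerance and function names are all assumptions.

```python
"""Added example: what one day's load data reveals at different reporting intervals."""

BASELOAD_W = 150  # constructed always-on load (fridge, standby devices)

# Constructed signature library and one day's usage (assumed values):
# name -> (rated watts, start minute of day, run time in minutes)
APPLIANCES = {
    "kettle": (2000, 7 * 60 + 5, 3),
    "toaster": (900, 7 * 60 + 10, 4),
    "oven": (2400, 18 * 60 + 30, 45),
    "tv": (120, 19 * 60 + 30, 150),
}


def build_trace():
    """Return 1440 one-minute power readings (watts) for the constructed day."""
    trace = [BASELOAD_W] * 1440
    for watts, start, minutes in APPLIANCES.values():
        for t in range(start, start + minutes):
            trace[t] += watts
    return trace


def report(trace, interval_min):
    """Average one-minute readings into the values a meter would send
    when it reports every interval_min minutes."""
    if len(trace) % interval_min:
        raise ValueError("interval must divide the trace length")
    return [
        sum(trace[i:i + interval_min]) / interval_min
        for i in range(0, len(trace), interval_min)
    ]


def identified_appliances(readings, rel_tol=0.10):
    """Match each upward step between readings against the signature library.

    A step counts as a match when it is within rel_tol of an appliance's
    rated power. Real disaggregation methods are more capable than this.
    """
    found = set()
    for prev, cur in zip(readings, readings[1:]):
        step = cur - prev
        for name, (watts, _start, _minutes) in APPLIANCES.items():
            if step > 0 and abs(step - watts) <= rel_tol * watts:
                found.add(name)
    return found


def active_intervals(readings, margin_w=50):
    """Indexes of readings that sit more than margin_w above the baseload."""
    return [i for i, w in enumerate(readings) if w > BASELOAD_W + margin_w]


def leakage_by_interval(intervals=(1, 15, 60)):
    """For each reporting interval: appliances still matched, and how many
    reported intervals still show activity above the baseload."""
    trace = build_trace()
    result = {}
    for interval in intervals:
        readings = report(trace, interval)
        result[interval] = (
            sorted(identified_appliances(readings)),
            len(active_intervals(readings)),
        )
    return result


if __name__ == "__main__":
    for interval, (names, active) in leakage_by_interval().items():
        print(f"{interval:>2}-minute data: matched={names}, active intervals={active}")
```

On this constructed day the hourly readings match no appliance rating, yet five of the 24 hours still stand above the baseload, so coarse reporting reduces what can be inferred about activities without removing the need for the access controls discussed under Claim 7.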
11
BEYOND THE SMART GRID:
THE MONETIZATION OF DATA
The Smart Grid sector made and continues to make significant investments
in machine-to-machine (M2M) communications and applications
that rely on sensors to collect data from connected devices.
Depending on sensor functionalities, data collection can include:
• Measurements of flow: Voltage, current, phase angle, watts
produced or used.
• Performance: Parameters like temperature, vibration, or pressure.
• Date and time stamps.
• Geographic information: Latitude and longitude.
• Identification/authentication of user.
Smart Grid technologies create greater volumes of data and new
sources of data—almost exclusively structured data* since it is obtained
from devices like smart meters or other sensored machines and components.
But the electricity sector is not the only sector to confront
challenges and opportunities with this new data. The transformations
that are occurring now in the electricity sector are also causing disruptions
in other sectors, such as transportation and the growth of vehicle
telematics,† as well as healthcare medical devices and the adoption of
personal monitoring devices.‡ Data has significant promise to change
how we do business, how we conduct our lives, and how we see the
world. It is important to remember, though, that with more data and
more capabilities to make such changes also come more privacy risks
that must be addressed and appropriately mitigated.
* Structured data is data that is organized according to a consistent standard. Much
of it is generated by devices in the form of events (such as a change in a temperature
measurement or a detection of motion), but it also includes data input by humans,
such as name, address, gender, age, etc.
† Telematics is the equivalent of Smart Grid technologies embedded in a car—it
includes sensors, communications technologies, and onboard and remote analytics
applications, and it can improve operational performance as well as human interactions
with a vehicle.
‡ Google’s plans for tracking health data:
http://spectrum.ieee.org/tech-talk/biomedical/devices/google-fit-wants-to-rule-all-your-wearable-health-fitness-devices.
The Internet of Things (IOT) includes the Smart Grid plus a growing
array of M2M applications that leverage sophisticated sensors. The
newest buzzword, the Internet of Everything (IOE), converges human
interactions with device networks. The IOE correlates machine-generated
data with human-generated data for action and insights.
Sensor Proliferation
A quick digression is needed about sensors, because sensors have been
around for a long time, but now are rapidly proliferating in both traditional
and innovative new applications. Sensors require power to operate,
and in many cases, these sensors require batteries for power. Batteries
expire, making it impractical to consider replacing power supplies in
mass quantities of sensors on a periodic basis. Technology advances on
many fronts, ranging from materials science discoveries to continued
improvements in microprocessors, have led to a veritable explosion
of much more flexible sensors that require much less power to function,
or now have embedded capabilities to produce their own power.* As a
result, it is now not only technically but also practically feasible to
deploy sensors for applications that would benefit from remote monitoring
capabilities. For instance, a solution called Waspmote† can be
deployed in forests for early fire detection. Researchers in South Korea
announced the development of a prototype sensor the size of a postage
stamp that detects goose bumps on skin to monitor physical and
emotional responses in humans.‡ Sensors will continue to proliferate
in every imaginable business sector and generate new varieties of data.
* Energy harvesting advances are announced with some regularity, eliminating the
need for batteries in many sensors, and thus dramatically increasing the possibilities
for what can be monitored. See
http://electronicdesign.com/power/energy-harvesting-and-wireless-sensor-networks-drive-industrial-applications
and http://newsoffice.mit.edu/2010/energy-harvesting for some examples.
† http://www.libelium.com/products/waspmote/.
‡ http://spectrum.ieee.org/tech-talk/biomedical/diagnostics/goose-bump-detector-senses-your-skin-crawling.
Social media participation and electronic production and consumption
of content are increasing too—and creating daily terabytes and
petabytes* and more of unstructured data. Sensors create big data.
The ability to digest this big data as its variety, volume, velocity, and
veracity grow presents significant challenges. Data analytics, leveraging
impressive computing power, is the main tool to make sense of all
this data. Data analytics has a sense of time and function. Analytics
can be descriptive, predictive, or prescriptive. Descriptive is by far
the most common. The energy management systems described earlier
typically use descriptive analytics to provide a summary of what
happened or what is happening, usually directed to a smart phone
or computer. A car’s dashboard reflects descriptive data analytics as
well as some predictive analytics, such as messages regarding maintenance.
At the time of this writing, utilities were in the early stages
of deploying more sophisticated analytics for predictive purposes,
particularly to model anticipated electricity demand or the condition
of grid components to determine best repair or replacement times.†
Predictive analytics combines historical and real-time data from any
number of sources to forecast the probabilities of an outcome, such as
a malfunctioning transformer. For many retailers, predictive analytics
create suggestions for purchases to shoppers visiting their websites.‡
Prescriptive analytics is the latest evolution of data analytics, and it
narrows down multiple probabilities to one action, which may be
automatically enacted. Google’s self-driving or autonomous car§ is an
example of an application that relies on prescriptive analytics.
* A Terabyte is 1000 Gigabytes, a Petabyte is 1000 Terabytes, using the simpler
designation that identifies a Kilobyte as 1000 bytes. For the purists out there, it’s 1024
Gigabytes to a Terabyte and 1024 Terabytes to a Petabyte. The successive designations
are Exa, Zetta, Yotta, and Bronto. Bronto! Dinosaurs are extinct, but they still
live on.
† Traditional utility practice was to run to failure or when the equipment failed, but
the advent of sensors for remote monitoring and control enables a transition to more
proactive grid management.
‡ For example, see Amazon Knows What You Want Before You Buy It, January 27, 2014,
http://www.predictiveanalyticsworld.com/patimes/amazon-knows-what-you-want-before-you-buy-it/.
§ For example, see A Self-Driving Car Will Create 1 Gigabyte of Data per Second:
New Big Data Opportunity? July 22, 2013,
http://www.predictiveanalyticsworld.com/patimes/a-self-driving-car-will-create-1-gigabyte-of-data-per-second-new-big-data-opportunity/.
[Figure 11.1 The value of data. Labels in the figure: Data, Information, Knowledge, Wisdom.]
Applications of advanced analytics are the value multiplier for
data—big or otherwise. The ads that you see on the side of a search
engine screen are based on your search history plus demographic
data and countless other variables from multiple data brokers melded
together to detect patterns and predict your probabilities of interest in
products and services. Figure 11.1 illustrates the foundational value of
data, and how analytics begets information, information coupled with
human insights produces knowledge, and knowledge coupled with
thoughtful human experience leads to wisdom. (This is not to say that
if you have a lot of data you are wise.)
There are important privacy questions regarding the treatment of
all these new sources of data, but there are also very serious questions
about the monetary value of data. Monetization of the data can create
privacy issues.
For instance, an appliance manufacturer may be interested in collecting
data about how many times the cold water wash setting is used
versus a hot water wash setting for a smart clothes washer. That data
has value if it aids a diagnosis of a performance issue like a failing
rubber gasket. It would reduce downtime and inconvenience for the
owner of that asset, while the manufacturer would enjoy improved
productivity on the part of its service resources and have evidence
of malfunctioning components. The benefits of this data are shared
between the appliance owner and manufacturer or service center.
Similarly, if your refrigerator could alert you to a water leak or pending
failure that would defrost all the contents in the freezer, getting an
urgent text message on your smart phone would be timely actionable
information. Maybe the refrigerator would automatically schedule a
repair request with your designated maintenance center. You might be
willing to pay extra for that data and service.
But advertisers want this data too, and as we already know, they
are willing to pay handsomely for it.* They might send mobile ads promoting
a replacement refrigerator or telemarket repair services. Is this
really valuable for consumers? Maybe, maybe not. Did the refrigerator
owner derive any financial benefit from the sales of the data created
by his or her refrigerator that was collected by the manufacturer and
sold by the said manufacturer to the advertiser? There is no universal
“the consumer owns his or her data” statement applicable to this data
in the United States. To date we are unaware of this type of statement
anywhere in the world.
CVS pharmacy, a nationwide retailer, created a program where
shoppers can opt in to receive a loyalty card. Their ExtraCare program
has 70 million active members.† In exchange for some personal
information like name, contact details, gender, age, and household
data, this company rewards cardholders with discounts on purchases
that are not available to noncardholders buying the same items. Of
course, loyalty cards track purchase details for future use and create
more personalized experiences‡ in the form of targeted offers and
coupons. However, consumers can choose to share their purchase data
in exchange for price reductions—an exchange of value for this voluntary
sharing of data.
In some cases, lawmakers have legislated privacy protections for
data. For instance, health data has federal-level privacy protections
defined in the Health Insurance Portability and Accountability Act
(HIPAA). The same is true for financial data via the Gramm–Leach–Bliley
federal law. Energy usage, consumption, and production data
has some laws and regulations at the state level, but it is not consistently
protected in the same fashion across all 50 states. Vehicle
telematics did not have any existing federal protections when this
book was written.
* Ninety-five percent of Google’s revenue is attributed to advertising as reported here:
https://investor.google.com/financial/tables.html.
† From article on CVS loyalty program at http://www.colloquy.com/article_view.asp?xd=11417.
‡ Ibid.
Wearable technology data is in an ambiguous situation with debates
about the agencies responsible for privacy protection of the associated
health data. Under HIPAA, if that health data is collected on behalf
of a healthcare covered entity (healthcare provider, healthcare insurer,
or healthcare clearinghouse) and used for treatment, payment, or
operations, then that data would be subject to HIPAA requirements.
However, if that data is collected and used on one of the growing
types of personal health information data vaults, then the Federal
Trade Commission (FTC) would generally have oversight of it under
the HITECH Act. In yet a third scenario, if the data being generated
is being collected and used solely by the individual with the device,
or being shared with or sent to a cloud service or social media site
that does not meet the definition of a health vault, then there is much
argument about whether or not that data is protected by any existing
law or regulation. Laws and regulations generally lag new technology,
leaving the individuals using those technologies, and the technology
manufacturers, with no clear guidance about what they must do to
protect or use new varieties of data.
Vehicle telematics serves as an interesting example of how new data
is monetized and can be used for shared benefit or not. The quid pro
quo structure that exists with card loyalty programs seems to be the
basis for the initial auto insurance industry’s introduction of usage-based
insurance* (UBI) programs. The first programs† had only been
operating for a couple of years at the time this book was written, so
we suspend any judgments until we have more data. The initial results
and feedback from consumers may be encouraging, since insurance
companies are now bundling additional services to increase the
incentives, as well as increase their revenue streams beyond insurance
payments. These services include roadside assistance and vehicle
diagnostic reports. These arrangements provide value back to the
consumer for the data that they agree to share on a voluntary or opt-in
basis. However, other stakeholders‡ are focused on the value that
vehicle telematics provides to car manufacturers and their original
equipment manufacturers (OEMs). Reading between the lines, it
seems that while auto insurance companies recognize the importance
of socializing the value of data with the vehicle data creators (drivers
as owners or operators), other stakeholders believe they have a right to
the data whether or not the driver of the vehicle consents to share it.
* Usage-based insurance leverages in-vehicle or mobile apps to collect driving data to
determine insurance premiums. In the United States, existing programs are opt-in
and offer discounts for participation.
† Progressive, State Farm Insurance, and American Family are three insurance companies
with forms of UBI.
‡ Telematics Update, September 2013 and October 2013 issues; the links are given in the
first footnote of the group that follows the end of this chapter's text.
What does your structured and unstructured data reveal about you?
Much more than you may realize, and chances are you are not sharing
in the monetization of most of that data. The Smart Grid has received
lots of attention, but as our chapter illuminates, there are other business
sectors that may have as many or more privacy concerns, as well
as more issues about who owns the data and what entities have the
right to access or sell it. What are the privacy and security responsibilities
assigned to all this new data being generated? What are the
penalties for misuse or abuse of data that results in a loss of privacy?
There are more questions than answers. We’re overdue for a serious
discussion of how we want to treat the growth of new types of data
as we continue to transition to the Smart Grid and other sectors also
transform to the IOT and the IOE. One encouraging sign is that the
leading newspaper for Silicon Valley, home to Google and Facebook,
published an editorial calling for a Bill of Rights on data and personal
information.† The White House published a Consumer Privacy Bill of
Rights in February 2012,‡ so perhaps the consciousness is raised on
the value of data in the IOT and the IOE.
What should be the future for all the data generated? We look forward
to continuing that conversation with you.
* Telematics Update, September 2013 and October 2013 issues:
http://analysis.telematicsupdate.com/infotainment/telematics-and-value-big-data-part-i
and http://analysis.telematicsupdate.com/infotainment/telematics-and-value-big-data-part-ii.
† Editorial in reaction to Facebook’s 2012 psychological experiment on almost
700,000 users, San Jose Mercury News, July 3, 2014.
‡ See http://www.whitehouse.gov/sites/default/files/privacy-final.pdf.
Appendix A
Smart Grid Categories and
Associated Privacy Risks
This spreadsheet was created in 2010 by a subteam, led by Rebecca
Herold, of the National Institute of Standards and Technology (NIST)
Smart Grid Cyber Security Working Group (CSWG) Privacy Group.*
* See the NIST Smart Grid CSWG Privacy Group work from that time period at
http://collaborate.nist.gov/twiki-sggrid/bin/view/SmartGrid/CSCTGPrivacy.
Note: See purpose of matrix and definitions by scrolling to the bottom.
Legend: X = likely privacy risks, P = possible privacy risks, — = no anticipated privacy risks, Ph = physical privacy risks, Ad = administrative privacy risks, Te = technical privacy risks, PD = privacy-impacting data is involved.

ENTITIES WITH INTERESTS IN SMART GRID DATA (table columns):
(1) CONSUMERS (EXPANDING UPON VERSION 1 OF NISTIR 7628)
(2) COMMERCIAL/INSTITUTIONAL (APARTMENTS, HOSPITALS, DORMITORIES, ETC.)
(3) COMMERCIAL/NONINSTITUTIONAL (OFFICE BUILDINGS, RETAIL STORES, DATA CENTERS, CAR RENTALS, ETC.)
(4) INDUSTRIAL (STEEL MILLS, AUTO ASSEMBLY PLANTS, ETC.)
(5) THIRD PARTIES (RESEARCHERS, VENDORS, SERVICE PROVIDERS, REGULATORS, MARKETERS, ETC., WHO ARE NOT UNDER THE SAME LEGAL AND CONTRACTUAL OBLIGATIONS AS THE UTILITIES)
(6) UTILITIES
(7) CONTRACTED AGENTS (ENTITIES THAT UTILITIES HAVE CONTRACTED TO DO WORK ON THEIR BEHALF AND MUST ABIDE BY THE SAME LEGAL AND CONTRACTUAL OBLIGATIONS AS THE UTILITY)
(8) LAW ENFORCEMENT AND INVESTIGATIONS
Each cell lists the Ph, Ad, Te, and PD values, in that order, for the entity in that column.

SMART GRID CATEGORIES WITH POTENTIAL PRIVACY ISSUES | (1) | (2) | (3) | (4) | (5) | (6) | (7) | (8)

SMART METERS
Energy usage | X X X X | X X X X | — P P P | — P P P | X X X X | X X X X | X X X X | — — X X
Pricing data | X X X X | X X X X | — P P P | — P P P | X X X X | X X X X | X X X X | — — X X
Smart device data | X X X X | X X X X | — P P P | — P P P | X X X X | X X X X | X X X X | — — X X

PEVs
Private charging station | X X X X | X X X X | — P P P | — P P P | X X X X | X X X X | X X X X | — X X X
Energy usage | X X X X | X X X X | — P P P | — P P P | X X X X | X X X X | X X X X | — X X X
Pricing data | X X X X | X X X X | — P P P | — P P P | X X X X | X X X X | X X X X | — X X X
PEV-related data | X X X X | X X X X | — P P P | — P P P | X X X X | X X X X | X X X X | — X X X
Public charging station | P P P P | P P — P | — P P P | — P P P | X X X X | X X X X | X X X X | — X X X
PEV-related data | P P P P | P P — P | — P P P | — P P P | X X X X | X X X X | X X X X | — X X X
Servicing | X X X X | P P P P | — P P P | — P P P | X X X X | X X X X | X X X X | — X X X

OTHER TYPES OF PRIVATELY OWNED MOBILE DEVICES OR REMOTE APPLICATIONS THAT CONNECT TO THE SMART GRID
Mobile devices: smart phones and laptops, apps, etc. | X X X X | X X X X | — X X X | — — — — | — X X X | — P P P | — P P P | X X X X
Servicing for mobile devices | X X X X | X X X X | X X X X | — — — — | X X X X | — P P P | — P P P | X X X X

HOME AREA NETWORK (AKA HAN, METER TO UTILITY)
HAN WITH EMS
Energy production | X X X X | — — — — | — — — — | — — — — | X X X X | P X X X | P X X X | P P P P
Energy use | X X X X | P X P X | — — — — | — — — — | X X X X | X X X X | X X X X | X X X X
HAN WITHOUT EMS
Energy production | P P P P | — — — — | — — — — | — — — — | P P P P | P X X X | P X X X | P P P P
Energy use | P X X X | P X P X | — — — — | — — — — | P X X X | X X X X | X X X X | P X X X
Smart appliances/end points | P X X X | P X X X | — — — — | — — — — | P X X X | P X X X | P X X X | P X X X

BUSINESS AREA NETWORK (BAN)
Business area network (BAN), i.e., sensitive devices | — — — — | — — — — | — — — — | — — — — | — — — — | — — — — | — — — — | — — — —

FIELD AREA NETWORK (FAN)
Field area network (aka FAN, meter to utility, neighborhood area network) | X X X X | X X X X | — P P P | — P P P | — — — — | X X X X | X X X X | — — P X

WIDE-AREA NETWORK
Wide-area network (backhaul) | X X X X | X X X X | — P P P | — P P P | — — — — | X X X X | X X X X | — — P X

COMMUNICATIONS PROCESSORS
Communications processors (head end) | X X X X | X X X X | — P P P | — P P P | — — — — | X X X X | P P P P | — — P X

BACK OFFICE SYSTEMS AND APPLICATIONS
Back office systems and applications | X X X X | X X X X | — P P P | — P P P | — — — — | X X X X | P P P P | — — P X

THIRD-PARTY APPLICATIONS
Third-party applications (including cloud apps)
Selected by consumer | X X X X | X X X X | — P P P | — P P P | X X X X | X X X X | P P P P | — — P X
Selected by utility | X X X X | X X X X | — P P P | — P P P | P P P P | X X X X | X X X X | — — P X

MARKETING
Use of consumer data | X X X X | X X X X | P P P P | — — — — | X X X X | P P P P | P P P P | — — — —
Sharing consumer data | X X X X | X X X X | P P P P | — — — — | X X X X | P P P P | P P P P | — — — —

RESEARCH
Use of consumer data | X X X X | X X X X | P P P P | — — — — | X X X X | P P P P | P P P P | — — — —
Sharing consumer data | X X X X | X X X X | P P P P | — — — — | X X X X | P P P P | P P P P | — — — —

ENERGY GENERATION (E.G., WIND, SOLAR, ETC.)
Energy plants/utilities | — — — — | — — — — | — — — — | — — — — | — — — — | — — — — | — — — — | — — — —
Consumer location generation | P P P P | P P P P | — — — — | — — — — | P P P P | P P P P | P P P P | P P P P

NSTIC AND TRUSTED IDS
NSTIC and trusted IDs | P P P P | P P P P | P P P P | P P P P | P P P P | P P P P | P P P P | P P P P

RFID ISSUES/RISKS
RFID issues | P P P P | P P P P | — — — — | — — — — | P P P P | P P P P | P P P P | P P P P

GOVERNMENT ACTIVITIES
U.S. local | P X X X | P X X X | — — — — | — — — — | P X X X | P X X X | P X X X | X X X X
U.S. state | P X X X | P X X X | — — — — | — — — — | P X X X | P X X X | P X X X | X X X X
U.S. federal | P X X X | P X X X | — — — — | — — — — | P X X X | P X X X | P X X X | X X X X
International | P X X X | P X X X | — — — — | — — — — | P X X X | P X X X | P X X X | X X X X

CONSUMER AND PERSONNEL ISSUES
CONSUMER AND PERSONNEL ACTIVITIES
Posting data on websites | X X X X | P X X X | — P P P | — — — — | X X X X | X X X X | X X X X | P X X X
Sharing with third parties | P X X X | P X X X | — P P P | — — — — | P X X X | X X X X | X X X X | P X X X

Purpose of matrix:
Provide a comprehensive way to identify and prioritize the areas for the NIST Smart Grid privacy subgroup work going forward. As a result of continuing work, provide recommended privacy guidelines for energy data, as well as identifying responsibilities for entities with access to energy data.

The physical issues would include physical access to the following (add to this list as necessary):
• Smart meters
• Smart appliances
• PEVs
• Power plants
• Utilities facilities
• Data storage devices

The administrative issues would include the following (add to this list as necessary):
• Policies
• Procedures
• Breach identification and response
• Training and awareness
• Opt in/opt out/rescind opt in or out
• Consent and rescind consent (totally or by various collection, usage, sharing, transborder, and retention preferences)
• Giving access to individuals
• Data ownership
• Responsibility and accountability
• Purposes for collecting
• Limiting collection to only that which is necessary
• Limiting use of data
• Disclosure and sharing
• Data retention
• Data accuracy
• Ensuring appropriate safeguards
• Giving notice, openness, and transparency
• Correcting and updating data
• Laws, regulations, and standards
• Accounting for disclosures of energy data

The technical issues would include the following (add to this list as necessary):
• Home area networks (HANs) and privacy networks (wireless and hardwired)
• Intranets and corporate networks (LANs) (wireless and hardwired)
• Field area networks (FANs and neighborhood area networks) (wireless and hardwired)
• Wide-area networks (WANs and backhaul)
• Public networks (Internet)
• Encryption
• Access controls
• Authentication
• Authorization
• Anonymization, de-identification, and aggregation
• Malware
• Data storage and backups

NSTIC and trusted IDs:
How would trusted IDs impact privacy in the Smart Grid? For example, trusted IDs as a means of providing individual choice to share/not/rescind sharing of PI or sensitive PI; could they lead to privacy incidents, etc.?
Appendix B:
Example of One State’s Actions
for Smart Grid Privacy
There were many states that were considering rules to establish for
Smart Grid privacy at the time this book was written. California
is also frequently cited in this book for its privacy laws and policies
regarding energy usage data since one of the authors, Christine
Hertzog, resides in that state.
The actions of California could provide a good overview of the
types of laws and rulings that other states may subsequently implement
as a result of these precedents.
Here is a brief compilation of the most important California privacy
rulings and laws impacting not only energy usage and production
data, but also general privacy protections for all types of personal
information, at the time of this writing.
California State Constitution. Article 1, Declaration of
Rights, Section 1. “All people are by nature free and independent
and have inalienable rights. Among these are enjoying
and defending life and liberty, acquiring, possessing,
and protecting property, and pursuing and obtaining safety,
happiness, and privacy.” (Note: Nine other state constitutions
explicitly mention privacy.*)
Assembly Bill (AB) 1274. Privacy: customer electrical or natural
gas usage data. This California law was approved on October
5, 2013, to address the role of businesses such as energy
service providers (ESPs) as data managers. The bill aims to
“prohibit a business from sharing, disclosing, or otherwise
making accessible to any 3rd party a customer’s electrical or
natural gas usage data without obtaining the express consent
of the customer and conspicuously disclosing to whom the
disclosure will be made and how the data will be used. The
bill would require a business and a nonaffiliated 3rd party,
pursuant to a contract, to implement and maintain reasonable
security procedures and practices to protect the data from
unauthorized disclosure.”† It also provides for a civil penalty
for violations.
Senate Bill (SB) 1476. Public utilities: customer privacy:
advanced metering infrastructure. This law was approved on
September 29, 2010, and addresses consumer rights to their
electricity usage data, and applies this law to IOUs and publicly
owned utilities such as municipal and rural cooperatives.‡
Assembly Bill 1103. Nonresidential Building Energy Use
Disclosure Program. This California law was approved on
October 12, 2007, to provide whole building information
about energy use.§ The California Energy Commission was
conducting hearings at the time this book was written about
how to implement this legislation, including guidance for
utilities to comply with requests for building data.¶
* http://www.ncsl.org/research/telecommunications-and-information-technology/privacy-protections-in-state-constitutions.aspx.
† http://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201320140AB1274.
‡ http://www.leginfo.ca.gov/pub/09-10/bill/sen/sb_1451-1500/sb_1476_bill_20100929_chaptered.html.
§ http://www.energy.ca.gov/ab1103/documents/ab_1103_bill_20071012_chaptered.pdf.
¶ http://www.energy.ca.gov/ab1103/.
Assembly Bill 531. This law was approved on October 11, 2009,
to clarify the role of the State Energy Resources Conservation
and Development Commission in setting a schedule for
compliance in supplying the required building benchmarking
data.*
Senate Bill 1386. Personal information: Privacy. This law was
approved on September 25, 2002, and required businesses to
disclose any breach of personal information (name) in combination
with a variety of other data elements, such as social
security number, credit card number, or driver’s license or
California ID number.† It also identifies that any breaches are
civil code violations and can result in penalties.
D14-05-016. This CPUC decision issued rules regarding access
to energy usage and usage-related data with safeguards for
privacy of personal data. It provides for the availability of
aggregated and anonymized data for research purposes to
academic institutions and local governments.‡
D12-08-045. This CPUC decision extended the privacy and
security directives for electricity usage data to natural gas data.§
D11-07-056. This CPUC decision issued directives regarding
privacy and security of customer electricity usage data.¶ It
aligned its privacy rules with the Fair Information Practice
Principles (FIPPs), and defined approval mechanisms for
utilities to share this data with third parties.
* http://www.energy.ca.gov/ab1103/documents/2011-09-12_workshop/2011-09-12_Assembly_Bill_531.pdf.
† http://www.leginfo.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html.
‡ http://docs.cpuc.ca.gov/PublishedDocs/Published/G000/M090/K845/90845985.PDF.
§ http://docs.cpuc.ca.gov/PublishedDocs/Published/G000/M026/K531/26531585.PDF.
¶ http://docs.cpuc.ca.gov/WORD_PDF/FINAL_DECISION/140369.pdf.
A
access control systems, 7
accuracy, big data, 9
actuators, 24
adoption, HEMS, 80–81
ADR, see Automated demand
response
Advanced Encryption Standard
(AES) 128, 65
advanced metering infrastructure
(AMI), 71–73
advance scheduling, lack of, 17
Aerovironment, 102
AES, see Advanced Encryption
Standard 128
age of infrastructure, 16, 22
aggregation and de-identification, see
also Disaggregation
academic research, 71
overview, 7
risk examples, 134–138
agile grid, 41
agreements, see Contracts and
agreements
agricultural consumers
buildings as prosumers, 24
microgrids, 26
overview, 15
role as prosumer, 26
AICPA, see American Institute
of Certified Public
Accountants
alarm companies, 78
American Institute of Certified
Public Accountants
(AICPA), 123, 158
American National Standards
Institute (ANSI), 60, 186
American Recovery and
Reinvestment Act
(ARRA), 32, 172
AMI, see Advanced metering
infrastructure
AMR, see Automated meter reading
Android system, 91, 95
anonymization, 71
ANSI, see American National
Standards Institute
Index
B
baby monitors, 8–9, 90
banks, 2–3, see also Green Bank
initiatives
BAS, see Building automation
systems
Belkin Energy, 134, 136
Bell, Alexander Graham, 16
BEMS, see Building energy
management systems
Best Data Company, 69
bidirectionality
AMI networks, 72
smart appliances, 91
traditional vs. Smart Grid, 18–19
big data, 9–10
billing, 6, 186–187
blackouts
complaints, 18
criminal market manipulations,
17
Northeast (August 2003), 13,
18, 31
Blogs, 162–163
Bluebonnet Electric Cooperative, 13
Blue Button program, 66
bodily privacy, 44
Bonneville Power Administration,
13, 165
Brandeis, Louis, 43
breaches
insurance, 140–141
ownership of data, 34–35
vendor contracts, 142
broadband service providers, 78–79
Brownie camera, 43
building automation systems
(BASs), 167
building energy management
systems (BEMSs), 79
building privacy controls into
devices, 139
APEC, see Asia Pacific Economic
Cooperation
Apple, 73, 95, see also Mobile devices
appliances, 192–193, see also Smart
appliances
Apps for Energy, 97
Apps for Vehicles, 97
area network, risks, 36–37
“A Regulator’s Privacy Guide to
Third-Party Data Access
for Energy Efficiency:
Customer Information and
Behavior Working Group,”
128
ARRA, see American Recovery and
Reinvestment Act
Arrayent appliances, 93–95
Asia Pacific Economic Cooperation
(APEC), 123
Assembly Bill 32 (California), 108
Assembly Bill 531 (California), 205
Assembly Bill 1103 (California), 204
Assembly Bill 1274 (California), 204
AT&T
communication options, 78
gateways, 73
prosumers, 21
attacks, supply chain vulnerabilities,
17
audits, 74, 143
Austin Energy, 106
automated demand response (ADR),
see also Demand response
buildings as prosumers, 24
market and regulatory
perspective, 25–26
technology, 167
automated meter reading (AMR), 57
automation of homes, see Connected
homes
awareness communications, 5
buildings, see also Commercial
buildings
area network risk, 36–37
hardened nodes, 168
microgrids, 26
privacy risk examples, 36–37
as prosumers, 23–25
role as prosumer, 26
burglary targets, 187
business model transformations, 3–4
Business Operational View standard,
124
buyer beware, 35
C
California
actions example, 203–205
Assembly Bills, 108, 204–205
building code, 179
Decisions, 205
interconnection processes, 170
ownership of charging stations,
99
ownership of data, 33–35
PACE program, 172
Proposition 39, 172
Senate Bills, 204–205
state constitution, 203–204
usage data, academic research, 71
California Energy Commission, 172
California Public Utilities
Commission (CPUC)
Decision 13-09-025, 69–71
electricity consumers, 15
Green Button program, 69–71
ownership of data, 34
privacy law, 6
regulatory policy, 169
Canadian Institute of Chartered
Accountants (CICA), 123
capital, see Finance
CarCharging Group, 102, 103
car example, 18
case examples and studies
data subject, 152
organizational privacy standards,
129–130
case law, see Laws, regulations,
standards
categories of privacy, 44–45
caveat emptor, 35
CCTV, see Closed-circuit television
surveillance systems
CenterPoint Energy, 65
CFS, see Clean fuel standards
(CFSs)
chain of custody
access to data, 96
consumer education, 70
consumer to prosumer
transformation, 39
understanding, 151
use cases, 178
challenges, privacy
big data, 9–10
Internet of Things, 8–9
overview, 8
changes, from traditional energy
delivery, 1–2
ChargeAmerica, 176
ChargePoint, 100–103, 105–106
charging stations, see Electric
vehicles and charging
stations
chicken-and-egg dilemma, 72
chips, 78
CICA, see Canadian Institute of
Chartered Accountants
CIS, see Customer information
system
claims, unsubstantiated
burglary targets, 187
data sharing, 184
data to government, 183–184
government control of home
appliances, 185
how we spend our time, 187–188
in-home activities, 185–186
insurance companies and
premiums, 188
medical equipment, 188
not optional, spying, 185
overview, 183
personal information, transmittal,
186–187
classification of utilities, 13–14
clean fuel standards (CFSs), 108
closed-circuit television (CCTV)
surveillance systems, 90
clothing, 9
Code of Practice for Information
Security Management,
124–125
Collaboratev, 103–104
college campus microgrid, 168
Colorado, PACE program, 172
Comcast
communication options, 78
data encryption and privacy
policies, 85
gateways, 73
home area networks, 84
prosumers, 21
ComEd Power, 13
commercial consumers and
buildings, see also Buildings
buildings as prosumers, 24–25
home energy management
systems, 87–88
microgrids, 168
net metering, 177–178
overview, 15
PACE program, 172
privacy risks, 37, 87–88
technology, 29, 167
“Commercial Data Privacy and
Innovation in the Internet
Economy: A Dynamic
Policy Framework,” 126
communications
big data, 9
capabilities, smart meters, 61–62
gateway devices, 84–85
new privacy challenges, 8
options, home area networks,
78–79
privacy, 44–45
complaints, outages, 18, 72
compliance, 143
computer-enabled cars, 8
concerns about privacy, 49–51
connected homes, see also Residential
consumers and buildings
adoption, 80–81
commercial and industrial sites,
87–88
communications gateway devices,
84–85
communications options, 78–79
delivering connectivity, 91–92
demand response programs,
93–96
disaggregation technologies,
88–90
employee privacy risks, 87–88
home area networks, 75–79,
84–85
home energy management
systems, 79–84, 87–88
leased spaces, privacy risks, 85–87
overview, 75
privacy risks, 38
rentals, privacy risks, 85–87
smart appliances, 90–91
Smart Grid communications,
81–84
smart meters unnecessary, 84
Connecticut, 173
connectivity, delivering to homes,
91–92
conservation voltage reduction
(CVR), 61
constitutional protections and issues,
6, 203–204
Consumer Privacy Bill of Rights, 195
consumers
chain of custody, 70
Green Button Connect, 69
overview, 15–16
prosumer transformation, 38–39
consumption
market and regulatory
perspective, 35–36
revolution, 33
time of use, 21–22
contracts and agreements, 6–7
cooperative utilities
classification, 13, 14
unsubstantiated claims, 184
costs of disruption, 18
CPUC, see California Public
Utilities Commission
credit/debit cards and data
detailed information from, 3
Green Button program, 68
point of sale transactions, 98
protection, 6, 87
credit score, 9
CRM, see Customer relationship
management
crockpots, 92
CSWG, see Cyber Security Working
Group Privacy Group
customer authorization for
disclosures, 141
customer education and awareness,
142
customer information system (CIS),
74
customer relationship management
(CRM), 74
CVS Pharmacy, 193
cyber attacks, 17
cyber security and breach insurance,
112, 140–141
Cyber Security Working Group
(CSWG) Privacy Group,
197
D
data, see also Ownership of data;
Smart data
aggregation and de-identification,
130, 134–138
analytics, 191–192
breaches, vendor contracts, 142
communications, privacy
concerns, 51–53
concentrators, 9
disclosure and minimization, 142
granularity, 63–65
missing currently, 64–65
owners, custodians, managers,
33–35, 37, 52
quality, 142
retention and disposal, 142
security, 142
smart meters read frequency, 63
specific protections, 6
types, 47–48
volumes within, 32–33
data controllers, 146–147, 158
Datapalooza, 9–10
data processors, 147–148, 158
data protection authority (DPA),
148–149
data subjects, 146, 149–152
D11-07-056 decision (California),
205
D12-08-045 decision (California),
205
D13-09-025 decision (California),
70
D14-05-016 decision (California),
205
deal spiral, 22–23
decoupled utility, 25
de-identification, see Aggregation
and de-identification
Delaware, 170
demand response (DR), see also
Automated demand response
buildings as prosumers, 24–25
connected homes, 93–96
Smart Grid communications,
82–83
technology, 166
Department of Commerce, 149
Department of Energy, 163, 165
Department of Homeland Security, 85
DER, see Distributed energy
resources (DERs)
Diffie-Hellman-based private
aggregation (DiPA), 136
DiPA, see Diffie-Hellman-based
private aggregation
disaggregation, see also Aggregation
and de-identification
consumer consent and active
participation, 186
data granularity, 64
hardware, 88–89
overview, 88
software, 89–90
disruptions
caused by adoption, 19
costs of, 166
Smart Grid technologies, 41
distributed energy resources (DERs)
energy storage, 29–30
future directions, 28
Green Bank, 173
Green Button program, 67
ownership of assets, 175
publicly owned charging, 99
technology, 166
distribution grids, weakest link, 17
District of Columbia, 15
DLMS/COSEM, 60–61
documented privacy policies, 128–129
doubt, see Fear, uncertainty, and
doubt (FUD)
DPA, see Data protection authority
DR, see Demand response
Duke Energy, 13
E
Eaton, 109
Ecotality, 102, 103, 105
Edison, Thomas, 16
EDR, see Event data recorders
electricity
consumers, 15–16
costs of disruption, 18
gas and water comparison, 2
open market, 12–13
supply chain vulnerabilities,
17–18
technology, 16–17
traded like commodity, 15
unique qualities, 1
Electric Power Board of
Chattanooga, 13
electric vehicles and charging
stations
Internet of Things, 9
levels of charging, 98, 104–105
overview, 97–99
privacy implications, 106, 108
privacy risk examples, 37–38
private charging, 104–106
prosumers, 21
publicly owned charging, 99–104
telematics, 108–110
utility-supplied network
charging, 106
electric vehicle supply equipment
(EVSE), 97, 105
Electronic Privacy Information
Center (EPIC), 163
electrons, 32
embedded intelligence, 24
emerging privacy risks, 4–5
employee privacy risks, 87–88
employee training, 142
EMS, see Energy management
systems (EMSs)
encoding data, see Encryption
encryption
meters, 65–66
privacy-enhancing technologies, 7
risk limitation, 111
energy efficiency, 23–25
Energy Information Administration,
177
Energy Information Standards (EIS)
Alliance, 80–81
energy management displays, 9
energy management systems
(EMSs), see also Home
energy management
systems (HEMSs)
commercial buildings, 167
home area networks, 77
privacy risk examples, 36–37
energy production data, 120–121,
174–178
energy regulation, 39, see also Laws,
regulations, standards
energy savings initiatives, 66
Energy Services Provider Interface,
126
energy storage
changes, 19
market and regulatory
perspective, 29–30
new privacy challenges, 8
Smart Grid technologies, 41
energy usage data, 112–120
EPIC, see Electronic Privacy
Information Center
equal protection, 6
European Union privacy framework,
123
event data recorders (EDRs), 109
EVSE, see Electric vehicle supply
equipment (EVSE)
ExtraCare program, 193
F
Facebook, 109, 187, 195
Fair Information Practice (FIP)
requirements, 6
Fair Information Practice Principles
(FIPPs), 124
fear, uncertainty, and doubt (FUD),
183
federal excise tax, 106, 108
Federal Smart Grid Task Force, 127
Federal Trade Commission (FTC),
149, 194
federal utilities, classification, 13
feed-in-tariffs (FiTs), 20
finance, 171–178
fingerprint usage, 48
FIP, Fair Information Practice
requirements
FIPPs, see Fair Information Practice
Principles
First Amendment, 6
FiT, see Feed-in-tariffs (FiTs)
Florida Power & Light (FPL), 65
Forbes, 84
Ford electric vehicles, 109
forecasts, 113
Fourteenth Amendment, 6
Fourth Amendment, 6
FPL, see Florida Power & Light
free charging, 102, 104
freedom of speech, 6
FTC, see Federal Trade Commission
FUD, see Fear, uncertainty, and
doubt (FUD)
functions, outsourcing, 74
future directions
business model, 4, 23
market and regulatory
perspective, 28
Open ADR, 179
Smart Grid communications,
83–84
Future of Privacy Forum, 70
G
Galvin Electricity Initiative, 16
GAPPs, see Generally Accepted
Privacy Principles
gas and water
deregulation, 15
electricity comparison, 2, 55
meter readers, 57
gateway devices
communications, 84–85
connected homes, 79
Generally Accepted Privacy
Principles (GAPPs), 123,
158
General Motors, 109–110
geo-fencing, 96
Good Housekeeping seal of
approval, 70
Google, 73, 195
government control of home
appliances, 185
Gramm-Leach-Bliley Act, 6
granularity, 63
Green Bank initiatives, 173, see also
Banks
Green Button Connect, 69–71
Green Button initiative
home energy management
systems, 79, 95
overview, 66–69
smart meters, 73, 176
grocery store example, 2
H
hairdryers, 91
HAN, see Home area networks
hardened nodes, 168
hardware, disaggregation, 88–89
Harvard Law Review, 43
Hawaii, 170
Health Insurance Portability
and Accountability Act
(HIPAA), 6, 194
health privacy concerns, 119,
193–194, see also Medical
equipment
HEMS, see Home energy
management systems
high-rise apartments, 26
HIPAA, see Health Insurance
Portability and
Accountability Act
historical data analysis, 32–33
HITECH Act, 194
home appliances, 8
home area networks (HANs)
communications gateway devices,
84–85
communications options, 78–79
overview, 75–78
privacy risks and concerns, 37, 51
Smart Grid communications,
81–84
smart meter communications
capability, 62
smart meter protocols, 60
smart meters unnecessary, 84
unsubstantiated claims, 183, 185,
187
home energy management systems
(HEMSs), see also Energy
management systems
adoption, 80–81
commercial and industrial sites,
87–88
employee privacy risks, 87–88
overview, 79–80
privacy risks and concerns, 37, 51
Smart Grid communications,
81–84
unsubstantiated claims, 183, 185,
187
HomeKit, 95
HomePlug, 60, 106
homes, see Connected homes
Home-to-Grid Domain Expert
Working Group, 127
Honeywell, 37
hot tubs, 90
how we spend our time, 187–188
I
IBM, 37
ICO, see Information
Commissioner’s Office
identification of risks, 121–122
IDP, see Integrated distribution
planning
independent system operators
(ISOs), 12, 15
industrial consumers and buildings
buildings as prosumers, 24
home energy management
systems, 87–88
microgrids, 26, 168
overview, 15
privacy risks, 37
role as prosumer, 26
Information Commissioner’s Office
(ICO), 149
information privacy, 44
information security controls, 152,
154–157
information theory, 65–66
in-home activities, 185–188
in-home energy management
displays, 9
insurance
organizational privacy standards,
140–141
unsubstantiated privacy claims,
188
usage-based insurance, 194
integrated distribution planning
(IDP), 170
interconnection, 5, 170
intermediation, 21, 23
Internet of Things (IOT), 8–9, 53
Interstate Renewable Energy
Council (IREC), 169–170
investor-owned utilities (IOUs)
classification, 13
energy regulation, 39
Green Button program, 68–69
operating as monopolies, 14
ownership of data, 34
regulatory policy, 169
unsubstantiated claims, 184
iOS system, 91, 95
IOT, see Internet of Things
IOU, see Investor-owned utilities
(IOUs)
IREC, see Interstate Renewable
Energy Council
ISO-IEC 15944-8 Information
Technology, 124
ISO-IEC 27002 Information
Technology, 124–125
ISO-IEC 29100 Information
Technology, 125
ISOs, see Independent system
operators (ISOs)
J
Johnson Controls, 37
K
keystroke loggers, 8
kilowatts, lack of reservation, 17
Kirtley, James, 56–57
Kotting, Chris, 70
L
LA Department of Water and
Power, 13
landlords, see Rentals
laptops, 8
“last gasp” message, 72
“last mile,” 179
laws, regulations, standards, 5–7
LBS, see Location-based services
LCFS, see Low carbon fuel
standards
Leadership in Energy and
Environmental Design
(LEED)
credits, ADR participation, 25
microgrids, 26
real estate values, 174
leased spaces, see Rentals
LEED, see Leadership in Energy
and Environmental Design
levels of charging, 98, 104–105
liability, 34–35
load control switches, 9
location-based services (LBSs), 96
locks, smart devices, 92
LoPA, see Low-overhead private
aggregation
low carbon fuel standards (LCFSs),
108
low-overhead private aggregation
(LoPA), 136
M
machine-to-machine (M2M)
applications
energy regulation, 39
home area networks, 77
monetization of data, 189–190
new privacy challenges, 8
overview, 53
malicious email, 8
mapping, 74
market and regulatory perspective
automatic demand response,
25–26
buildings as prosumers, 23–25
classification of utilities, 13–14
data owners, custodians,
managers, 33–35
data volumes within, 32–33
electricity consumers, 15–16
electricity open market, 12–13
electricity supply chain
vulnerabilities, 17–18
electricity technology, 16–17
energy consumption, 35–36
energy storage, 29–30
future developments, 28
market changes in, 19–23
microgrids, 26–27
OpenADR Initiative, 25–26
prosumer evolution, 21
rate-making process, 14–15
technology changes, 28–29
traditional electricity business
sector, 11–12
transmission grids, 30–32
market changes, 19–23
Maryland, 170
Massachusetts, 170
Massachusetts Institute of
Technology (MIT), 56–57
master limited partnership (MLP),
171–172
MDMS, see Meter data
management systems
medical equipment, see also Health
privacy concerns
Internet of Things, 8
unique identification, 119
unsubstantiated privacy claims,
188
meter comparisons, 55–57
meter data management systems
(MDMSs), 73
meter readers, 56
microgrids
market and regulatory
perspective, 26–27
transactive energy, 168–169
migration initiatives, lack of, 16
Minnesota state regulators, 86
misuse
Smart Grid information, 49–51
technologies, 3
MIT, see Massachusetts Institute of
Technology
mitigation, privacy risks
adopting standards, 122–125
American Institute of Certified
APEC privacy framework, 123
“A Regulator’s Privacy Guide to
Third-Party Data Access
for Energy Efficiency:
Customer Information and
Behavior Working Group,”
128
audits, 143
basic strategies, 111–112
building privacy controls into
devices, 139
Canadian Institute of Chartered
Accountants, 123
“Commercial Data Privacy and
Innovation in the Internet
Economy: A Dynamic
Policy Framework,” 126
compliance, 143
customer authorization for
disclosures, 141
customer education and
awareness, 142
cyber security and breach
insurance, 140–141
data aggregation and
de-identification, 130,
134–138
data breaches, 142
data disclosure and minimization,
142
data quality, 142
data retention and disposal, 142
data security, 142
documented privacy policies,
128–129
employee training, 142
energy production data, 120–121
Energy Services Provider
Interface, 126
energy usage data, 112–120
European Union privacy
framework, 123
Fair Information Practice
Principles, 124
Generally Accepted Privacy
Principles, 123
Home-to-Grid Domain Expert
Working Group, 127
identifying risks, 121–122
insurance, 140–141
ISO/IEC 15944-8 Information
Technology, 124
ISO-IEC 27002 Information
Technology, 124–125
ISO-IEC 29100 Information
Technology, 125
methods, 122–143
North American Energy
Standards Board, 125–126
OECD privacy framework,
122–123
organizational privacy standards,
125–143
Privacy by Design, 125
privacy case studies, 129–130
privacy impact assessment, 142
privacy notices, 141
“Privacy of Consumer
Information and Devices
in the Electric Power
Industry,” 127–128
risk acceptance, 112
risk avoidance, 111
risk limitation, 111
risk transference, 112
Smart Grid Privacy Workshop,
127
Smart Grid risks, 112
standards adoption, 122–125
State and Local Energy Efficiency
Action Network, 128
Third Party Access to Smart
Meter-Based Information,
125–126
vendor contracts, 141–143
MLP, see Master limited partnership
(MLP)
M2M, see Machine-to-machine
(M2M) applications
mobile devices, see also specific device
emerging risks, 5
home energy management, 95–96
new privacy challenges, 8
monetization of data, 189–195
Moniz, Ernest, 9–10
monopoly environment, 12, 14–15
Mosaic, 173
multifamily housing, see Rentals
municipal utilities
classification, 13, 14
unsubstantiated claims, 184
MyFord Mobile, 109
MyVolt website, 109
N
NAESB, see North American
Energy Standards Board
NALM, see Nonintrusive appliance
load monitoring
NASPI, see North American
SynchroPhasor Initiative
National Conference State
Legislatures (NCSL), 163
National Institute of Standards and
Technology (NIST), 87,
163, 197
National Telecommunications and
Information Administration
(NTIA), 126
NCSL, see National Conference
State Legislatures
negawatts
buildings as prosumers, 24–25
DR programs, 30, 38
electricity open market, 12
market changes, 20
vs. kilowatt generation, 168, 171
NERC, see North American Electric
Reliability Corporation
(NERC)
Nest Labs, 109
Netherlands, 66
net metering, 177–178
networks, emerging risks, 5
New Jersey, 170
New York, 173
New York Department of Public
Service, 4, 23, 169
NIST, see National Institute of
Standards and Technology
NISTIR 7628 standard, 130,
131–133, 139, 152
nonautonomous car example, 18
nonintrusive appliance load
monitoring (NALM), 186
North American Electric Reliability,
12
North American Energy Standards
Board (NAESB), 125–126
North American SynchroPhasor
Initiative (NASPI), 31
Northeast blackout (August 2003),
13, 18, 31
O
OASIS, see Organization for the
Advancement of Structured
Information Standards
OECD, see Organization for
Economic Cooperation and
Development
Office of Privacy Commissioner, 148
Office of Ratepayer Advocates
(ORA), 15
on/off agreement, 80–81
OnStar communications, 109–110
OpenADR
market and regulatory
perspective, 25–26
overview, 93
transactive energy, 178–179
opt-out options, 185
ORA, see Office of Ratepayer
Advocates
organizational privacy standards
“A Regulator’s Privacy Guide to
Third-Party Data Access
for Energy Efficiency:
Customer Information and
Behavior Working Group,”
128
audits, 143
building privacy controls into
devices, 139
“Commercial Data Privacy and
Innovation in the Internet
Economy: A Dynamic
Policy Framework,” 126
compliance, 143
customer authorization for
disclosures, 141
customer education and
awareness, 142
cyber security and breach
insurance, 140–141
data aggregation and
de-identification, 130,
134–138
data breaches, 142
data disclosure and minimization,
142
data quality, 142
data retention and disposal, 142
data security, 142
documented privacy policies,
128–129
employee training, 142
Energy Services Provider
Interface, 126
Home-to-Grid Domain Expert
Working Group, 127
insurance, 140–141
North American Energy
Standards Board, 125–126
privacy case studies, 129–130
privacy impact assessment, 142
privacy notices, 141
“Privacy of Consumer
Information and Devices
in the Electric Power
Industry,” 127–128
Smart Grid Privacy Workshop,
127
State and Local Energy Efficiency
Action Network, 128
Third Party Access to Smart
Meter-Based Information,
125–126
vendor contracts, 141–143
Organization for Economic
Cooperation and
Development (OECD),
122–123
Organization for the Advancement
of Structured Information
Standards (OASIS), 163
outages, see also Blackouts
complaints, 18
costs, 169
real-time detection, 72
outsourcing functions, 74
ownership of data
DER assets, 175
DR programs, 94–95
Green Button program, 68
lack of defined, 178
overview, 33–35, 42
privacy risks, 37
utility-supplied network
charging, 106
P
PACE, see Property assessed clean
energy programs
Pacific Gas & Electric (PG&E), 65
Pacific Northwest National
Laboratory, 165
Pacific Northwest Smart Grid
Demonstration Project,
179–181
passwords, 84–85
Payment Card Industry Data
Security Standards (PCI-
DSS), 103, 149
PCI-DSS, see Payment Card
Industry Data Security
Standards
PCT, see Programmable thermostats
Pennsylvania, 15
PEPCO, 170
personal communications and
activities, 6
personal information, transmittal,
186–187
PET, see Privacy-enhancing
technologies
PEV, see Plug-in electric vehicles
PG&E, see Pacific Gas & Electric
phasors, 32
PHEV, see Plug-in hybrid electric
vehicles
PHI, see Protected health
information
phishing messages, 8
photovoltaics, see Solar photovoltaic
(PV) systems
physical attacks and damage, 17,
140–141
PIA, see Privacy impact assessment
(PIA)
pilot program, see Pacific Northwest
Smart Grid Demonstration
Project
PLC, see Power line carrier
technology
plug-in electric vehicles (PEVs)
data owners, custodians,
managers, 158, 159–162
employee privacy risks, 88
plug-in hybrid electric vehicles
(PHEVs), 99
point of sale (POS) transactions, 98,
103
polar vortex, 169, see also Weather
events and reports
policies, need, 5, see also Laws,
regulations, standards
polyphase meters, 62
Portland General Electric, 165
possibilities, Smart Grid, 2–3
potential privacy impacts, 113,
114–116
power line carrier (PLC) technology,
62
predictive analytics, 191–192
price-based systems, 93
“prices to devices” scenario, 72
privacy
big data, 9–10
bodily privacy, 44
case studies, 129–130
categories, 44–45
challenges, 8–10
communications privacy, 44–45
concerns, 49–51
data communications privacy
concerns, 51–53
data types, 47–48
defined, 43–44
electric vehicles and charging
stations, 106, 108
emerging risks, 4–5
information privacy, 44
Internet of Things, 8–9
laws, regulations, standards, 5–7
notices, vendors, 141
policy need, 5
responsibility, blurred, 4
security comparison, 45–47
smart data privacy implications,
49–51
territorial privacy, 44–45
website seals, 7
privacy, risk examples
consumer to prosumer
transformation, 38–39
electric vehicles and charging
stations, 37–38
energy management systems and
area networks for buildings,
36–37
energy regulation, 39
smart appliances, 38
privacy, taking charge of
data controllers, 146–147, 158
data processors, 147–148, 158
data protection authority,
148–149
data subjects, 146, 149–152
information security controls,
152, 154–157
overview, 145
possibility and responsibilities,
149–151
resources, 158, 162–163
roles and responsibilities, 145–149
use case example, 152
privacy, unsubstantiated claims
burglary targets, 187
data sharing, 184
data to government, 183–184
government control of home
appliances, 185
how we spend our time, 187–188
in-home activities, 185–186
insurance companies and
premiums, 188
medical equipment, 188
not optional, spying, 185
overview, 183
personal information, transmittal,
186–187
Privacy by Design, 125
Privacy Commissioner, 148
privacy-enhancing technologies
(PETs), 7–8
Privacy Framework standard, 125
privacy impact assessment (PIA)
data owners, custodians,
managers, 158
identifying risks, 121–122
situational risks, 52
vendor contracts, 142
“Privacy of Consumer Information
and Devices in the Electric
Power Industry,” 127–128
private charging, 104–106
programmable thermostats
home area networks, 77
home energy management
systems, 79
smart devices, 92
property assessed clean energy
(PACE) programs, 172
prosumers
buildings as, 23–25
consumption revolution, 33
defined, 2
evolution, 21
market changes, 19–20
owners of DER assets, 175
privacy risk examples, 38–39
protected health information (PHI),
46
publicly owned charging, 99–104
public schools, 172
public utilities commissions (PUCs),
see also specific PUC
data protection authority, 149
energy regulation, 39
Green Button program, 69
PUC, see Public utilities
commissions
PV, see Solar photovoltaic (PV)
systems
Q
quantifiable value, 170
Quinn, Elias Leak, 63
R
radio frequency identification
(RFID) card, 98
rate-making process, 14–15
real estate values, 174
Reforming the Energy Vision, 4, 23,
169
refrigerator examples, 83–84, 193
regional transmission operators
(RTOs), 12, 15
regulation, 39
regulatory laws and policies,
169–171, see also Laws,
regulations, standards
relationships, 41–42, 74, 149
renewable energy generation, 19, 38
rentals, 85–87, 173–174
reputational risk provisions, 141
reservation of kilowatts, lack of, 17
residential consumers and buildings,
see also Connected homes
energy production data, 179
net metering, 177–178
overview, 15
PACE program, 172
single-phase meters, 62
technology changes, 29
return on investment (ROI), 166
reusable canvas bag example, 2
RFID, see Radio frequency
identification card
risks
acceptance, 112
avoidance, 111
emerging, 4–5
limitation, 111
Smart Grid categories, 197–202
transference, 112
risks, mitigation
adopting standards, 122–125
American Institute of Certified
Public Accountants, 123
APEC privacy framework, 123
“A Regulator’s Privacy Guide to
Third-Party Data Access
for Energy Efficiency:
Customer Information and
Behavior Working Group,”
128
audits, 143
basic strategies, 111–112
building privacy controls into
devices, 139
Canadian Institute of Chartered
Accountants, 123
“Commercial Data Privacy and
Innovation in the Internet
Economy: A Dynamic
Policy Framework,” 126
compliance, 143
customer authorization for
disclosures, 141
customer education and
awareness, 142
cyber security and breach
insurance, 140–141
data aggregation and
de-identification, 130,
134–138
data breaches, 142
data disclosure and minimization,
142
data quality, 142
data retention and disposal, 142
data security, 142
documented privacy policies,
128–129
employee training, 142
energy production data, 120–121
Energy Services Provider
Interface, 126
energy usage data, 112–120
European Union privacy
framework, 123
Fair Information Practice
Principles, 124
Generally Accepted Privacy
Principles, 123
Home-to-Grid Domain Expert
Working Group, 127
identifying risks, 121–122
insurance, 140–141
ISO/IEC 15944-8 Information
Technology, 124
ISO-IEC 27002 Information
Technology, 124–125
ISO-IEC 29100 Information
Technology, 125
methods, 122–143
North American Energy
Standards Board, 125–126
OECD privacy framework,
122–123
organizational privacy standards,
125–143
Privacy by Design, 125
privacy case studies, 129–130
privacy impact assessment, 142
privacy notices, 141
“Privacy of Consumer
Information and Devices
in the Electric Power
Industry,” 127–128
Smart Grid Privacy Workshop,
127
Smart Grid risks, 112
standards adoption, 122–125
State and Local Energy Efficiency
Action Network, 128
Third Party Access to Smart
Meter-Based Information,
125–126
vendor contracts, 141–143
ROI, see Return on investment
“rolling blackouts,” 17
rooftop PV systems, see Solar
photovoltaic (PV) systems
RTO, see Regional transmission
operators (RTOs)
“run to failure” mindset, 16
S
San Diego Gas and Electric
(SDG&E)
energy storage, 29
Green Button Connect, 70
microgrids, 27
savings initiatives, 66
Sawnee Electric Membership
Cooperative, 13
SCADA, see Supervisory control
and data acquisition
schools, 172
Schweppe, Fred, 56
scrambling data, see Encryption
SDG&E, see San Diego Gas and
Electric
seals for websites, 7
search and seizure, 6
security and privacy comparison,
45–47
Senate Bill 1386 (California), 205
Senate Bill 1476 (California), 204
sensors
big data, 9
buildings as prosumers, 24
new privacy challenges, 8
proliferation, monetization of
data, 190–195
Smart Grid technologies, 41
smart meters, 62
transmission grids, 31
service diagnostics equipment, 109
“set and forget,” 83
SGL Partners consulting services,
162
Shannon, Claude, 65–66
Siemens, 37
signaling types, 60–61
single-phase meters, 62
sinusoidal waveforms, 32
situational awareness
energy consumption, 36
traditional vs. Smart Grid, 18–19
transmission grids, 31
6th Sense Live appliances, 38, 93–94
sleep patterns, 119
smart appliances
connected homes, 90–91
consumer to prosumer
transformation, 38
Internet of Things, 8
privacy risk examples, 38
smart data, 49–51, see also Data
smart devices, 8–9
Smart Grid
big data, 9–10
business model transformations,
3–4
categories and privacy risks, 87,
112–113, 197–202
changes from traditional energy
delivery, 1–2
defined, 1
emerging privacy risks, 4–5
graphic visualization, 19–20
home energy management
systems, 81–84
Internet of Things, 8–9
market and regulatory
perspective, 11–36
new privacy challenges, 8–10
overview, 11, 18–19
possibilities, 2–3
privacy-enhancing technologies,
7–8
privacy laws, regulations,
standards, 5–7
privacy policy need, 5
privacy risk examples, 36–39
risk mitigation, 112
smart infrastructure, 39–41
technologies, key points, 41–42
Smart Grid Cyber Security Working
Group (CSWG) Privacy
Group, 197
Smart Grid Privacy Workshop, 127
smart home, see Connected homes
Smart Infrastructure, 39–41
smart meters
communications capabilities,
61–62
data gathered, 59–60
data granularity, 63–65
data read frequency, 63
data sharing, 184
data to government, 183–184
home area networks, 84
Internet of Things, 9
meter comparisons, 55–57
not optional, spying, 185
overview, 58–60
signaling types, 60–61
unique identification, 65
usage fingerprint, 48
smart meters, data and privacy
advanced metering infrastructure,
71–73
automated meter reading, 57
energy savings initiatives, 66
Green Button Connect, 69–71
Green Button initiative, 66–69
summary, 73–74
smart parking, 40
smart phones, see also Mobile devices
emerging risks, 5
home energy management, 95–96
Internet of Things, 8–9
universal home controller, 81
smart streetlights, 40
smart tracking, 96
smoke alarms, 90
social media, 109, 187, 191
social security numbers (SSNs), 6,
87
software, disaggregation, 89–90
Solar City, 21
solar photovoltaic (PV) systems
consumer to prosumer
transformation, 38
energy storage, 29
Green Button program, 67
growth, 15–16, 170
technology changes, 28–29
sources of capital, see Finance
Southern California Edison, 13
South Korea, 190
spam filters, 8
SSN, see Social security numbers
(SSNs)
standards, see also Laws, regulations,
standards
American Institute of Certified
Public Accountants, 123
APEC privacy framework, 123
Canadian Institute of Chartered
Accountants, 123
European Union privacy
framework, 123
Fair Information Practice
Principles, 124
Generally Accepted Privacy
Principles, 123
ISO/IEC 15944-8 Information
Technology, 124
ISO-IEC 27002 Information
Technology, 124–125
ISO-IEC 29100 Information
Technology, 125
OECD privacy framework,
122–123
Privacy by Design, 125
State and Local Energy Efficiency
Action Network, 128
State Attorneys General offices, 149
state constitution, California,
203–204
statutory law, see Laws, regulations,
standards
steganography, 7
Sterling, Thomas, 56–57
Stimulus Act, 32
stock market, 15, 166, 174
stoplights, 9, 40
storage
changes, 19
market and regulatory
perspective, 29–30
new privacy challenges, 8
Smart Grid technologies, 41
streetlights, 40
students, 172
SunPower, 109
Superstorm Sandy, 166, 169, see also
Weather events and reports
supervisory control and data
acquisition (SCADA)
system attacks, 141
supply chain
electricity supply, 12
just-in-time operation, 16–17
Smart Grid impact, 1–2
transmission grids, 30
vulnerabilities, 17–18
surveillance systems, 90
T
tablets, 8, 95
taking charge of privacy
data controllers, 146–147, 158
data processors, 147–148, 158
data protection authority,
148–149
data subjects, 146, 149–152
information security controls,
152, 154–157
overview, 145
possibility and responsibilities,
149–151
resources, 158, 162–163
roles and responsibilities, 145–149
use case example, 152
tampering detection, 61
tariffs
avoidance of investments, 26
electric vehicles, 105
market changes, 20
pricing, 178
rate-setting process, 14–15
technologies
changes, 28–29
incorrect use, 3
key points, Smart Grid, 41–42
privacy-enhancing, 7–8
specific protections, 6
transactive energy, 166–168
telematics, 97, 108–110, 194, see also
Vehicles
televisions, 90
tenants, see Rentals
Tennessee Valley Authority, 13
territorial privacy, 44–45
Tesla, 21
Texas
market deregulation, 15
ownership of charging stations,
99
utility-supplied charging, 106
“The Integrated Distribution
Planning Concept Paper,”
169
“The Right to Privacy,” 43
thermostats, 9, see also
Programmable thermostats
Third Party Access to Smart
Meter-Based Information,
125–126
third-party validation, privacy seals,
7
time, see In-home activities
time of use (TOU), 21–22
time-stamped data, 3
toaster ovens, 91
toothbrushes, smart devices, 92
TOU, see Time of use (TOU)
traditional electricity business sector,
11–12
traditional energy delivery, 1–2, 18
traffic lights and cameras, 9, 40
training, 142
transactive energy
finance, 171–178
future directions, 28, 179–181
market participants, 41
microgrids, 168–169
OpenADR, 178–179
overview, 165–166
price-based systems, 93
regulatory policy, 169–171
technology, 166–168
time of use, 22
transformer age, 16
transmission grids
market and regulatory
perspective, 30–32
weakest link, 17
Transportation Security
Administration (TSA),
trash cans, 9
TRUSTed Smart Grid Privacy
Program, 70
TSA, see Transportation Security
Administration
Twitter, 109
U
UBI, see Usage-based insurance
(UBI)
UL, see Underwriters Laboratorie
uncertainty, see Fear, uncertainty,
and doubt (FUD)
Underwriters Laboratories (UL),
unique meter identification, 65
United States, see also Laws,
regulations, standards
approaches to privacy law, 5–7
focus on, 11
unsolicited email, 8
unsubstantiated privacy claims
burglary targets, 187
data sharing, 184
data to government, 183–184
government control of home
appliances, 185
how we spend our time, 187–1
in-home activities, 185–186
4
s
7
8
4
0
8
insurance companies and
premiums, 188
medical equipment, 188
not optional, spying, 185
overview, 183
personal information, transmittal,
186–187
usage-based insurance (UBI), 194
usage of data
customer-specific information, 6
fingerprint, 48
potential privacy impacts, 113,
114–116
smart meter communications
capability, 62
use case example, 152, 153–154
utilities, classification of, 13–14
utility deal spiral, 22–23
utility-supplied network charging,
106
V
validation, estimation, and editing
(VEE), 73
variety, big data, 9
VEE, see Validation, estimation, and
editing
vehicles, see also Telematics
computer-enabled, 8
computer-enabled cars, 8
example, 18
velocity, big data, 9
vendors
audits, 143
customer authorization for
disclosures, 141
customer education and
awareness, 142
data breaches, 142
data disclosure and minimization,
142
data quality, 142
data retention and disposal, 142
data security, 142
employee training, 142
energy production data, 176
on/off agreement, 81
overview, 141
privacy impact assessment, 142
privacy notices, 141
veracity, big data, 9
Verizon, 78, 84
vertically integrated utilities, 11–12
visibility, 19
voltage regulators, 9
voltage sags/surges, 17
Volt vehicle, 109
volume, big data, 9
voluntary reductions, 82–83, 166–167
W
Wall Street, see Stock market
Warren, Samuel, 43
Waspmote, 190
water treatments, 8, see also Gas and
water
wearable devices, 9
weather events and reports, 17, 167,
see also Superstorm Sandy
website seals, 7
Whirlpool
DR programs, 93–95
smart appliances privacy risks, 38
telematics, 109
White House Energy Datapalooza,
9–10
Wi-Fi and Wi-Fi router
connecting home appliances, 91
crockpots, 92
Internet of Things, 9
wind generation, 28–29
wireless communications networks, 8
X
Xcel Energy, 86
Z
ZigBee, 60, 106
Z-Wave, 60