Smart Meter Data: Privacy and Cybersecurity – Congressional Research Report 2012

By Catherine J. Frompovich

In February of 2012, three attorneys with the Congressional Research Service (CRS) issued a lengthy report, “Smart Meter Data: Privacy and Cybersecurity,” which addressed many of the same questions consumers have about those high-tech utility meters being forced onto customers’ electric, natural gas and water utility services in every state and globally. I’ve read the entire report and think consumers ought to know the more significant parts and information regarding their rights to privacy and security.

The CRS is a government agency basically providing background information about certain issues or topics members of Congress or congressional committees want to know more about.

Nothing is a “hot button” privacy and health issue more than AMI Smart Meters, which are retrofitted in place of safe analog meters that have been in exemplary use for decades.  The new AMI SMs have one advantage over the safe analog meters, which probably appeals to the United Nations: AMI SMs spy on the occupants inside the homes to which AMI SMs are retrofitted.  Those personal rights violations are real and should be of valid concern to consumers who know their U.S. Constitutional and State Constitutional rights are being violated and abrogated.

Apparently, those same issues may have been on the minds of some members of Congress; hence the request for a Privacy and Cybersecurity Report.

In the Summary of that report, we find:

Fueled by stimulus funding in the American Recovery and Reinvestment Act of 2009 (ARRA), electric utilities have accelerated their deployment of smart meters to millions of homes across the United States with help from the Department of Energy’s Smart Grid Investment Grant program. As the meters multiply, so do issues concerning the privacy and security of the data collected by the new technology. This Advanced Metering Infrastructure (AMI) promises to increase energy efficiency, bolster electric power grid reliability, and facilitate demand response, among other benefits. However, to fulfill these ends, smart meters must record near-real time data on consumer electricity usage and transmit the data to utilities over great distances via communications networks that serve the smart grid. Detailed electricity usage data offers a window into the lives of people inside of a home by revealing what individual appliances they are using, and the transmission of the data potentially subjects this information to interception or theft by unauthorized third parties or hackers. [CJF emphasis]

Rather nonchalantly, in this writer’s opinion, the Report’s authors concede:

Unforeseen consequences under federal law may result from the installation of smart meters and the communications technologies that accompany them. This report examines federal privacy and cybersecurity laws that may apply to consumer data collected by residential smart meters. It begins with an examination of the constitutional provisions in the Fourth Amendment that may apply to the data. As we progress into the 21st century, access to personal data, including information generated from smart meters, is a new frontier for police investigations. The Fourth Amendment generally requires police to have probable cause to search an area in which a person has a reasonable expectation of privacy. However, courts have used the third-party doctrine to deny protection to information a customer gives to a business as part of their commercial relationship. This rule is used by police to access bank records, telephone records, and traditional utility records. Nevertheless, there are several core differences between smart meters and the general third-party cases that may cause concerns about its application. These include concerns expressed by the courts and Congress about the ability of technology to potentially erode individuals’ privacy.

If smart meter data and transmissions fall outside of the protection of the Fourth Amendment, they may still be protected from unauthorized disclosure or access under the Stored Communications Act (SCA), the Computer Fraud and Abuse Act (CFAA), and the Electronic Communications Privacy Act (ECPA). These statutes, however, would appear to permit law enforcement to access smart meter data for investigative purposes under procedures provided in the SCA, ECPA, and the Foreign Intelligence Surveillance Act (FISA), subject to certain conditions. Additionally, an electric utility’s privacy and security practices with regard to consumer data may be subject to Section 5 of the Federal Trade Commission Act (FTC Act). The Federal Trade Commission (FTC) has recently focused its consumer protection enforcement on entities that violate their privacy policies or fail to protect data from unauthorized access. This authority could apply to electric utilities in possession of smart meter data, provided that the FTC has statutory jurisdiction over them. General federal privacy safeguards provided under the Federal Privacy Act of 1974 (FPA) protect smart meter data maintained by federal agencies, including data held by federally owned electric utilities. [CJF emphasis]

How come state public utility commissions, their kangaroo courts and utility companies’ attorneys aren’t held accountable to the legitimate seriousness of the above constitutional issues, let alone the escalating adverse health effects from AMI Smart Meter radiofrequencies non-thermal radiation waves that now scientifically have been proven to break DNA bonds?

On page 2 of that Report, the CRS lawyers say,

General federal privacy safeguards provided under the Federal Privacy Act of 1974 (FPA) protect smart meter data maintained by federal agencies, including data held by federally owned electric utilities. Section 5 of the Federal Trade Commission Act (FTC Act) allows the Federal Trade Commission (FTC) to bring enforcement proceedings against electric utilities that violate their privacy policies or fail to protect meter data from unauthorized access, provided that the FTC has statutory jurisdiction over the utilities.

It is unclear how Fourth Amendment protection from unreasonable search and seizures would apply to smart meter data, due to the lack of cases on this issue. However, depending upon the manner in which smart meter services are presented to consumers, smart meter data may be protected from unauthorized disclosure or unauthorized access under the Stored Communications Act (SCA), the Computer Fraud and Abuse Act (CFAA), and the Electronic Communications Privacy Act (ECPA). If smart meter data is protected by these statutes, law enforcement would still appear to have the ability to access it for investigative purposes under procedures provided in the SCA, ECPA, and the Foreign Intelligence Surveillance Act (FISA). [CJF emphasis]

Page 3 addresses Smart Meter Data: Privacy and Security Concerns

Residential smart meters present privacy and cybersecurity issues 19 that are likely to evolve with the technology.20 In 2010, the National Institute of Standards and Technology (NIST) published a report identifying some of these issues, which fall into two main categories: (1) privacy concerns that smart meters will reveal the activities of people inside of a home by measuring their electricity usage frequently over time;21 and (2) fears that inadequate cybersecurity measures surrounding the digital transmission of smart meter data will expose it to misuse by authorized and unauthorized users of the data. [CJF emphasis]

While addressing specific details, the Report claims:

Smart meters offer a significantly more detailed illustration of a consumer’s energy usage than regular meters. Traditional meters display data on a consumer’s total electricity usage and are typically read manually once per month.23

In contrast, smart meters can provide near real-time usage data by measuring usage electronically at a much greater frequency, such as once every 15 minutes.24

Current smart meter technology allows utilities to measure usage as frequently as once every minute.25

By examining smart meter data, it is possible to identify which appliances a consumer is using and at what times of the day, because each type of appliance generates a unique electric load “signature.”26  [which will tie into the Internet of Things.]

NIST wrote in 2010 that “research shows that analyzing 15-minute interval aggregate household energy consumption data can by itself pinpoint the use of most major home appliances.”27

A report for the Colorado Public Utilities Commission discussed an Italian study that used “artificial neural networks” to identify individual “heavy-load appliance uses” with 90% accuracy using 15-minute interval data from a smart meter.28

Similarly, software-based algorithms would likely allow a person to extract the unique signatures of individual appliances from meter data that has been collected less frequently and is therefore less detailed.29   [One algorithm program is “ONZO” (2).]

By combining appliance usage patterns, an observer could discern the behavior of occupants in a home over a period of time.30 For example, the data could show whether a residence is occupied, how many people live in it, and whether it is “occupied by more people than usual.”31

According to the Department of Energy, smart meters may be able to reveal occupants’ “daily schedules (including times when they are at or away from home or asleep), whether their homes are equipped with alarm systems, whether they own expensive electronic equipment such as plasma TVs, and whether they use certain types of medical equipment.”32

Figure 1, which appears in NIST’s report on smart grid cybersecurity, shows how smart meter data could be used to decipher the activities of a home’s occupants by matching data on their electricity usage with known appliance load signatures. [CJF emphasis]
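To make the quoted point about reporting frequency concrete, here is an added example (not from the CRS report, NIST, or the article's author) that a privacy reviewer could use to compare what different meter read intervals expose. It uses simplified step-change matching rather than the neural-network method the report cites, and every wattage, time and appliance name in it is constructed for illustration.

```python
# Constructed example: all wattages and times below are invented for illustration.
BASELINE_W = 150  # always-on load (assumed)

# name -> (rated watts, start minute of day, duration in minutes)
APPLIANCES = {
    "kettle": (2000, 7 * 60, 3),
    "washer": (500, 10 * 60, 60),
    "oven": (2400, 18 * 60, 45),
}


def build_day():
    """One day of whole-house load at 1-minute resolution, in watts."""
    load = [BASELINE_W] * 1440
    for watts, start, duration in APPLIANCES.values():
        for minute in range(start, start + duration):
            load[minute] += watts
    return load


def report_at(load, interval_min):
    """Average the 1-minute series into the interval the meter reports."""
    return [sum(load[i:i + interval_min]) / interval_min
            for i in range(0, len(load), interval_min)]


def identify(readings, tol=0.05, min_step_w=300):
    """Match each rising step between readings to a rated wattage."""
    found = set()
    for prev, cur in zip(readings, readings[1:]):
        step = cur - prev
        if step < min_step_w:
            continue  # too small to distinguish from background variation
        for name, (watts, _, _) in APPLIANCES.items():
            if abs(step - watts) <= tol * watts:
                found.add(name)
    return found


def exposure_by_interval(intervals=(1, 15, 60, 1440)):
    """Appliances this matcher can name at each reporting interval."""
    load = build_day()
    return {n: sorted(identify(report_at(load, n))) for n in intervals}


if __name__ == "__main__":
    for interval, names in exposure_by_interval().items():
        print(f"{interval:>5}-minute reads: {names or 'nothing identifiable'}")
```

Averaging over longer intervals smears short, high-power events first, which is why the reporting interval is a data-minimization control worth stating in a utility's privacy policy.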

Here is the part about AMI SMs that really needs to be understood and factored into the privacy and security paradigm, and which the microwave industry, utility companies and even state public utility commissions, which should know better, are neither paying attention to nor dealing with: Potential for Theft or Breach of Data, like we had with the Equifax data breach affecting about half of the country’s consumers.

Increased Potential for Theft or Breach of Data

Smart grid technology relies heavily on two-way communication to increase energy efficiency and reliability, including communication between smart meters and the utility (or other entity) that stores data for the grid.46 Many different technologies will transmit data to the grid, including “traditional twisted-copper phone lines, cable lines, fiber optic cable, cellular, satellite, microwave, WiMAX, power line carrier, and broadband over power line.”47 Of these communications platforms, wireless technologies are likely to play a “prominent role” because they present fewer safety concerns and cost less to implement than wireline technologies.48 According to the Department of Energy, a typical utility network has four “tiers” that collect and transmit data from the consumer to the utility.49 These include “(1) the core backbone—the primary path to the utility data center; (2) backhaul distribution—the aggregation point for neighborhood data; (3) the access point—typically the smart meter; and, (4) the HAN—the home network.”50 Energy usage data moves from the smart meter,51 and then to an “aggregation point” outside of the residence such as “a substation, a utility pole-mounted device, or a communications tower.”52  [CJF emphasis]

Two U.S. Supreme Court decisions, Kyllo v United States [1] and United States v Karo, have defended “the home as a sacred site at the core of the Fourth Amendment.”

Kyllo and Karo demonstrate that the Supreme Court “has defended the home as a sacred site at the ‘core of the Fourth Amendment.’”169 Although neither the Supreme Court nor any lower federal court has ruled on the use of smart meters, a few propositions can be deduced from Kyllo and Karo bearing on this question. Because smart meters allow law enforcement to access information regarding intimate details occurring inside the home, a highly invasive investigation that could not otherwise be performed without intrusion into the home, a court may require a warrant to access this data. In Kyllo, the police merely obtained the relative temperatures of a house,170 and in Karo the police only generally located the beeper in the house.171 Although this information was limited, the Court nonetheless prohibited such investigatory techniques. Smart meters have the potential to produce significantly more information than that derived in Kyllo and Karo, including what individual appliances we are using; whether our house is empty or occupied; and when we take our daily shower or bath.172 Further, a look at Figure 1, supra, makes it clear that this level of information is much more intimate than prior technologies used by law enforcement. This depth of intrusion suggests that customers may have a reasonable expectation of privacy in smart meter data. [CJF emphasis]

The CRS lawyers thought there is/was Statutory Protection of Smart Meter Data!

Question: Which law school courses did they take that utility company lawyers and public utility commissions judges somehow missed during law school?

This section discusses federal statutory protections that may be applicable to the contents of communications sent by a smart meter, independent of the Fourth Amendment, while they are either stored within the smart meter prior to transmission, during transmission, or after they have been delivered to the utility. Three federal laws, the Electronic Communications Privacy Act (ECPA),199 the Stored Communications Act (SCA),200 and the Computer Fraud and Abuse Act (CFAA)201 may be applicable to these situations and are discussed in more detail below. [CJF emphasis]

How come public utility commission administrative law judges don’t recognize those federal laws, enforce them from the bench and in their decisions by automatically ruling in favor of consumers who reject AMI SMs?  Good question?

Since AMI SMs basically are sophisticated computers that will have to be replaced every five to six years with updated meters, the Computer Fraud and Abuse Act may be applied to AMI SMs privacy issues:

The Computer Fraud and Abuse Act (CFAA)

The Computer Fraud and Abuse Act (CFAA) prohibits intentionally accessing and obtaining information from a computer used in or affecting interstate commerce, without authorization or in excess of a granted authorization.246 The definition of a computer for purposes of the CFAA is “an electronic, magnetic, optical, electrochemical, or other high speed data processing device performing logical, arithmetic, or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device” excluding “an automated typewriter or typesetter, a portable hand held calculator, or other similar device….”247

The servers on a utility’s network would likely fall squarely within the definition of a computer under the CFAA. Similarly, smart meters themselves also appear to meet the definition of a computer, insofar as they store customers’ energy usage data and also perform logical operations by routing transmissions across the utility’s network. Additionally, in light of the significant role that energy utilities play in the modern economy, the smart meter network would also likely be considered to have an effect on interstate commerce, even if they operate entirely within one state. Therefore, intentionally gaining access to the utility’s servers or smart meters to obtain customer data would likely constitute a violation of the CFAA if done without the utility’s authorization or in excess of an authorization granted by the utility. [CJF emphasis]

Here’s a nice part about the CFAA: the fines, which should be incentive enough for everyone to file complaints against utility companies with their state Attorney General or state public utility commission:

The criminal penalties for violating the unauthorized access provisions of the CFAA have a three tier sentencing structure. Simple violations are punished as misdemeanors, imprisonment for not more than one year and/or a fine of not more than $100,000 ($200,000 for organizations).248

Another law that comes into play is Section 5 of the Federal Trade Commission Act.

Section 5 of the FTC Act prohibits “unfair or deceptive acts or practices in or affecting commerce”251 and gives the Federal Trade Commission (FTC) jurisdiction to bring enforcement actions against “persons, partnerships, or corporations” that engage in these practices.252 In the past, the FTC has used its authority under Section 5 to take action against businesses that violate their own privacy policies or that fail to adequately safeguard a consumer’s personal information.253 Although there do not appear to be any cases in which the FTC has taken action against an electric utility for failing to protect consumer smart meter data, the Commission would have authority to enforce Section 5 against a utility that fell within its statutory jurisdiction.

On page 40 of the Report, the lawyers mention another issue that can be relevant:

“Unfair” Failure to Secure Consumer Data

Failure to Protect Against Common Technology Threats or Unauthorized Access

The FTC may consider it an “unfair” practice when an electric utility fails to safeguard smart meter data from well-known technology threats as the data travels across the utility’s communications networks. [CJF emphasis]

Furthermore and even more importantly, all parties involved in the AMI SM legal debacles must realize what the CRS lawyers have to say about AMI SM data protection:

Smart Meter Data as a Protected “Record”

The Privacy Act protects the type of electricity usage data gathered by smart meters, provided that the data pertains to U.S. citizens or permanent residents, is personally identifiable, and is retrievable by the individual’s name or another personal identifier. The Privacy Act “governs the collection, use, and dissemination of a ‘record’ about an ‘individual’ maintained by federal agencies in a ‘system of records.’”368 Under the statute, a “record” is “any item, collection, or grouping of information about an individual that is maintained by an agency … that contains his name, or the identifying number, symbol, or other identifying particular assigned to the individual, such as a finger or voice print or a photograph.”369

An “individual” is defined as “a citizen of the United States or an alien lawfully admitted for permanent residence.”370 A “system of records” is “a group of any records under the control of any agency from which information is retrieved by the name of the individual” or other personal identifier “assigned to the individual.”371

Smart meter data held by an agency certainly fits within the broad definition of a “record” because it is a grouping of information about an individual, namely, data on that individual’s electricity usage. The data is typically stored along with a consumer’s account information, which usually includes a consumer’s name, social security number, or other “identifying particular.”372 Thus, smart meter data would constitute a protected “record” under the Privacy Act, assuming that it pertains to a citizen of the United States or lawful permanent resident and is retrievable by a personal identifier such as a consumer’s name or account number. [CJF emphasis]

All the above only confirms why The Energy Policy Act of 2005 (Public Law 109-58) Section 1252 Smart Metering does not mandate or make AMI Smart Meters mandatory.  That would be unconstitutional, yet public utility commissions don’t respect the foremost law of the land, the U.S. Constitution.

Apparently, there is a copy of a Member of Congress letter circulating on the Internet wherein that Congressperson says “As you may know, provisions within the 2005 Energy Policy Act allow for consumers to opt out of smart meter programs that are run at the state level.”

This Writer’s Comment:

Since the Equifax credit bureau hacking ‘tragedy’, plus other numerous privacy, security and identity theft problems with computers, credit card companies and corporations that manage them, one would think state agencies, in particular, should be determined to protect consumers’ constitutional rights to privacy and personal data, and not provide opportunities for personal data to be compromised from cyberattacks, especially since utility companies definitely will not be sending consumers’ data over secure networks!

References:

[1] https://www.casebriefs.com/blog/law/criminal-procedure/criminal-procedure-keyed-to-weinreb/electronic-surveillance-agents-and-informers-and-entrapment/kyllo-v-united-states-4/
[2] http://www.prnewswire.com/news-releases/onzo-announces-major-enhancements-to-customer-insights-data-analytics-solution-568136871.html

Catherine J Frompovich is a retired natural nutritionist who earned advanced degrees in Nutrition and Holistic Health Sciences, Certification in Orthomolecular Theory and Practice plus Paralegal Studies. Her work has been published in national and airline magazines since the early 1980s. Catherine authored numerous books on health issues along with co-authoring papers and monographs with physicians, nurses, and holistic healthcare professionals. She has been a consumer healthcare researcher 35 years and counting.

Catherine’s latest book, published October 4, 2013, is Vaccination Voodoo, What YOU Don’t Know About Vaccines, available on Amazon.com.

Her 2012 book A Cancer Answer, Holistic BREAST Cancer Management, A Guide to Effective & Non-Toxic Treatments, is available on Amazon.com and as a Kindle eBook.

Two of Catherine’s more recent books on Amazon.com are Our Chemical Lives And The Hijacking Of Our DNA, A Probe Into What’s Probably Making Us Sick (2009) and Lord, How Can I Make It Through Grieving My Loss, An Inspirational Guide Through the Grieving Process (2008)

Catherine’s NEW book: Eat To Beat Disease, Foods Medicinal Qualities ©2016 Catherine J Frompovich is now available

