Humans are moving to cities at an unprecedented rate. Today 55% of the world’s population lives in urban areas with that number expected to grow to 68% by 2050. The trend of urbanization is dramatic enough, but when it is layered with the ubiquitous trend towards technological integration the question that surfaces is, ‘What kind of cities will people be living in by 2050?’ How will they reflect the cyber-physical world taking shape around us, and how will we ensure that they remain safe places to live? How will smart cities protect privacy of its citizens?
The concept of the ‘smart city’ is a recent one, allegedly born from a conversation between the Clinton Foundation and Cisco in 2005. The tech vendor was apparently asked to find ways to use technology to foster greater sustainability in urban areas, and from this the concept of a smarter place to live and work emerged.
We built this city on data
Cities may have foundations of concrete and earth, but smart cities are built on data too. Lots and lots of data. In a smart city every interaction, every touchpoint becomes a potential source of and conduit for data. This includes hardware, household goods, cars, trucks, cameras, smartphones, fridges and even refuse bins. In this cyber-physical matrix the aim is to gather, analyze and apply this data in service of a better life for all citizens. More data, the thinking goes, means better decisions and more efficient ways of being that raise the universal standard of living. It’s a lofty and worthwhile goal, but it needs to be pursued with care to ensure that the data in the system isn’t commandeered for use against the very people who are meant to benefit from it.
When good data turns bad
One doesn’t need to look far to find examples of how the pace of technological development has outstripped cultural development. The zeitgeist of the internet age has seen exponential progress and unbridled innovation, often without much concern for future implications. Unfortunately, security is a major casualty in this relentless march forward – when you’re presented with the glory of the iPhone, why would you want the downer of assessing its risks?
This may be typically human behaviour, but it has already had significant repercussions in the Internet of Things (IoT). Internet-enablement of devices was rushed to market by most manufacturers while security became an afterthought. A good example of this was the Samsung Smart Fridge, which, in 2015, was found to be vulnerable to a Man-in-the-Middle attack. Since then, inherent security issues within IoT devices have resulted in some of the biggest cyberattacks in history, such as the Mirai botnet. And now, vulnerabilities in our Wi-Fi networks such as the Krack attack adds fuel to an already stoked fire. Cyber-kinetic risk, where the digital world penetrates our physical one, is the future playground of hackers. New methodologies for finding and mitigating risks will test security professionals to the limit.
This is particularly true in cities as we get closer to 5G rollout. It is in urban areas that 5G networks will be deployed first, where the limited signal range of 5G antenna can have maximum impact. 5G towers do not cast a wide net so many more of them will be needed than 3G or 4G. However, many more devices can be connected to a single 5G tower than can be associated with any 3G/4G equivalent. In cities, this promises powerful networks on which to grow the IoT. However, more devices also means a larger attack surface available to hackers, so IoT will be more critical than ever before.
In addition to security implications, Internet-enablement and remote data collection pose privacy risks. These include the ‘traditional’ fears of home devices that get hacked – laptop cameras that begin filming us without us knowing, or children’s toys that record our conversations. But it is becoming more personal too. The FDA recently approved pills containing sensors to allow patients’ drug use to be tracked. In hyper-connected cities this is the type of data that could be captured and used by would-be cybercriminals.
Smarter living – smarter risks?
Advances in technology coupled with population rise and urbanization challenges have created a perfect storm for the development of the smart city. Using data wisely is a way to manage increasingly difficult urban situations from traffic congestion to waste management.
Inherent risks, however, exist in moving to smart living. Let’s look at just three smart city areas that have privacy issues:
Autonomous cars, vacuum cleaners, and personal privacy
The benefits of self-driving cars are obvious: better routing, less stress, fewer accidents, lower congestion. In a 5G world of low latency and massive data capacity, a grid of autonomous cars would operate almost like a single organism, with each vehicle aware of the exact location of every other vehicle in real time. Sounds great, but is it really? Would you really want your location and movements to be accessible data?
Closer to home, spying through Internet-enabled devices is a genuine privacy risk. It may seem obvious once someone points out how Amazon Alexa can be used to listen in to your conversations, but what about your vacuum cleaner? Check Point recently found that the LG SmartThinQ app, which uses a camera to operate, could be hacked and used to spy on device owners. Several states in the U.S, are adopting laws around the use of autonomous cars, but the data associated with their use is still nascent.
Drones, satellites, and surveillance
Much has been made of Amazon’s supposed plans to deliver cargo by drone, but regardless of whether or not the Internet giant ever goes ahead with its delivery drone plans, drones are here to stay. For all their many potential benefits in smart city operations, like monitoring transportation and pollution, drones pose a significant privacy risk. Their amazing surveillance capability far outstrips the Google cars that caused an uproar during the company’s worldwide mapping.
Drones that sweep across our skies have obvious privacy implications for individuals, such as civil liberty and freedom of assembly. It isn’t too far-fetched to imagine drones being used for this purpose and this is a concern within the EU’s Article 29 Data Protection Working Party on drones. In another example, Singapore plans to track all cars to allow dynamic management of toll charging and parking. This system monitors by satellite rather than by drone, but the implications around tracking individuals are identical.
Smart waste management in smart cities and impersonal privacy – the issue of re-identification
With explosive population growth, waste management will become an increasingly unpleasant but important concern in the world’s cities as we move further into the 21st Century. The use of data capturing and management in smart cities will have an important role to play in reducing water, noise and air pollution, and optimizing energy conservation. At first glance this data appears to be impersonal, but sophisticated techniques of re-identification can trace seemingly-anonymous data back down to the individual level. Harvard University has shown, via their specialist Data Privacy Lab, just how easy it is to re-identify individuals through supposedly general data. With some creative thinking, Harvard was able to use public news items about hospitalizations alongside a ZIP code to identify an individual. In the smart city, anonymity will be even harder to protect. Even our television viewing can be tracked. Researchers recently discovered that smart meters that track a home’s electricity consumption can enable third parties to detect what a household watches by precisely measuring power consumption. Unfettered, cybercriminals are able to view massive data pools, while also zooming into the focus on an individual drop.
We need to be more protective of our data. Though there is tremendous potential in the generation, collection and analysis of smart city data, there are also important privacy concerns. Data can provide valuable insights to help us manage the complex nature of our growing population and urbanization needs, but we should not, and cannot, allow this need for efficiency to undermine our privacy.
Privacy is sacrosanct and, once lost, hard, if not impossible, to reclaim. As individuals, as organizations, as government bodies, we all need to understand and appreciate what data privacy means. We can make smarter cities, but, in doing so, we must also build technical and legislative structures that defend our rights of autonomy over our own information. Our next big step in human history needs to land on solid ground.
For over 30 years, Marin Ivezic has been protecting critical infrastructure and financial services against cyber, financial crime and regulatory risks posed by complex and emerging technologies.
He held multiple interim CISO and technology leadership roles in Global 2000 companies.