Personal Information Concerns Smart Grid Developers

by Teresa Hansen, editor in chief

Because most smart meters collect customer usage data every 15 minutes, the electric utilities deploying them have much information revealing how customers use electricity. When it comes to using this data, utilities have only good intentions. Customers, however, aren’t so sure, and many worry why utilities even have the data and whether third parties will obtain it.

Electricity providers plan to use smart metering data to develop programs that give consumers more control over how and when they use electricity, saving electricity and money.

Smart metering data also will reveal to utilities when a customer gets up in the morning, when he goes to bed, when he does laundry, when he showers and just about everything else that goes on behind closed doors. Most utilities don’t plan to mine the data to this extent right away, but many experts have said that this information will allow utilities, as well as third parties, to develop smart grid applications that can’t be imagined today.

Utilities also are concerned. Many questions must be answered: Who will secure the data? Who will own it? Who will have access? Should customers retain control of it? Must customers give utilities permission to share it, or can data be shared without permission? Will customers trust utilities with energy usage data and participate in smart grid programs? How much data should be collected?

A panel of utility executives addressed smart meter data privacy concerns Sept. 20 and 21 during the Homeland Security for Networked Industries conference in Washington, D.C. Florida Power & Light Co. (FPL) treats data collected from its more than 500,000 smart meters as it treats all other customer data, including credit card and Social Security numbers, said Joel Garmon, the utility’s information security director. What concerns him, Garmon said, is how to treat the data in relation to third parties that want to play in the space. At FPL, customers own the data and the utility is the custodian of it, he said. FPL will share customer data with third parties only if a customer asks FPL to do so, Garmon said.

Xcel Energy Vice President and Chief Information Officer David Harkness also spoke on the panel. Xcel is letting the state public utility commissions (PUCs) fight it out and will follow their decisions, Harkness said.

Robert Shein, a security architect in the enterprise services and energy practices division of Hewlett-Packard, addressed data privacy Jan. 31 during the Electric Light & Power Executive Conference in San Diego.

“As utilities collect more and more data, they are trying to determine what data needs to be protected and then how to protect it,” Shein said. “Utilities want to make sure they understand what data is going to be personal information and what data should concern them.”

Most state PUCs have not ruled on protecting customer smart meter data.

Some time, however, they must establish guidelines and regulations that identify personally identifiable (PI) information and how utilities should protect it, Shein said.

“The problem is PUCs don’t have any better idea than anyone else about PI,” Shein said. “In fact, they probably have less idea than utilities. Utilities have the advantage because they have an earlier indication of what data they have to contend with and what vendor analytic tools are available to help them do so.”

Everyone has a hand in protecting privacy, Shein said. 

Privacy Drift 

In addition to not knowing exactly what will be considered privacy data, a second problem exits: Data not initially considered privacy data inevitably will become privacy data. This phenomenon is called privacy drift. Shein explains privacy drift like this: As the nature of data collected becomes larger and more multifaceted, it can change from just a large set of numbers to PI information. Such data almost never is stored in a privacy-protected architecture to begin with. Not everything can be treated as personal information, he said.

“With privacy drift, data suddenly becomes personal information that must be protected, and it must be protected immediately,” Shein said. “Currently it is utilities’ responsibility to realize when this occurs and determine how to protect data that they didn’t believe was going to become PI.”

The right approach to managing privacy drift, Shein said, is twofold. Utilities must be proactive, but recognize surprises will occur. And utilities must be prepared to react when surprises occur.

Data stores are important to being reactive and managing drift. Utilities must identify what data must be put into data stores and what type of data stores they will implement.

The data stores utilities create and how those data stores are secured will depend on regulations and guidelines, as well as business drivers, Shein said.

“Obviously, from a business standpoint, a 5-terabyte data store will be difficult to move,” he said. 

Analytics, Netflix and AOL 

Utilities also must understand analytics, Shein said.

“It’s one thing to have one or two types of data that are not privacy data, but when you have a lot of data that you think are not privacy-related, you need to be aware that through analytics that data may become privacy-related,” Shein said. “Again, this is the challenge of privacy drift.”

Netflix and AOL learned firsthand how analytics can turn anonymous data into PI.

Netflix wanted a better algorithm to identify additional movies its customers might rent based on what customers previously rented. Netflix created its X Prize contest to allow the public to create new analytical tools that would help it meet its goals. For a short time the online movie store made an anonymized data set available to contest participants without knowing a participant would cross-reference the data set against the IMDB (Internet Movie Database) that includes individuals’ identities. By doing this, the participant identified Netflix customers through the anonymized data, Shein said.

“Netflix is a beloved company,” Shein said. “People like the company and trust it, therefore, they weren’t upset when their data was released to other people.”

Privacy concerns often are related to perception and emotion. If people like a company, they have little problem turning over private information to them. Most have little problem allowing that company to turn over their private information to others because they trust them, Shein said.

AOL also learned how analytics can turn anonymous data into PI information after it made search terms available to researchers. The researchers determined which sets of search terms went together and were able to tie those search terms to individual users.

Like Netflix and AOL, power companies have good intentions. Many customers, however, perceive utilities as wanting their data to make money from it or to manipulate customers’ behavior in some way.

Utilities must improve their reputations with customers and gain customers’ trust. Customers take electricity service for granted, and most have no idea how complex it is for utilities to provide consumers with reliable power 365 days a year, Shein said.

“Power companies need to explain to their consumers what’s required to keep the lights on,” he said. “They must try to make their customers understand how they work and that what they do is not easy.” 

Facing the Unknown 

The environment in which utilities operate is changing rapidly, even faster than a normal information technology rate. Electric utilities, however, are not used to rapid change.

Utilities understand only pieces of the privacy issues. They want data privacy guidance, but they’re not finding much. Often, Shein said, the people speaking up don’t have anything helpful or worthwhile to say.

Mostly they hear “it depends,” Shein said. 

More PowerGrid International Issue Articles
PowerGrid International Articles Archives
View Power Generation Articles on
Previous articleEven an Ironman Needs a Little Support
Next articleSmart Grid Improves Mobile Workforce Efficiencies

No posts to display