Ensuring the security and privacy of data generated by residents and internet-connected devices will allow cities to reap the benefits of innovation.
Calling fears about privacy abuses related to smart city data overblown, a new report states that the key to building and sustaining smart cities is balance.
“Data collection is what makes cities and communities ‘smart.’ It can generate cost and time savings, increased productivity, and public health and safety,” according to “Balancing Privacy and Innovation in Smart Cities and Communities,” a March 6 report from the Information Technology and Innovation Foundation. “But smart cities’ data collection is also the source of privacy concerns when the data collection involves personally identifiable information. Smart city technologies that collect data about residents, particularly sensitive data—such as personal information that could be used for identity theft—make attractive targets for cybercriminals.”
Key to balancing privacy and innovation is understanding that many cities are already collecting data with little threat to individuals’ privacy, the report states. For instance, smart grid technologies embedded in the energy system—think smart meters, buildings and appliances—provide real-time data on energy consumption that allows for dynamic pricing and demand response, which can reduce emissions.
“Most smart city applications are built around the Internet of Things (IoT): physical objects embedded with sensors or actuators and network connectivity to enable them to send, receive, and act on data,” the report states. “Other enabling smart city technologies include wired and wireless broadband networks, analytics tools to process data coming from sensor networks, and autonomous systems.”
Examples include smart trash cans that can alert the sanitation department when they are full, preventing litter from overflowing and serving as Wi-Fi hotspots; smart water monitoring that can alert officials to pollutants and leaks; intelligent traffic signals that can improve the flow of vehicles and reduce accidents; and gunshot detection, which can help first responders reach the scene of a shooting faster.
But privacy advocates and smart city opponents say government entities may sell the data those devices collect to offset tech costs or use it for surveillance. Plus “every Internet-connected device involved in collecting, transmitting or receiving smart city data is a potential security vulnerability,” according to the report.
Security concerns are well-founded. Data breaches often result in the exposure of personal data and significant economic loss, the report notes, adding that the average cost of a public-sector data breach in 2022 was more than $2 million.
What’s more, local governments are big targets because of their large attack surface. Even though they control critical infrastructure, they “often fail to prioritize cybersecurity,” the report adds. “Effectively addressing this concern will require local governments to increase their investment in cybersecurity, follow cybersecurity best practices, update IT systems, require their private partners to follow the same practices, and exercise caution in procuring smart city technologies.”
Commercial use of data is another worry of privacy advocates. It often happens in two ways: a city or community could make a deal with a company to provide smart city tech and in turn will give that vendor access to the data collected, or it could sell localized advertisements.
“To better protect residents’ privacy when sharing their data, smart cities and communities can set rules for their private-sector partners’ use of smart city data, and follow up to ensure continual compliance,” the report states.
Surveillance is a third concern that privacy advocates cite because although most of the data collected is of low risk to individual privacy, in aggregate, it could “build detailed profiles of residents’ behavior,” the report states. But “the United States has many laws, including those enumerated in the Constitution and Bill of Rights, that restrict governments at every level from engaging in this type of surveillance.”
The report offers six recommendations for balancing the benefits of smart city operations with privacy worries. First, cities and communities should prioritize cybersecurity when using smart city technologies. This includes encrypting data, using cloud computing and conducting threat and risk assessments.
Second, Congress should pass legislation requiring opt-in consent for data use by commercial entities and transparency rules to ensure the public understands how data is collected and used.
The final three recommendations relate to surveillance. State lawmakers should regulate data collection by law enforcement, such as limiting how long agencies can retain data unrelated to criminal evidence. Additionally, “cities and communities should anonymize any personal data they collect via smart city technologies …[and] delete stored personal data after a certain period of time when the data is no longer useful for its intended function,” the report states.
Lastly, local agencies should not be required to share sensitive personal data about users in order to use the technology, but they could share anonymized or other nonsensitive data.
“Data collection powers smart cities and communities, yet privacy issues continue to stall progress,” Ashley Johnson, a senior policy analyst at ITIF and the author of the report said in a statement. “Cities and communities need to balance the cybersecurity risks, commercial use of data, and potential government surveillance against other more prevalent concerns like public safety, sustainability, the beneficial uses of data, and cost.”