EFF Comments Smart Grid

Published on December 2016



EPIC Comments NIST
Dec. 1, 2009 Smart Grid Standards

COMMENTS OF THE
ELECTRONIC PRIVACY INFORMATION CENTER
Joined by

PRIVACY ACTIVISM
PRIVACY RIGHTS CLEARINGHOUSE
LIBERTY COALITION
ELECTRONIC FRONTIER FOUNDATION
GOVERNMENT ACCOUNTABILITY PROJECT
U.S. BILL OF RIGHTS FOUNDATION
CENTER FOR MEDIA AND DEMOCRACY
CYBER SECURITY PROJECT
THE RUTHERFORD INSTITUTE
WORLD PRIVACY FORUM
CENTER FOR FINANCIAL PRIVACY AND HUMAN RIGHTS
AMERICAN CIVIL LIBERTIES UNION
CONSUMER ACTION
AMERICAN LIBRARY ASSOCIATION

Privacy and Security Experts

Bruce Schneier
Christopher Wolf
Pablo Molina
Prof. Helen Nissenbaum
Deborah Hurley
Philip Friedman
Edward G. Viltz
Chris Larsen
Stefan Brands

to
THE NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
on
DOCKET NO. 0909301329-91332-01

"Draft NIST Interagency Report (NISTIR) 7628, Smart Grid Cyber Security Strategy and
Requirements: Request for Comments"

December 1, 2009


TABLE OF CONTENTS
I. Background and Signatories
II. Privacy and the Smart Grid
  a. Defining Privacy and the Smart Grid
  b. Assessing Smart Grids and Privacy
  c. Privacy Threats
    i. Identity Theft
    ii. Personal Surveillance
    iii. Energy Use Surveillance
    iv. Physical Dangers
    v. Misuse of Data
III. EPIC Recommendations on How to Make the Smart Grid Privacy Smart
  a. NISTIR's Approach Is Insufficient
  b. Adopt Fair Information Practices
  c. Establish Independent Privacy Oversight
  d. Abandon the Notice and Consent Model
  e. Impose Mandatory Restrictions on Use and Retention of Data
  f. Verify Techniques for Anonymization of Data
  g. Establish Robust Cryptographic Standards
IV. Conclusion





I. BACKGROUND AND SIGNATORIES

By notice published in the Federal Register on October 9, 2009, the National
Institute of Standards and Technology (NIST) announced[1] it seeks public comment on the
Smart Grid Cyber Security Strategy and Requirements document.[2]

The Electronic Privacy Information Center (EPIC) is a public interest research center
in Washington, DC. EPIC was established in 1994 to focus public attention on emerging civil
liberties issues and to protect privacy, the First Amendment and constitutional values. EPIC
has a long-standing interest in privacy and technology issues.[3] EPIC has a specialized area
of expertise regarding digital communication technologies and privacy policy.[4] EPIC has a
particular interest in the privacy implications of the Smart Grid standards, as we anticipate
that this change in the energy infrastructure will have significant privacy implications for
American consumers.[5] In other similar areas, EPIC has consistently urged federal agencies
to minimize the collection of personally identifiable information (PII) and to establish
privacy obligations when PII is gathered. http://epic.org/

Privacy Activism is a nonprofit organization whose goal is to enable people to make
well-informed decisions about the importance of privacy on both a personal and societal
level. A key goal of ours is to inform the public about the importance of privacy rights and

[1] Smart Grid Cyber Security Strategy and Requirements, 74 Fed. Reg. 52,183-84 (October 9,
2009).
[2] National Institute for Standards and Technology, Smart Grid Cyber Security Strategy and
Requirements S (2009) [hereinafter Cyber Security Strategy].
[3] EPIC, Electronic Privacy Information Center, http://www.epic.org (last visited Dec. 1, 2009).
[4] EPIC, Privacy, http://www.epic.org/privacy/default.html (last visited Dec. 1, 2009).
[5] EPIC, The Smart Grid and Privacy, http://epic.org/privacy/smartgrid/smartgrid.html (last
visited Dec. 1, 2009).



the short- and long-term consequences of losing them - either inadvertently, or by
explicitly trading them away for perceived or ill-understood notions of security and
convenience. http://www.privacyactivism.org.

Privacy Rights Clearinghouse (PRC) is a nonprofit consumer organization with a
two-part mission -- consumer information and consumer advocacy. It was established in 1992
and is based in San Diego, California. It is primarily grant-supported and serves individuals
nationwide. http://www.privacyrights.org/

The Electronic Frontier Foundation (EFF) is a non-profit, member-supported civil
liberties organization based in San Francisco, California, that works to protect rights in the
digital world. Because Smart Grid technology can gather detailed information about
individual and family activities at home, privacy is a crucial concern: law enforcement
today uses utility records, and the expected increase in amount and detail of information
available through utilities with the Smart Grid will fuel demand for data about home
activities that should only be available to government with a warrant. Privacy of the home
can only be adequately protected in the Smart Grid if it is analyzed together with Smart
Grid policy and architecture. Clear standards are needed as to what information (and how
much and how detailed) is transmitted or available to utilities. System architecture (e.g.
centralization vs. decentralization, network nodal structure) may permit significant
minimization of data and detail: if homes and neighborhoods have significant computing
capacity in local devices and networks, much monitoring, calculation and analysis of energy



usage can be done locally, obviating utility data collection in the first place.
http://www.eff.org/

The Liberty Coalition works to help organize, support and coordinate trans-partisan
public policy activities related to civil liberties and basic rights. We work in conjunction
with groups of partner organizations that are interested in preserving the Bill of Rights,
personal autonomy and individual privacy. http://www.libertycoalition.net/

The U.S. Bill of Rights Foundation is a non-partisan public interest law policy
development and advocacy organization seeking remedies at law and public policy
improvements on targeted issues that contravene the Bill of Rights and related
Constitutional law. The Foundation implements strategies to combat violations of
individual rights and civil liberties through Congressional and legal liaisons, coalition
building, mission development, project planning & preparation, tactical integration with
other supporting entities and the filings of amicus curiae briefs in litigated matters.
http://usbor.netboots.net/

The Cyber Privacy Project (CPP) addresses concerns and issues about privacy raised
in today's networked world. In upholding the belief that privacy is essential to democratic
government, the Cyber Privacy Project anchors its approach in realizing the beneficial
potential of the Constitution, laws and policies of the United States. CPP calls for
implementation of privacy protections based on First Amendment rights of privacy and
anonymity, Fourth Amendment rights against unreasonable searches and seizures, the



Fifth and Fourteenth Amendment rights to due process and protection of liberty, and Ninth
Amendment implied rights to privacy. http://www.cyberprivacyproject.org/

The Rutherford Institute, a nonprofit legal and educational civil liberties organization,
provides legal assistance at no charge to individuals whose constitutional rights have been
threatened or been violated. The Institute has emerged as one of the nation's leading
advocates of civil liberties and human rights, litigating in the courts and educating the
public on a wide spectrum of issues affecting individual freedom in the United States and
around the world. http://www.rutherford.org/

The World Privacy Forum is a nonprofit, non-partisan 501 (C) (3) public interest
research group. The organization is focused on conducting in-depth research, analysis and
consumer education in the area of privacy. It is the only privacy-focused public interest
research group conducting independent, longitudinal work. The World Privacy Forum has
had notable successes with its research, which has been groundbreaking and consistently
ahead of trends. World Privacy Forum reports have documented important new areas,
including medical identity theft. Areas of focus for the World Privacy Forum include health
care, technology and the financial sector. The Forum was founded in 2003 and works both
nationally and internationally. http://www.worldprivacyforum.org/

The Center for Financial Privacy and Human Rights was founded in 2005 to defend
privacy, civil liberties and market economics and is part of the Liberty and Privacy
Network, a Washington, DC-based 501(c)(3) organization. http://financialprivacy.org/



Consumer Action is a non-profit, membership-based organization that was founded in
San Francisco in 1971. During its more than three decades, Consumer Action has continued
to serve consumers nationwide by advancing consumer rights, referring consumers to
complaint-handling agencies through our free hotline, publishing educational materials in
Chinese, English, Korean, Spanish, Vietnamese and other languages, advocating for
consumers in the media and before lawmakers, and comparing prices on credit cards, bank
accounts and long distance services. http://www.consumer-action.org/

The American Civil Liberties Union (ACLU) is our nation's guardian of liberty,
working daily in courts, legislatures and communities to defend and preserve the
individual rights and liberties that the Constitution and laws of the United States guarantee
everyone in this country.

The ACLU also works to extend rights to segments of our population that have
traditionally been denied their rights, including people of color; women; lesbians, gay men,
bisexuals and transgender people; prisoners; and people with disabilities.
http://www.aclu.org/

The American Library Association (ALA) strives to provide leadership for the
development, promotion, and improvement of library and information services and the
profession of librarianship in order to enhance learning and ensure access to information
for all. In 1998 the ALA Council voted commitment to five Key Action Areas as guiding
principles for directing the Association's energies and resources: Diversity, Equity of



Access, Education and Continuous Learning, Intellectual Freedom and 21st Century
Literacy. http://www.alawash.org/

II. PRIVACY AND THE SMART GRID

a. DEFINING PRIVACY AND THE SMART GRID

Privacy is one of the most fundamental and basic of human rights. Without it, many
other rights, such as the freedoms of speech, assembly, religion and the sanctity of the
home, would be jeopardized. Although most countries around the world include explicit
protection of a right to privacy in their constitutions, it remains one of the more difficult
terms to define.

The focus for protecting privacy of information stored on computers or exchanged
on computing networks is whether data is or is not personally identifiable information
(PII). This is information that can locate or identify a person, or can be used in conjunction
with other information to uniquely identify an individual. Historically, PII would include
name, social security number, address, phone number, or date of birth. In the Internet Age
the list of PII has grown to include e-mail addresses, IP addresses, social networking pages,
search engine requests, log records and passwords.

If information is PII, our legal system has long recognized and protected the right of
personal privacy in that information. The drafters of the Constitution "conferred, as against
the Government, the right to be let alone--the most comprehensive of rights and the right
most valued by civilized man. To protect that right, every unjustifiable intrusion by the
Government upon the privacy of the individual, whatever the means employed, must be



deemed a violation" of constitutional principles.[6] As the Supreme Court noted, the
constitutional right of privacy protects two distinct interests: "one is the individual interest
in avoiding disclosure of personal matters, and another is the interest in independence in
making certain kinds of important decisions."[7] Moreover, public opinion polls consistently
find strong support among Americans for privacy rights in law to protect their personal
information from government and commercial entities.[8]

More recently, the Supreme Court in Kyllo v. United States[9] addressed the privacy
implications of the monitoring of electrical use in the home. After reviewing precedent, the
Court found that a search warrant must be obtained before the government may use new
technology to monitor the use of devices that generate heat in the home:

    [I]n the case of the search of the interior of homes--the prototypical and
    hence most commonly litigated area of protected privacy--there is a ready
    criterion, with roots deep in the common law, of the minimal expectation of
    privacy that exists, and that is acknowledged to be reasonable. To withdraw
    protection of this minimum expectation would be to permit police
    technology to erode the privacy guaranteed by the Fourth Amendment.[10]

The Court found that even the most minute details of a home are intimate: "[i]n the
home, our cases show, all details are intimate details, because the entire area is held safe
from prying government eyes."[11] Thus, the Court held that the police could not use thermal
imaging equipment, which was not in general public use, "to explore details of the home

[6] Olmstead v. United States, 277 U.S. 438, 478 (1928) (Brandeis, J., dissenting).
[7] Whalen v. Roe, 429 U.S. 589, 599-600 (1977).
[8] See generally EPIC, Public Opinion on Privacy, http://epic.org/privacy/survey (last visited Dec.
1, 2009).
[9] 533 U.S. 27 (2001).
[10] Id. at 34.
[11] Id. at 37.



that would previously have been unknowable without physical intrusion," without first
obtaining a search warrant.[12]

The well-established interest in privacy of power consumption in the home begins
the discussion. More broadly, "fair information practices," which set out the essential
framework for the collection and use of personal information for any service provision,
have been recognized in our legal system for years, beginning with the magisterial report of
the U.S. Dep't. of Health, Education and Welfare (HEW) entitled Records, Computers, and the
Rights of Citizens.[13] In that publication, the HEW Advisory Committee on Automated
Personal Data Systems set out a Code of Fair Information Practices (FIPs), based on five
principles:

    (1) There must be no personal data record-keeping systems whose very
    existence is secret. (2) There must be a way for a person to find out what
    information about the person is in a record and how it is used. (3) There
    must be a way for a person to prevent information about the person that was
    obtained for one purpose from being used or made available for other
    purposes without the person's consent. (4) There must be a way for a person
    to correct or amend a record of identifiable information about the person. (5)
    Any organization creating, maintaining, using, or disseminating records of
    identifiable personal data must assure the reliability of the data for their
    intended use and must take precautions to prevent misuses of the data.[14]

The HEW Report also recommended enforcement mechanisms to ensure adherence
to the principles:

    (1) The Code should define 'fair information practice' as adherence to
    specified safeguard requirements; (2) The Code should prohibit violation of

[12] Id. at 40.
[13] Dep't. of Health, Educ. and Welfare, Secretary's Advisory Comm. on Automated Personal
Data Systems, Records, Computers, and the Rights of Citizens (Government Printing Office
1973) [hereinafter "HEW Report"].
[14] Id. at xx-xxi.



    any safeguard requirements as an "unfair information practice"; (3) The Code
    should provide that an unfair information practice be subject to both civil
    and criminal penalties; (4) The Code should provide for injunctions to
    prevent violation of any safeguard requirement; (5) The Code should give
    individuals the right to bring suits for unfair information practices to recover
    actual, liquidated, and punitive damages, in individual or class actions. It
    should also provide for recovery of reasonable attorneys' fees and other
    costs of litigation incurred by individuals who bring successful suits.[15]

This approach to privacy protection, which places obligations on those entities that
collect personal information and provides rights to individuals whose personal data is
collected, undergirds most of modern privacy law. In fact, it provides the framework for the
Privacy Act of 1974[16] and dozens of state and federal laws.[17]

The international community has also recognized the importance of robust fair
information practices: in 1980, the International Organization of Economic Cooperation
and Development (OECD) codified its Guidelines on the Protection of Privacy and
Transborder Flows of Personal Data.[18] The OECD Privacy Guidelines offer important
international consensus on and guidelines for privacy protection and establish eight
principles for data protection that are widely used as the benchmark for assessing privacy
policies and legislation:

[15] Id. at xxiii.
[16] Privacy Act of 1974, 5 U.S.C. § 552a (2008).
[17] See, e.g., Fair Credit Reporting Act of 1970, 15 U.S.C. §§ 1681-1681u (2008); Right to
Financial Privacy Act of 1978, 12 U.S.C. §§ 3401-22 (2008); Fair Information Practices Act,
Mass Ann. Laws ch. 66A §§ 1-3 (2008); Insurance Information and Privacy Protection Act, Me.
Rev. Stat. Ann. tit. 24-A, §§ 2201-20 (2008).
[18] See OECD, Guidelines on the Protection of Privacy and Transborder Flows of Personal Data
(1980), http://www.oecd.org/document/18/0,3343,en_2649_34255_1815186_1_1_1_1,00.html
[hereinafter OECD Privacy Guidelines], reprinted in The Privacy Law Sourcebook 395-423
(Marc Rotenberg ed., 2004).



    1. Collection Limitation Principle - There should be limits to the collection of
       personal data: any such data collected should be obtained by lawful means
       and with the consent of the data subject, where appropriate.
    2. Data Quality Principle - Collected data should be relevant to a specific
       purpose, and be accurate, complete, and up-to-date.
    3. Purpose Specification Principle - The purpose for collecting data should be
       settled at the outset.
    4. Use Limitation Principle - The use of personal data ought be limited to
       specified purposes, and that data acquired for one purpose ought not be
       used for others.
    5. Security Safeguards Principle - Data must be collected and stored in a way
       reasonably calculated to prevent its loss, theft, or modification.
    6. Openness Principle - There should be a general position of transparency
       with respect to the practices of handling data.
    7. Individual Participation Principle - Individuals should have the right to
       access, confirm, and demand correction of their personal data.
    8. Accountability Principle - Those in charge of handling data should be
       responsible for complying with the principles of the privacy guidelines.[19]

Representatives from North America, Europe and Asia drafted the original OECD
Privacy Guidelines. Countries around the world, with varying cultures and systems of
governance, have adopted roughly similar approaches to privacy protection with respect to
the OECD Privacy Guidelines. The OECD Privacy Guidelines reflect a broad consensus about
how to safeguard the control and use of personal information. Therefore, they provide a
well thought-out solution to challenging questions about international consensus on
privacy and data protection that directly implicate Smart Grid policies and practices. Thus,

[19] Id. at 398-99.



fair information practices, as defined by the HEW Report and the OECD Guidelines, provide
the essential starting point for analyzing the privacy implications of the Smart Grid.

b. ASSESSING SMART GRIDS AND PRIVACY

The Smart Grid implicates privacy at a fundamental level, as it can best be
understood as a powerful digital communication network. Indeed, communications giant
Cisco foresees the Smart Grid network being "100 or 1,000 times larger than the
Internet."[20] The Smart Grid would allow the unprecedented flow of information between
power providers and power consumers, and its potential benefits to energy efficiency,
granular control over power usage, and the environment are immense. However, like any
analogous communications network, such as the Internet, the Smart Grid also admits the
possibility of new and problematic threats to privacy in the form of increased data
collection, retention, sharing and use.[21] As NIST acknowledges, "[t]he major benefit
provided by the Smart Grid, i.e. the ability to get richer data to and from customer meters
and other electric devices, is also its Achilles' heel from a privacy viewpoint."[22]


[20] Martin LaMonica, Cisco: Smart Grid Will Eclipse Size of Internet, CNET, May 18, 2009,
http://news.cnet.com/8301-11128_3-10241102-54.html.
[21] See Ann Cavoukian, Jules Polonetsky & Christopher Wolf, Privacy by Design, SmartPrivacy
for the Smart Grid: Embedding Privacy into the Design of Electricity Conservation 8 (Nov.
2009), http://www.ipc.on.ca/images/Resources/pbd-smartpriv-smartgrid.pdf (“Modernization of
the current electrical grid will involve end-user components and activities that will tend to
increase the collection, use and disclosure of personal information by utility providers, as well
as, perhaps, third parties.”) [hereinafter Privacy by Design].
[22] National Institute for Standards and Technology, NIST Framework and Roadmap for
Smart Grid Interoperability Standards Release 1.0 (Draft) 84 (2009) [hereinafter Draft
Framework].



The basic architecture of the Smart Grid presents several thorny privacy issues. The
first widely distributed smart grid application is the smart meter.[23] Smart meters monitor
and report on customer electricity consumption to the utility service provider. Experts
estimate that U.S. investment in smart meters could total $40 to $50 billion, and roughly
100 million smart meters could be installed over the next five years.[24] Smart meters, like
traditional meters, will be associated with a unique address, which makes it PII.[25] The
meter serial number, as well as the electronic information associated with the device would
comprise PII for those associated with the address. Smart meters will increase the
frequency of communication from the home to the utility service provider or the third
party application user. Traditional meter reading took place once a month, by the visit of a
person who was affiliated with the electricity service provider or billing company, whereas
smart meters will increase the frequency and access to the data collected.

Smart meters could be designed or configured to report electricity consumption
once a month, or weekly, or daily. However, proposals for smart meters discuss "real-time"
reporting of usage data.[26] The design specification is not for that electricity consumption
information to remain in the home or meter location, which could only be accessed easily

[23] See Stan Mark Kaplan, Congressional Research Service, Electric Power Transmission:
Background and Policy Issues 23 (2009), available at
http://opencrs.com/document/R40511/2009-04-14/download/1013 (discussing basic functions of
smart meters); U.S. Dep’t of Energy, Smart Grid System Report 38 (July 2009) [hereinafter
“Smart Grid System Report”] (“The use of smart meters, a driving force behind being able to
evaluate grid load and support pricing conditions, has been increasing significantly, almost
tripling between 2006 and 2008 to 19 million meters. . . .”).
[24] Draft Framework, supra note 22, at 21-22.
[25] See Cyber Security Strategy, supra note 2, at 33 (flow chart detailing Smart Grid
communication links between consumers and providers).
[26] See, e.g., Draft Framework, supra note 22, at 56.



by the utility user. Rather, the plan as suggested in the Cyber Security Strategy is to share
the information with the utility company or others. If, as the document suggests, the
information will allow customers to make better energy consumption decisions then only
the customer should have access to that information. This is one of many instances in
which the design of a Smart Grid application can favor privacy or ignore it.

Another architectural point that raises privacy implications is the use of wireless
communications to transmit Smart Grid data.[27] The Draft Framework proposed to assess
"the capabilities and weaknesses of specific wireless technologies."[28] Although it mentions
security as a characteristic of wireless technology that may be relevant to that assessment,
it does not mention privacy. Any wireless technology that would be used to transmit user
data must protect personal privacy. Wireless sensors and networks are susceptible to
security breaches unless properly secured,[29] and breaches of wireless technology could
expose users' personal data.[30] Similarly, the potential transmission of Smart Grid data
through "broadband over power line" (BPL) implicates users' privacy:

    A BPL node could communicate with any device plugged into an electrical
    socket. Capture of a substation node would provide control over messages
    going to smart appliances or computing systems in homes and offices. A

[27] See Draft Framework, supra note 22, at 65.
[28] Id.
[29] See, e.g., Mark F. Foley, Data Privacy and Security Issues for Advanced Metering Systems
(Part 2), available at
http://www.smartgridnews.com/artman/publish/industry/Data_Privacy_and_Security_Issues_for_Advanced_Metering_Systems_Part_2.html
(“Wireless sensor networks, for example, are
subject to the general security problems of computer networks, ordinary wireless networks, and
ad-hoc networks”).
[30] See id. (breaches could “result in denial of service to customers or utilities (e.g., access to
billing information or energy usage), payment avoidance, system overload, reduced quality of
service, and violation of power control protocols”).



    utility may also offer customers BPL as a separate revenue stream. This
    creates risks that [advanced meter] data could be read or modified over the
    internet or that common internet attacks could be brought against the
    electrical grid or individual customers.[31]

Moreover, wireless communication is especially problematic in light of the past
exploitation of wireless systems by thieves who use techniques known as "war driving" to
seek out unprotected or insufficiently protected wireless communication portals.[32] Signals
from wireless devices are detectable by others using easily acquired materials with little
expertise to pick up valuable information on systems using wireless technology.

Wireless would not only provide a significant challenge to privacy of users, but may
also pose economic as well as security threats. Identity theft, third party monitoring of
utility use, home invasions, domestic abuse and predatory use of home electricity
consumption information strip home owners of the protection from prying eyes provided
by the walls of their home.

A final architectural problem with the proposed Smart Grid is the interaction
between the Smart Grid and plug-in electric vehicles (PEV). It is possible that the
Smart Grid would permit utility companies to use PEVs and other sources of stored energy
"as a grid-integrated operational asset,"[33] i.e., drain the energy stored in the PEVs when
needed to supply other users. This application of the Smart Grid is particularly troubling. If
privacy is, as the Supreme Court has said, the "interest in independence in making certain

[31] Id.
[32] See, e.g., Patrick S. Ryan, War, Peace, or Stalemate: Wargames, Wardialing, Wardriving, and
the Emerging Market for Hacker Ethics, 9 Va. J.L. & Tech. 7 (2004).
[33] Draft Framework, supra note 22, at 67.



kinds of important decisions,"[34] then this proposed application could severely damage
both privacy interests and consumer rights.

c. PRIVACY THREATS

In addition to the architectural weaknesses of the proposed Smart Grid, the
application and use of the Grid threatens privacy in many different ways. NIST should
establish comprehensive privacy regulations that limit the collection and use of consumer
data. Only by building privacy protection into the Smart Grid from the outset can NIST
defend the robust privacy interests long protected by our legal system. The following
paragraphs identify many of the privacy interests threatened by the Smart Grid.

i. IDENTITY THEFT

Identity theft victimizes millions of people each year.[35] The FTC estimated that 8.3
million people discovered that they were victims of identity theft in 2005, with total
reported losses exceeding $15 billion.[36] According to the Privacy Rights Clearinghouse,
more than 340 million records containing sensitive personal information have been
involved in security breaches since January 2005.[37]

Peter Neumann, an expert on privacy and security (and a member of the EPIC
Advisory Board), testified to Congress in 2007 about security and privacy, and concluded
that the design of information systems is subject to many pitfalls, and that there is "[a]

34
Whalen v. Roe, 429 U.S. 589, 599-600 (1977).
35
See generally EPIC, Identity Theft, http://epic.org/privacy/idtheft (last visited Dec. 1, 2009).
36
Fed. Trade Comm’n, 2006 Identity Theft Survey Report 4, 9 (2007) [hereinafter “FTC Survey
Report”].
37
Privacy Rights Clearinghouse, Chronology of Data Breaches, Nov. 23, 2009,
http://www.privacyrights.org/ar/ChronDataBreaches.htm.



common tendency to place excessive faith in the infallibility of identification,
authentication, and access controls to ensure security and privacy."[38]
The faith placed in the capacity of the Smart Grid to safeguard sensitive personal
information is similarly unfounded. As an employee for Itron, a manufacturer of automated
meters, admitted, "Any network can be hacked."[39] Similarly, some experts argue that "an
attacker with $500 of equipment and materials and a background in electronics and
software engineering could 'take command and control of the [advanced meter
infrastructure] allowing for the en masse manipulation of service to homes and
businesses.'"[40] Thus, it is possible that "just as identities, credit and debit card numbers,
and other financial information are routinely harvested and put up for sale on the Internet,
so will be Smart Grid identifiers and related information."[41] Alternatively, identity thieves
could use PII obtained elsewhere to impersonate utility customers, which poses the risk of
fraudulent utility use and potential impact on credit reports.[42]
ii. PERSONAL SURVEILLANCE

38
Security and Privacy in the Employment Eligibility Verification System (EEVS) and Related
Systems: Hearing Before the H. Comm. On Ways and Means Subcomm. On Social Security,
110th Cong. 9 (2007) (statement of Peter G. Neumann, Principal Scientist, Computer Science
Lab, SRI International).
39
Jeanne Meserve, 'Smart Grid' May Be Vulnerable To Hackers, CNN, March 21, 2009,
http://www.cnn.com/2009/TECH/03/20/smartgrid.vulnerability.
40
Id.
41
Eric Breisach & H. Russell Frisby, Energy Identity Theft: We’re Way Beyond Plugging in the
Meter Upside Down, Smartgridnews.com, April 9, 2008,
http://www.smartgridnews.com/artman/publish/article_425.html.
42
See Rebecca Herold, SmartGrid Privacy Concerns, available at
http://www.privacyguidance.com/files/SmartGridPrivacyConcernsTableHeroldSept_2009.pdf
[hereinafter Privacy Concerns].



The Smart Grid could also reveal sensitive personal behavior patterns. The
proposed Smart Grid will be able to coordinate power supply in real time, based on the
power needs of users and the availability of power.[43] For instance, "[e]nergy use in
buildings can be reduced if building-system operations are coordinated with the schedules
of the occupants."[44] However, coordinating schedules in this manner poses serious privacy
risks to consumers. Information about a power consumer's schedule can reveal intimate,
personal details about their lives, such as their medical needs, interactions with others and
personal habits: "highly detailed information about activities carried on within the four
walls of the home will soon be readily available for millions of households nationwide."[45]
"For example, research has delineated the differences in availability at home for various
social types of electricity consumers including working adults, senior citizens, house wives
and children of school age."[46] Similarly, the data could reveal the type of activity that the
consumer is engaging in, differentiating between, for example, housework and personal
hygiene, or even revealing that a consumer has a serious medical condition and uses
medical equipment every night, or that he lives alone and leaves the house vacant all day.[47]


43
Draft Framework, supra note 22, at S1.
44
Id. at 52.
45
Elias Leake Quinn, Privacy and the New Energy Infrastructure 28 (2009), available at
http://ssrn.com/abstract=1370731 (emphasis in original) [hereinafter Privacy and the New
Energy Infrastructure]; see Privacy Concerns, supra note 42.
46
Privacy and the New Energy Infrastructure at 26-27; see A. Capasso et al., Probabilistic
Processing of Survey Collected Data in a Residential Load Area for Hourly Demand Profile
Estimation, 2 Athens Power Tech 866, 868 (1993).
47
Privacy and the New Energy Infrastructure, supra note 45, at 27 (“differences in consumption
vary with the type of activity, and profiles of energy uses that differentiate between activities can
be constructed for things like leisure time, housework, cooking, personal hygiene”); see Capasso,
supra note 46, at 869.



iii. ENERGY USE SURVEILLANCE
Smart Grid meter data may also be able to track the use of specific appliances within
users' homes.[48] These "smart appliances" would be able to communicate with the Smart
Grid, transmitting detailed energy-use information and responding dynamically to price
fluctuations and power availability. A smart water heater, for example, could engage in
"dynamic pricing" by equipping it with "a device that coordinates with a facility's
energy-management system to adjust temperature controls, within specified limits, based on
energy prices."[49] As other devices become commercially available that are designed to send
consumption data over the Smart Grid, the collection of personal data could increase. For
example, the monitoring of electricity consumption may require the registration of items
within a home for monitoring by the utility company or a third party service provider.
Smart Grid enabled appliances such as washers, dryers, air conditioners, central heating
systems, water heaters, stoves, refrigerators, freezers, swimming pools and Jacuzzis
consume large amounts of electricity, and may be associated with a fixed address such as a
home. Each of these items may have a unique product manufacturer designation (e.g.
Whirlpool, General Electric, etc.), product serial number, and the purchase history of the
item would include the purchaser's name. Monitoring the function and operation of these
items would be physically associated with an address, which is personally identifiable
information for those occupying the residence.

48
See, e.g., Privacy by Design, supra note 21, at 8-9.
49
Smart Grid System Report, supra note 23, at 34.



Further, it can be anticipated that the Smart Grid could track even smaller electricity
usage. Smart plugs or outlets might report in real-time when a lighting fixture, lamp,
computer, television, gaming system, music device, or exercise machine is operating and
for how long.
One scholar forcefully argues that the ability to monitor electricity use at such a
granular level poses a serious threat to privacy:

This, more than any other part of the smart meter story, parallels Shelley's
fable of Frankenstein: while researchers do not currently have the ability to
identify every appliance event from within an individual's electricity profile,
the direction of the research as a whole and the surrounding context and
motivations for such research point directly to developing more and more
sophisticated tools for resolving the picture of home life that can be gleaned
from an individual's electricity profile. Before the switch is thrown and the
information unleashed upon the world for whatever uses willed, it may be
prudent to look into data protections lest the unforeseen consequences come
back to haunt us.[50]

Indeed, the potential amount of personal information that could be gleaned from
smart appliances is colossal:

For example, it is suggested that the following information could be gleaned
with the introduction of end-user components . . . : Whether individuals tend
to cook microwavable meals or meals on the stove; whether they have
breakfast; the time at which individuals are at home; whether a house has an
alarm system and how often it is activated; when occupants usually shower;
when the TV and/or computer is on; whether appliances are in good
condition; the number of gadgets in the home; if the home has a washer and
dryer and how often they are used; whether lights and appliances are used at
odd hours, such as in the middle of the night; whether and how often exercise
equipment such as a treadmill is used.[51]


50
Privacy and the New Energy Infrastructure, supra note 45, at 28.
51
Privacy by Design, supra note 21, at 11.



Perhaps more problematic, much of the personal information that could be gleaned
from smart appliances would not otherwise be available to outsider observers: "With the
whole of a person's home activities laid to bare, [appliance-usage tracking] provides a
better look into home activities than would peering through the blinds at that house."[52]
Not only could that information be used to extract even more intimate information
from the usage data, but that information could also be used in ways that impact the user in
tangential areas of their lives.[53] For instance, appliance usage data could be transferred to
appliance manufacturers to respond to warranty claims. Or, the data could be transferred
to insurance companies that may want the information as part of an investigation into an
insurance claim.[54] Landlords could track the energy use and behavior patterns of
renters/leasers. The data could even be used to impinge on civil liberties by facilitating
censorship or limitation of activities based on energy consumption patterns.[55] For instance,
"meter data could reveal resident activities or uses that utility companies may then
subsequently decide are inappropriate or should not be allowed."[56] Or more generally,
energy service providers in possession of consumer data may simply choose to use the data
for marketing purposes or to sell it on the open market.

52
Id. at 25.
53
See Privacy Concerns, supra note 42; Mark F. Foley, The Dangers of Meter Data (Part 1),
available at
http://www.smartgridnews.com/artman/publish/industry/The_Dangers_of_Meter_Data_Part_1.html
[hereinafter “Dangers (Part I)”].
54
See Dangers (Part I), supra note 53.
55
See Privacy Concerns, supra note 42.
56
Id.



The possibility that the appliances could interface with the Smart Grid through
IP-based networks further exacerbates the privacy issues. The Draft Framework raises
indirectly the privacy risk that would arise in an IP-based power network: "An analysis
needs to be performed for each set of Smart Grid requirements to determine whether IP is
appropriate and whether cyber security can be assured."[57] The effect of IP-based networks
on privacy must be part of that analysis, as IPv6 and the "Internet of Things" raise new
privacy considerations. For instance, the IP addresses associated with appliances or other
devices "could be used to track activities of a device (and an associated individual),"
thereby revealing an individual's health condition, daily activities, and other sensitive and
private information.[58] Moreover, allowing the devices access to the Internet will make them
more vulnerable, increasing the likelihood of security breaches and loss of personal
privacy: "All of these [Smart Grid] communication links introduce vulnerabilities, especially
if they can be accessed over the Internet."[59] The invasiveness of extracting appliance usage
data from Smart Grid data, particularly from IP-enabled appliances, cannot be overstated
as IP addressing in an IPv6 environment will make possible the unique identification of
every single device in the home that receives electric power.

57
Draft Framework, supra note 22, at 29.
58
SANS Institute, The Next Internet Privacy in Internet Protocol 5 (2004); see Commission To
the European Parliament, the Council, the European Economic and Social Committee and the
Committee of the Regions, Internet of Things — An Action Plan for Europe 5-6 (2009) (“Social
acceptance of [Internet of Things] will be strongly intertwined with respect for privacy and the
protection of personal data, two fundamental rights of the EU.”).
59
See M. Granger Morgan, et. al., Carnegie Mellon University Department of Engineering
and Public Policy, The Many Meanings of "Smart Grid" S (2009), available at
http://www.epp.cmu.edu/Publications/Policy_Brief_Smart_Grid_July_09.pdf.



iv. PHYSICAL DANGERS
Data could be used by criminals, such as burglars or vandals, who could monitor
real-time data in order to determine when the house is vacant.[60] As one Carnegie Mellon
University researcher argued, "[w]e should not build a power system in which a hacker
working for a burglar can tell when you are home by monitoring your control
systems. . . ."[61]
Similarly, the Smart Grid affects the interaction between privacy and domestic
violence/stalkers.[62] Stalking, domestic violence and intimate partner abuse are also the
targets of evolving state and federal policy.[63] Over the years this policy has increasingly
included the protection of the privacy of stalking and domestic violence survivors.[64] As
EPIC has repeatedly argued, domestic violence victims often have urgent needs for privacy,
as they may need to keep data from their abusers. This abuse can also involve privacy
violations such as surveillance, monitoring, or other stalking. For a domestic violence
victim, the need for privacy is a need for physical safety. However, the Smart Grid could
provide abusers with another method for tracking and monitoring their victims. For
instance, an abuser could track his victim's daily activities in order to exercise greater

60
See Privacy and the New Energy Infrastructure, supra note 45, at 30; Privacy Concerns, supra
note 42; Dangers (Part I), supra note 53.
61
Morgan, et. al, supra note 59, at 5.
62
See generally EPIC, Domestic Violence and Privacy, http://epic.org/privacy/dv (last visited
Dec. 1, 2009).
63
See, e.g., Violence Against Women and Department of Justice Reauthorization Act of 2005,
Pub. L. No. 109-162, 119 Stat. 2960 (2005).
64
See EPIC, Violence Against Women Act and Privacy, http://epic.org/privacy/dv/vawa.html
(last visited Dec. 1, 2009).



control over her ability to contact the authorities or other aid. Similarly, the capabilities of
the Smart Grid could affect even emancipated domestic abuse victims, as their former
abusers may be able to relocate the victims using personal information transmitted
through the Smart Grid.
v. MISUSE OF DATA
The massive amounts of data produced by the Smart Grid can potentially be
misused by a number of parties--the power utilities themselves, authorized third parties
such as marketing firms, or unauthorized third-parties such as identity thieves.
Power utilities themselves will likely be interested in conducting complex data
mining analysis of Smart Grid data in order to make power distribution decisions. For
instance, at the Tennessee Valley Authority (TVA), administrators estimate that they will
have 40 terabytes of data by the end of 2010, and that 5 years of data will amount to
roughly half a petabyte.[65] The TVA administrators are actively working to improve their
ability to analyze the data, including through "complex data mining techniques."[66] Data
mining of sensitive personal information raises serious privacy concerns.[67] For example,
Total Information Awareness (TIA), developed by the Defense Advanced Research Projects
Agency (DARPA), proposed to data mine wide swaths of information in order to detect

65
Josh Patterson, Cloudera, The Smart Grid and Big Data: Hadoop at the Tennessee Valley
Authority (TVA), June 2, 2009, http://www.cloudera.com/blog/2009/06/02/smart-grid-big-data-
hadoop-tennessee-valley-authority-tva.
66
Id.
67
See EPIC, Terrorism (Total) Information Awareness, http://epic.org/privacy/profiling/tia
(discussing government data mining of citizens’ personal information) (last visited Dec. 1,
2009).



terrorists.[68] However, privacy concerns led Congress to eliminate funding for the project,
and the Technology and Privacy Advisory Committee of the Department of Defense issued a
report[69] recommending that Congress pass laws to protect civil liberties when the
government sifts through computer databases containing personal information. The data
mining of sensitive personal information transmitted through the Smart Grid raises similar
privacy concerns. Moreover, the TVA has explored using cloud computing resources to
analyze and data mine the data, which raises a separate set of privacy concerns.[70]
Authorized third-parties may also be interested in using data collected through the
Smart Grid. The real-time data streaming capabilities of the Smart Grid, in particular,
implicate a separate group of privacy risks. Just as appliance manufacturers and insurance
companies may want access to appliance usage data, marketing and advertising firms may
want access to the data--particularly real-time data--in order to target marketing more
precisely.[71] However, power usage data, as discussed, can reveal intimate behavioral
information: providing that information to third-party marketing and advertising firms
surreptitiously would be a repugnant invasion of privacy.
The misuse of Smart Grid data is further exacerbated by the possibility of combining
Smart Grid data with other data sources. For example, Google PowerMeter collects data on

68
See id.
69
Department of Defense, Safeguarding Privacy in the Fight Against Terrorism (2004),
available at http://www.epic.org/privacy/profiling/tia/tapac_report.pdf.
70
See EPIC, Cloud Computing, http://epic.org/privacy/cloudcomputing (last visited Dec. 1,
2009).
71
See Privacy and the New Energy Infrastructure, supra note 45, at 45; Privacy Concerns, supra
note 42; Dangers (Part I), supra note 53.



home energy consumption.[72] This technology raises the obvious possibility that Google will
combine consumer information about power consumption with Google's preexisting ability
to record, analyze, track and profile the activities of Internet users.[73] Such new business
models also raise significant antitrust concerns.[74]
Unauthorized third-parties will likely also be interested in misusing Smart Grid data,
for many of the reasons already discussed, such as identity theft or burglary. Indeed, those
risks remain if even residual data is stored on Smart Grid meters. If data on Smart Grid
meters are not properly removed, residual data could reveal information regarding the
activities of the previous users of the meter.[75] Thus, the Smart Grid should be designed to
avoid the unnecessary retention of PII. Moreover, the prospect of remote access to Smart
Grid data could lead to unauthorized access and misuse of the data. Many companies and
government agencies provide employees and contractors with remote access to their
networks through organization-issued computing devices. Remote access to Smart Grid
customer information or utility usage data should be prohibited except for service
provision and maintenance. The misuse of Smart Grid data could also harm consumers'
reputations in many different ways. The collection and sharing of Smart Grid data could
cause unwanted publicity and/or embarrassment. Moreover, public aggregated searches of

72
Google PowerMeter, http://www.google.org/powermeter (last visited Dec. 1, 2009).
73
See generally EPIC, Privacy? Proposed Google/DoubleClick Merger,
http://epic.org/privacy/ftc/google (last visited Dec. 1, 2009).
74
Cf. Statement of Interest of the United States of America Regarding Proposed Class
Settlement, The Author’s Guild, Inc., et al. v. Google, Inc., No. 05 Civ. 8136 (DC), at 16-26
(S.D.N.Y. Sep. 28, 2009) (Department of Justice arguing that the proposed settlement regarding
Google Books “may be inconsistent with antitrust law”). See generally EPIC, Google Books
Settlement and Privacy, http://epic.org/privacy/googlebooks (last visited Dec. 1, 2009).
75
See Privacy Concerns, supra note 42.



Smart Grid data could reveal individual behaviors. Finally, the aforementioned data
aggregation and data mining activity could permit publicized privacy invasions. Thus, NIST
must be of the potential reputational harms presented by the Smart Grid.
III. EPIC RECOMMENDATIONS ON HOW TO MAKE THE SMART GRID PRIVACY SMART
a. NIST'S APPROACH IS INSUFFICIENT
NIST's Cyber Security Strategy report properly recognizes that one of the risks
posed by the Smart Grid is the "[p]otential for compromise of data confidentiality, include
the breach of customer privacy."[76] Within the rubric of potential risks to customer privacy,
NIST conducted a Privacy Impact Assessment, examining the "privacy implications and
related information security safeguards within the planned U.S. Smart Grid, particularly
issues involved with consumer-to-utility data items collected and how they are used."[77]
NIST concluded that "[t]he results of a high-level PIA of the consumer-to-utility
metering data sharing portion of the Smart Grid reveal that significant areas of concern
must be addressed-within each localized region of the Smart Grid."[78] More specifically, NIST
found that the "lack of consistent and comprehensive privacy policies, standards and
supporting procedures throughout the states, government agencies, utility companies and
supporting entities that will be involved with Smart Grid management and information
collection and use creates a privacy risk that needs to be addressed."[79]


76
Cyber Security Strategy, supra note 2, at 2.
77
Id. at 8.
78
Id.
79
Id.



NIST then identified ten principles "as a starting point for the development of
appropriate protections for PII collected and/or used within the Smart Grid."[80] However,
several of the principles are flawed, and NIST relies too heavily on the discredited notice
and consent model of privacy protection. This comment proposes ways to strengthen
NIST's recommendations for privacy protection in the Smart Grid environment.
b. ADOPT FAIR INFORMATION PRACTICES
PII activity should, as mentioned, be limited to a permitted and specified purpose.
EPIC agrees that "only the minimum amount of data necessary for the utility companies to
use for energy management and billing should be collected."[81] EPIC also agrees that
treatment of information must conform to fair information practices. However, NIST
should specify that those practices match the practices identified in the HEW Report[82] and
the OECD Privacy Guidelines.[83] As discussed, the HEW Report established fair information
practices, based on five principles:

(1) There must be no personal data record-keeping systems whose very
existence is secret. (2) There must be a way for a person to find out what
information about the person is in a record and how it is used. (3) There
must be a way for a person to prevent information about the person that was
obtained for one purpose from being used or made available for other
purposes without the person's consent. (4) There must be a way for a person
to correct or amend a record of identifiable information about the person. (5)
Any organization creating, maintaining, using, or disseminating records of

80
Id. at 9.
81
Id. at 12.
82
HEW Report, supra note 1S.
83
OECD Privacy Guidelines, supra note 18.



identifiable personal data must assure the reliability of the data for their
intended use and must take precautions to prevent misuses of the data.[84]

Similarly, the OECD Privacy Guidelines established eight principles for data
protection that are widely used as the benchmark for assessing privacy policies and
legislation: Collection Limitation; Data Quality; Purpose Specification; Use Limitation;
Security Safeguards; Openness; Individual Participation; and Accountability.[85] The
treatment of Smart Grid information should conform to those practices in the following
manner:
Each entry below gives the OECD Privacy Principle, followed by the Corresponding Smart
Grid Principle.

Collection Limitation:
OECD Privacy Principle: There should be limits to the collection of personal data; any
such data collected should be obtained by lawful means and with the consent of the data
subject, where appropriate.
Corresponding Smart Grid Principle: Smart Grid service providers should limit collection
of consumers' personal data; any such data collected should be obtained by lawful means
and with the consent of the consumer, where appropriate.[86]

Data Quality:
OECD Privacy Principle: Collected data should be relevant to a specific purpose, and be
accurate, complete, and up-to-date.
Corresponding Smart Grid Principle: Data collected by Smart Grid service providers should
be relevant to a specific purpose, and be accurate, complete, and up-to-date.

Purpose Specification:
OECD Privacy Principle: The purpose for collecting data should be settled at the outset.
Corresponding Smart Grid Principle: The purpose for collecting Smart Grid data should be
settled at the outset.

Use Limitation:
OECD Privacy Principle: The use of personal data ought be limited to specified purposes,
and data acquired for one purpose ought not be used for others.
Corresponding Smart Grid Principle: The use of Smart Grid personal data ought be limited
to specified purposes, and data acquired for one purpose ought not be used for others.

Security Safeguards:
OECD Privacy Principle: Data must be collected and stored in a way reasonably calculated
to prevent its loss, theft, or modification.
Corresponding Smart Grid Principle: Smart Grid data must be collected and stored in a way
reasonably calculated to prevent its loss, theft, or modification.

Openness:
OECD Privacy Principle: There should be a general position of transparency with respect
to the practices of handling data.
Corresponding Smart Grid Principle: There should be a general position of transparency
with respect to the practices of handling Smart Grid data.

Individual Participation:
OECD Privacy Principle: Individuals should have the right to access, confirm, and demand
correction of their personal data.
Corresponding Smart Grid Principle: Smart Grid consumers should have the right to access,
confirm, and demand correction of their personal data.

Accountability:
OECD Privacy Principle: Those in charge of handling data should be responsible for
complying with the principles of the privacy guidelines.
Corresponding Smart Grid Principle: Those in charge of handling Smart Grid data should be
responsible for complying with the principles of the privacy guidelines.

84
HEW Report, supra note 1S, at xx-xxi.
85
OECD Privacy Guidelines, supra note 18.
86
“Consent” is widely understood as “any freely given specific and informed indication of a data
subject’s wishes by which the data subject signifies his agreement to personal data relating to
him being processed.” European Union Data Protection Directive, reprinted in The Privacy Law
Sourcebook 450 (Marc Rotenberg ed., 2004).

Moreover, NIST should require enforcement of the guidelines in accordance with
the HEW Report.[87] NIST should recommend enforcement mechanisms, such as civil and
criminal penalties, injunctions and private rights of action. By specifying the parameters
and enforcement of the fair information practices, NIST can require actual conformance,
rather than loosely requiring treatment to "conform."
Several of the principles proposed by NIST reflect the FIPs contained in the HEW
Report and the OECD Privacy Guidelines, which is commendable. However, the NIST
guidelines also propose other principles that could be strengthened or improved upon.
c. ESTABLISH INDEPENDENT PRIVACY OVERSIGHT
The Cyber Security Strategy proposes that "[a]n organization should formally
appoint personnel to ensure that information security and privacy policies and practices
exist and are followed. Documented requirements for regular training and ongoing

87
HEW Report, supra note 1S, at xxiii.



awareness activities should exist and be followed. Audit functions should be present to
monitor all data accesses and modifications."[88]
It is essential to ensure that information security and privacy policies and practices
exist and are followed. NIST proposes that "[d]ocumented requirements for regular
privacy training and ongoing awareness activities for all utilities, vendors and other
entities with management responsibilities throughout the Smart Grid should be created
implemented, and compliance enforced." However, it may be insufficient for organizations
to simply provide privacy training to their employees or even to appoint dedicated privacy
officers with audit functions.
For example, in an analogous situation, despite the training and audit authority
conferred to the Chief Privacy Office of the Department of Homeland Security, that office
has proven to be impotent, powerless to effectively protect privacy. On a range of issues,
from whole body imaging to suspicionless electronic border searches, the Chief Privacy
Officer for DHS has failed to fulfill her statutory obligations.[89] Accordingly, EPIC and other
privacy and civil liberties groups have called for Congress to consider the establishment of
alternative oversight mechanisms, including the creation of an independent office.[90]
Without such an independent office,[91] it would be impossible to ensure the proper

88
Cyber Security Strategy, supra note 2, at 9.
89
See EPIC, Department of Homeland Security Chief Privacy Office and Privacy,
http://epic.org/privacy/dhs-cpo.html (last visited Dec. 1, 2009).
90
Letter from EPIC, et al., to Representatives Bennie G. Thompson and Peter T. King (Oct. 23,
2009), available at http://epic.org/security/DHS_CPO_Priv_Coal_Letter.pdf.
91
See, e.g., European Commission, Data Protection - National Commissioners,
http://ec.europa.eu/justice_home/fsj/privacy/nationalcomm/index_en.htm (last visited



protection of privacy rights, because the decisions of the Chief Privacy Officer would
continue to be subject to the oversight of the Secretary and the rest of the Executive
branch.
Similarly, for Smart Grid organizations to appoint privacy personnel or simply train
existing personnel would be an ineffective solution that would only serve to preclude the
possibility of creating an independent position with actual authority to protect privacy. The
better solution is simple - NIST should recommend that an independent Privacy Office,
with completely independent authority be established, with power over all entities
associated with the Smart Grid.
d. ABANDON THE NOTICE AND CONSENT MODEL
The NIST principles rely heavily on the notice and consent model:

A clearly-specified notice should exist to describe the purpose for the
collection, use, retention, and sharing of PII. Data subjects should be told this
information at or before the time of collection. . . .
The organization should describe the choices available to individuals
and obtain explicit consent if possible, or implied consent when this is not
feasible, with respect to the collection, use, and disclosure of their PII.[92]

As a threshold matter, the purposes for which PII can be collected, used, retained, or
shared should be severely restricted. It is insufficient to simply require

Dec. 1, 2009); Office of the Privacy Commissioner of Canada,
http://www.priv.gc.ca/index_e.cfm (last visited Dec. 1, 2009); Office of the Privacy
Commissioner for Personal Data, Hong Kong, http://www.pcpd.org.hk (last visited Dec. 1,
2009).
92
Cyber Security Strategy, supra note 2, at 9.



authorities or organizations to have a nebulous "purpose," as anything from "improved
marketing" to "government surveillance" could qualify. NIST should recommend that a
formal rulemaking be established so that service providers establish a concrete set of
approved purposes for which PII activity is permitted. That list of approved purposes
should be very limited, and only purposes essential to the functioning of the Smart Grid
should be permitted.
Once permissible purposes are established, data subjects should always be informed
of the purpose of any collection, use, retention, or sharing of any PII. However, the "notice
and consent" model is fundamentally flawed and should not be relied upon to excuse or
justify any PII activity. As David Vladeck, Director of the Bureau of Consumer Protection at
the Federal Trade Commission, recently acknowledged, the model simply does not function
as intended:
[The notice and consent model] may have made sense in the past where it
was clear to consumers what they were consenting to, that consent was
timely, and where there would be a single use or a clear use of the data.
That's not the case today. Disclosures are now as long as treatises, they are
written by lawyers -- trained in detail and precision, not clarity -- so they
even sound like treatises, and like some treatises, they are difficult to
comprehend, if they are read at all. It is not clear that consent today actually
reflects a conscious choice by consumers. It is not clear that consent today
actually reflects a conscious choice by consumers.93

Indeed, in EPIC's testimony before the United States Senate Committee on
Commerce, Science and Transportation, Marc Rotenberg argued that "[s]olutions which

93 David Vladeck, Privacy: Where do we go from here?, Speech to the International Conference
of Data Protection and Privacy Commissioners, Nov. 6, 2009, available at
http://www.ftc.gov/speeches/vladeck/091106dataprotection.pdf.



rely on simple notice and consent will not adequately protect users."94 In an analogous
context - notice and consent in online agreements, the failures of the model become more
obvious. A recent survey of California consumers showed that they fundamentally
misunderstand their online privacy rights.95 In two separate surveys almost 60% of
consumers incorrectly believed that the presence of "privacy policy" meant that their
privacy was protected.96 In a different survey, 55% of participants incorrectly believed that
the presence of a privacy policy meant that websites could not sell their address and
purchase information.
Users also routinely click through notices. The Pew Internet and American Life
Project found that 73% of users do not always read agreements, privacy statements or
other disclaimers before downloading or installing programs.97 In such an environment,
merely giving notice to users before collecting their sensitive information fails to
adequately protect privacy in the way consumers expect.
Consumer data should instead receive substantive and ongoing protection.
Especially because of the pervasiveness of the proposed nation-wide Smart Grid, choice
and consent of individuals is severely restricted. In all likelihood, individuals who wish to

94 Impact and Policy Implications of Spyware on Consumers and Businesses: Hearing Before the
S. Comm. on Commerce, Science, and Transportation, 110th Cong. (2008) (statement of Marc
Rotenberg, President, EPIC).
95 Joseph Turow, et al., Consumers Fundamentally Misunderstand the Online Advertising
Marketplace (Oct. 2007), available at
http://groups.ischool.berkeley.edu/samuelsonclinic/files/annenberg_samuelson_advertising.pdf.
96 Id. at 1.
97 Pew Internet & American Life Project, Spyware: The Threat of Unwanted Software Programs
is Changing the way People use the Internet, 6 (July 2005), available at
http://pewinternet.org/pdfs/PIP_Spyware_Report_July_05.pdf.



receive electricity will have little or no choice but to comply with policies that require the
disclosure of PII. For authorities or organizations to obtain the consent of individuals
would be nearly meaningless, as the power dynamic is fatally skewed. Information should
be kept securely, and users should have the ability to know what data about them is being
kept, who it has been shared with, and to withdraw consent for the holding of this data.
Further, data should only be collected and kept for specified purposes. Authorities and
organizations must limit the collection, use, retention and sharing of PII in the first
instance, rather than relying on hollow consents to justify more data collecting activity.
e. IMPOSE MANDATORY RESTRICTIONS ON USE AND RETENTION OF DATA
NIST must ensure that restrictions on the use and retention of data are mandatory,
not aspirational. The NIST guidelines propose that: "Information should only be used or
disclosed for the purpose for which it was collected, and should only be divulged to those
parties authorized to receive it. . . . PII should only be kept as long as is necessary to fulfill
the purposes for which it was collected."98

It is insufficient to simply say that information should be used or disclosed only for a
permitted purpose. Instead, NIST must require organizations to follow those policies, and
must provide the authorities with the power to enforce them.
Furthermore, it is inadequate to permit PII to be retained "as long as is necessary to
fulfill the purposes for which it was collected." That standard is entirely too lenient, and it
would permit organizations too much leeway to retain information whenever they deem it

98 Cyber Security Strategy, supra note 2, at 12.



necessary. Instead, NIST should set expiration dates on PII so that PII can be retained only
for a certain period of time.99 The length of time could vary based on the type of PII and the
purpose for which it was collected. A concrete expiration date would make the system
more transparent for consumers, as they would be more aware of the lifespan of their data.
NIST should also implement role-based access control to Smart Grid data. NIST has
done significant work on the topic of role-based access control to computer records and
systems. In this context, role-based access control protocols should strictly manage when,
where, who and how PII in Smart Grid data is accessed. Access to PII, including electricity
usage, should be limited to the function of the position an individual fills within the Smart
Grid service delivery and billing relationship. Graduated levels of access should be based on
responsibilities for providing Smart Grid FIPs and service provision purposes. Access
should be monitored by log files and auditing of access use and resolution of issues related
to customer service and proper operation of the Smart Grid.
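A sketch of the controls described above (retention periods that vary by PII type, access bound to role and purpose, and a log entry for every decision), added here as an example and not part of the EPIC comments. The role names, PII types and retention periods are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed retention period per PII type (illustrative values, not from NIST or EPIC).
RETENTION = {
    "interval_usage": timedelta(days=90),
    "billing_total": timedelta(days=730),
    "contact_info": timedelta(days=2555),
}
# Assumed roles: for each PII type a role may touch, the purposes it may invoke.
ROLE_GRANTS = {
    "billing_clerk": {"billing_total": {"billing"}, "contact_info": {"billing"}},
    "grid_operator": {"interval_usage": {"load_balancing"}},
    "support_agent": {"contact_info": {"customer_service"}},
}
AUDIT_LOG = []  # in-memory for the sketch; real logs need tamper-evident storage


@dataclass(frozen=True)
class Record:
    customer_id: str
    pii_type: str
    collected_at: datetime
    value: str


def is_expired(record, now):
    """True once the record has outlived the retention period for its PII type."""
    return now >= record.collected_at + RETENTION[record.pii_type]


def access(user, role, purpose, record, now):
    """Release the value only if retention, role and purpose allow it; log every decision."""
    purposes = ROLE_GRANTS.get(role, {}).get(record.pii_type, set())
    if is_expired(record, now):
        decision = "deny:expired"
    elif purpose not in purposes:
        decision = "deny:role_or_purpose"
    else:
        decision = "allow"
    AUDIT_LOG.append({"ts": now.isoformat(), "user": user, "role": role,
                      "purpose": purpose, "customer": record.customer_id,
                      "pii_type": record.pii_type, "decision": decision})
    return record.value if decision == "allow" else None


def purge_expired(records, now):
    """Enforce retention by deletion, so expired PII is not merely hidden."""
    return [r for r in records if not is_expired(r, now)]
```

Denials are logged as well as grants, so an auditor can see attempted use outside a role's function and not only successful reads.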
Finally, NIST should explicitly address law enforcement access to Smart Grid data
and should ensure that their access complies with the strictures of the Fourth Amendment.
As discussed,100 the Supreme Court in Kyllo v. United States addressed the interaction
between the Fourth Amendment and the monitoring of electrical use, holding that the
police could not use thermal imaging equipment, which was not in general public use, "to
explore details of the home that would previously have been unknowable without physical

99 See Viktor Mayer-Schönberger, Delete: the virtue of forgetting in the digital age (2009)
(arguing that digital information should have expiration dates, which will enable people to both
control the sharing of information with others, as well as be more aware of the “finiteness of
information).
100 See supra, notes 9-12.



intrusion," without first obtaining a search warrant.101 As the Court recognized, "'At the
very core' of the Fourth Amendment 'stands the right of a man to retreat into his own home
and there be free from unreasonable governmental intrusion.'"102 Similarly, in the Smart
Grid context, NIST should make clear that the Fourth Amendment protects the information
of Smart Grid consumers, and that law enforcement must first obtain a search warrant
before gaining access to the information.
f. VERIFY TECHNIQUES FOR ANONYMIZATION OF DATA
The privacy risks associated with the use and retention of "anonymized data" are
significant because such data may not be truly anonymous. Quasi-identifiers can be used
for re-identification because they can be linked to external databases that contain
identifying variables. This method, record linkage, occurs when two or more databases are
joined. Such information can be obtained through public records, such as birth and death
certificates.103 Using record linkage, de-identified data can also be easily re-identified. For
example, by utilizing date of birth, gender and zip code information for members of the
public, a researcher was able to uniquely identify 87% of the US population.104

Similarly, according to the GAO, complete SSNs may be reconstructed from
truncated digits by simply comparing truncated SSNs in federally generated public records,

101 533 U.S. 27, 40 (2001).
102 Id. at 31 (quoting Silverman v. United States, 365 U.S. 505, 511 (1961)).
103 See Salvador Ochoa et al., Re-identification of Individuals in Chicago’s Homicide Database:
A Technical and Legal Study, Massachusetts Institute of Technology (2001) (utilizing the Social
Security Death Index and de-identified information about Chicago homicide victims, the
researchers were able to re-identify 35% of the victims).
104 Latanya Sweeney, Weaving Technology and Policy Together to Maintain Confidentiality, 25
J. Law, Med., & Ethics 98, 98–99 (1997).



which provide only the final four digits, to truncated SSNs provided by many information
resellers, which provide only the first five digits.105 Thus, by simply comparing the two
records, a complete SSN can be reconstructed.106

Moreover, in a study published in July 2009, two researchers at Carnegie Mellon
University found that an individual's entire SSN often could be predicted from publicly
available birth information.107 Moreover, the first five digits of an individual's SSN could be
predicted with an even greater degree of accuracy. The accuracy of the researchers'
predictions was even greater when predicting the numbers of individuals born in sparsely-
populated states like Montana, and the researchers anticipate that their predictions will
become increasingly accurate over time. This research demonstrates the ineffectiveness of
attempting to protect privacy by "anonymizing" or "de-identifying" data.
Techniques for anonymizing data should be pursued, but it is vitally important to
ensure that such methods are robust, provable and transparent. Any technique proposed to
anonymize data should be made public and available to researchers to examine and
evaluate. Under no circumstance should a company be able to represent, without
independent verification, that it had anonymized data. Until such techniques are
established and safeguards are put in place, the primary objective should be to minimize
the collection of PII in the first instance.
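One check an independent reviewer could run before accepting a claim that a release is anonymized: count how many records are unique on the quasi-identifiers named above (date of birth, gender, ZIP code). This is an added example, not part of the EPIC comments; the records are constructed, and the k-anonymity measure and the generalization rule (birth year, 3-digit ZIP) are assumptions chosen for the illustration.

```python
from collections import Counter

QUASI_IDENTIFIERS = ("dob", "gender", "zip")

# Constructed sample of a "de-identified" release: names removed, quasi-identifiers kept.
RELEASE = [
    {"dob": "1961-03-14", "gender": "F", "zip": "20009", "kwh": 412},
    {"dob": "1961-07-02", "gender": "F", "zip": "20009", "kwh": 388},
    {"dob": "1961-11-30", "gender": "F", "zip": "20010", "kwh": 530},
    {"dob": "1974-01-09", "gender": "M", "zip": "20009", "kwh": 275},
    {"dob": "1974-05-21", "gender": "M", "zip": "20001", "kwh": 301},
    {"dob": "1974-09-17", "gender": "M", "zip": "20002", "kwh": 640},
    {"dob": "1988-02-28", "gender": "F", "zip": "20009", "kwh": 198},
]


def class_sizes(rows, keys=QUASI_IDENTIFIERS):
    """Count rows sharing each quasi-identifier combination (equivalence classes)."""
    return Counter(tuple(r[k] for k in keys) for r in rows)


def k_anonymity(rows, keys=QUASI_IDENTIFIERS):
    """Size of the smallest equivalence class; 1 means at least one row is unique."""
    return min(class_sizes(rows, keys).values())


def unique_fraction(rows, keys=QUASI_IDENTIFIERS):
    """Share of rows that a join on the same keys would single out."""
    sizes = class_sizes(rows, keys)
    return sum(1 for r in rows if sizes[tuple(r[k] for k in keys)] == 1) / len(rows)


def generalize(row):
    """Coarsen the quasi-identifiers: birth year only, first three ZIP digits."""
    return {**row, "dob": row["dob"][:4], "zip": row["zip"][:3]}


def release_check(rows, k_required):
    """Rows in classes smaller than k_required: suppress or coarsen before release."""
    sizes = class_sizes(rows)
    return [r for r in rows
            if sizes[tuple(r[k] for k in QUASI_IDENTIFIERS)] < k_required]
```

On this sample every raw row is unique, and even after coarsening one outlier remains in a class of size one, so a claim of anonymity would fail the check until that row is suppressed.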
g. ESTABLISH ROBUST CRYPTOGRAPHIC STANDARDS

105 U.S. Gen. Accounting Office, Identity Fraud Survey Report: Consumer Version 2-3 (2009).
106 Id. at 3.
107 See Alessandro Acquisti & Ralph Gross, Predicting Social Security Numbers from Public
Data, 106 Proceedings of the National Academy of Sciences 10975.



Strong cryptography should be applied to secure all electronic communications
from a Smart Grid application or device. Threats to address include injection of false
information, deletion of information, denial of service attacks, billing identity theft, service
identity theft, malicious software, cyber attacks, pranks and various types of
surveillance.108

"The Billion-Dollar Bug: Smart meters are extremely attractive targets for
malicious hackers, largely because vulnerabilities can easily be monetized. Hackers
who compromise a meter can immediately manipulate their energy costs or
fabricate generated energy meter readings."

For this reason, there should be an open call for designs that seek to maximize both
data security and privacy of the home as well as of enterprises. It is well known in the
cryptographic community, for instance, that so-called "blind signatures" can allow
ultra-secure reporting of energy usage statistics without revealing the precise appliance
and timings involved.109

Sound cryptographic techniques do not rely upon hiding the cryptographic process,
often referred to as an algorithm, from public review. Sound cryptographic processes are
made so by the rigors imposed by public disclosure and testing of algorithms, and perhaps
even more significantly, by the environment in which the cryptography is implemented.110


108 Patrick McDaniel & Stephen McLaughlin, Security and Privacy Challenges in the Smart
Grid, IEEE Security and Privacy, May/June 2009, 75-77.
109 David Chaum, Achieving Electronic Privacy, Scientific American, Aug. 1992, at 96-101,
available at http://chaum.com/articles/Achieving_Electronic_Privacy.htm.
110 Bruce Schneier, Applied Cryptography 21-46 (2d ed. 1996).



Placing the strongest cryptography in an operating system or application that can easily be
subverted by insiders, or compromised externally by penetration and malware can render
the cryptography ineffective.111 For this reason, it is imperative that all cryptographic
algorithms used to secure Smart Grid technology and electronic technology used to
facilitate Smart Grid optimization and operations be open for public inspection and testing
and that the findings be made public, including the entire systems in which the
cryptography is used. Further, encryption and decryption keys that are used to secure
information stored or transmitted on the Smart Grid should be of sufficient complexity that
they cannot be easily deduced or broken.
It is disconcerting that a document prepared by the National Institute of Standards
and Technology on what will be the most significant leap forward in digital communication
capability in thirty years had so little to say about cryptography. The document mentioned
"cryptography" and "encryption" only twice, and both times were in a table on standards
and applications.
IV. CONCLUSION
Privacy protection is essential to the successful implementation of the Smart Grid,
and failure to develop a robust policy framework to safeguard consumer privacy could
have dire consequences. EPIC urges NIST to take these recommendations into
consideration in deciding the structure and capabilities of the Smart Grid. EPIC is willing
and able to contribute to the further development of Smart Grid policy that would help

111 Peter Neumann, Computer Related Risks 132-180 (1995).



encourage robust privacy protection while allowing the Smart Grid to accomplish
important policy objectives.
Respectfully submitted,

/s/
Marc Rotenberg
Executive Director
EPIC
1718 Connecticut Avenue, NW
Suite 200
Washington, DC 20009

Lillie Coney
Associate Director
EPIC

Matthew Phillips
Appellate Privacy Fellow
EPIC

Deborah Pierce
Executive Director
Privacyactivism

Beth Givens, Director
Privacy Rights Clearinghouse

Michael Ostrolenk
Liberty Coalition

Lee Tien
Electronic Frontier Foundation

Mark P. Cohen, Esq.
Executive Director
Government Accountability Project

Dane vonBreichenruchardt,
President



U.S. Bill of Rights Foundation

Lisa Graves
Executive Director
Center for Media and Democracy

Richard Sobel,
Cyber Security Project

John W. Whitehead
President
The Rutherford Institute

Pam Dixon
Executive Director
World Privacy Forum

J. Bradley Jansen
Director
Center for Financial Privacy and
Human Rights

Michael Macleod-Ball
Acting Director
American Civil Liberties Union

Linda Sherry
Director, National Priorities
Consumer Action

Lynne E. Bradley,
Director, Office of Government
Relations
American Library Association
