Skip to content
Naked Security Naked Security

Using smart meter data constitutes a search, but court allows them anyway

US cities using smart meters narrowly escaped a legal problem this month when a court decided that the benefits of these IoT devices outweighed the privacy issues created by collecting detailed home energy data.

US cities using smart meters narrowly escaped a legal problem this month when a court decided that the benefits of these IoT devices outweighed the privacy issues created by collecting detailed home energy data.
The US Court of Appeals for the Seventh Circuit, a federal court that oversees appeals for Illinois, Indiana and Wisconsin, ruled against a privacy advocacy group called Naperville Smart Meter Awareness (NSMA). The group had sued the Illinois City of Naperville over its smart meter program, arguing that the devices give up too much information about residents.
Utilities have been busy installing smart meters across the US for several years now. The US Energy Information Administration counted 70,833,000 in the US in 2016, of which 88% were residential.
While traditional electricity meters gather energy consumption data in a single figure on a monthly basis, smart meters are far more granular. They collect thousands of readings per month, which provide a clearer profile of when and how residents are using electricity. This lets utilities manage their energy flow and improve grid reliability.
However, this increased visibility brings its own concerns for privacy-conscious consumers. Each home appliance has its own energy load signature, which creates a unique fingerprint for it and enables those collecting the energy to understand what people are doing at home.
The data collection creates a privacy issue, said the NSMA. Naperville’s meters read energy usage data every 15 minutes and store it for up to three years. Privacy advocates argued that people with access to that information could tell when a home is vacant, when people eat and sleep, and what appliances are in the home. It might even be possible to check electric vehicle charging times to find out about people’s travel patterns, it said.
These concerns led the NSMA to claim that smart meter data collection violated the Fourth Amendment of the US Constitution, which prohibits unreasonable searches and seizures.
That data collection isn’t something that people can opt out of. In its decision, filed last week, the court said:

While some cities have allowed residents to decide whether to adopt smart meters, Naperville’s residents have little choice. If they want electricity in their homes, they must buy it from the city’s public utility. And they cannot opt out of the smart-meter program.

It’s a search, but is it fair?

The court asked two questions in assessing NSMA’s appeal: is the collection of data from smart meters a search, and is it reasonable?
It ruled that using technology to peek in detail at goings-on inside peoples’ homes every 15 minutes does constitute a search, but decided that the search was reasonable.
US law decides whether a search is reasonable by balancing its intrusion on Fourth Amendment rights against how much it serves the government’s interests, the court said. It decided that smart meter data collection is not very intrusive because the data isn’t used to prosecute people.
Conversely, because the collection of smart meter data allows utilities to reduce costs, provide cheaper power to consumers, encourage energy efficiency and increase grid stability, it is very much in the government’s interest and can be allowed.
The court had a caveat, though, and warned the City that the balance could change. It concluded:

We caution, however, that our holding depends on the particular circumstances of this case. Were a city to collect the data at shorter intervals, our conclusion could change. Likewise, our conclusion might change if the data was more easily accessible to law enforcement or other city officials outside the utility.


16 Comments

They have missed the point about how monitoring usage data can enable suppliers to introduce granular energy pricing, so the cost per unit varies upon time of day and amount being used on an hourly, or less, basis. That is already being suggested in the UK, which is why so may are refusing to have the meters. Further, they do not reduce consumption, only monitoring it. Users reduce their consumption by monitoring what the meter is showing in terms of cost per period. The menters also allo suppliers to turn off the supply if they decide the usage is not in their best interests – irrespective of the consumers needs.
I will never have one fitted.

One major benefit of smart meters that we’ve seen in the US, is that electricity rates can be varied in low demand periods. Making certain activities like charging your car at night more effective. Among others.

Though if a provider wanted to offer variable pricing without needing to take samples from everyone’s meters, surely it could?
(I live in the UK and have a really old-fashioned electricity meter, but it’s still able to bill me different rates at different times, and I’m able to take advantage of the cheap rates by having appliances – my water heater, for instance – that turn off automatically when the price is high. Ironically, that meter can write to itself, but not read itself back in. I have to read off the numbers myself and upload or phone in my usage every so often if I want to get charged the right price.)
The power company knows when usage is high/rising/falling/low, and it could tell you that with a write-only connection to your meter.

Paul you bring up a good point – that these meters should only be able to give data, not receive it. As surely if they could, someone would figure out how to shut people off and just drive around broadcasting that command.

Receiving or saving data isn’t bad (for example, the utility company might want to update the on-peak/off-peak time bands stored in the meter).
I was merely commenting on the suggestion that the utility company needs to monitor your usage in 15 minute bands (or something similar) if it is going to offer demand-based pricing.
You might be able to get keener deals if you do give them access to details about how you consume power, but I get a basic level of demand-based pricing even with my not-very-smart-at-all meter…so there’s my “existence proof”.

Incorrect, at least in Minnesota. The meters are only used to throttle home users during peak periods. I used to have one of the early one, and never again.

When they installed mine a few years ago, no choice if I wanted water. (water meter).
However – someone could always wrap copper foil around it, and pull it off for monthly readings if asked.

Another attack by a “concerned group” on law enforcement ability to police their communities and prevent the spread of crime. The information being gathered is not private, it belongs to the utility and they can do with it what they like, provided you agree to it.
Additionally, law enforcement has used this type of information for years. Now that it’s more granular it’s all of a sudden a search? Sounds like the problem people have is with law enforcement being too effective.

Typically, I strongly support law enforcement (LE), even going so far as to favor LE over privacy (to a much higher degree than most posters here).
I don’t even have any problem with LE getting this data, but I DO have a problem with it being owned by the city. Governments are legendary in their ability to allow hackers into their “secure” systems. Goodness, I myself reported an open wireless network at the state lottery building. It is possible that I could have used it to win the lottery; who knows? But, I didn’t.
Would your average criminal do the same? I don’t think so.
I don’t say this to toot my own horn. No, I say it to show one example of extremely poor security practices in one small area of government.
I definitely have no problem with LE having the data. But, I have big problems with how they get it, and what happens to the data along the way.

My views aren’t identical but my concerns are similar. It doesn’t seem to matter whether I trust LE or not – it’s whether I trust the lock on the giant cupboard that my “collected just in case” data is being stuffed into in the indistinct hope that it might be useful to someone later on. Why would I need to worry about what LE _might_ do to me when I can worry about what I know cybercrooks _will_ do to me if the cupboard suddenly bursts open? And how can I convince myself that the cupboard won’t burst open? The historical record so far seems to suggest that a ruptured cupboard is not merely likely but inevitable.
We have this weird tension in the EU (at least in the UK part of the EU, anyway) right now where one part of the public service is making enormous and IMO creditable efforts to get us all to collect less data and safeguard what we do collect more strongly, whilst another part of the public sector is making equally vigorous efforts to ensure we collect more and more, and to insist that we safeguard it less. Ironically, both groups claim that their approach will improve our collective resilience to crime and criminality.

Disappointed the court thinks 15 minutes is unintrusive. The rationale seems too focused on constitutional taking in the government’s interest, like a right of way for the people’s benefit. Yet the evidence of benefits fail to consider availability and reasonable pursuit of less intrusive options for improved power grid management.

I think the court’s position is that it’s “reasonable”, not “unintrusive”. It’s definitely intrusive, but this court said it’s not intrusive ENOUGH to block it.
But, 15 minutes seems awfully granular to me. Coupled with the personally identifiable information, it seems TOO granular to me.
IMO, it should be aggregated down to geographic areas, and only transmitted or stored in that form.

Seems to me the NSMA is just another acronym for the ACLU. If I’ve got no reason to hide what I’m doing (i.e. it’s not illegal or potentially embarrassing), why should I care what data’s collected? Don’t get me wrong, I personally don’t think anybody should be sticking their noses into my business, and I take the normal, not-quite-paranoid steps necessary, but if I’ve got nothing to hide, why hide? It just makes people suspicious. I think groups like this (NSMA) are bamboozled by other groups like the ACLU into thinking that these are normal privacy issues, when in fact they’re really protecting a certain criminal element.

Comments are closed.

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?