Watcher - from Bethesda Software's Elder Scrolls Online

TL;DR: Nobody should be allowed to attach a computer to someone else's person or property without consent.

Seattle City Light's apparent noncompliance with ordinances.

On Feb 16th 2018 I learned that Seattle City Light is replacing electric meters on homes with digital meters that record and transmit electrical usage data at 15-minute intervals. This level of detail can be used to determine a variety of things about people and their activities that might normally be considered private. For example, by matching electrical usage pattern details to known holidays and observances, it should be possible to identify practicing Muslim or Jewish households. I see no reason why Fourth Amendment protections should not apply to this level of data collection and I question whether it is legal or ethical to deploy a means of capturing people's activities in their homes without consent.

SCL does appear to be aware of the legal and informational weight of what is being collected in that it requires a subpoena or warrant to release the data to other goverment entities. That led me to wonder why a subpeona or warrant is not required to collect the data in the first place, and given that the digital meters "may deliberately or inadvertently capture activities of individuals on public or private property" and are not exempted as monitoring utility infrastructure (like reservoir cameras) whether SCL obtained City Council approval prior to acquisition of the equipment in accordance with Seattle's March 2013 ordinance 124142's SMC 14.18.10, 14.18.20, and 14.18.30.

SCL is collecting data that can reveal whether people go to church, and if anybody's home during the day. With neural net training, it should be possible to identify things like when a household had a baby or households with latchkey kids. SCL's response to this concern was that someone could park a car outside of a house to determine the same thing, but that misses the point: data analysis would effectively allow someone to park cars outside of four hundred thousand houses all at once from the beginning of the data collection, not to mention be able to determine much more than would be seen from the street. The sophistication of data mining, machine learning, and behavior identification algorithms has risen tremendously over the past decade. These techniques are the bread and butter of companies like Facebook, Doubleclick, Youtube, Amazon, and in an extreme case, Cambridge Analytica which makes no secret about vacuuming up everything they can from people's online posts to how much they pay for electricity or anything else in order to build "psychometric profiles" tied to individual names and addresses. We live in an era where data gatherers must concern themselves not only with privacy issues that arise from the face value of the data they are gathering, but with what can be determined from it by an entity that is skilled at data mining; at analyzing and correlating that data with other things.

We also live in an era where data gatherers should proceed under the assumption that whatever they store will eventually be stolen. The list of companies and government entities that believed they were secure, claimed to be secure, and had hundreds of thousands or hundreds of millions of individual's private data records copied out of their databases is long and will continue to grow. A personal anecdote is that not two weeks after my concerns about passing sensitive company internal documents around using Google Docs were refuted with the notion that Google's army of IT professionals surely made Google more secure than our company would ever be, Google announced that they had been penetrated by an email phishing attack originating from China. Equifax just announced the loss of millions of records - again. Major data breaches occur on a continuous basis. Seattle City Light has no special immunity from having its data stolen. Like many others who have been and will be breached, their data is stored in a networked database and their employees use email.

If I had constructed an electrical generation and distribution grid, detailed consumption data would be valuable to me. I would gather that data from distribution points a hop away from people's homes. That would eliminate privacy concerns by aggregating households in the raw data while still giving me enough detail to accomplish my stated goals. There would be no Fourth Amendment issues, no ordinance issues, and if the data were stolen, no individuals would be compromised.

If I had already deployed equipment that gathered privacy and security sensitive data from individual homes without consent, I would turn the gathering off until I had individual consent. I would tier my rates so that individuals who wanted to participate in smoothing out consumption curves (by, for example, doing their laundry during off-peak times) could actually lower their electricity bill by doing so and I would offer that as an incentive to give consent to resume gathering detailed individual data. I would still aggregate the stored data as quickly as possible in anticipation of a future data breach.

Finally, I would continuously evaluate my activities in the broader contexts of technology, society, politics, law, and crime. That is the responsibility of any data-gatherer today, who can easily do far more inadvertent damage to people's privacy than they realize.

I've been in communication with Seattle City Light nonstop since I found out about this trying to get them to not attach a surveillance device to the side of my house and asking them to clarify their position on the Fourth Amendment question, along with a few other questions about security. It's not going well. That makes it pretty hard to stop thinking about the whole thing. I downloaded some histories of 15-minute interval electricity usage to start looking at.

The data looks highly minable. Just looking at the raw numbers with your eyes and your head is fascinating. There are big-amplitude swings clearly related to seasonal weather. You can see cold snaps and heat waves lasting days. You can see hour-long spikes in the mornings and evenings that might be water heaters recovering from a shower. You can see all sorts of much smaller-amplitude events occuring in the midst of all that, some that look cyclic and machine-made and some more random. It's reminiscent of radio noise. FFTs and filters might apply.

On the deep end is neural net training to recognize things like when occupants have babies or whether the household has latchkey kids. That's within my abilities but there's a lot I don't know and it'd take me a fair bit of time to get somewhere real with it. On the shallow end is coming up with a set of easily calculable metrics like average daily time of peak usage and sliding windows of averages and standard deviations to see if people are home or not and to detect changes in the more random or possibly human-caused events that can be matched to specific dates and times. That shouldn't be hard, and a quick search returns some ACM and IEEE articles showing that others have done some of that already for the purpose of detecting building occupancy from usage data.

After repeated attempts, Seattle City Light has not answered a number of pertinant questions such as whether SCL submitted a data management policy document as required by the March 2013 ordinance 124142 in place at the time of acquisition and deployment, and why consent, a subpoena, or a warrant shouldn't be required to collect the data since they are required to give it out. SCL does claim that it won't surveil someone if they pay them $125 plus $180 a year, but a digital meter is still installed so SCL is not in fact offering any means to opt out. Aside from the potential illegality of holding privacy for ransom, we all have a revulsion to paying someone money not to harm us.

These meters do not measure electrical usage over time. Instead, they take "instantaneous" readings and then perform arithmetic calculations to attempt to estimate electrical usage over time. I am both hopeful and confident that they do a better job at that than Seattle City Light's recent billing software did, but the billing software is worth mentioning because what is being done in the meters is conceptually the same as what the billing software was trying to do: generate estimates in the absence of data. The difference is the time scale. The time scale is in fractions of seconds, which is coalesced to a larger amount of time, which is in turn coalesced to a larger amount of time. Some models of electrical meters store usage data in estimated 5-minute intervals, which are transmitted in blocks or read out of an infrared port to a handheld reader and turned into 15 minute, 30 minute, etc. intervals up to a month. There are plenty of opportunities for errors in programming to be made when implementing this kind of averaging. As a computer programmer, I want to know what the exact algorithm of data coalescing being performed is because I want to know that if my water heater thermostat shuts the heating elements off for 4 minutes between two values that are 5-minutes apart, that an accurate accounting is being performed, not an inaccurate accounting masked over time by a statistically roughly equal number of errors in the opposite direction. Analog meters don't have that issue.

It is important to understand that these meters, like the majority of embedded-computer devices, are reprogrammable. They contain flash memory that stores a bootloader, an operating system, and software that handles data management and I/O, whether that I/O be in the form of wireless connections or communication with the infrared port. The software can be replaced. In the case of the wireless version, it can be replaced remotely. Described capabilities and limitations need to be interpreted with the understanding that those only apply to the device in its current form. The behaviour and in some cases capabilities of these devices can be modified without physical changes to the device. This is true of both versions of meters.

It is my understanding that Seattle City Light uses a third party to process and deliver data collected from these meters. Landis-Gyr employees that develop, maintain, and administer the system that processes collected data have unknown levels of access. What exactly is being trasmitted to Landis-Gyr and at what interval detail? "Five or six times a day" does not necessarily mean 4-hour intervals. One transfer might consist of a block of data containing a number of measurements coalesced into five minute intervals. If someone offers money to a Landis-Gyr employee or sends a faxed official-looking request for a collection of records, what measures are in place to prevent such an attack from succeeding? If Landis-Gyr is broken into by a sophisticated attacker, what prevents a firmware modification from being issued to an installed meter? The real answer to these kinds of questions is that with this many moving parts, it's not possible to defend against everything that could go wrong. Because we have precedent real-world examples of what can go wrong in these kinds of situations happening, with millions upon millions of records being stolen on an ongoing basis from every industry that uses databases connected to the Internet, the appropriate thing to do is to allow people to opt out. Bear in mind that it's going to be a small minority. Just as plenty of people will eagerly upload all sorts of personal data to Facebook, plenty of people will happily allow these meters to be installed on their houses. Just as we shouldn't mandate the posting of private data to Facebook, we shouldn't mandate the attachment of data-gathering computers to people's houses.

The Landis-Gyr SaaS system is proprietary. If Seattle City Light is going to be using it to process data for citizens of Seattle, it should be publically auditable. Electrical meters are a bit like voting machines, only they're counting our watt hours and taking our money instead of counting our votes. The public needs to be able to examine how they work.

People should be able to opt out of this. The Landis-Gyr meter offered as the opt-out option collects and stores data in the same way as the networked meter. Claiming that another data- collecting meter satisfies an opt-out option is a bit like the NSA claiming that they're not collecting data because it's the phone companies that are collecting it on their behest.