Watcher - from Bethesda Software's Elder Scrolls Online

TL;DR: Nobody should be allowed to attach a computer to someone else's person or property without consent.

Seattle City Light's apparent noncompliance with ordinances.

On Feb 16th 2018 I learned that Seattle City Light is replacing electric meters on homes with digital meters that record and transmit electrical usage data at 15-minute intervals. This level of detail can be used to determine a variety of things about people and their activities that might normally be considered private. For example, by matching electrical usage pattern details to known holidays and observances, it should be possible to identify practicing Muslim or Jewish households. I see no reason why Fourth Amendment protections should not apply to this level of data collection and I question whether it is legal or ethical to deploy a means of capturing people's activities in their homes without consent.

SCL does appear to be aware of the legal and informational weight of what is being collected in that it requires a subpoena or warrant to release the data to other goverment entities. That led me to wonder why a subpeona or warrant is not required to collect the data in the first place, and given that the digital meters "may deliberately or inadvertently capture activities of individuals on public or private property" and are not exempted as monitoring utility infrastructure (like reservoir cameras) whether SCL obtained City Council approval prior to acquisition of the equipment in accordance with Seattle's March 2013 ordinance 124142's SMC 14.18.10, 14.18.20, and 14.18.30.

SCL is collecting data that can reveal whether people go to church, and if anybody's home during the day. With neural net training, it should be possible to identify things like when a household had a baby or households with latchkey kids. SCL's response to this concern was that someone could park a car outside of a house to determine the same thing, but that misses the point: data analysis would effectively allow someone to park cars outside of four hundred thousand houses all at once from the beginning of the data collection, not to mention be able to determine much more than would be seen from the street. The sophistication of data mining, machine learning, and behavior identification algorithms has risen tremendously over the past decade. These techniques are the bread and butter of companies like Facebook, Doubleclick, Youtube, Amazon, and in an extreme case, Cambridge Analytica which makes no secret about vacuuming up everything they can from people's online posts to how much they pay for electricity or anything else in order to build "psychometric profiles" tied to individual names and addresses. We live in an era where data gatherers must concern themselves not only with privacy issues that arise from the face value of the data they are gathering, but with what can be determined from it by an entity that is skilled at data mining; at analyzing and correlating that data with other things.

We also live in an era where data gatherers should proceed under the assumption that whatever they store will eventually be stolen. The list of companies and government entities that believed they were secure, claimed to be secure, and had hundreds of thousands or hundreds of millions of individual's private data records copied out of their databases is long and will continue to grow. A personal anecdote is that not two weeks after my concerns about passing sensitive company internal documents around using Google Docs were refuted with the notion that Google's army of IT professionals surely made Google more secure than our company would ever be, Google announced that they had been penetrated by an email phishing attack originating from China. Equifax just announced the loss of millions of records - again. Major data breaches occur on a continuous basis. Seattle City Light has no special immunity from having its data stolen. Like many others who have been and will be breached, their data is stored in a networked database and their employees use email.

If I had constructed an electrical generation and distribution grid, detailed consumption data would be valuable to me. I would gather that data from distribution points a hop away from people's homes. That would eliminate privacy concerns by aggregating households in the raw data while still giving me enough detail to accomplish my stated goals. There would be no Fourth Amendment issues, no ordinance issues, and if the data were stolen, no individuals would be compromised.

If I had already deployed equipment that gathered privacy and security sensitive data from individual homes without consent, I would turn the gathering off until I had individual consent. I would tier my rates so that individuals who wanted to participate in smoothing out consumption curves (by, for example, doing their laundry during off-peak times) could actually lower their electricity bill by doing so and I would offer that as an incentive to give consent to resume gathering detailed individual data. I would still aggregate the stored data as quickly as possible in anticipation of a future data breach.

Finally, I would continuously evaluate my activities in the broader contexts of technology, society, politics, law, and crime. That is the responsibility of any data-gatherer today, who can easily do far more inadvertent damage to people's privacy than they realize.

I've been in communication with Seattle City Light nonstop since I found out about this trying to get them to not attach a surveillance device to the side of my house and asking them to clarify their position on the Fourth Amendment question, along with a few other questions about security. It's not going well. That makes it pretty hard to stop thinking about the whole thing. I downloaded some histories of 15-minute interval electricity usage to start looking at.

The data looks highly minable. Just looking at the raw numbers with your eyes and your head is fascinating. There are big-amplitude swings clearly related to seasonal weather. You can see cold snaps and heat waves lasting days. You can see hour-long spikes in the mornings and evenings that might be water heaters recovering from a shower. You can see all sorts of much smaller-amplitude events occuring in the midst of all that, some that look cyclic and machine-made and some more random. It's reminiscent of radio noise. FFTs and filters might apply.

On the deep end is neural net training to recognize things like when occupants have babies or whether the household has latchkey kids. That's within my abilities but there's a lot I don't know and it'd take me a fair bit of time to get somewhere real with it. On the shallow end is coming up with a set of easily calculable metrics like average daily time of peak usage and sliding windows of averages and standard deviations to see if people are home or not and to detect changes in the more random or possibly human-caused events that can be matched to specific dates and times. That shouldn't be hard, and a quick search returns some ACM and IEEE articles showing that others have done some of that already for the purpose of detecting building occupancy from usage data.

After repeated attempts, Seattle City Light has not answered a number of pertinant questions such as whether SCL submitted a data management policy document as required by the March 2013 ordinance 124142 in place at the time of acquisition and deployment, and why consent, a subpoena, or a warrant shouldn't be required to collect the data since they are required to give it out. SCL does claim that it won't surveil someone if they pay them $125 plus $180 a year, but a digital meter is still installed so SCL is not in fact offering any means to opt out. Aside from the potential illegality of holding privacy for ransom, we all have a revulsion to paying someone money not to harm us.