Smart cities offer the exciting prospect of creating an environment that is easy to live in, quick to navigate and adaptive to changing circumstances. Information on citizens’ behaviour and the environment in which they live is central to the operation of this plan. Including personal identity in the data will personalise the user experience. Therefore, data security in smart city applications is paramount, as it underpins the integrity and trust in their operation.
Examples of smart applications that require this data include dynamic car sharing programs, waste management initiatives and micro-grids for power generation. All of these have the potential to dramatically improve the lives of citizens and their city ecosystem.
The data required to operate these applications needs a large range of sensors. These would track the movement of people and cars, and monitor energy consumption and generation for each building. Brought together, these give information on how the city is performing, but the amount of data generated will be huge as people and objects are tracked across the networks.
Small-scale trials of technology in this field have largely operated with only the implied trust of the public. Networks of sensors that use Bluetooth tracking of vehicles to monitor traffic flow have been available for years. These have run without personal information, with measures being taken to anonymise the data, and thus far the implied trust model has worked.
Smart city applications have a much larger scale of data acquisition and there is a potential perception of invasion of personal privacy. To progress this agenda, I believe a wider public debate is required to achieve explicit consent of the people.
Public trust in government bodies handling personal data is already low. A recent YouGov ODI survey, “Attitudes towards data sharing”, recorded that between 37% and 44% of citizens trust the government to hold private data, and private organisations scored much lower. Asked whether ‘data is useful when governments use it to understand and better serve society with improved public services’, only 51% of respondents agreed. Personal location data and journey information were particularly sensitive, with only 33% agreeing to their use. Clearly, work is required to gain public acceptance of smart city applications, and trust can only be gained if robust measures and controls can be demonstrated.
Public confidence would evaporate if there were any perception that this valuable data was being misused with malicious intent. For example, fictitious vehicle movements sent to roadside sensors could induce gridlock as traffic controls adapt to false information. Equally, if smart city data were accessed to reveal the location of a person, this would be a severe invasion of personal privacy.
The complexity of protecting this data shouldn’t be underestimated. It will move quickly across different applications and cloud providers, and artificial intelligence solutions will be required to make sense of the vast amount of data. The traditional approach of modelling risk by devices and networks will not adapt well to this data-centric world. The three pillars of information security, Confidentiality, Data Integrity and System Availability, are insufficient, as Non-Repudiation and Authentication of data are equally important. Smart city applications depend on sharing and moving data for different purposes, so they need to be considered together. As such, data usage is central to any risk, architecture or management planning, and understanding how your data behaves puts you in a better position to respond to changes in regulation.
You must ensure that correct design and security controls are used to protect against induced malfunction and to uphold the privacy of the people. Demonstrating these measures is fundamental to establishing public trust.
Mike Pannell is from BT