NorCAL Torch Fires; How the Firestorms Were Created

Dark Emitting Diodes used for Cloaking

Design Considerations for Indoor Wireless Transmission between a Body-Worn Physiological Monitoring Device and a Gateway in a Home Environment

Smart Meter Data: Privacy and Cybersecurity – Congressional Research Report 2012

Fueled by stimulus funding in the American Recovery and Reinvestment Act of 2009 (ARRA), electric utilities have accelerated their deployment of smart meters to millions of homes across the United States with help from the Department of Energy’s Smart Grid Investment Grant program. As the meters multiply, so do issues concerning the privacy and security of the data collected by the new technology. This Advanced Metering Infrastructure (AMI) promises to increase energy efficiency, bolster electric power grid reliability, and facilitate demand response, among other benefits. However, to fulfill these ends, smart meters must record near-real time data on consumer electricity usage and transmit the data to utilities over great distances via communications networks that serve the smart grid. Detailed electricity usage data offers a window into the lives of people inside of a home by revealing what individual appliances they are using, and the transmission of the data potentially subjects this information to interception or theft by unauthorized third parties or hackers. [CJF emphasis]

Unforeseen consequences under federal law may result from the installation of smart meters and the communications technologies that accompany them. This report examines federal privacy and cybersecurity laws that may apply to consumer data collected by residential smart meters. It begins with an examination of the constitutional provisions in the Fourth Amendment that may apply to the data. As we progress into the 21^st century, access to personal data, including information generated from smart meters, is a new frontier for police investigations. The Fourth Amendment generally requires police to have probable cause to search an area in which a person has a reasonable expectation of privacy. However, courts have used the third-party doctrine to deny protection to information a customer gives to a business as part of their commercial relationship. This rule is used by police to access bank records, telephone records, and traditional utility records. Nevertheless, there are several core differences between smart meters and the general third-party cases that may cause concerns about its application. These include concerns expressed by the courts and Congress about the ability of technology to potentially erode individuals’ privacy.
If smart meter data and transmissions fall outside of the protection of the Fourth Amendment, they may still be protected from unauthorized disclosure or access under the Stored Communications Act (SCA), the Computer Fraud and Abuse Act (CFAA), and the Electronic Communications Privacy Act (ECPA). These statutes, however, would appear to permit law enforcement to access smart meter data for investigative purposes under procedures provided in the SCA, ECPA, and the Foreign Intelligence Surveillance Act (FISA), subject to certain conditions. Additionally, an electric utility’s privacy and security practices with regard to consumer data may be subject to Section 5 of the Federal Trade Commission Act (FTC Act). The Federal Trade Commission (FTC) has recently focused its consumer protection enforcement on entities that violate their privacy policies or fail to protect data from unauthorized access. This authority could apply to electric utilities in possession of smart meter data, provided that the FTC has statutory jurisdiction over them. General federal privacy safeguards provided under the Federal Privacy Act of 1974 (FPA) protect smart meter data maintained by federal agencies, including data held by federally owned electric utilities. [CJF emphasis]

General federal privacy safeguards provided under the Federal Privacy Act of 1974 (FPA) protect smart meter data maintained by federal agencies, including data held by federally owned electric utilities. Section 5 of the Federal Trade Commission Act (FTC Act) allows the Federal Trade Commission (FTC) to bring enforcement proceedings against electric utilities that violate their privacy policies or fail to protect meter data from unauthorized access, provided that the FTC has statutory jurisdiction over the utilities.
It is unclear how Fourth Amendment protection from unreasonable search and seizures would apply to smart meter data, due to the lack of cases on this issue. However, depending upon the manner in which smart meter services are presented to consumers, smart meter data may be protected from unauthorized disclosure or unauthorized access under the Stored Communications Act (SCA), the Computer Fraud and Abuse Act (CFAA), and the Electronic Communications Privacy Act (ECPA). If smart meter data is protected by these statutes, law enforcement would still appear to have the ability to access it for investigative purposes under procedures provided in the SCA, ECPA, and the Foreign Intelligence Surveillance Act (FISA). [CJF emphasis]

Residential smart meters present privacy and cybersecurity issues 19 that are likely to evolve with the technology.20 In 2010, the National Institute of Standards and Technology (NIST) published a report identifying some of these issues, which fall into two main categories: (1) privacy concerns that smart meters will reveal the activities of people inside of a home by measuring their electricity usage frequently over time;21and (2) fears that inadequate cybersecurity measures surrounding the digital transmission of smart meter data will expose it to misuse by authorized and unauthorized users of the data. [CJF emphasis]

Smart meters offer a significantly more detailed illustration of a consumer’s energy usage than regular meters. Traditional meters display data on a consumer’s total electricity usage and are typically read manually once per month.23
In contrast, smart meters can provide near real-time usage data by measuring usage electronically at a much greater frequency, such as once every 15 minutes.24
Current smart meter technology allows utilities to measure usage as frequently as once every minute.25
By examining smart meter data, it is possible to identify which appliances a consumer is using and at what times of the day, because each type of appliance generates a unique electric load “signature.”26  [which will tie into the Internet of Things.]
NIST wrote in 2010 that ““research shows that analyzing 15-minute interval aggregate household energy consumption data can by itself pinpoint the use of most major home appliances.”” 27
A report for the Colorado Public Utilities Commission discussed an Italian study that used “artificial neural networks” to identify individual “heavy-load appliance uses” with 90% accuracy using 15-minute interval data from a smart meter.28
Similarly, software-based algorithms would likely allow a person to extract the unique signatures of individual appliances from meter data that has been collected less frequently and is therefore less detailed.29   [One algorithm program is “ONZO” (2).]
By combining appliance usage patterns, an observer could discern the behavior of occupants in a home over a period of time.30 For example, the data could show whether a residence is occupied, how many people live in it, and whether it is “occupied by more people than usual.”31
According to the Department of Energy, smart meters may be able to reveal occupants’ “daily schedules (including times when they are at or away from home or asleep), whether their homes are equipped with alarm systems, whether they own expensive electronic equipment such as plasma TVs, and whether they use certain types of medical equipment.”32
Figure 1, which appears in NIST’s report on smart grid cybersecurity, shows how smart meter data could be used to decipher the activities of a home’s occupants by matching data on their electricity usage with known appliance load signatures. [CJF emphasis]

Increased Potential for Theft or Breach of Data
Smart grid technology relies heavily on two-way communication to increase energy efficiency and reliability, including communication between smart meters and the utility (or other entity) that stores data for the grid.46 Many different technologies will transmit data to the grid, including ““traditional twisted-copper phone lines, cable lines, fiber optic cable, cellular, satellite, microwave, WiMAX, power line carrier, and broadband over power line.””47 Of these communications platforms, wireless technologies are likely to play a ““prominent role”” because they present fewer safety concerns and cost less to implement than wireline technologies.48 According to the Department of Energy, a typical utility network has four “tiers”” that collect and transmit data from the consumer to the utility.49 These include “(1) the core backbone—the primary path to the utility data center; (2) backhaul distribution—the aggregation point for neighborhood data; (3) the access point—typically the smart meter; and, (4) the HAN—the home network.”50 Energy usage data moves from the smart meter,51 and then to an “aggregation point” outside of the residence such as “a substation, a utility pole-mounted device, or a communications tower.””52  [CJF emphasis]

Kyllo and Karo demonstrate that the Supreme Court “has defended the home as a sacred site at the ‘core of the Fourth Amendment.’””169 Although neither the Supreme Court nor any lower federal court has ruled on the use of smart meters, a few propositions can be deduced from Kyllo and Karo bearing on this question. Because smart meters allow law enforcement to access information regarding intimate details occurring inside the home, a highly invasive investigation that could not otherwise be performed without intrusion into the home, a court may require a warrant to access this data. In Kyllo, the police merely obtained the relative temperatures of a house,170 and in Karo the police only generally located the beeper in the house.171 Although this information was limited, the Court nonetheless prohibited such investigatory techniques. Smart meters have the potential to produce significantly more information than that derived in Kyllo and Karo, including what individual appliances we are using; whether our house is empty or occupied; and when we take our daily shower or bath.172 Further, a look at Figure 1, supra, makes it clear that this level of information is much more intimate than prior technologies used by law enforcement. This depth of intrusion suggests that customers may have a reasonable expectation of privacy in smart meter data. [CJF emphasis]

This section discusses federal statutory protections that may be applicable to the contents of communications sent by a smart meter, independent of the Fourth Amendment, while they are either stored within the smart meter prior to transmission, during transmission, or after they have been delivered to the utility. Three federal laws, the Electronic Communications Privacy Act (ECPA),199 the Stored Communications Act (SCA),200 and the Computer Fraud and Abuse Act (CFAA)201 may be applicable to these situations and are discussed in more detail below. [CJF emphasis]

The Computer Fraud and Abuse Act (CFAA)
The Computer Fraud and Abuse Act (CFAA) prohibits intentionally accessing and obtaining information from a computer used in or affecting interstate commerce, without authorization or in excess of a granted authorization.246 The definition of a computer for purposes of the CFAA is “an electronic, magnetic, optical, electrochemical, or other high speed data processing device performing logical, arithmetic, or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device” excluding “an automated typewriter or typesetter, a portable hand held calculator, or other similar device….””247
The servers on a utility’s network would likely fall squarely within the definition of a computer under the CFAA. Similarly, smart meters themselves also appear to meet the definition of a computer, insofar as they store customers’ energy usage data and also perform logical operations by routing transmissions across the utility’s network. Additionally, in light of the significant role that energy utilities play in the modern economy, the smart meter network would also likely be considered to have an effect on interstate commerce, even if they operate entirely within one state. Therefore, intentionally gaining access to the utility’s servers or smart meters to obtain customer data would likely constitute a violation of the CFAA if done without the utility’s authorization or in excess of an authorization granted by the utility. [CJF emphasis]

The criminal penalties for violating the unauthorized access provisions of the CFAA have a three tier sentencing structure. Simple violations are punished as misdemeanors, imprisonment for not more than one year and/or a fine of not more than $100,000 ($200,000 for organizations).248

Section 5 of the FTC Act prohibits “unfair or deceptive acts or practices in or affecting commerce”251 and gives the Federal Trade Commission (FTC) jurisdiction to bring enforcement actions against “persons, partnerships, or corporations” that engage in these practices.252 In the past, the FTC has used its authority under Section 5 to take action against businesses that violate their own privacy policies or that fail to adequately safeguard a consumer’s personal information.253 Although there do not appear to be any cases in which the FTC has taken action against an electric utility for failing to protect consumer smart meter data, the Commission would have authority to enforce Section 5 against a utility that fell within its statutory jurisdiction.

“Unfair” Failure to Secure Consumer Data
Failure to Protect Against Common Technology Threats or Unauthorized Access
The FTC may consider it an “unfair” practice when an electric utility fails to safeguard smart meter data from well-known technology threats as the data travels across the utility’s communications networks. [CJF emphasis]

The Privacy Act protects the type of electricity usage data gathered by smart meters, provided that the data pertains to U.S. citizens or permanent residents, is personally identifiable, and is retrievable by the individual’s name or another personal identifier. The Privacy Act “governs the collection, use, and dissemination of a ‘record’ about an ‘individual’ maintained by federal agencies in a ‘system of records.’””368 Under the statute, a “record” is “any item, collection, or grouping of information about an individual that is maintained by an agency … that contains his name, or the identifying number, symbol, or other identifying particular assigned to the individual, such as a finger or voice print or a photograph.””369
An “individual” is defined as “a citizen of the United States or an alien lawfully admitted for permanent residence.””370 A “system of records” is “a group of any records under the control of any agency from which information is retrieved by the name of the individual” or other personal identifier “assigned to the individual.”371
Smart meter data held by an agency certainly fits within the broad definition of a “record” because it is a grouping of information about an individual, namely, data on that individual’s electricity usage. The data is typically stored along with a consumer’s account information, which usually includes a consumer’s name, social security number, or other “identifying particular.”372 Thus, smart meter data would constitute a protected “record” under the Privacy Act, assuming that it pertains to a citizen of the United States or lawful permanent resident and is retrievable by a personal identifier such as a consumer’s name or account number. [CJF emphasis]

Medical Device Radiocommunications Service

History

Operational parameters

• MedRadio devices can only be operated by an authorized health care providers such as a physician or legally authorized entity able "to provide health care services using medical implant devices";
• MedRadio device manufacturers and representatives can only operate the device "for the purpose of demonstrating, installing and maintaining the equipment" for authorized health care providers; and
• MedRadio devices are only "authorized on a secondary status" and must accept any interference created by devices of primary status.

See also

• Wireless Medical Telemetry Service

References

• Elwar, E. (19 May 2012). "Op-Ed: Microchip medicine destroys privacy". Digital Journal. Digital Journal, Inc. Retrieved 24 February 2016.
• Farlow, C.S. (20 June 2011). "An Overview of the Medical Device Radiocommunications Service (MedRadio) and Future Telemetry Considerations" (PDF). Medtronic, Inc. Retrieved 24 February 2016.
• "ETSI EN 301 489-29 V1.1.1" (PDF). European Telecommunications Standards Institute. February 2009. Retrieved 24 February 2016.
• Dortch, M.H. (25 February 2003). "Federal Communications Commission 03-32" (PDF). Federal Communications Commission. p. 7. Retrieved 24 February 2016.
• Federal Communications Commission (2003). Communications Regulation. 28. Silver Springs, MD: Pike & Fischer, Inc. p. 680. Retrieved 24 February 2016.
• "ETSI EN 301 839-1 V1.3.1" (PDF). European Telecommunications Standards Institute. October 2009. Retrieved 24 February 2016.
• Nikita, K.S., ed. (2014). Handbook of Biomedical Telemetry. John Wiley & Sons. p. 736. ISBN 9781118893425. Retrieved 24 February 2016.
• Dortch, M.H. (18 July 2006). "Federal Communications Commission 06-103" (PDF). Federal Communications Commission. p. 29. Retrieved 24 February 2016.
• Knapp, J.P. (6 May 2009). "Federal Communications Commission 09-1027" (PDF). Federal Communications Commission. p. 29. Retrieved 24 February 2016.
• Kalahasty, G.; Alimohammed, R.; Mahajan, R.; Morjaria, S.; Ellenbogen, K.A. (2013). "A Brief History of Remote Cardiac Monitoring". In Asirvatham, S.J.; Venkatachalam, K.L.; Kapa, S. Remote Monitoring and Physiologic Sensing Technologies and Applications. Philadelphia, PA: Elsevier, Inc. pp. 275–282. ISBN 9780323188463. Retrieved 24 February 2016.
• Dortch, M.H. (30 November 2011). "Federal Communications Commission 11-176" (PDF). Federal Communications Commission. p. 56. Retrieved 24 February 2016.
• Versel, N. (13 September 2012). "FCC finalizes MBAN rule, still must appoint coordinator". MobiHealthNews. HIMSS Media. Retrieved 24 February 2016.
• Dortch, M.H. (21 August 2014). "Federal Communications Commission 14-124" (PDF). Federal Communications Commission. p. 34. Retrieved 24 February 2016.
• Primosch, R.D. (16 February 2015). "What the FCC’s new rules mean for wireless body sensors". iMedicalApps. Retrieved 24 February 2016.

Forensic acoustic analysis confirms existence (and range) of second Las Vegas shooter