Smart cities need an audit plan for IoT

Cities may soon get a significant influx of federal cash, as the Biden administration appears ready to write a multitrillion-dollar bill that would fund repairs to existing roads, bridges, water treatment plants, and other critical infrastructure while also investing in new technology tied to mobility, the environment, and digital initiatives — including IoT.

But as state and city officials evaluate digital investments, they should look to best practices that have been established over the last few years, as they are designed to support the building of smart infrastructure optimized for citizen needs, not collection traps optimized for the vendors that supply the underlying technology.

This week, The Seattle Times published a story asking how the vendor that provides a network of sensors to generate Seattle traffic data currently stores — and could eventually share — that data. The gist of the article was that Acyclica, a subsidiary of FLIR Systems with a questionable history of corruption, was gathering what could be identifiable information on people as they traverse the city. It further implied that such data could eventually be sold to others.

It’s not a crazy concern. Governments are buying data from companies that take geolocation data from apps on users’ phones. The supply of information we provide is almost endless thanks to the phones we carry around, the gadgets we bring into our homes, and the surveillance network of public and private cameras that monitor our (almost every) move. And the demand for that information from governments and private companies is almost as endless as the reasons they give for wanting it — from police departments that demand geo-warrants to make arrests to companies that try to fine-tune your demographic so they can show you the best ads.

So when it comes to smart cities, understanding what data a city and vendor collect and what they can do with it should be an essential part of the requisition process. Transparency from both camps matter. Just ask Alphabet’s Sidewalk Labs, which blamed COVID-19 for pulling out of a deal to develop part of Toronto’s waterfront after years of fighting with activists and city planners about data access.

Or take Seattle, where researchers are questioning what happens to the data of the people who live there. The Acyclica system works by grabbing phones’ MAC addresses — unique device identifiers tied to connected devices — as they pass through various intersections in vehicles. Acyclica strips the MAC address of the first three pairs of characters immediately, then hashes it to create a random value. It then ships the random value to the cloud, where it is stored for 12 hours.

Acyclica shares only the time it takes for a vehicle to get from point to point with the City of Seattle. It does so by using the random value generated to replace the leftover bits of the MAC address, so it’s effectively tracking a device in a vehicle, although the city doesn’t have a way to see anything that identifies the device. Moreover, every 12 hours the random value associated with a device is changed.

And after 24 hours, the entire random value and route of the phone that supplied the original MAC address had taken is permanently deleted, according to Tim McDowd, a spokesman for FLIR. This is a good system, no matter what The Seattle Times story might imply.

I was concerned at first, but after digging into the way the monitoring, randomization, and data retention work, I feel pretty comfortable. I suppose one could argue for a shorter retention time, but keeping the random number (which is the weakest link that could perhaps be used to identify someone) for half a day is pretty good. Permanent deletion after a day is even better.

When I started reporting this story, I thought I’d use as a case study to illustrate why municipalities, and vendors selling to municipalities, need to follow best practices. But this system already follows most of them. It rapidly strips identifying data and replaces it with a random value. It sends the random value to the cloud using the secure transfer protocol TLS. It only shares need-to-know information with the city. And it only keeps the route information for 12 hours, then deletes everything after 24 hours. The only thing it’s missing is an outside audit to ensure the system works as advertised.

Yes, one may possibly be able to identify a particular person using the random value if they tracked 12 hours of driving data to see where that person spent their time. But when it comes to smart cities, I think the key issues are tied to data anonymization, securely storing and shipping data, and having a narrow window for retaining that data.

These are good values, but it’s clear that both Seattle and FLIR are missing out on another essential ingredient to good smart city deployments: transparency. When it comes to using technology to track cars, count people, or monitor an area for gunshots, there is a tremendous amount of distrust around the amount of data gathered, how it’s used, what it can say about an individual, and who can access it.

As such, every municipality should establish rules to address these issues, publish them, and ensure its vendors comply by way of outside, independent audits. New York City is taking a partial step as we speak. Last week, the city published a 78-page document detailing its Internet of Things strategy. Part of that document includes a section on privacy and transparency that calls for the city to explain clearly to vendors and citizens the “who, what, when, where, why and how of data collection, transmission, processing, use, and disclosure.” The document does not, however, provide for external audits.

All in, the document follows much of the advice laid out in a report from 2018 by the Center for International Governance Innovation. It was written by Bianca Wylie, who was a CIGI Senior Fellow at the time. Wylie is one of the activists who helped tank Sidewalk Labs’ efforts to build a smart city in Toronto by demanding more transparency over the company’s data collection and ownership practices.

I point these reports out because many of the best practices associated with deploying connected sensors and AI in cities are well documented and available to both municipalities assessing new projects and vendors hoping to sell cities on these projects. They just need to start using them.