Home energy monitoring: Is Big Brother watching?

Whether we like it or not, a "smarter" power grid will likely play an important role in our energy future. And in spite of the huge potential for energy savings, widespread adoption of home monitoring technology may be delayed if concerns about privacy are not adequately addressed.

Plans by California utilities' to replace older residential electric meters with new "smart" meters have triggered a groundswell of opposition. Organized groups like Stop Smart Meters! and The Center for Electrosmog Prevention claim that the new meters are inaccurate and result in overbilling, that they produce harmful radiation, and that they can reveal-- against users' wishes-- information about their energy consumption habits.

Complaints about electric bills are nothing new, and I will leave health experts to debate whether the radio signals emitted by the new meters can really cause health problems. I am concerned, however, about security issues. One important consideration about new meters is whether they can be "hacked," allowing attackers to modify electric bills or even gain control of connected devices and equipment. An article by Erica Naone in MIT's Technology Review, Hacking the Smart Grid, describes vulnerabilities in smart grid technology brought to light by researchers at the Black Hat conference in Las Vegas last summer. Some worry that in the rush to implement the smart grid, we may commit to systems that have not been thoroughly tested, making it expensive to correct problems that are found later. Moreover, even the best designed electronic devices will not work correctly unless they are set up properly, and utility companies lack expertise in computer security.

Much of the concern about security centers on the way smart meters communicate. The ZigBee Alliance is a non-profit industry group that develops and promotes standards for meters, lighting and appliance controls, and a range of other energy saving applications. These standards are among the most widely used in the industry and cover the use of short range radio signals to exchange information among devices. Security will always be an issue where radio transmissions are involved, since there is no practical way to prevent eavesdropping. Fortunately, industry stakeholders have a strong interest in ensuring security in the devices they use and sell. ZigBee Wireless Security: A New Age Penetration Tester's Toolkit, by Brad Bowers, describes how ZigBee networks are getting increased attention from security consultants. The security of your smart meter and the privacy of information about your electricity use, however, are different issues. Obviously, the utility doesn't want its meters tampered with, but it may well be interested in "monetizing" data about the utilization patterns of its customers by selling it to marketers. My view of consumer privacy and the smart grid has been influenced at least a little bit by my own recent experience.

Through a program with my electric utility, I recently installed a ZigBee certified energy monitoring and control device in my own home. It was pretty simple to set up. Once I entered the device code and serial number for my electric meter (supplied by the utility company), the the EnergyHub Home Base began collecting data from the electric meter. I was then able to set up a connection to my home WiFi adapter, so now, wherever I have Internet access, I can check my current weekly and projected monthly electric charges. To actually control my heating and AC or turn appliances on and off while away from home, I'll need additional ZigBee compatible devices to connect to the Home Base. I'll probably wait for prices to come down a bit and for more devices to become available before I make that investment, though.

In the meantime, I set up an account on EnergyHub so I could log in and check my electricity use online. Like most people, I suppose, I clicked through the various agreement details to get to my EnergyHub home page. During the setup, there was a message on the web page made about the connection to my Home Base, but it didn't occur to me then that my electric meter readings were being stored on EnergyHub's data base. Later, while reading a blog article on the EnergyHub site, I noticed a reference to the "total cooling minutes for ... connected thermostats." Only then did I realize that-- of course-- EnergyHub must be collecting data from everyone who sets up a free account to connect to their EnergyHub Home Base. EnergyHub then aggregates this data to create various reports on energy consumption in the community. For example, the blog post I was reading--How Much is 1° Worth?-- analyzed data from participants to determine the average energy bill savings resulting from lowering the thermostat by one degree during the winter heating season.

Could EnergyHub be some sort of evil Big Brother, collecting information about everyone's energy consumption to use against them somehow? If you plug in your electric car every night, will the sheriff knock on your door one day because your electricity use looks just like someone cultivating marijuana in the basement with artificial lights? Is the power company going to throttle your water heater because you're spending too much time in the shower?

When I began writing this post, thinking about how more appliances we use every day are being added to Home Area Networks, it wasn't Big Brother that first stirred my imagination. What if the computer itself were to take over? Even those who haven't seen the movie have likely seen or heard references to Hal, the classic computer run amok in 2001: A Space Odyssey. For the ultimate depiction of what happens when a computer takes control of a Home Area Network, my personal favorite is the 1977 cult movie, Demon Seed.

Well, 2001 has come and gone. Watson may be unbeatable at Jeopardy, but computers have yet to achieve Hal's human-like qualities. Orwell's dystopian view of the future, however, is far more plausible given the reach of the Internet and the capabilities of present-day surveillance equipment. It's not just the government spying on us that's worrisome, but all the companies that collect and exchange information about customers. Is there really any such thing as privacy in the age of social networking?

I take some comfort in the fact that there are numerous laws, however imperfect, aimed at protecting individual privacy. The federal Gramm-Leach-Bliley Act, for example, governs privacy policies for financial institutions. Anyone with a bank account or an insurance policy has probably received notices of the bank or insurance company's privacy policy, with an address to write to, phone number to call or website to visit to opt out of information sharing. And while there is no general requirement that websites have a privacy policy, other laws like California's Online Privacy Protection Act, the European Union Data Protection Directive, and the Children's Online Privacy Protection Act, as well as business self interest, have made privacy policies a practical necessity for all commercial websites that collect personal data.