The next generation of urban infrastructure is on the horizon. As the technologies of the Internet of Things (IoT) become increasingly prolific, we can soon expect to see local authorities relying on them to improve living, working and traveling conditions in myriad ways. Everything from road traffic to municipal services could be more efficiently managed, and environmental issues from noise levels to air pollution improved.
It’s not just city infrastructure that’s changed. We’re quickly moving toward a world where autonomous vehicles communicate with each other and interface with cloud services as well as smart traffic signals and road sensors to drive safely without human involvement.
There are concerns as well as benefits associated with these altered cities. The more connected devices a smart city employs, the greater the risk to individual privacy. Citizens have legitimate concerns that data shared to access smart city services could be compromised in the event of a network breach. For this reason, companies working on smart city initiatives must ensure they embed cybersecurity into the very heart of their projects. Any smart city must be a highly secure city following an open and approved strategy.
This blog explores one example of a company working on smart city technology and the security challenges it exemplifies. Sidewalk Labs, owned by Google’s parent company, Alphabet Inc., is one of the leading organizations in this field. Its smart city project, Sidewalk Toronto Initiative, is currently slated for launch in Canada. If this goes ahead, it will be the first step towards a futuristic connected community. But how secure is it in practice – and what impact will it have on citizen privacy?
Alphabet’s Search for the City of the Future
Sidewalk Labs’ far-reaching plan for Toronto would fold data on everything from traffic, noise and air quality to garbage collection and power distribution into North America’s largest smart city deployment. Serious questions must be raised over how access to these new systems and the data that passes over them are managed, particularly given that both public and private organizations are involved.
BlackBerry Cylance’s Kim Crawley recently spoke to these questions of privacy and governance. Sidewalk Labs confirmed that it would not monetize access to personally identifiable information, and to quote:
“Sidewalk Labs has committed that it would not sell (or) disclose personal information to third parties, including other Alphabet companies, without explicit consent. Sidewalk Labs recommends that an independent, government-sanctioned entity approve proposed collections and use of urban data in the project area by all parties, including Sidewalk Labs.”
Sidewalk’s CEO Daniel Doctoroff says he’s fully aware of the privacy issues that the project raises:
“We have heard lots of concerns about privacy. The approach we’ve developed is in direct response to those conversations, vesting the control of urban data in a democratic, independent process. The approach outlined in the Master Innovation and Development Plan will set a standard for the world.”
Smart City Initiatives and the Risk to Privacy
Despite this apparent confidence, the cybersecurity community and some local politicians continue to express concerns over the security risks of this project, underlining that the incentives for Alphabet to harvest data from residents and visitors must not lead to compromised security.
In the information economy, personal data is a valuable resource. In fact, in a fully smart city, the data generated by residents over decades could well be more valuable than the land on which they live. If data isn’t adequately secured and privacy not guaranteed, smart cities could evolve from user-centric initiatives into communities that pose significant risk.
Sidewalk Labs’ response to these concerns deepens the potential for confusion. Doctoroff claims he can’t say with definitive certainty what will happen with the information collected in Toronto. His company declares that it will ensure data in the system is anonymized where possible – but it has also published a plan to make data open and accessible to a number of “third parties”. If Sidewalk Labs follows Alphabet’s wider business model, it seems possible that data may be used, in part, to profile residents to provide “relevant services”.
The likely cause of confusion regarding the use of data is the lack of clarity over who has authority over that information. When personal data enters smart city systems, responsibility for the security of that information must be clearly assigned. This issue has recently surfaced in a lawsuit where the Canadian Civil Liberties Association is seeking “a court order that will nullify the agreement between Sidewalk Labs and Waterfront Toronto” – precisely because of the fears of Canadian citizens’ data being collected and stored by a US company.
Unless proper controls are established from the outset, there’s a risk that data accessibility is the trade-off of living in any smart city. Companies must ensure that residents aren’t exchanging convenience for security and privacy.
Building a Secure Smart City
Even if companies like Sidewalk Labs were to use the data they collect in a responsible manner that honors user privacy, a great deal of information is still vulnerable to breach in cyberattacks. Given the large number of potential entry points in a smart city deployment of this size, cybercriminals could feasibly have opportunities to interfere with operations of digitally-enabled services including traffic lights, public transport management, energy, water, snow removal, sewage, refuse and emergency service deployment.
The effects of a smart city breach could be far-reaching, affecting citizens on many levels. Cybersecurity technology, operations and standards must be designed into the portfolio from the outset of the project. Endpoint security, in particular, should be a priority, given the extent to which smart cities rely on connected devices such as cameras, lights and sensors. A single breached device can become a gateway to an entire network. Companies and community councils working on prospective projects must understand this and ensure that their earliest planning includes detailed endpoint security measures.
In the process of creating IoT-driven city districts, corporations and local government bodies must be transparent about every detail that may affect citizens, including the ways that cybersecurity is implemented and monitored. We must be transparent about the data collected, as well as the intended lifecycle and purpose. The current connected ecosystem has established some effective cybersecurity practices, technologies and standards; however, within the existing deployments, it’s clear that citizen data is already used for purposes of which many are unaware.
As we begin to secure IoT deployments on this new scale, we must ensure we’re building high-level data transparency, leveraging it in such projects, and continually evolving our cybersecurity best practices.
By Charles Eagan, CTO at BlackBerry