Many smart home devices leak some level of data, according to researchers at Princeton University.
Among the group of smart home devices they tested was Google’s Nest thermostat. Individual information was not transmitted, but some incoming weather information with weather station location and ZIP codes were not encrypted.
When the researchers contacted Nest, “they thanked us,” Princeton postdoctoral researcher Sarthak Grover said during a presentation at PrivacyCon. Nest told Grover it was a bug that has been fixed.
Compared to some other smart home devices, such as one web-connected photo frame, the researchers concluded that Nest was a “fairly secure device,” since all outgoing personal traffic was encrypted and sent through HTTPS.
"The weather information is provided by an online weather service, and the geolocation coordinates are for their remote weather stations, not our customers' homes," Nest said in a statement. "The only user information that is contained in the requests is ZIP code."
Incoming unencrypted ZIP codes may not be a significant data issue, but Nest is one of the more sophisticated devices in the smart home ecosystem, raising concerns about the overall market. In Grover’s presentation, his conclusion was, “Be afraid!”
He ended with questions about who is ultimately responsible for data breaches: internet service providers, manufacturers or consumers? The plethora of manufacturers of different devices and various standards and ports in the smart home only complicates matters.
When utility data is layered onto smart home information, the issue becomes even more complex.
During a technical conference in December as part of New York’s Reforming the Energy Vision proceeding, stakeholders gathered to talk about the myriad issues surrounding data sharing.
There are two overarching sets of data concerns. One is around how much utility data needs to be shared for distributed energy providers to provide the most value to utilities in siting projects, such as battery storage or solar projects.
The other issue is sharing customer data that utilities have, especially interval data from smart meters and other private information on accounts. When utility data is married with in-home devices, such as thermostats and door locks, it can offer a detailed snapshot of a home.
Cameron Brooks with Mission:data, a group representing consumer-facing energy companies, cautioned against simply starting with older protocols that are already used between some energy service companies and utilities, such as electronic data interchange, as they may lack the cybersecurity needed in today’s world.
Instead, he advocated for Green Button, which so far has been mostly adopted in California but not much elsewhere, despite support from companies and utilities in many parts of the U.S. Many other stakeholders have called for Green Button as a starting point for consumer energy access in New York under REV.
At least in New York, companies that want consumer data may fall under the purview of regulators when it comes to data access. The New York Public Service Commission has asserted it has the right to exert jurisdiction over vendors that access data through tools that the commission has created, according to Doug Elfner, director of consumer engagement for New York’s PSC.
“The idea is that everyone who has access to this data will review practices for maintaining accurate data, compliance and process improvements,” said Erin Hogan, director of the Utility Intervention Unit in New York’s Department of Consumer Protection. “And then [they will] also provide simple, efficient and effective measures to address customer concerns.”
In states like California and New York, which are trying to open up data while maintaining privacy to allow for more customer choice and participation in energy markets, there is a chicken-and-egg question about choosing technical architecture for data sharing while also not getting so tied up with the process of architecting that the market can’t grow. Each state has its own emerging guidelines, and there are also resources like the U.S. Department of Energy’s Voluntary Code of Conduct.
“The information has to be machine-readable, adhere to industry standards and [be able to] be delivered through secure and convenient web service protocols,” said Brooks. “Experience from other states -- and certainly common sense -- would suggest that designing the systems from the beginning with data in mind is a lot easier than trying to retrofit them after the fact.”
The minor data issue recently uncovered in Nest’s technology, however, shows that even systems designed with privacy and leveraging standard protocols will have bugs that the entity sharing the data will need to monitor.
It’s not just data breaches that utilities and third parties will need to monitor with far more scrutiny as they work closer together, however. Recently, Nest also had a bug that drained the battery in some thermostats (including one owned by a writer for The New York Times), which frustrated customers and had the potential for more serious consequences in regions with freezing nighttime temperatures.
Many forward-looking utilities are increasingly enthusiastic about building new revenue streams based on partnering with third parties. They will need to be more clear with customers about who is managing data streams between the different companies, and most importantly, who to call when the connected smart lights go out.
“Customers need to understand what data they're giving,” said Hogan. “Even if all parties are in full compliance of more stringent privacy criteria, there is no doubt the data-risk breaches will increase.”