Smart cities, difficult choices: privacy and security on the grid

Smart cities, difficult choices: privacy and security on the grid

All is not well in the land of smart city planning, as the latest major planned development from Google’s sister company Sidewalk Labs continues to run into problems in Toronto, Canada.

A groundswell of support?

Building a city “From the ground up” is apparently no longer a thing: at least some folk with a hand in digital urban design are saying it’s “From the Internet up” now. The plan was to take Toronto’s waterfront and transform it into an innovative smart city location. Sidewalk Labs got the contract to design a big chunk of Toronto’s waterfront in 2017, with potential for expansion.

New tech and an eye for environmentally-friendly design should have been the icing on the cake. Instead, continued delays over revealing what is happening is leading to complaints and protest groups like Block Sidewalk who aren’t happy with the direction things have taken.

A bump in the road

As it turns out, planning something like a smart city is incredibly complicated, and things appear to be slipping behind schedule. Worse, nobody seem to be able to tell the residents exactly what’s coming in this brave new world of digital connectedness. Google’s Sidewalk Labs want to try and set a “Global standard” for how user data should be treated, but there’s still no real information available as to how this will work in practice.

Interestingly, it’s the data privacy concerns now primarily coming to the fore, as bigger tech critics weigh in. It’s no fun when your project is on the receiving end of comments like, “A colonizing experiment in surveillance capitalism” or “…a dystopian vision that has no place in a democratic society,” especially if your main aim was to build some wood paneled houses and a functional drainage system.

Various resignations from the advisory panel and even the former privacy commissioner of Ontario, stating, “I imagined us creating a smart city of privacy as opposed to a smart city of surveillance” has definitely not helped to smooth out concerns.

The clear signifier is that early buy-in is crucial in getting one of these projects off the ground. Without an early affirmation of what to expect, people will dig their heels in and say no regardless of what’s on offer.

Puebla, in East-Central Mexico, is a good example of this. They have 15 locations slated to become smart cities. Santa Maria Tonantzintla has essentially refused to go any further after a lack of information as to what’s coming next. Demolishing some local landmarks certainly didn’t help matters. I would’ve linked to the 15 cities project, but the website is offline, which may or may not be very on brand for this kind of enterprise.

What is a smart city?

Good question, and one we may take for granted. Defining a smart city can be an exercise in frustration, but experts broadly peg them as one of two distinct flavours: top down, and bottom up.

Top down smart cities

These are major projects put together through a combination of governments, city councils, and major technology vendors. Ideally, an entire city is constructed from nothing, with the essential technology backbone required to make it all work in place from the outset.

Someone, somewhere sits Wizard-of-Oz style with a large control bank ensuring every aspect of day-to-day living works seamlessly—from trash collection and street lighting to traffic flow management and energy use.

That’s how it pans out in an ideal world with no need to worry about things going wrong, anyway. As you’ll see shortly, things tend to go wrong quite a bit. For now, let’s look at the next style of smart city.

Bottom up smart cities

This is what people who live in a city get up to when left to their own devices (pun probably not intended). Crowdfunders, crowdsourcing, smaller disruptive organisations working with communities to make things work more efficiently; it’s all here, and it’s as potentially chaotic as you’d imagine.

Piecing the puzzle together

Of course, it’s usually tricky to slap a city together from scratch and be home in time for supper—most of our towns and cities are already here with us. What we mostly have is a haphazard assemblage of council-led approaches bolted onto crumbling infrastructures while independent apps and community projects simultaneously do their own thing. The residents are by and large caught in the middle of this ebb and flow, and there’s never a real guarantee any of it is going to work as expected.

Smart city shenanigans

Despite their best efforts, projects can and do run into troublesome situations. Many of them aren’t even strictly security related; you’re probably more likely to fall victim to negligence or poor planning. Even so, the end result is still the same, whether or not someone hacked the Gibson, and a problem will still cause headaches. Below, we look at a few issues facing both top and bottom styles of smart city.

Top down smart city problems

1) In the UK, Westminster ran into issues when the company managing the city’s street lights went into administration. With nobody at the lightbulb wheel, residents were amazed to find some 8,000 street lights blasting away 24/7 for an entire week. The local council had to pay a “small fee” to the new company administrators to get things resolved.

While you’d think a contingency plan would be in place for contract explosion at this level, it somehow ended up being missed. Nobody wants to go to bed with typically much brighter smart bulbs pouring in through the window, not to mention the power drain/environmental impact. A simple but effective example of how sometimes top down gets it wrong.

2) What if an entire neighbourhood’s identity vanished from online maps to the extent that it’s data-driven invisibility meant you might never find it? That’s exactly what happened to the community of the Fruit Belt, aka “Medical Park,” courtesy of bad data not only from Town Hall but also a variety of mapping startups, tech orgs, and data brokers.

The residents’ fight to reclaim both the name and the location’s acknowledgement as a physical space is quite something. As with Westminster and their 24/7 lights, we see another situation where defunct companies leave unforeseen problems in their wake with nobody to play clean-up.

3) There’s also the threat from hacks in a top down system; control the hub, control the city. Exposed devices, default passwords, vulnerabilities, and critical flaws—all ready and waiting for someone to come along and take advantage. You expect a street light to break or a pipe to burst. What you don’t expect is people tampering with early warning systems or road signs displaying random messages.

4) Sticking with that same theme, a lot of work has been done in this area by the Securing Smart Cities project, which looks at ways companies, governments, media outlets, and more can work together to address these concerns. Amongst other things, they’ve done smart research on how CCTV systems can be a danger from something as banal sounding as not covering up labels. They’ve also explained how bad actors could scale up attacks to (for example) knock out air conditioners across multiple streets or an even bigger radius with the aid of some $50 equipment. That may not sound like a big deal, but in hot weather it could be potentially lethal for the sick or elderly.

5) Hong Kong residents protesting the proposed extraction law chose to avoid using their Metro cards for travel for fear of being tracked by the government. Instead, they opted for cash payments like tourists tend to do. This data has been used in the past for law enforcement, so one can understand their apprehension. In a place where even advertising has been used to name and shame litterbugs via DNA, this raises potent questions about where, exactly, power lies when so much of our day-to-day existence is at the whim of top down systems.

Bottom up smart city problems

1) Tracking in the age of smart tech is something people are naturally concerned about. When I looked at the hacking simulation NITE Team 4, I mentioned tracking someone’s phone via smart billboards. I was particularly taken by this appearing in a video game, because it’s a supposedly out-there concept that doesn’t sound real but (shocker) it is.

Wandering the streets, whizzing by in a car, walking around some shops? If your Wi-Fi is enabled, it’s quite possible you’re being tracked for marketing purposes.

2) What happens when your landlord and/or building complex decides the time has come for everybody to receive smart locks whether they want them or not? Chaos is what happens. Not everybody is a fan of taking control over basic functions like premises security away from the resident, and there’s multiple compelling reasons for not having them installed.

Case in point: What if there are potential security issues? What happens if the power goes down while there’s an apartment fire? What if the locks just stop working while you’re asleep? Who has access to the data? Before you know it, it’s all gone a bit legal and some people in suits are probably shouting a lot.

3) Of course, we can’t go on without the increasingly large mess that is IoT/smart home technology and domestic abuse cases. It’s a chilling example of what can go wrong with too many random technologies are mashed together in real-world settings with a malicious actor in the middle.

Quite often, there’s zero chance of the abused person being able to figure out where bad technology things are happening, and it can be a challenge for tech experts familiar with these issues to find a decent starting place for their investigation.

Sandcastles in the sea

We’re scratching the surface here, but there’s a lot to take in where constructing a smart city is concerned, whether government-led or people doing it themselves. There are also some huge success stories in smart city land—it’s not all disasters, broken street lamps, and roadsigns yelling about zombie outbreaks.

For example, Bristol in the UK springs to mind as a great example of how to retool a city in a way that makes sense. There’s still a long way to go before we have other smart cities to rival Bristol though, and that probably applies to the somewhat embattled Toronto waterfront project.

As these projects drag on, issues of data, privacy, and consent appear to be the places where the primary battle lines are drawn. Without some solid answers in place, generals may find themselves run out of town by a cheerfully tech-unenhanced community.


Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.