Monday, October 22, 2012

Thoughts on Personal Data Privacy

Many home owners that pay for their electricity that I've ever talked to, has done the same as I do when going to visit someone else's house;  You get to the front door of the house you are visiting, see the nearby electricity meter spinning, and then you ask yourself "Is this meter spinning faster or slower than my meter?".  If it's more recently, then you spot the Smart Meter and watch the "black square" flashing and ask yourself if it's flashing faster or slower than yours.

Meter data is supposed to be a private affair. In Ontario, there was a lot of chest-pounding by Ministers about the security of this data as it's moved from your house to the central MDM/R (Meter Data Management and Repository) far away.  If you have access to the meter data, you can deduce/infer a lot about a house and it's inhabitants, including patterns of activity.  Without even having to visit a house, if you have access to their data, you can determine when they've gone on vacation for instance, because the pattern of peaks and troughs suddenly changes.

The first problem with this is that black flashing block; I can see mine whilst standing on my neighbour's property - effectively meaning someone can gather my family's data (with an optical sensor) without trespassing on my property. If I mount a clear magnifying lens on the meter, I can see that block flashing away, unaided, from a much greater distance.  Now, if you mount a clear magnifying lens on someone's meter, the chances that they'd notice it within several weeks are very slim.

The second issue I had was on the front of the meter is an IR (Infra-Red) port.  I ordered a $2 IR sensor, hooked it up to a $25 Arduino board I had kicking around using a breadboard, plugged in some AA batteries and and held the entire mess up in front of my meter. It registered that the port was live and spewing out data. Googling the code to decipher this data was trivial from that point.

From here, it's only a hop-skip-and-a-jump to put the Arduino in a weatherproof box with a battery power-source, connect it to a ZigBee transmitter and theoretically throw the whole kit-and-kaboodle into the eavestrough of a neighbours house with just a small wire coming down to the meter where the sensor is over the smart meter.  At that point, I could theoretically broadcast the data to a nearby location where it's monitored, recorded and analysed…. which is essentially the same thing that the Smart Meters and MDM/R are supposed to be doing already.  In fact, they're transmitting the same data (in a compact, encrypted, and less-verbose manner) hourly, from each house to a designated aggregator house which then sends the entire package to the MDM/R.

So unless I'm mistaken, they've secured the data from a transmission standpoint (from the house to the MDM/R) and left the higher granularity data spewing onto my driveway in an easily detectable and decipherable, unprotected, fashion.

And they've done it twice.