By SOPHIE DONOGHUE
BRUSSELS – With the EU’s planned roll-out of mandatory smart meters across Europe, hard questions are now surfacing about the devices’ implications for data protection and privacy.
A smart meter is an electrical meter that records a household’s consumption of electricity and communicates the information back to the utility at least daily for monitoring and billing purposes. It measures the exact electricity used and, most importantly, generates exact billing information for suppliers, meaning no more need for estimated or pre-paid billing for the consumer. Energy suppliers can also use smart meter data for the purposes of infrastructure planning, network optimisation and load-balance checking in order to improve the overall efficiency of their networks.
Smart meters are also expected to help users improve their energy efficiency, since consumers will be able to view their detailed energy consumption data via a web browser. There they will see their consumption patterns and where these can be modified to save electricity.
According to EU Directive 2009/72/EC, smart metering devices are supposed to replace 80 percent of the existing conventional meters in EU households by 2020.
Experts argue that smart metering will prove crucial not only for energy efficiency but for managing the integration of unstable or uneven renewable energy supplies such as wind energy. As society moves towards renewable energy, “more intelligence is critical as renewable energy is much more volatile”, says Markus Bartsch, business development manager at TÜViT, a German information security certification company. Bartsch spoke during the Information Security Solutions Conference known as ISSE, which took place here on 23-24 October.
However, this new monitoring capability goes hand-in-hand with a set of concerns about privacy and data protection issues. For example, in the Netherlands smart metering cannot be mandatory, since it is considered an infringement of privacy rights. Fears that data on energy consumption could be misused by criminals, police or insurance companies curtailed the compulsory introduction of the meters in the Netherlands in 2009.
Recent studies highlighted at the ISSE event point to the risks that new smart metering technologies pose for privacy. One research project, called “DaPriM” and led by Germany’s Muenster University of Applied Sciences, shows that it is possible to deduce a household’s pattern of behaviour from smart metering data.
Indeed, the devices could furnish energy companies with an astonishing level of personal information about consumers and their family members. Smart metering information can indicate when a person is at home, which appliances he uses, when he eats and “they can even tell what TV channel you are watching”, observed Bartsch.
While praising smart metering’s ability to boost energy efficiency, Bartsch and others also warn that the granularity of such information is open to abuse – either commercially by the companies that gather it or maliciously by criminal parties. For example, if metering data indicates when a consumer is home, it also reveals when the residence is empty, potentially exposing it to burglary. “We have to secure communication against outside gateways,” noted Bartsch.
Alfredo Rial of Belgium’s Catholic University of Leuven agreed, telling the conference that hackers could potentially “cause blackouts by turning off smart meters”. He also advocated “no direct link between users and providers” by establishing a data filter between the two. For example, he said smart meters should be designed to allow maximum two-way communication and transparency with the consumer, while restricting access for utilities to only that data needed for billing and energy efficiency. ENISA (the European Network and Information Security Agency) will be holding a validation workshop on the Minimum Security Measures for the European Smart Grid on 29 November.
The central challenge to the meters’ security, however, could be hackers who intercept or manipulate the two-way flow of data between consumer and utility. As Rial pointed out, a “tamper-resistant model” is needed, but one wonders how uniform such a capability will be in a Europe that fragments so easily into competing proprietary technologies.
The bigger data “threat” could come from any marketers who establish links with the utilities for purposes of targeting power customers according to their inferred consumption patterns and preferences.
Just as an academic exercise, SECURITY EUROPE found no hits after doing a word search for ‘consumer consent’, ‘marketing data’ or ‘commercialisation of data’ across the texts of the smart meter directive or its accompanying recommendation (2012/148/EU) to prepare for the roll-out of the devices.
In fairness, the recommendation does address data protection and security issues by linking to the EU’s directives on the protection of personal data (95/46/EC) and e-privacy (2002/58/EC), which in theory cover such things as smart metering. However, the recommendation’s guidelines are not binding…