RE: Notes on Privacy

["Holmberg, David G. (Fed)" <david.holmberg@nist.gov>]

Thank you Toby. This is looking good, if long. Where is the “data destruction” principle, or whatever it might be called, that requires that any data that is no longer needed to satisfy whatever agreed on purpose must be destroyed?

 

Couple typos. There’s a sentence with “tame” instead of “same”. And the last sentence “form markets built using this specification.” Should be “for”

 

From: energyinterop@lists.oasis-open.org <energyinterop@lists.oasis-open.org> On Behalf Of Considine, Toby
Sent: Tuesday, September 14, 2021 12:24 PM
To: energyinterop@lists.oasis-open.org
Subject: [energyinterop] Notes on Privacy

 

As we get ready for our first public review, we are still lacking any material on privacy. A privacy section is required for new OASIS specifications.

 

I have put together a first shot at this matter, almost certainly too long, to start the conversation.

 

CTS and Privacy

 

The United Nations has defined privacy as “the presumption that individuals should have an area of autonomous development, interaction and liberty, a ‘private sphere’ with or without interaction with others, free from state intervention and excessive unsolicited intervention by other uninvited individuals. The right to privacy is also the ability of individuals to determine who holds information about them and how that information is used” (UN General Assembly 2013:15). 

Electrical usage data inherently creates a privacy risk. Published work has demonstrated that simple usage data can be used to reveal the inner operations and decisions in a home. Other research has demonstrated that anonymous electrical usage data can be “de-anonymized” to identify an individual electricity user. The more granular the data, the more intimate the details that can be garnered from meter telemetry. 

In an amicus brief in a case on smart metering, the Electronic Freedom Foundation testified that that aggregate smart meter data collected from someone’s home in 15-minute intervals could be used to infer, for example, whether they tend to cook meals in the microwave or on the stove; whether they make breakfast; whether and how often they use exercise equipment, such as a treadmill; whether they have an in-home alarm system; when they typically take a shower; if they have a washer and dryer, and how often they use them; and whether they  switch on the lights at odd hours, such as in the middle of the night. And these inferences, in turn, can permit intimate deductions about a person's lifestyle, including their occupation, health, religion, sexuality, and financial circumstances. These privacy concerns are linked to increased security risks criminals may be able to access the data and use the information to enable inferences about what people are doing in their home or if they are away from home. 

This specification describes how to share communications beyond mere electrical usage telemetry. Communications reveal what the user would like to buy, how much they would be willing to spend, and future intents and plans.  

System developers using this specification should consider legal requirements under the Fair Practice Principles and the European Union's General Data Protection Regulation. These include: 

(1)    The Collection Limitation Principle. There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject. 

(2)    The Data Quality Principle. Personal data should be relevant to the purposes for which they are to be used and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date. 

(3)    The Purpose Specification Principle. The purposes for which personal data are collected should be specified not later than at the time of data collection and the subsequent use limited to the fulfillment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose. 

(4)    The Use Limitation Principle. Personal data should not be disclosed, made available or otherwise used for purposes other than those specified, except a) with the consent of the data subject, or b) by the authority of law. 

(5)    The Security Safeguards Principle. Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification or disclosure of data. 

(6)    The Openness Principle. There should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data and the main purposes of their use, as well as the identity and usual residence of the data controller. 

(7)    The Individual Participation Principle. An individual should have the right: 

1. to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him; 
2. to have data relating to him communicated to him, within a reasonable time, at a charge, if any, that is not excessive; in a reasonable manner, and in a form that is readily intelligible to him; 
3. to be given reasons if a request made under subparagraphs (a) and (b) is denied and to be able to challenge such denial; and 
4. to challenge data relating to him and, if the challenge is successful, to have the data erased, rectified, completed or amended; 

(8)    The Accountability Principle. A data controller should be accountable for complying with measures which give effect to the principles stated above. 

In developing this specification, the Technical Committee has kept in mind the need to support a developer wishing to support privacy. Actors representing an up-stream electrical serving entity, say a distribution system operator or traditional utility, use the tame messages as anyone else—no actor is inherently privileged. Messages to provide market information or “ticker-tape” functions do not include party IDs. General advertising of tenders, while necessary to draw matching tenders quickly to market, may be anonymous.  

The system developer should keep the privacy principals in mind when making specific technology choices. For example, messages between an actor and the market MAY be encrypted to protect the privacy of people represented by individual actors. While the transactive energy market must know both buyers and sellers to support transaction contracts and settlements, the developer should take steps to guard that information. A developer may opt that each notice of contract sent to an actor always has a counterparty of the market, so as to protect the sources and uses of electricity.  

It is beyond the scope of this specification to specify security practices and system design form markets built using this specification.