One of the main concerns of the community as it exists today when the concept of Smart City is unveiled is on what happens to the concept of Privacy?

The very concept of a “Smart City” is one where information exchange happens between the residents and the command center in such a manner that every aspect of the individual’s life gets reported to the command center and triggers actions in different parts of the city. The concept of “Internet of Things” and “Smart Transport” etc can work only if individuals give up the concept of “Privacy”. Unfortunately the residents of a smart city cannot have the option of “opting in or out” since “Opting out” of a Smart City information network would essentially mean that the individual not only is denied of the benefits of the smart city but also be a “rogue” element as to the rest of the community. The community norms would therefore force every one who comes within the “network boundaries” of the Smart City to “Opt in” or otherwise be identified as an “Untouchable” within the city.

We will therefore be in a situation where either we accept the Smart City concept and forgo the “Privacy Right” or opt to remain outside the boundaries of the smart city. It would perhaps be a “Visa” condition for entry into a smart city that one has to forego his Privacy Rights.

We all know that in India we are still struggling to form a “Privacy Law”. Repeated attempts have not been taken to the logical end and have died at the stage of drafts.

Now, we are discussing the concept of  smart cities 100 in number to start with and perhaps  more to follow as India turns Digital. We already hear that one city in Gujarat, a part of Mumbai and perhaps a part of Bangalore may either come up as a complete Smart City or become significantly more smart than the rest of the environment.

In many areas of technology, we some times observe that some “developing” countries jump the developmental steps that other earlier developed countries take and join the que in the front.

I see the possibility that the development of “Privacy laws” in India may be confronted with this choice of whether we first pass the Privacy Law and then fight against it in Smart Cities or all together work for a “Smart Privacy Law” that works both within the smart city and outside.

The solution that can solve the Smart city-Privacy Conflict is “Regulated Anonymity” which the undersigned has presented a few years back. (Refer : The Theory of Regulated Anonymity published on  2nd March 2012).

The essence of this theory of “Regulated Anonymity” is the creation of an “Authority” to “Anonymize” a participant in such a manner that no state actor will have an unfettered right to “identify” an individual. The system will however provide the identity as required for the information exchange except that the data will travel in the name of an “Avatar” rather than the real physical identity of the individual. It is the ideal situation for exploiting the best of both worlds, the benefits of identifying to the “Smart City Control Center” and maintaining the anonymity of who the individual is in the physical world.(..though the Big Data Analysts would say that we can still find out who you are..).

The undersigned had also discussed

It is therefore interesting days ahead of those who watch the development of Privacy laws in the county as also the Smart City administrators.

Naavi

Related Articles:

Privacy Protected Zones Required.

“International City Zone” scheme suggested to address US investor’s concerns

Is India’s 100 smart cities project a recipe for social apartheid?

Smart Cities: are you willing to trade privacy for efficiency?

When we visualize a “Smart City”, we normally see a futuristic city  laced with the clean, wide roads with sky scrapper buildings with fancy architecture all around. But the “Smartness” of a city does not lie with the civil architecture alone. In fact, a good looking civil architecture can make any city look like a “Futuristic City”. But it need not necessarily be a “Smart City”.

A “Smart City” by definition has to be characterized by an information exchange system that flows all across the city like the nerves or blood go across a human body making each organ give and take information that eventually make it function better.

The key therefore to “Smartness” is the way how this information network is built and how the functional units interact with individual organs of city administration. Hence most of the critical work that determines how the smart city shapes up has to be complete before the first roads are built or first civil structure comes up.

While each organ of administration such as the Transport, Health, Electricity Supply, Water supply, Sewerage systems, Supply of  Clean air, Education, etc can be considered as sub systems and can be developed with the best available ICT resources, the key is the information infrastructure.

The information infrastructure has the technical component which consists of the Optical Fiber network which should run side by side with the water and power lines and should be a supported by a network of WiFi  that is as ubiquitous as the air around us.  While the WiFi network can also be brought in later during the development of a city, the Optical Fiber network is one which needs to be built as a fundamental component of infrastructure before the city layout is completed. The quality of this physical network would be what would determine the future of the city. It is therefore writing the horoscope of the city.

In the future, this network of Optical fiber would also be the biggest target for attack by all types of Cyber criminals including the terrorists. Hence even while laying down these cables, the security of these cables in future both from unauthorized physical and logical access becomes critical. This security starts from the people employed today to lay the cables and the knowledge and information shared with these people would determine how secure the network would be in future.

Knowing the smartness of terrorists around the world and their motivation, it is possible that these terrorist organizations may be already planning to infiltrate the work force who would be involved in the construction of smart cities in India. Hence we need to identify the possibility of moles being introduced to the work force as a “Risk”.

Extensive back ground checks and also security motivation of the workers would therefore be an essential part of the management of the smart city infrastructure. People need to be continuously monitored and their behaviour analysed to identify existence of people with deviant mindsets  who can be exploited by the criminals and anti national elements.

Additionally, measures to obfuscate some critical information that can be misused, randomizing the network paths, testing the misuse of the network in future as well as checks and balances to prevent any deviant behavior of the network need to be planned and built into the systems today itself.

It is in this context that we are highlighting that “Cyber Security” should be among the first building blocks of a smart city infrastructure and needs to be focused. In fact the Cyber Police Station of the Smart City should be in place now before the network cables are laid.

Presently the way the planners are moving ahead does not indicate the appreciation of this security requirements.

As always, we hope that the planners will turn their attention on this issue before it is too late.

Naavi

New Mobile App launched for Cyber Law Awareness for Everyone

One of the major investments in a Smart City would be on an integrated intermodal  transport network which connects the personal transport vehicles to the public systems of different kinds.

To understand the issues involved, a really smart city transport service means that the city bus service, the private taxi or auto services  are needed to be connected to the railways, metro and air network so that a person leaving his residence in his vehicle knows exactly how is the transport network which will reach him to the airport in time. This network of transport vehicles need to be connected to the traffic light system, (including the VIP movement system..or privileged access system) to enable smooth vehicular movements. The GPS records of the movement need to be picked up say with visuals from different CCTV cameras en-route, processed in real time and decisions to be transmitted back to the grid. If an ambulance is on the way, it should be recognized and provided privileged access. If an accident happens, there needs to be an intelligent rerouting, alerts to the hospital etc.

The technologists will look at different components that will address these systems. However the biggest challenge would be in working out the interoperability of different systems. Application level security may be guaranteed to some extent by the vendors of the systems but the security challenges that may arise from the interconnection of one system to the other would be the responsibility of the network integrator. The decisions of such an integrator would conflict with the decisions of other functionaries as regards to vendor choice, application choice etc and are likely to introduce political and commercial hurdles.

The Smart City management team need to be suitably empowered to take decisions on purchase of products and services by the City. In a way this is similar to what we say in a corporate scenario where the CISO should have a say in hardware and software purchase but it does not happen as often as necessary. In the Corporate scenario we try to over come this hurdle with the formation of a high level Information Security Committee. Perhaps the Smart City project should also create a CISO and Information Security community even at the time of initial planning so that security inputs go into every decision right at the architecture level.

If these challenges are properly addressed, then the cost of the smart city projects will be controllable. Otherwise the project will be delayed and there will be cost escalations along with inefficient implementation of the project.

The Smart City projects should therefore be on the look out for IS professionals of all hue and colour and it would be a great time for such professionals in terms of job opportunities.

Naavi

Just as Maggi has got into a controversy on its taste enhancing additives to its noodles, Airtel appears to be encountering a controversy by introducing a “Computer contaminant” into its customer’s browsers which is an offence under Section 66 of ITA 2008.

According to this report in ehacking news.com , a programmer has published his findings that when customers using Airtel broadband internet account and browse internet, Airtel introduces a java script and an iframe into the browser. This script and iframe points to a specific URL.

On its part, Airtel has released a statement trying to explain its position. The explanation does not appear convincing but appears to suggest that it is trying to develop a tool to provide users information about the data usage during their browsing sessions.

In a way therefore there is an admission that Airtel has introduced what is considered as a “Computer Contaminant” under Section 43 of ITA 2008 which is defined as follows:

“Computer Contaminant” means any set of computer instructions that are designed –
(a)to modify, destroy, record, transmit data or programme residing within a computer, computer system or computer network; or
(b)by any means to usurp the normal operation of the computer, computer system, or computer network

Introduction of a Computer contaminant without the permission of the owner of a computer is a contravention under Section 43 of ITA 2008 and an offence under Section 66. The company would be liable for financial compensation and probably for at least being tried for a cognizable offence.

While the Company may have a reason to experiment with a tool not meant to harm the users, it has ignored the ITA 2008 compliance requirement which could have been met by providing a proper notice to the users.

Hope it would take the necessary corrective action by sending a proper notice to its customers clarifying its position.

(P.S: Thanks to a published erroneous judgement of the Adjudicator of Karnataka in December 2011, and the continued neglect of the Karnataka High Court and the apathy of the Central Government in not appointing a Chair person for the Cyber Appellate Tribunal,  neither Section 43 nor Section 66 is applicable to Bharti Airtel in the state of Karnataka.)

Naavi

New Mobile App launched for Cyber Law Awareness for Everyone

One of the first innovations that the proposed Smart Cities in India need to build up is an efficient way of distributing electricity so that the net cost of consumption of Electricity is reduced. The solution for this without doubt is to build a Smart Grid. A Smart Grid is a mechanism where there is an intelligent sharing of information from the  end of the consumer of electricity and using it to modify the electricity supply and usage pattern so that a balance is achieved between production and consumption.

This requirement of matching demand with supply on a real time basis arises since electricity production and consumption varies throughout the day and there are peak requirements and slack period requirements. Since power cannot be easily and economically  stored and used at different times, if we need to satisfy consumer demand, we always need to keep production matching the peak requirement and let it go waste at other times. Otherwise outages would occur when peak load is demanded and the grid cannot supply the same.

If  smart management of demand and supply is possible,  the consumers can stagger the use of electricity to match the production and suply. Also different production sources such as solar production, wind production, etc can be connected to a common grid to which the conventional production sources dump their production. Since the natural source production of electricity may depend on say the availability of Wind or Sun, there will be variation in production of such energy which needs to be balanced by the consumers being incentivised to  stagger their consumption by offering discounts on consumption when surplus power in the grid is available as against premium charged when there is a shortage.

Also if the consumers are able to produce electricity on their own by say owning solar panels on their rooftops or a single wind turbine in the farm etc., they can supply electricity to the grid during peak hours and earn premium income while consuming electricity for their own use in the off-peak hours when the prices can be at a discount. In a way the consumers will consume electricity when it is cheap on the grid and produce electricity and push it to the grid when it is expensive on the grid.  This makes a consumer become a new category of user who may be called a “Prosumer” who both produces and consumes.

These fancy ideas of a smart grid are very much within the realms of possibility even now if the electric grid architecture can be planned properly ab-initio. The architecture will require supply of electricity and exchange of data over the same power line. In other words, every electric line will carry both electricity and data which will be resolved at each end through appropriate modems. Even broadband on power lines will also be possible under the same system.

The above smart grid applications can be built and are expected to be built in the smart cities. In cities like Amaravati where the electricity lines are to be drawn from scratch, perhaps it would be easier to use the appropriate hardware to build the dual purpose electricity distribution system which can carry power and data over the same lines.

While Electrical Engineers will work on the technology required for the purpose of carrying data over power lines and software professionals build applications to process the data and use them to modify distribution etc., the cyber security professionals will be concerned about the risk of data being unauthorizedly accessed and modified. In fact, the experience of Stuxnet is too recent to be forgotten. All Smart grids will fall into the category of  critical infrastucture and will be juicy targets for Cyber terrorists and as targets during a Cyber War.

Security will therefore be a major concern for Smart Grid developers and hence this is one of the first challenges to be tackled by the Smart City Cyber Security managers.

Note that use of smart grids will immediately require a modification of electricity laws as well as redefining of many cyber crime related laws and there could be obstructions from short sighted politicians who donot understand security issues. Modification of Cyber Laws is therefore a part of the cyber security plan for smart grids or smart cities.

In designing a Cyber Security system for a smart grid, all the five aspects of data security such as Availability, Integrity, Confidentiality, Authentication and Non Repudiation will be applicable. There will be threats and vulnerabilities to be recognized and risks estimated. Controls need to be built to mitigate the risks with a very very low tolerance levels and with redundancy built in some form to tackle the inevitable security breaches.

Building security to a smart grid system after it is established would be complicated, inefficient and some times impossible. Hence planners of the Smart cities need to integrate cyber security plans when building the smart grid network itself.

It is difficult to conceive of the cyber security system for a smart grid without knowing exactly the architecture. But NIST has worked on the requirements and come up with a suggested architecture for interoperability as well as guideline for information security applicable for smart grids and perhaps it needs to be adopted to our requirement with whatever minor changes need to be made.

If these requirements are not studied now and addressed, the specifications for the hardware would be imperfect leading to delay in projects, escalation of project costs and also compromise of security for which we may have to pay a huge price some time in future.

I therefore request the CM of AP in charge of Amaravati project,  Mr Chandrababu Naidu and also the Union Power minister Mr Piyush Goyal  not to neglect the cyber security requirements of smart grids when they plan for the smart cities, and more particularly for Amaravati where work has to commence from a zero base.

Naavi

AP Chief Minister Mr Chandrababu Naidu laid the foundation stone for the new Capital City of Andhra Pradesh to be known as Amaravati. The City is to be developed as a “Smart City”. Knowing the cyber savvy nature of Mr Chandra Babu Naidu and the opportunity to build the capital city with a Zero based planning, it is possible that Amaravati can come up as an ideal smart city which is the dream of Mr Narendra  Modi.

While we watch the developments as they unfold, we once again reiterate that the success of the concept of “Smart City” is closely associated with the Cyber Security plans that are implemented when the smart city is built brick by brick. As if to remind everyone about the vulnerabilities associated with the dependence on “Information” in Governance, US Government has announced its apprehensions of a major hacking of its federal information systems by China. (Read the article in Independent here).

A Smart City by its very concept is highly susceptible to information security vulnerabilities since its critical resources such as Electricity Supply, Water Supply, Road Transport, Health system etc will be vulnerable to terrorist attacks and cyber warfare. We are not sure if managers of other smart cities are capable of understanding these risks and taking appropriate security measures but feel that Mr Chandrababu Naidu is one who can understand the risks and take such steps which would form a guideline to other smart cities in India.

We therefore congratulate Mr Naidu on laying of the foundation stone for  Amaravati, and at the same time urge him to lay the foundation stone for an appropriate “Smart City Cyber Security Framework” which is technologically sound.

We reiterate that the technologically sound cyber security framework should also be supported by a “Smart City Cyber Law Framework” which takes into account the issues surrounding Big Data and Internet of Things. Aditionally  people involved must be adequately trained and motivated to implement the information security as a backbone to the city’s law and order eco system.

Naavi.org will try to present the major information security issues to be tackled by a Smart City one by one. I request all security professionals to consider contributing to this knowledge base in the form of articles on various issues involved in securing the Smart City cyber systems. The articles and comments can be sent to naavi@vsnl.com with a brief profile of the author, for publication in Naavi.org. Students of Technical and Legal institutions are also welcome to contribute.

Naavi