Click to learn more about author Samuel Bocetta

Sometimes, it can seem that the Internet of Things (IoT) is getting out of hand. One of the biggest data trends in 2020 has been device manufacturers embedding “smart” chips into everything from running shoes to refrigerators.

At first glance, the “smart streetlight” program that has been running in San Diego for the past few years seems to fit into this category. There is no immediate, obvious reason why streetlights need to be that smart, after all. According to the city government, however, these intelligent lights will help to improve electricity consumption in the city and also (more worryingly) provide data on the movements of citizens.

This last objective has some citizens of the city worried that their city doesn’t understand Data Governance and might be using the information that the streetlights collect to spy on their own residents. In this article, we’ll take a look at whether they are right, the implications of their court case, and why issues like this are not going to go away anytime soon.

“Smart Streetlights” and Privacy Protection

The most recent development in this saga has been the decision of a local advocacy group, called the San Diegans for Open Government, to sue their own city government in December 2019. The group claims that smart streetlights are being used to collect data on citizens without their consent.

To be clear, the complaint is not that this program was designed as a malicious attempt to secretly collect data. Rather, the group accuses the San Diego city government of simply not understanding basic Data Literacy principles. Their concern is also shared by lawmakers. Earlier this year, three city council members requested that the mayor stop using the cameras until they were provided additional information on where and how the data is being used.

The city government responded by embarking on an extensive process of implementing common reputation management protocols, seeking to defend itself against these allegations.

“The data collected from those nodes are exclusively owned by the city, and any assertion otherwise is wholly inaccurate,” read a statement from General Electric, who partnered with the city to set up the system.

The IoT and Data Collection

The upcoming court case is being seen as a test of whether average citizens in the US are adequately protected by existing data privacy laws. Some have argued that consumers have already lost the privacy war in the country. Others claim that recent legislation — including the California Privacy Act, which is seen as a groundbreaking piece of law — ensures that citizens have the right to request that their data be deleted.

For many, this line of defense will be seen as completely inadequate. Technological advances such as unlimited cloud storage, the miniaturization of computing devices, and AI-driven data analysis have made it possible for both government agencies and corporations to collect unprecedented amounts of data on citizens, often without their consent. For the citizens of San Diego (or any other city), the fact that they can request their data to be deleted is not enough. They simply don’t want to be spied on in the first place.

Another relevant issue that is cause for concern is that the corporate partner for the program General Electric also has access to this data. Though the company claims that this will never be shared with third parties, San Diegans clearly do not trust this assertion.

Why it Matters

Even with the promise of data not being shared widely, it still wouldn’t make a difference regarding the dangers of using streetlights to collect data on everyday citizens.

This is because city governments have a terrible record when it comes to protecting this kind of data. They are increasingly a target for hackers, and not just because they hold plenty of sensitive (and therefore lucrative) information. They are also poorly protected against cyberattacks because they lack the expertise necessary to secure the increasingly complex networks that they are using.

At the broadest level, there is also another principle at play. They claim to use this data for analyzing the way that citizens use the city and not for selling purposes. However, this is worryingly close to the kind of “profiling” that both hackers and mega-corporations use to target their attacks and their ads. Usage of a particular street, for instance, could be correlated with other data that the city holds, like SSNs, financial statistics, and tax records, to build detailed profiles on the people of the city.

And finally, there is a caveat hidden within the city’s protestations of innocence. “Unless explicitly instructed to do so by the city in accordance with all applicable law, the partners in the project do not provide that data to any third parties,” General Electric’s corporate team spokesperson said. However, this data becomes accessible to the government as soon as it invokes (or passes) a law that gives it access.