Malcolm Dowden, Consultant, Charles Russell LLP

2014 promises to be the “year of the smart city”. With World Cup host Rio de Janeiro winning the World Smart City Award 2013, media coverage is likely to spur on similar initiatives around the globe.  Inevitably, concerns about “data mining”, privacy and civil liberties loom large.  How real are those concerns? Are “smart cities” likely to be a dystopian surveillance state, a honey pot for cybercrime or a goldmine for market researchers?

There is no single model for a smart city. Projects seek to harness technology to make cities more “liveable” and resilient. For Rio, the priority was to establish a “mission control” to monitor and allow swift response to infrastructure problems, power failures, extreme weather or law enforcement issues.  For others, such as Shenyang in China, “smart” relates primarily to environmental performance, focusing on energy generation and consumption, water and waste management.  In even more sophisticated models, piloted in Stockholm and Dublin, real-time data produce a dynamic map of human behaviour, revealing the city’s needs and pressure points and allowing authorities to plan and refine infrastructure and service provision.

The common factor, though, is the central role of electronic communications, data-mining and data-analytics.  Information is both the crucial enabler for smart cities and, arguably, their point of greatest vulnerability.

Data: the price of progress?

Interconnectedness between the private sector, local authorities and individuals is a central part of the “spirit” of a smart city.  The UK’s Department of Business, Enterprise and Skills (BIS) described it as “enabling and encouraging the citizen to become a more active and participative member of the community, for example providing feedback on the quality of services, the state of roads and the built environment”.  In Rio, citizens can highlight a problem, from potholes to pollution, simply by taking a picture of it on their smartphone and uploading it.

Even when they are not purposely uploading data, citizens are constantly giving up information about their movements, activities and economic choices.  RFID devices such as travel cards log data about individual movements, readily supplemented by data from mobile phone base stations that can also identify factors such as the angle of arrival into a cell, dwell time and even purchasing choices.  Add to that the constant stream of CCTV images and an exceptionally detailed picture of individual life can be constructed.  Apply analytics to that data and it is possible to build an actionable picture of collective life, allowing authorities to move towards the “liveable” city.

To date, the focus has tended to be on gathering rather than protecting data, though data security must emerge as a central concern of governments, municipal authorities and individual citizens.  Information held by authorities offer a vast honey pot to cybercriminals and “hacktivists” and place a significant burden of responsibility on governments.

In October 2013 BIS listed trust in data privacy and system integrity as a barrier to smart city projects.  However, it offered no solutions, merely reciting that “good cyber security implementation will be essential: and clear communication with service users about how data about them is used and protected, and how the use of that data benefits them, will help build trust”.  That reads as an aspiration rather than as a plan.

Equally significant is the potential for authorities to succumb to the temptation to regard data as commercially exploitable.  Smart city projects are expensive, so it is a logical enough step to seek access to private sector funds otherwise than through taxation.  However, the already fragile confidence in government handling of information is easily dented by controversies such as the UK’s NHS Care.data project, delayed when it emerged in February 2014 that hospital data had been given to the insurance industry and used to assist with the pricing of its products.

Big Brother or BigCo?

While authorities seem to accept that there is a need for cybersecurity to combat malicious activities, it is less apparent that there is any clarity of thought when it comes to defining the legitimate use of data gathered by those authorities.  In Europe, and other regions with similar data protection laws, the key battleground is likely to be the definition of “personal” data relating to identified or identifiable individuals.

Determining whether something is held as “personal” data is not always easy. The UK’s Information Commissioner has published 30 pages of guidance on the question.  It identifies several borderline cases, where the same information could fall either side of the line.  For example, a photograph of a crowd taken by the police to identify troublemakers should a riot erupt would be personal information.  The same photograph taken by a photo-journalist with no intention of identifying individuals would not.  Anonymous or anonymised data, packaged and passed on or sold for statistical purposes, may not be personal data unless it includes elements such as code numbers that could be used to identify individuals.

Historically, information gathering has often turned rapidly to commercial gain.  The UK’s Mass Observation project set up in 1937 to produce an “anthropology of ourselves” unsurprisingly became, by the 1950s, a market research company.  Information is not only power, it is value. Even if governments adequately address the risk of malicious access, smart city projects are likely to face and seek to find ways around legal restrictions on data processing and disclosure.  The issues will be extremely complex.  Individuals often click through screens requiring agreement to terms and conditions including the sale of data, to get to the product or service they require.  From a government perspective, disclosure of personal information might easily be regarded as fair exchange for improved services and “liveable” cities, with at least some costs being recouped by selling information to the private sector.  The debate is not about narrow regulation, but about the extent to which any concept of data privacy ought to yield to a greater need to address the stresses and resource-hunger of modern urban life.