
Intro (00:01):

Welcome to the She Said Privacy, He Said Security podcast. Like any good marriage, we will debate, evaluate, and sometimes quarrel about how privacy and security impact business in the 21st century.

Host (00:21):

Hi, Jodi Daniels here. I’m the founder and CEO of Red Clover Advisors, a certified women’s privacy consultancy. I’m a privacy consultant and a certified information privacy professional, and I help provide practical privacy advice to overwhelmed companies. Hi, I’m Justin Daniels. I am a cybersecurity subject matter expert and business attorney. I am the cyber quarterback, helping clients design and implement cyber plans. I also help them manage and recover from data breaches. I also provide cyber business consulting services to companies. We have John Corcoran here who has done thousands of interviews, and we have flipped the script and he’ll be interviewing us today. John, take it away.

John Corcoran (01:05):

All right, Justin and Jodi, it’s a pleasure to be with both of you here today. And in this episode, we’re going to be talking about smart cities. What are they? What, how do you deal with them? What are some of the privacy concerns that we have about them? So we’re going to talk all about that. But first, before we get into that, this episode is brought to you by Red Clover Advisors, which helps companies to comply with data privacy laws and establish customer trust so they can grow and nurture integrity. Red Clover Advisors works with companies in a variety of fields, including technology, SaaS, e-commerce, media agencies, professional services, and financial services. In short, they use data privacy to transform the way companies do business together. We’re creating a future where there is greater trust between companies and consumers. To learn more, you can go to redcloveradvisors.com or you can also email info@redcloveradvisors.com. All right, guys. So let’s launch into this topic of smart cities. It’s a term many of us have heard of, probably a lot of people not sure exactly. Where does the line between an existing city and a smart city start? So Justin, I want to start with you. Can you define for us, what does this term smart city mean?

Host (02:17):

Well, when I think about a smart city, I think about the use of technology to make a city more productive, more efficient and easier for its citizens to access. So think about transportation and how technology could be used to have better traffic and how the traffic lights might be done differently, or how you might use things such as drones to make more efficient transporting products and services within the community.

John Corcoran (02:49):

Those sound like all really positive things. But I imagine there is a flip side to that. So Jodi, let me turn to you. What are some of the privacy concerns that we should all be aware of when it comes to the development of these smart cities?

Host (03:04):

Well, it all goes back to what I’m always talking about, which is what data is being collected and how is it being used. So if I’m standing in a public area and there’s some cool gadget that’s going to monitor and collect information, does it have a picture of me? Does it have a picture of my car? Does it know what I’ve done? Can it connect to my phone? What kind of information will it have? And so then, okay, so let’s say it had my license plate. Great. Well, what does it do with it? Does it just keep it in a nice little filing cabinet for posterity? Or is it going to match it up to something else? Or did it even get that information kind of by accident? Because what it was really trying to do is figure out how many cars were going through, but the only way to do that is because it captures the license plate, but it doesn’t really even want the license plate. Does that make sense? So it’s really all going back to the understanding of data collection. What data are we collecting and how is it being used?

John Corcoran (04:04):

And what sorts of categories of data are you seeing being collected these days? It sounds like photographs, video, personal information.

Host (04:15):

Yeah, well, some of the other newer ones are going to be biometric information. So eye scan, fingerprint scan, facial recognition, things like that. And Justin, I’m sure you have some others.

Host (04:29):

I think the other kinds of data would be what route you traveled to work, where you are at a particular, certain time and day during your work day. So you can use one piece or multiple pieces of data to really construct where each one of us goes and what we’re doing all day. And we may not even realize it at the time that all of this data is being collected and can be hooked together to create this kind of roadmap as to where we are, where we’re going and what we’re doing all day.

John Corcoran (05:00):

So, for example, to use your example, the route we drive to work, if you had, let’s say, a very contentious custody battle between two parents and that information was public, the other spouse could find out what route they’re driving to get to work. Is that the sort of thing that might arise from this type of situation?

Host (05:18):

Or think about the route they may be driving to go see their not-spouse, or their spouse isn’t aware of it, or you could have a situation, and I’ve seen this happen already with attorneys that I’ve talked to, where if you have smart devices all over your house and you’re living with someone and you’re mad at them, you might put on the smart device when it’s like really hot and turn the air, not down but up, and there’s cases where people have done that. Cause they’re mad at somebody, and why get mad? You can just get even by doing something like that, utilizing smart technology.

John Corcoran (05:54):

And so we need to think what data is being collected and then the other piece, or the next piece is what should be shared, what shouldn’t be shared. So Jodi, turning back to you, share with us your thoughts on, you know, what should be shared, what shouldn’t be shared and what our expectations are here.

Host (06:12):

Well, that’s a key question around expectations. So if I’m in a public area, is the expectation that it’s public data or that it’s private data? That’s kind of the quintessential question. You know, you go to an event, someone’s taking a picture. Was that a public picture with you in it? Or was it a private picture? Right? And the other piece to sharing is then who is going to, so are these going to go to vendors or service providers that might be doing something else with the data? Maybe they’re going to help us analyze it. And so they need that information. How that company is going to use it is going to be very different, and our concerns are going to be making sure they only use it for what we sent it to them. And we want a strong contract in place, but do we share it to some other, maybe we’re going to participate in a research study and who else is going to have that information and are they going to take that and match it with somebody else?

Host (07:12):

So it really goes back to kind of that use piece, and connected to all of this is how do you inform somebody about how this is all going on? And so we have the idea of smart devices that a city, a public entity might have. And so where’s the obligation? Because, you know, I’m driving, you can’t just, like, pop up notices all the time if there’s something on a traffic light. And we’ve had cameras up before. And so those you kind of just had to know, or you’d go to a central place to be able to learn what was being captured in those. So it’s kind of an interesting challenge of how many devices and then how someone learns about what’s actually happening in a language someone can understand. I know you work on this a lot. So one of you share some of your real lives.

Host (08:12):

So I think to Jodi’s point, in some of the work that I’ve been doing for the Curiosity Lab, I’ve had to research what happened in some other cities. So in the center city of San Diego, they put up some video cameras as part of smart streetlights. And in their contract, it allowed the manufacturer of the streetlight to get the data and sell it to third parties. They didn’t go through their procurement process and negotiate that. So when the citizens found out about that, they were understandably upset about that. But then the other thing that happened in San Diego with those streetlights is the Black Lives Matter movement. And all of a sudden the streetlights that were supposed to be for innovation and technology start to get the perception that they’re being used for surveillance. And to me, when you start talking about smart cities, one of the biggest issues that you have to grapple with is what is the difference between innovative technology for smart cities versus enabling government to have more surveillance.

Host (09:21):

And so what Jodi and I are talking about really is how do you proactively think about privacy at the inception of designing and implementing or deploying all of this technology? Because what happens in too many places, because the public sector is no different than the private sector, they deploy all this. And then the privacy crap hits the fan and they worry about it later with a lot of negative results. Because one of the other studies I looked at with Sidewalk Labs in Toronto is once they lost the support of the public, there was no getting it back. It wasn’t like you could do another campaign to get people to say, okay, no harm, no foul. We’re going to believe in this. It completely torpedoed the whole project. And that’s why I think in this whole public arena, the privacy issue is a critical issue to be thinking about before you deploy this technology, because as we’ve alluded to on this call, when Jodi and I are in the public right-of-way, well, we really don’t have an expectation of privacy, but what are you doing if you are collecting and using that data? Cause I didn’t get to consent to how you’re using that data, but yet it really impacts me in several of the examples we talked about just a few minutes ago. So

John Corcoran (10:38):

Would you say that cities are doing a good job so far of anticipating the different privacy concerns which come up or are they not? It sounds like there are plenty of examples where cities haven’t anticipated other ways in which privacy concerns come up. Jodi, I’ll turn over to you.

Host (10:58):

Yeah. I mean, I think there are certainly some cities that are doing a really nice job in realizing that this is a modern day problem and they’re taking the steps that an organization of any kind or company or a city public should be taking. And at the same time, there are a lot of cities that are not even realizing all the different areas that they need to be paying attention to. So I would say it’s probably fairly similar to the private sector of what you would find. There’s always room for improvement.

John Corcoran (11:34):

Following up on that question, Jodi. So how do cities that want to take advantage of new technology, but don’t want to lose trust with their citizenry and don’t want to infringe on privacy, how should they be anticipating these issues? Is there a public process? What would you recommend?

Host (11:54):

So I’m actually gonna send that over to Justin because he’s worked on some things like this and he has some good firsthand notes. So I guess the first thing I’d like to say is I’m going to quarrel a little bit with Jodi and say that most cities are not doing a good job with the privacy. And there’s a reason why, and it’s one word: funding. So think of private corporations who have lots of money and they struggle with privacy and security. You’ve read about it in the paper now.

John Corcoran (12:24):

I mean, to the point, I mean, there are companies that have billions of dollars and they have big privacy, unanticipated issues that come up. So you think of like a small city that has a small, much smaller budget.

Host (12:36):

Yeah. So what I’m going to say is most cities aren’t even thinking about this or doing anything about it because one, there’s a lack of awareness, but two, even when there is, where do you find the funding as a public entity to do a lot of this stuff? Because to do it requires a lot of time, money and effort with smart people. So I would argue that it’s an even tougher problem in the public sector for funding alone. But to answer your question about what cities can do, one, which Jodi does a lot, it’s privacy notices on websites, where if you have smart cameras in rights-of-way, you may put something up in the right-of-way. But the other thing is, and this is where I think this is going to be more of a societal thing that we’re going to have to talk about, is maybe if you do collect data in the right-of-way, maybe it’s only used for maybe a research project.

Host (13:33):

It’s not used to commercialize the data by selling it to third parties. Maybe as a city, you have an open city council meeting and say, hey, we want to implement that. You hear from citizens and you put in place a set of privacy principles that talk about transparency and other things. And then as Jodi will tell you, you can’t just have a policy because it doesn’t matter what you say. It matters what you do. And what you say has to matter, has to be consistent with what you do. And so that’s really where it comes into play is you’ve got to decide what are we going to do and do it. And then you put things in writing in terms of privacy notices and whatnot that are consistent with what you actually do. And you do all of this prior to the deployment of the technology, so that you’ve thought about this. So when the unanticipated thing inevitably happens, you’re in a much better place because you’ve thought about these issues to address that unanticipated what-happens, as opposed to not thinking about it at all. And now you have no idea what to do, and you’ve lost public confidence, which is very difficult to get back.

John Corcoran (14:41):

Jodi, are cities creating some sort of like city committees or subcommittees, which have stakeholders that are involved in it? Do you see anything like that happening right now?

Host (14:52):

Not really. I mean, it’s maybe the person who’s aware of, oh, I should pay attention to privacy, putting their privacy hat on, or putting their hat on and recognizing, I need to get more information on this or speak to experts, and bringing in the right people. But a committee, I haven’t really seen a whole lot of committees taking place. What I would offer is that for anyone who’s embarking on this, the stakes to me are extremely high. When you have taxpayers, that, right, no one wants to lose a customer, but if I lose a customer, you know, one, me as the customer, I can go find another company to go get my item, but I can try and lure them back. Here, you’re going to have really angry taxpayers who might try and vote you out of office, of whoever’s in office that might’ve been responsible, but this is the place that they live.

Host (15:46):

This is their society. This is their home. This is very different information than whatever company I might’ve given it to. So the public trust that Justin was talking about, I think to me, the stakes are extremely high when it comes to, you know, my home, my area, where my tax dollars are going to, cause I can’t control where tax dollars go. Only with my vote is how someone can control. I can absolutely control, if you do something and I don’t like it, I’m just not going to use you as a company anymore.

John Corcoran (16:16):

Yeah. Justin, you mentioned a second ago privacy practices, like kind of a template or something. Are there, I know you’ve been involved in these sorts of things, but are there templates being developed, especially for smaller cities that don’t have the resources, where they can put in place a set of best practices, so that at least on the guideline side, as opposed to the committee oversight side, they have something in place? Or are smart cities so dynamic and changing that it’s hard to create something like that, that’s templated and it’s not customized, and that’s a set of best practices?

Host (17:01):

So I know that NIST, which is called the National Institute of Standards and Technology, which is a government organization, is trying to come out with some standards that do apply to smart cities. You can put together some principles like transparency and some other things. Where we’re at, because we don’t have any kind of overarching privacy or security laws, you do get into communities that may feel different about privacy versus commercialization. And I think that’s where you have to take into consideration that a city in Georgia might feel one way about how they interact with law enforcement, as opposed to a city in California or New York, that may feel a different way. And so I think there are ways to have a template approach about overarching principles, but the implementation, you know, communities aren’t homogenous, you know, even in Georgia, I can go to Atlanta or go to a city in South Georgia or Northeast Georgia, and there’ll be very different communities. So you have to take that into consideration as you develop this. But I think the key takeaway, and this is what I see time and time again, both in the private and public sector, is you need to be thinking about these issues as you are developing your technology prior to deployment. Cause it’s just been the default, we’ll just deploy this. The efficiency is great. The benefit is great. Oh, that privacy and security stuff, it’s an afterthought. And then when you have an incident or something else, that’s when it comes to the forefront. And that’s the mindset that has been difficult to shift. Unless you’ve had a breach or you are subject to regulation, it’s kind of been, that’s the way it’s gone.

Host (18:50):

Running a little short on time, but Jodi, any final thoughts on smart cities, privacy concerns that any city regulators, managers or administrators who may be listening to this in the future be thinking about?

Jodi (19:04):

I think to me, privacy is always about building trust. And especially when you have taxpayers, when you have the public, it’s essential to be able to establish that sense of trust. What they’re doing from a smart city perspective, it’s just one slice of everything else that’s happening. And so making sure that they really realize the capabilities of these technologies and thinking through all aspects of data. So for example, the situation that happened in San Diego wouldn’t happen because you would have thought through, oh wait, I have this data, it’s going to this vendor. Then what happens? And you’re just kind of following the data trail, all with a basic principle.

Host (19:47):

It’s not only transparency, as Justin just said, but this foundation of trust, because at the end of the day, that’s what it’s about. What’s made to do something to make it a better community. That’s really what they’re trying to accomplish through technology. And so if we remember that they’re humans, that they’re people and we need to keep that sense of trust with them, then I think that will start to help that privacy more at the top for the cities who haven’t already considered it. Well, if I’m a citizen or I’m a city manager and we want to learn more about Red Clover Advisors and you, the work that you do, Jodi, where can people go to learn? Absolutely. So visit us at redcloveradvisors.com or send us an email at info@redcloveradvisors.com and find us on social media. Find us on LinkedIn.

New Speaker (20:37):

Justin, Jodi, thanks so much. Thanks for listening to the She Said Privacy, He Said Security podcast. If you haven’t already, be sure to click subscribe to get future episodes and check us out on LinkedIn. See you next time.
