Phase 2 of the Chicago Array of Things (AoT) is scheduled for deployment in September 2016. Beginning in August 2016, 46 surveillance sensors will be installed along the Lake Michigan shoreline and throughout downtown. By 2018, over 500 data tracking points will be peppered throughout the Chicago metropolitan area: an elaborate data collection system converting the inner-city public into a laboratory for behavior mapping and pattern recognition.
Operationally, the program is run by the Urban Center for Computation and Data (UrbanCCD) in partnership with the City of Chicago and the Smart Chicago Collaborative. Research institutions with primary access to the data include the Computation Institute at the University of Chicago and Argonne National Laboratory, a research arm of the United States Department of Energy.
The AoT program describes itself as “an urban sensing project, a network of interactive, modular sensor boxes that will be installed around Chicago to collect real-time data on the city’s environment, infrastructure, and activity for research and public use.” While there are considerations for public use, there was no public buy-in, no vote, no consensus, and laughable marketing and public outreach. The Array of Things (AoT) Civic Engagement Report touts transparency and public engagement; however, citizens of Chicago were allowed to comment ONLY through online forms and TWO public meetings. The first meeting was held at 5:30 PM on Tuesday, June 14, 2016 at Lozano Library; only 40 people attended. The second meeting was held at 5:30 PM on Wednesday, June 22, 2016 at Harold Washington Library; again, only 40 people attended. One wonders why the meetings were held on weekdays, at such a difficult hour for the average person to attend, and how such an obvious failure in marketing and engagement could be touted as public acceptance. Only 40 people? Really?
The Smart Chicago Collaborative’s outreach goals made it clear…
- Educate Chicagoans about the Array of Things project, process, the potential of the research, and the sensors’ capacities
- Inform future generations of the Array of Things sensors
- Understand what the people want out of the Internet of Things & these neighborhood data
- Collect resident feedback on privacy and governance policies for Array of Things
… the public meetings presupposed program “acceptance”; rejection was never up for discussion, and Chicago citizens were denied the option to say no — a classic neuro-linguistic programming and Delphi technique. People attended the meetings under the guise of involvement when none existed. The meetings were strictly for gauging public pushback: risk-management information gathering sessions.
“All operational sensor data will be publicly available as open data, owned by the University of Chicago.”
On the AoT policy responses page, the program confirms that harvested data (electronic device identifiers, license plate location and identification, audio recordings, images, personal characteristics, voice signatures, facial geometry, and other biometrics) is owned by the University of Chicago, AND that the university will also hold copyright! Recordings of private conversations, images of individuals, and databases of public information, all owned under copyright. This is not a public system with public oversight — no Freedom of Information requests, no redress of grievances, no recourse — this is a private system with just enough public access to quiet the masses through the illusion of participation.
Secondly, once vast amounts of behavioral pattern information are publicized, they can be used for ANYTHING; no controls exist on who may use the data or how.
“In order to support economic development, data from approved experimental sensors, installed for specific research and development purposes, may be withheld from (or aggregated for) publication for a period of time in order to protect intellectual property, ensure privacy or data accuracy, and enable the proper calibration of the sensor.”
One wonders what exactly “experimental sensors” translates to: specifically what functionality they add, what additional data will be harvested, who will be performing the experiments, whether all experimental study data will be made public, and whether the public will be notified prior to experimentation.
“PII data, such as could be found in images or sounds, will not be made public”
According to Illinois code:
A person commits eavesdropping when he or she knowingly and intentionally:
(1) Uses an eavesdropping device, in a surreptitious manner, for the purpose of overhearing, transmitting, or recording all or any part of any private conversation to which he or she is not a party unless he or she does so with the consent of all of the parties to the private conversation;
(2) Uses an eavesdropping device, in a surreptitious manner, for the purpose of transmitting or recording all or any part of any private conversation to which he or she is a party unless he or she does so with the consent of all other parties to the private conversation;
(3) Intercepts, records, or transcribes, in a surreptitious manner, any private electronic communication to which he or she is not a party unless he or she does so with the consent of all parties to the private electronic communication;
(4) Manufactures, assembles, distributes, or possesses any electronic, mechanical, eavesdropping, or other device knowing that or having reason to know that the design of the device renders it primarily useful for the purpose of the surreptitious overhearing, transmitting, or recording of private conversations or the interception, or transcription of private electronic communications and the intended or actual use of the device is contrary to the provisions of this Article; or
(5) Uses or discloses any information which he or she knows or reasonably should know was obtained from a private conversation or private electronic communication in violation of this Article, unless he or she does so with the consent of all of the parties.
“For the purposes of instrument calibration, testing, and software enhancement, images and audio files that may contain PII will be periodically processed to improve, develop, and enhance algorithms that could detect and report on conditions such as street flooding, car/bicycle traffic, storm conditions, or poor visibility.”
The language describing how PII will be processed is left intentionally vague with no indication as to what system capabilities actually are and why specifically PII will be used as opposed to non-PII. This allows program operators to widen the scope of data harvesting and utilization without policy modification.
“Raw calibration data that could contain PII will be stored in a secure facility for processing during the course of the Array of Things project, including for purposes of improving the technology to protect PII. Access to this limited volume of data is restricted to operator employees, contractors and approved scientific partners who need to process the data for instrument design and calibration purposes, and who are subject to strict contractual confidentiality obligations and will be subject to discipline and/or termination if they fail to meet these obligations.”
This section implies that no retention policy exists for PII; data is stored and used for the life of the project — and how long is that? If images and audio are stored indefinitely, any individual can be identified from habits and clothing, and common routes can be used to determine the locations of home, work, family, and friends.
Interestingly enough, the online forum provided by AoT for public comments and questions buried the most articulate questions without addressing them on the AoT policy responses page.
From members of the Symposium on Usable Privacy and Security (SOUPS), including: Lorrie Faith Cranor, Carnegie Mellon University; Alain Forget, Google; Patrick Gage Kelley, University of New Mexico; Jen King, UC Berkeley; Sameer Patil, New York University / Indiana University; Florian Schaub, Carnegie Mellon University / University of Michigan; Richmond Wong, UC Berkeley:
At the Symposium on Usable Privacy and Security 2016, held last week (June 22-24, 2016) in Denver, Colorado, a group of privacy and security researchers looked at the Array of Things project and its current documentation. The short report below is a compilation of their feedback. Overall, we appreciated the thought and care given to privacy and security throughout the proposed documents and the Array of Things project. Having a period of public comment, an open and thoughtful process for selecting new node locations, and an AoT Security and Privacy group are steps that lead to practical privacy for the people of Chicago.
If sound recordings are going to be made, it is important to make sure this is in compliance with the Illinois wiretapping law.
Notice: The current policy document has no specifics on how notice will be provided to residents of node areas or to visitors who happen to drive or walk through the range of a node. We believe significant thought needs to be given to how to notify people that they are in the area/range of a node and that their data is being collected. This will also allow them to find out what choices they have in removing their PII or other data from an open repository.
While much of the data collected as part of this project will be made public (through the open data repository) and can then be used for nearly anything, it is still important to explain potential data use to participants. This should include, at least:
- A description of how each data type collected will be anonymized and aggregated.
- Specific examples that show how each data type could potentially be used.
- What sorts and formats of data (i.e., aggregated versus specific data items) the annual report will include.
- Consideration of establishing a use policy for the open data set, or setting up guidelines for how to respond in the event that open AoT data is used by other parties for malicious or discriminatory purposes.
- Notice regarding whether the data will be used by law enforcement for any purpose.
Annual Report: While it is commendable that the AoT group has declared that the policy will be reviewed annually, we would recommend that the review include more specification (What sources of data will be reviewed? How can the community participate? Will this include potential breaches, violations of policy, and/or public complaints?), as well as address the need for evaluation, specifically: Is the project meeting its stated goals? Who will review the project for compliance with its stated policies, and how will this review be conducted? How will the annual report be distributed to the public?
Small edits to the language: Phrases such as “Collection may include but is not limited to” or “other biometric data” should be avoided. While they may be standard legalese for privacy policies, given your project’s spirit and values, we recommend that you strive for openness and transparency. You should do your best to explicitly describe all data collected and the purpose of collecting them. If more types of data are collected in the future, then the descriptions and explanations should be updated.
From the Future of Privacy Forum (FPF), a think tank seeking to advance responsible data practices, supported by leaders in business, academia, and consumer advocacy:
- How long PII will be retained, how PII will be disposed of after it is no longer reasonably necessary for the purposes for which it was collected, and how PII will be treated if the AoT program dissolves or transfers ownership.
- How and when PII will be deleted or de-identified.
- How the program operators will respond to requests from local, state, or federal civil or law enforcement agencies to access PII (such as when presented with a warrant or subpoena) and to what extent PII is subject to Freedom of Information Act disclosure requests.
- Information on how to contact AoT officials regarding any privacy or data security breaches.
- How will PII be secured through appropriate administrative, technical, and physical safeguards (such as encryption at rest and in transit, local processing or storage, etc.) against a variety of risks, such as data loss, unauthorized access or use, destruction, modification, or unintended or inappropriate disclosure.
- What mechanisms, if any, are available for individuals to exercise control or choice over the collection of PII (e.g., could individuals turn off their phones or participate in an opt-out to avoid certain kinds of tracking?)
- In privacy nomenclature, describing data as PII typically means that the data can be linked to an identifiable individual, whereas considering data “sensitive” typically signals that the data will be treated to a higher standard of privacy protection. In order to avoid confusion, we suggest clarifying these terms.
- When audio or image files may contain PII, what specific kind of PII is collected. There is a stark difference in privacy impact between software used to simply detect faces (facial detection) and software capable of identifying individuals in photos via biometric templates (facial recognition).
- A similar distinction is made between speech detection and speech recognition capabilities. Given the general public unease about loss of anonymity and privacy in public spaces, it is key to clarify what technologies are being used in this context and what capabilities they have for processing PII. This will help allay fears regarding the use of PII from image and audio files captured in public spaces.
- How the AoT will ensure adequate de-identification for data made public through the City’s data portal. Open data enables important scientific research and urban innovation. Given the AoT’s intent to make its data available freely, it must implement the strongest possible protections against the intentional or inadvertent re-identification of any individuals within the data set. AoT should clarify publicly how it will ensure that the risk of re-identification is sufficiently low that individual privacy can be guaranteed. What is the acceptable threshold for re-identification risk, and how is it calculated? Will the AoT use differential privacy solutions? How will AoT handle the de-identification within image or audio files as opposed to structured textual data? Will any legal controls or commitments (such as agreements to not attempt to re-identify data) be required before accessing de-identified data? While not expected to publish every detail of its de-identification strategy or lock itself into a particular set of practices, the AoT should make known important parameters to increase trust and transparency.
Additionally, FPF recommends that all smart city initiatives, including the AoT, implement a variety of other organizational and technical measures to safeguard personal data, including:
a. Mapping data flows, including where data is collected and how it is used throughout the entire AoT ecosystem.
b. Classifying data according to sources, identifiability, sensitivity, and uses.
c. Documenting processes and procedures for sharing data with third parties and monitoring vendors, including data use agreements, audit and standard contractual terms, and transparency about how and by whom scientific partners are “approved.”
d. Safeguards to protect against unfair or discriminatory uses of data.
e. Identifying what data sets are owned by which stakeholders, and any relevant copyright, licensing, or access provisions.
f. Documenting risk-benefit assessments and structured ethical review processes for evaluating new research or uses of PII. (See, e.g., fpf.org/wp-content/uploads/FPF_DataBenefitAnalysis_FINAL.pdf)
Thank you again for this opportunity to comment.
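The FPF questions above ask whether AoT will use differential privacy when publishing data. As one concrete illustration (not part of any stated AoT policy), the Laplace mechanism adds calibrated random noise to aggregate statistics so that the presence or absence of any single individual cannot be inferred from a published number. The function names and the pedestrian counts below are hypothetical, chosen only to show the mechanics:

```python
import random


def laplace_sample(scale: float) -> float:
    """Sample from Laplace(0, scale): a random sign times an
    exponential magnitude with mean `scale`."""
    magnitude = random.expovariate(1.0 / scale)
    return magnitude if random.random() < 0.5 else -magnitude


def dp_count(true_count: int, epsilon: float, sensitivity: float = 1.0) -> float:
    """Release a count with epsilon-differential privacy (Laplace mechanism).

    Adding or removing one person changes a simple count by at most 1
    (the sensitivity), so noise drawn from Laplace(sensitivity / epsilon)
    masks any single individual's contribution to the published total.
    """
    return true_count + laplace_sample(sensitivity / epsilon)


# Hypothetical example: hourly pedestrian counts from one sensor node.
hourly_counts = [132, 87, 45, 210]
epsilon = 0.5  # smaller epsilon => more noise => stronger privacy
noisy_counts = [dp_count(c, epsilon) for c in hourly_counts]
```

A smaller epsilon gives stronger privacy at the cost of noisier published statistics; the operator's choice of epsilon is exactly the kind of "acceptable threshold for re-identification risk" parameter the FPF comment asks AoT to disclose. Note that this technique applies to structured counts and aggregates; de-identifying raw images and audio is a separate, much harder problem.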
“In general you could not assume that you were much safer in the country than in London. There were no telescreens, of course, but there was always the danger of concealed microphones by which your voice might be picked up and recognized…” – George Orwell, Nineteen Eighty-Four