We’re not done talking about privacy in the smart city

January 24, 2019

By Brenda McPhail and Nabeel Ahmed

Since Sidewalk Labs and Waterfront Toronto announced their agreement to develop a plan for a Quayside smart city project, privacy concerns have been a big part of the conversation. Such a big part that recently, there’s been a bit of a backlash against smart city privacy conversations, most notably in a recent Toronto Star editorial which suggests that despite not much having happened yet on the project, it does seem as though many people who know they should be more vigilant about their privacy than they are when it comes to all those apps on their cellphones have decided to dump all their pent-up privacy concerns on this one project.

Frankly, if it is true, as the Star argues, that the project is facing greater public scrutiny because last year’s scandals involving big data collecting companies and millions of unsuspecting users have people worried about the risks of data misuse and misappropriation, that seems fair. After all, the company driving Toronto’s smart city project is in fact a sibling of Google, the company that just this week was fined $57m in France for failing to abide by the EU’s General Data Protection Regulation. More significant than the size of the fine is the rationale for it, the New York Times reported: “In a statement, the regulator said Google’s practices obscured how its services “can reveal important parts of their private life since they are based on a huge amount of data, a wide variety of services and almost unlimited possible combinations.” Sidewalk is not Google, as they tell us often and with frustration, but we don’t need to conflate the two to believe that the relationship matters.

Despite the media air time given to privacy issues, we would argue that there hasn’t been much meaningful conversation with the public about privacy at all. Sidewalk’s claim of “world-leading best practices” has not been seriously examined in any public forum, whether at one of the PR-heavy Sidewalk Roundtables or at Waterfront Toronto’s own Digital Strategy Advisory Panel. The benefits of the (voluntary) Privacy by Design model have been touted, but its limitations have not been discussed, especially given the inadequacy of existing legal frameworks regarding privacy. There has been very little public education around issues of individual and collective privacy, how they are distinguished, and how they should be approached.

We’d argue that now really is the right time to air concerns and discuss the thorny topic of what Sidewalk themselves initially characterized as a “digital layer” of the city–before they design products that are hard to change, or embed something extraordinarily difficult and expensive to replace into our infrastructure. Digging out sensors from the street isn’t as simple as deleting an app from our phone, and with greater risk and financial exposure should come greater due diligence. Conversations about threats that have yet to crystallize is probably the price we have to pay to make sure that they never do.

Furthermore, it is absolutely necessary to talk about privacy policy, including data governance, at this initial stage. It has become trite to say that technology innovation has outpaced legal protections for privacy, but that fact is relevant in this context. In a project with innovation at its core, strong policy that uses law as the threshold, not the bar is necessary up-front. If we have any hope of getting this right, it’s not going to happen without talking about what we are willing to allow, what we aren’t, what is legal, what is ethical (and those aren’t the same), and what is feasible, now and throughout the project, iteratively and unavoidably, repetitively.

Obviously, privacy isn’t the only topic that matters in the larger smart city conversation that Toronto should be having. It’s a valid concern that we may be spending so much time talking about privacy, that we’re not talking not enough about all the other fundamental questions this project raises, starting with, “Do we really want a city where human experience is conceived as data?” There are so many discussions we need to have where privacy doesn’t play a role–democratic accountability and deficits, intellectual property, asymmetrical economic and power relationships, the difference between innovation we need versus innovation that needs us as a “test bed”, all of these things and many more should be part of the comprehensive conversation not just about this particular smart city project, but more basically, about the kind of city we want to live in.

But that means we need to do a better job of opening up space to talk about all of those other issues, not shut down the privacy conversation, not least because it is a thread that weaves through many others. If the smart city is a sustainable city, how can we monitor energy usage without creating dwellings that monitor the ways we live within them? If the smart city includes affordable housing, how can we make sure that vulnerable people (who need homes so badly they aren’t going to argue with terms and conditions for achieving them) don’t end up as guinea pigs for intrusive behavioural modelling? If the smart city includes “new mobility” what kind of information about users would, for example, an autonomous ride-share service need versus what they might want to know about customers, and who gets to decide how that gets balanced?

Toronto residents are not wrong to have persistently raised privacy issues created by this project, and the fact that privacy is only one of many issues that need attention doesn’t mean it doesn’t deserve ongoing, careful scrutiny moving forward. A city built “from the internet up” is a city built on the data we all create as we navigate daily through the places we live our life. What is done with the bits and bytes of data about us, the minutiae of our interactions through time in city spaces, and what impact that has on us as individuals and as a community, is going to be a key factor in whether a smart city is liveable or not, sustainable or not, successful or not. Privacy protection, in design, governance, and policy, must play a key part of the conversation if we want a smart city to be a place where we control the technology that serves us, rather than one where we serve the technology and those who control it.

Nabeel Ahmed is a researcher on smart cities and a member of the Toronto Open Smart Cities Forum.

Brenda McPhail is the Director of the Privacy, Technology & Surveillance Project at the Canadian Civil Liberties Association and a member of the Toronto Open Smart Cities Forum.