Systematizing Privacy and Governance of Data and the Internet of Things

This blog post was originally published on Data-Smart City Solutions and is by Glynis Startz — Smart Chicago’s Harvard Ash Center Summer Fellow. Glynis is assisting with Smart Chicago’s Array of Things Civic Engagement work, among other smart cities-focused projects. Glynis is a Master in Public Policy Candidate at the Harvard Kennedy School.

As cities begin to see big data as an essential part of governing, more are examining and formalizing their handling of data, and of the Internet of Things (IoT) in particular. There is a growing expectation that governments deal with data in a systematic way and embrace responsibilities beyond encryption of personally identifiable information (PII). As an Ash Center Summer Fellow at the Smart Chicago Collaborative, I’ve had the opportunity to witness Chicago’s process before the deployment of the Array of Things. As feedback rolled in on the Array of Things Governance and Privacy Policy, it seemed an ideal time to explore how other cities have dealt with this issue in comparison, and the direction or directions in which the conversation is moving. Recent examples include Seattle’s Technology Privacy Policy and New York City’s Internet of Things Privacy Policy.

In late 2013, in response to resident concerns over several public failures of data transparency, Seattle launched the City’s Privacy Initiative. According to CTO Michael Mattmiller, its goal was “driv[ing] consistency across the city” and helping departments evaluate their data handling and governance on a project by project basis. Seattle Information Technology led the process by creating a Privacy Advisory Committee of local experts and academics from the University of Washington. The effort culminated in the adoption of six Privacy Principles as City Council Resolution 31570 and a Privacy Policy directing city departments to follow a more in depth Privacy Statement. The principles outlined in the document are 1. We value your privacy; 2. We collect only what we need; 3. How we use your information; 4. We are accountable; 5. How we share your information; and 6. Accuracy is important.  

Approaches in Seattle & New York City

Instead of focusing on creating a set of static requirements, Seattle created a process which forces individuals and departments to fully to think through the implications of their data related actions for individual projects. Staff must consider these privacy principles when creating a new service, as well as create a privacy impact assessment for new technologies. The choice to structure the privacy policy in this way both requires and relies on future care, effort, and thoughtfulness of employees across the city.

New York City’s Internet of Things privacy document, which deals only with the governance of IoT data, is longer and more specific, but sets forth similar principles. There are a number of issues—surveillance, transparency—which are significantly more salient with the sensors required by IoT, but there are many common themes between the two policies. NYC lists their principles as 1. Privacy and Transparency; 2. Data management; 3. Infrastructure; 4. Security; and 5. Operations and Sustainability.

The Seattle and New York City approaches focus on establishing the spirit of the law rather than specific requirements which can be followed to the letter. There are positives and negatives to this approach, which puts the impetus on employees to react to specific situations. This could mean more tailored, sensible approaches to different technology projects, but it also forces citizens to rely on the city government to accurately evaluate each circumstance. That could be difficult for employees to manage and difficult for residents to check. In these policies is the assumption of basic trust in government to follow the spirit of the law when the letter is absent.

Trading less information for more privacy

Both Seattle’s and New York City’s approaches imply that privacy and governance start before the data hit the city servers. They emphasize not just careful handling of data, but also transparency, openness, and careful deliberation surrounding data collection. I believe it is the attention to data collection that really indicates a new level of maturity in technology or data initiatives in cities. It recognizes that cities that hold data have a responsibility to keep it secure. Some could argue that the technical ability to safeguard data has not grown as quickly as the ability to collect large amounts of data inexpensively. This issue is particularly relevant in regard to IoT devices which generally have the ability to gather almost continuous measures. For cities, the decision becomes less about how much data it wants to collect and more about about how much data it will discard.

Growth in the Internet of Things means cities open themselves up to new innovations, but also to a tempting, but potentially dangerous approach to data collection: ‘if we can get it, we may as well’ could create difficult questions about requirements for maintaining data, opening data up to the public, and keeping data secure. The ability to capture large amounts of data easily and cheaply is both a boon and a possible danger for local governments.

Both Seattle and NYC have a framework for thoughtful decision making about information collection. New York in particular requires data collection in projects be designed toward specific purposes and addressing specific problems. The importance of these policies rests on a couple of assumptions: that residents give up privacy when their data are collected, even if those data are not technically Personally Identifiable Information (PII), and that the only way for data to be truly protected is for data not to be collected in the first place. I think these are both valid assumptions, though ones that should be weighed against the value of these data collected, or, more importantly, the potential value of these data not collected. This move to push departments to think through all the future implications of data collection is an important step in the maturation of tech in government.

There are drawbacks to being selective in data collection. It’s not always clear ex ante what data will be the most valuable. Valuable research can be done with data that were collected but never used. Requiring exacting rationales for data collection risks losing the possibility for some of those discoveries, particularly as it becomes easier to facilitate discovery and use of government collected data. In some ways this was a main premise of the early open data movement–cities had data they weren’t using and didn’t necessarily know what to do with, and they put it online for transparency’s sake, but also with the expectation that citizens would make use of it in new and surprising ways.

What’s next for privacy policies?

It seems likely that more and more local governments will be coming out with privacy and governance policies for their data in the coming years — both general policies (like in New York City & Seattle) or project-tailored policies (like in Chicago). Larger cities may follow the path of New York and create ones dealing solely with the IoT, but it is less clear what form these policies will take. There are clearly trade-offs between specificity, clarity, and freedom. Structural decisions may come down to who the policies are designed for, residents or experts, and how much cities are willing to hem themselves in. I’m not sure there’s a correct answer here, but I absolutely think these are questions every city should be sure they’ve asked themselves before writing a policy.

27822302445_dffba4e3d7_o (1)

The proper design of a data governance policy may look very different in different cities. Large cities with significant internal resources and expertise may be more able to put forth generalist policies which put the impetus on departments to make specific decisions. Small cities, on the other hand, may not feel they have the ability to leave the process ad hoc and must instead mandate a one size fits all policy. Pushing the other direction, however, small cities may have more freedom to allow individual deviation because of their less bureaucratic structures, while larger cities have less of an ability to make certain the spirit of non-specific policies are being adhered to.

As more cities create policies, and hopefully engage with residents around them, more insight can be gained about what citizens want and expect from their government in this area. What level of specificity do they require? How much trust do they have in government to do the right thing and how much do they require continued oversight? How do residents view the trade-off between privacy and data use?

Prioritizing Resident Engagement When Implementing the Internet of Things

This blog post was originally published on Data-Smart City Solutions and is by Glynis Startz — Smart Chicago’s Harvard Ash Center Summer Fellow. Glynis is assisting with Smart Chicago’s Array of Things Civic Engagement work, among other smart cities-focused projects. Glynis is a Master in Public Policy Candidate at the Harvard Kennedy School.

The Array of Things Public Meeting at Lozano Public Library | June 14, 2016

The Array of Things Public Meeting at Lozano Public Library | June 14, 2016

This summer the Smart Chicago Collaborative is working with the City of Chicago and the operators of the Array of Things urban sensing project to engage with residents broadly and gather feedback on the project’s Governance and Privacy Policy. This project was recently mentioned in an article by Stephen Goldsmith about implementing Internet of Things (IoT) initiatives. In it, he recommended that cities consider five key themes:

  1. Leverage existing physical infrastructure
  2. Engage the local data ecosystem (ie partner with local researchers or non-profits)
  3. Employ a clear data management strategy
  4. Address security and privacy concerns with transparency
  5. Turn collected data into action

These five points are important technical aspects of a successful IoT initiative, but it’s also important to consider non-technical themes of IoT work. One less highlighted theme vital to IoT reaching it’s full potential in a city: engaging residents early and often.

Engaging with residents to see what they need, and designing projects that reflect that feedback, is necessary and useful. Effective engagement can provide valuable information to improve the implementation of an IoT project, in addition to easing resident objections or concerns.

Why Engagement Matters for Everyone

Engaging with residents is traditionally thought of as a way to gather and maintain local support for a project, but it can also enable implementers to take advantage of unknown neighborhood (institutional) knowledge to make a project more effective. We often see transparency and engagement as a chore–a political requirement instead of something which has more direct and functional value.  

Governmental or academic implementers sometimes underestimate residents and their genuine interest in innovative projects. There is a tendency to assume residents don’t want to engage in the complexities of a problem, and that it is therefore better for the project heads to go ahead and do what they’ve determined is right, but this undersells the commitment and sophistication of many citizens. Because IoT applications almost always touch on data and sensors, engagement involves privacy issues and can seem particularly scary. There are a few predictable reactions to open discussion of these issues which can put anyone off having that talk, but it’s a mistake to assume you know how the majority of residents will react.

A good example of this is the discussion that was reported around an IoT transportation project in Aberdeen. Researchers were concerned about data anonymity because of the low population of the project area, but when residents were brought into the discussion they felt the utility they gained from the project (improved tracking of bus arrival times) made that cost worthwhile.

Learning from Engaging

With that underestimation comes an undervaluing of the feedback residents can provide. There are vast reservoirs of relatively untapped institutional knowledge about neighborhoods or cities in residents’ minds. The more feedback you open yourself up to, and the more time you spend answering questions and listening, the more useful information you can gather. Sometimes you’ll learn things you didn’t know you didn’t know.

27762544482_a46187bc08_o

Brenna Berman and Charlie Catlett overview the Array of Things governance & privacy policies at a public meeting | June 22, 2016

The importance of engaging residents around civic technology more generally is something the Smart Chicago Collaborative has been grappling with for several years. The Civic User Testing Group (CUTGroup), a community of residents in Chicago and all of Cook County who get paid to test out civic websites and apps, is one example of direct resident engagement with technology tools. Smart Chicago’s Array of Things Civic Engagement work could be considered an extension of that purpose — directly engaging Chicago residents in shaping technology projects and policies, rather than a tool. By acknowledging that there are some things best learnt from residents and users, these initiatives use civic engagement to improve technology and service delivery in Chicago.

Engagement around the Array of Things project recognizes the potential value of that input. In addition to gathering feedback about privacy concerns, events were a chance for residents to air concerns and ask clarifying questions about data, privacy, and governance, but they also became a forum for researchers to learn what new information residents could provide about their environment, and increase their involvement. Researchers would do well to follow up and continue to learn.

The engagement meeting referenced the historical and contextual knowledge of the area residents could provide, and which researchers may want to draw on when choosing sensor locations. For example, Charlie Catlett told attendees at the Lozano Library Public Meeting that they could influence the exact placement of sensors if there were reasons the Array of Things team didn’t know about or hadn’t thought of. Residents of every neighborhood are likely to have superior information about precisely where various aspects of their ecosystem can best be evaluated.

Engage or Inform

When we’re talking about civic engagement, it’s very important not to confuse informing with engaging. Helping residents understand the project is different from, but a necessary precursor to, collecting targeted feedback about the project and what aspects are useful or not to residents. If a project isn’t willing to be responsive to that feedback, they are informing, not engaging.

I think interaction with citizens in the data and open government sector can be split into three levels. The first level is technical transparency. This is creating an open data portal or putting the text of some policy up online. Technical transparency allows an organization to say they are being open without actively reaching out to citizens. The second level is informing–explaining to citizens what you’re doing while you’re doing it. This goes further than technical transparency in that it requires at least some attempt to curate open information for citizens, but it doesn’t require an explicit feedback loop. The third level is engagement, taking the time not only to inform residents, but to listen to and react to their questions, concerns, and desires. Engagement is the hardest to do well, and the most time consuming, but it can also provide the most value added for everyone involved.

A city or project should decide which of the three levels of interaction is appropriate and manageable. This may depend on the magnitude of privacy concerns or likely impacts on residents, on the potential malleability of the project, and on whether the design of the project makes local knowledge potentially valuable. For some IoT implementations, especially ones testing specific hypotheses, some aspects of the project may not be open to change. To measure the lake effect, for instance, Array of Things may need sensors set up in a certain formation. Sometimes simple informing is ok, and sometimes it’s not.

To capture the full value of the IoT, cities must not only “integrate it into existing data strategies” as Goldsmith points out, but integrate it into the existing social and cultural structures as well.

A resident snaps a picture of an Array of Things sensor at a public meeting | June 22, 2016

A resident snaps a picture of an Array of Things sensor at a public meeting | June 22, 2016

Documentation from the Array of Things Public Meeting at Harold Washington Library

We’ve compiled documentation from the Array of Things Public Meeting on June 22, 2016 at Harold Washington Library. This is part of our Array of Things Civic Engagement project — a series of community meetings and feedback loops to create dialogue around the Array of Things project, collect community input on privacy, and introduce concepts around how the Internet of Things can benefit communities.

array-of-things---public-persons-standing-up_27251765634_o

The purpose of the Array of Things Public Meeting was to educate the public on the Array of Things project and help facilitate community feedback on the Array of Things Governance & Privacy policy. These were open meetings in Chicago Public Library Branches. No knowledge of technology or sensors was required to be a welcome, meaningful addition to the event.

Pictures

Here is a link to a Smart Chicago album on Flickr with all photographs from the event. See a selection of the photographs below:

Social Media

Here is a Storify of the meeting created by Smart Chicago:

Handouts

 Below is the flyer used to the promote the event. Smart Chicago documenters tasked with outreach distributed flyers and event information around the city, focusing on community spaces like churches, computer centers, libraries, small businesses, etc.

Lavelle_Dollop Coffee
Here is an agenda that was distributed at the meeting:

Here is a map distributed at the meeting that showcases the possible Array of Things Sensor node locations:

Here is the full text of the privacy policy that was distributed during the event also found online here:

Here is a one-pager distributed to meeting participates describing how they can provide feedback on the policy:

Presentations

 Here are the slides that Charlie Catlett of UrbanCCD used at the event:

Here are the slides that Brenna Berman, CIO for the City of Chicago, used at the event:

Notes

Below are the detailed notes from the event which we continue to compile and improve. Very important disclaimer: this is an unofficial record of proceedings and not an exact transcript of the event — rather, a summary of the conversation. We are certain that there are errors and omissions in this document. If you have any questions, comments, or concerns, contact Smart Chicago here.

This documentation is made possible by our Smart Chicago Documenters Program. Our Documenters program is an essential tool for us to add new thinkers, generate ideas, and expand the field for civic tech. The Program played an important role in other Smart Chicago Projects like the Chicago School of Data and the Police Accountability Meeting coverage. Leah Lavelle, Liz Baudler, and Veronica Benson assisted with event outreach. Liz Baulder assisted with notes. Angel Rodriguez took pictures. Lucia Gonzalez and Veronica Benson provided general event support.

Documentation from the Array of Things Public Meeting at Lozano Library

We’ve compiled documentation from the Array of Things Public Meeting on June 14, 2016 at the Lozano Library Branch. This is part of our Array of Things Civic Engagement project — a series of community meetings and feedback loops to create dialogue around the Array of Things project, collect community input on privacy, and introduce concepts around how the Internet of Things can benefit communities.

glynis 2

The purpose of the Array of Things Public Meeting was to educate the public on the Array of Things project and help facilitate community feedback on the Array of Things Governance & Privacy policy. These were open meetings in Chicago Public Library Branches. No knowledge of technology or sensors was equired to be a welcome, meaningful addition to the event.

Pictures

Smart Chicago created album on Flickr with all photographs from the event. Here is a selection:

Social Media

Here is a Storify of the meeting created by Smart Chicago.

Handouts

Below is the flyer used to the promote the event. Smart Chicago documenters tasked with outreach distributed flyers and event information around the city, focusing in particular on community spaces in Pilsen — churches, computer centers, libraries, small businesses, etc.

Nblacantina3
Here is an agenda that was distributed at the meeting:

Here is a map distributed at the meeting that showcases the possible Array of Things Sensor node locations:

Here is the full text of the privacy policy that was distributed during the event also found online at this link:

Here is a one-pager distributed to meeting participates describing how they can provide feedback on the policy:

Here is a letter submitted in person by the community coalition, FAiR:

Presentation

Here are the slides that Charlie Catlett of UrbanCCD used at the event:

Notes

Below are the detailed notes from the event which we continue to compile and improve. Very important disclaimer: this is an unofficial record of proceedings and not an exact transcript of the event — rather, a summary of the conversation. We are certain that there are errors and omissions in this document. If you have any questions, comments, or concerns, contact Smart Chicago here.

This documentation is made possible by our Smart Chicago Documenters Program. Our Documenters program is an essential tool for us to add new thinkers, generate ideas, and expand the field for civic tech. The Program played an important role in other Smart Chicago Projects like the Chicago School of Data and the Police Accountability Meeting coverage. Nourhy Chiriboga and Liz Baudler assisted with event outreach.  Veronica Benson assisted with event outreach, notes, and pictures. Jackie Serrato took pictures. Lucia Gonzalez provided Spanish language support.

The Internet of Things in Action

This blog post is by Glynis Startz — Smart Chicago’s Harvard Ash Center Summer Fellow. Glynis is assisting with Smart Chicago’s Array of Things Civic Engagement work, among other smart cities-focused projects. Glynis is a Master in Public Policy Candidate at the Harvard Kennedy School.

glynis blog 1

Last month Smart Chicago wrote about civic engagement and the Internet of Things in Aberdeen, Scotland. Given the conversations & questions at the public meetings for the Array of Things project, we wanted to explore and share some examples of the Internet of Things (IoT) around the world.

IoT is defined as

“the network of physical devices, vehicles, buildings and other items—embedded with electronics, software, sensors, and network connectivity that enables these objects to collect and exchange data.”

Unless you work in technology or ‘Smart Cities’ it can be difficult to mentally translate the concept of the IoT to the reality. Imagining how the Internet of Things will affect the way your city is run, or how you interact with the government or your environment, is hard without some reference points. Here are a couple of ways the Internet of Things is currently being used, and how it has affected citizens and cities.

IoT in our backyard

big belly

If you live in Chicago (or in hundreds of other places), you’re throwing your trash into the IoT. Smart waste removal is intended to save money and keep things cleaner through better timed trash pickups. The solar powered Bigbelly trash compactors the city has used since 2011 are one of the most visible examples of the IoT in action. Bigbelly trash cans send information back to a hub about how full they are, and indicate when they need to be emptied. Philadelphia was an early adopter of the now ubiquitous cans, and reported savings of around $900,000 in the first year. (The program isn’t without its critics, of course, with reports of overflowing cans in some areas and the usual complaints about graffiti.)

IoT far, far away

Some cities have started weaving together multiple IoT applications, creating what is often referred to as a network of networks. Laura Adler has written an article on Barcelona’s network of networks on the Ash Center blog. The city has long had an extensive network of fiber optic cable which it has used “to build out individual IoT systems across urban services.” Now, the Internet of Things is embedded in energy consumption, waste management, and transportation.

There are two distinct types of IoT applications to explore in Barcelona: ones in which citizens interact directly with technology (either their own or the city’s), and ones in which technology facilitates some government process, improving it before citizens enter the equation.

The first type includes projects like interactive bus stops to help travelers plan their routes, and a public parking pay app. ApparkB lets residents use their smartphones to pay for public parking in the city, utilizing GPS to limit the number of people who have to use traditional parking meters. IoT applications in this mold often seem like first generation tests at this point. They conform more closely to what many people think of as ‘smart’, but at this point still seem like fun toys or conveniences instead of things being built into the architecture of governance.

Projects in Barcelona that are more tied into the city’s fundamental structure are the second type of IoT applications, which operate behind the scenes. Traffic lights interact with emergency vehicles, clearing their path to an incident, which decreases response times and traffic incidents. Barcelona also uses sensors in irrigation systems to save money and water across the city. Sensors monitor and control the output of water in public spaces by evaluating data on weather, rainwater, evaporation, and drainage.

Where do we go from here?

Waste management and irrigation might seem mundane, but the most functional examples of the IoT are often the least “sexy.” They’re the ones that let citizens keep living their lives the way they did before: smoothing the rough patches off daily actions or optimizing government actions to lower costs. IoT and Smart Cities are often sold as complete reinventions of The City as we know it, and the relatively unobtrusive applications we see today can be a letdown, but implementations that promise to entirely change the way residents live or move just haven’t manifested yet. From the unfinished Smart Cities in South Korea and China, to a 50 million dollar competition for redesigning transportation in a US city, transformative smart city projects are still possibly years or decades down the road.

It seems that the more transformative a technology promises to be, the more skeptical we as citizens should be. Balancing academic and practical goals within a single implementation is a difficult task. It’s much easier to imagine what researchers will do with granular ecosystem data than imagine how those granular ecosystem data will immediately impact residents. Benefits of academic research are diffuse and long term. Conversely, projects that provide short run cost savings for a city don’t necessarily create the type of data researchers need to answer academic questions. This doesn’t mean the IoT can’t create value in both of these categories, just that residents should be wary about promises of new technology being everything to everyone right away. There’s a great deal of potential value in smart city technology and the IoT, but the type or timing of that value may look very different depending on the project.

Ways Residents Can Give Feedback on the Array of Things Governance & Privacy Policy

ArrayofThingsLogo-smallToday the draft Array of Things Governance & Privacy Policy was released. The policy discloses the privacy principles and practices for Array of Things and defines how decisions about the program are made. Residents can comment on this draft policy from June 13, 2016 to June 27, 2016. This blog post takes inventory of each way residents can contribute their voices to the draft Governance & Privacy Policy.

Annotate the Governance & Privacy Policy Using Madison

The text of the draft Governance & Privacy Policy is posted here on the OpenGov Foundation’s Madison Platform. Using Madison, residents can edit and annotate specific sections and language of the policy. Using this co-creation web tool aligns with Smart Chicago civic engagement model & goals.

Screen Shot 2016-06-12 at 5.50.45 PM

See this video to get more information on how to sign up for and use Madison:

Comment on the Policy Using this Online Form

In addition to or instead of using Madison, residents are invited to submit comments and questions on the policy through this form also below:

Attend a Public Meeting

To learn more about the Array of Things and give feedback on the Governance & Privacy policy in person, all are invited to the scheduled public meetings:

  • The first meeting will be at 5:30pm on June 14, 2016 at Lozano Library. Here is our blog post announcing the event and giving more details
  • The second meeting will be at 5:30pm on June 22, 2016 at Harold Washington Library. Here is our blog post announcing the event and giving more details

Food will be served. Smart Chicago documenters will record, archive, and share the proceedings from these meetings.

 

Smart Chicago will synthesize and analyze residents’ comments from Madison, the online form, and the public meetings. We seek to facilitate a process where smart city infrastructure like the Array of Things is built for and with everyone. We want to spur a conversation about data, sensors, privacy, and the Internet of Things and how these innovations can be put in service to the people of Chicago.

Find all of the background information, writing, and work for Smart Chicago’s Array of Things Civic Engagement work on here.