Privacy Frameworks for Smart Cities

By Lindsey Tonsager, Jayne Ponder January, 2023

This paper identifies some of the core privacy considerations raised by smart cities – government surveillance and data security in Part I. Then, Part II proposes a set of core principles for smart cities to consider in the development and deployment of smart cities to address privacy concerns. These principles include: (A) human-centric approaches to smart cities design and implementation, (B) transparency for city residents, (C) privacy by design, (D) anonymization and deidentification, (E) data minimization and purpose specification, (F) trusted data sharing, and (G) cybersecurity resilience.

I. Introduction

Smart infrastructure and transportation for city operations (“smart cities”) have the potential to enhance the delivery of government services and tackle a range of societal problems, including managing traffic congestion,^{¹See Press Release, N.Y.C. Dep’t of Transp., NYC DOT Announces Expansion of Midtown Congestion Management System, Receives National Transportation Award (June 5, 2012), https://www1.nyc.gov/html/dot/html/pr2012/pr12_25.shtml.} reducing carbon emissions,^{²Copenhagen, World Smart Cities Forum (Oct. 14, 2019), https://worldsmartcities.org/copenhagen/?msclkid=c1451bbbd15911eca302d0f6add159e9.} facilitating efficient waste management,³ improving public health outcomes, constructing affordable housing, and enabling residents to efficiently access government services.^{⁴LifeSG, Smart Nation Singapore, https://www.smartnation.gov.sg/initiatives/strategic-national-projects/lifesg (last visited Oct. 24, 2022).} The COVID-19 pandemic also underscored the opportunity for smart cities to improve public health outcomes. For example, New York City launched an app for residents to more easily store and present their vaccine record and COVID-19 testing information.⁵ Additionally, Kansas City, Missouri installed air quality sensors in areas of high COVID-19 transmission to help reduce infection rates and improve air quality as part of a grant program with the National Science Foundation, a project that was later expanded to Cleveland, Ohio and Chattanooga, Tennessee.⁶ There are smart cities projects around the globe, with 379 fully developed smart cities in 61 countries in 2019.⁷ Analysts predict that the smart cities market will top $7 billion by 2023.⁸

A typical smart city initiative might involve internet-connected sensors, mobile apps, public WiFi offerings, high-speed communications networks, utility meters, and cameras. With these operations, smart cities could collect and use a large quantity of data, some of which could be sensitive in nature. Additionally, smart cities technologies might involve processing data with assistance from analytics tools and algorithms. Consequently, commentators have raised privacy concerns that smart cities’ potential collection of significant amounts of information about residents, as well as new uses and methods of processing this information could contribute to government surveillance and cybersecurity risks, among other privacy concerns.

Privacy questions have had an influential role in the development and outcome of prior proposed smart cities initiatives. For example, Alphabet’s subsidiary Sidewalk Labs announced plans to build a high-tech neighborhood on 12 acres of Toronto’s waterfront in 2017, estimated to reflect at least a $1 billion investment, often called the Toronto Quayside project for the name of the neighborhood.⁹ Citizens and privacy advocates raised concerns that the proposed plans could compromise residents’ privacy interests.¹⁰

Cities play an important role in the responsible integration of smart cities technologies to address these privacy concerns and safeguard public trust. This paper identifies some of the core privacy considerations raised by smart cities – government surveillance and data security in Part I. Then, Part II proposes a set of core principles for smart cities to consider in the development and deployment of smart cities to address privacy concerns. These principles include: (A) human-centric approaches to smart cities design and implementation, (B) transparency for city residents, (C) privacy by design, (D) anonymization and deidentification, (E) data minimization and purpose specification, (F) trusted data sharing, and (G) cybersecurity resilience.

II. Privacy Considerations for Smart Cities

Privacy considerations in smart cities development and adoption are raised across academic commentary, public reporting, and past smart cities pilots, and generally focus on concerns over government surveillance and data security.

With respect to government surveillance, some commentators have voiced concerns that the implementation of smart cities technologies runs the risk of chilling First Amendment expression, as residents might be less willing to participate in free speech and public assembly if they perceive they are being recorded by the city.¹¹ For example, the White House’s recent Blueprint for an Artificial Intelligence (“AI”) Bill of Rights, the Office of Science and Technology Policy found that individuals and communities “should be free from unchecked surveillance” and technologies like AI should not limit the exercise of civil rights and civil liberties, such as with respect to voting, peaceful assembly, speech, or association.¹² At the same time, however, state and local governments have used technology to facilitate citizens’ First Amendment right to vote through the creation of mobile apps that help citizens connect with information about how, where, and when to vote.¹³

Regarding data security risks, privacy advocates and commentators have raised concerns that because smart cities might collect a large quantity of information, some of which may be sensitive in nature, smart cities provide an attractive target for bad actors. For example, city governments have already grappled with the threat of cybersecurity incidents, even outside the smart cities context. In September 2022, a ransomware attacker gained access to the Los Angeles, California Unified School District, and with it, access to student and teacher data, which led the school district to shut down its computer systems.¹⁴ City governments at large have also been affected, as a ransomware attack on the city of Atlanta caused the city government to shut down its systems in 2018,¹⁵ and a bad actor accessed all of the 156 emergency sirens in Dallas, Texas in 2017.¹⁶

Nevertheless, there are bright spots suggesting cities can do data security well using smart technologies. Members of Congress have introduced several bills that would, among other things, create literacy for small businesses on cybersecurity best practices and establish voluntary cybersecurity certification programs for IoT devices.¹⁷ Likewise, the National Institute of Standards and Technology (“NIST”) has issued reports and best practices recommendations related to cybersecurity and IoT devices, including some specific to government operations such as the NIST Security Guidance for First Responder Mobile and Wearable Devices, which helps secure devices worn in emergency response operations.¹⁸ Additionally, partnerships with private actors can help smart cities strengthen cybersecurity resilience.

Accordingly, any smart cities framework should be calibrated to consider how to minimize privacy risks while maximizing benefits to citizens and government efficiency.

III. Safeguarding Privacy in Smart Cities

Cities play a critical role in ensuring public trust with the deployment of technologies for city government. This Section explains each of the key privacy principles in turn, and discuss how these principles can help address privacy concerns raised with smart cities. These principles include: (A) human-centric approaches to smart cities design and implementation, (B) transparency for city residents, (C) privacy by design, (D) anonymization and deidentification, (E) data minimization and purpose specification, (F) trusted data sharing, and (G) cybersecurity resilience. These principles are informed by numerous privacy frameworks, such as those proposed by the Organization for Economic Co-operation and Development (“OECD”), NIST, and the Asian-Pacific Economic Corporation (“APEC”), as well as existing laws in the European Union and the United States.

A. Human Centered Smart Cities

Because smart cities rely on the trust and confidence of its residents, smart cities should prioritize a human-centered approach to designing and operating smart cities to help allay privacy concerns like government surveillance and data security. Some critics of smart cities have reflected that smart cities advocates overlook the importance of individuals in the pursuit of deploying smart cities technologies.^{¹⁹See Karrie Jacobs, Toronto Wants to Kill the Smart City Forever, MIT Tech. Rev. (Jun. 29, 2022), https://www.technologyreview.com/2022/06/29/1054005/toronto-kill-the-smart-city/; see also Riad Medded & Calum Handforth, We Need Smarter Cities, Not “Smart Cities,” MIT Tech. Rev. (Jun. 27, 2022), https://www.technologyreview.com/2022/06/27/1053896/we-need-smarter-cities/ (reflecting that a focus on smart cities “talk[s] about ‘users’ rather than people” and “[m]onthly and ‘daily active’ numbers instead of residents”).}Thus, in order to be successful and address privacy concerns, smart cities must therefore routinely engage with its residents to understand the benefits smart cities might bring to bear for residents, analyze how smart cities can be designed to benefit all residents equitably, appreciate the unique norms and culture of a city that will determine what smart cities implementations are appropriate, attend to concerns about resident privacy, and promote trust and accountability.

The Toronto Quayside project provides an example of the importance of incorporating residents in the process of designing and deploying smart cities. The Toronto Quayside project involved a partnership with Sidewalk Labs to build a smart city “from the internet up.”²⁰ Not long after the project was announced, the Toronto Quayside project drew criticism for dismissing privacy concerns, which led four members of the project’s advisory board to quit the project “over concerns about privacy and lack of public input.”²¹ As this example underscores, involving residents in the process of designing and building smart cities is critical to help ensure that the smart cities project reflects the norms and culture of the city and has the support of city residents.

B. Transparency

Transparency allows residents to shape the development of smart technologies in their city and understand the nature and extent of processing of their personal information to make informed choices about their information. In this way, transparency can help address concerns about government overreach because residents and civil society stakeholders can monitor and take action in potential instances of government overreach. Transparency – in particular, the principle that people should be informed over how their information is collected and used – is foundational across global data protection frameworks.^{²²The GDPR, U.S. state privacy laws, and other global frameworks likewise contemplate some form of transparency with respect to how individuals’ information is collected, used, and shared. See, e.g., GDPR, Articles 13 & 14.}

Transparency has long been a central aspect of the U.S. privacy framework. The Fair Information Practices, a 1970s government report identified principles for fair government processing of information that provide the foundation for modern U.S. privacy requirements, one of which is the principle of transparency.²³ With respect to presentation of notices, the Federal Trade Commission (“FTC”) has recommended that entities make disclosures to consumers “at a relevant time and in a prominent manner” (and provide choice) to individuals, in instances where personal information collection is inconsistent with what consumers might expect.^{²⁴See FTC, Protecting Consumer Privacy in an Era of Rapid Change 27 (Mar. 2012), https://www.ftc.gov/sites/default/files/documents/reports/federal-trade-commission-report-protecting-consumer-privacy-era-rapid-change-recommendations/120326privacyreport.pdf.} The California Privacy Rights Act, which enters into effect January 1, 2023, requires that a business provide notice “at or before the point of collection” to consumers.^{²⁵Cal. Civ. Code § 1798.100(a) (effective Jan. 1, 2023).}

While global frameworks are not uniform with respect to the content required in such notices, many privacy frameworks call for notice that includes the purposes for which personal information is being collected, used, and shared; recipients of the data (including third parties); and information about any applicable choices with respect to that data.^{²⁶See, e.g., Asia-Pacific Economic Cooperation, APEC Privacy Framework (2005); U.S. Dep’t of Health, Educ. & Welfare, Records, Computers, and the Rights of Citizens (1973); FTC, supra note 34.}

Although transparency has been a longstanding principle in privacy frameworks, the nature of smart cities technologies and their integration with city government raises novel challenges for transparency. First, the reality of developing technologies means that the way in which residents interact with the tool may not be through a traditional account signup process or on a screen. This presentation likely requires that smart cities think creatively about how to provide notice to residents. For example, where smart cities use sensors to collect data automatically, providing notice may include using QR codes that link to a city’s privacy disclosures or providing public signage about when sensors or in use. Cities could also use standardized images in these signs where appropriate to signal to residents when sensors or cameras are in use. As another example, cities can develop privacy portals or hubs where citizens can go to access comprehensive information about how technologies deployed throughout the city might process personal information.

C. Privacy by Design

Privacy by design can help allay privacy concerns related to smart cities, including those related to government surveillance and data security, as privacy by design requires a proactive consideration of privacy risks and available safeguards. Privacy by design has been recognized in global privacy frameworks, including in the Global Data Protection Regulation (“GDPR”), in FTC guidance, and most recently, in the proposed legislative text for the American Data Privacy and Protection Act, the leading bipartisan U.S. federal legislative framework for privacy.²⁷

Privacy by design is not a new concept for smart cities. Seattle implemented a programmatic privacy review process that assists city government officials in collecting and using data.²⁸ Designed to provide “structure and guidance” for city agencies to build confidence in how residents’ personal information is used, the privacy program asks Seattle officials to complete a privacy impact assessments to review how data is collected and managed by a project or proposal through a series of questions.²⁹

Privacy assessments can serve as a component of a privacy by design program, like the one deployed in Seattle.³⁰ Recently, the Dutch Data Protection Authority issued recommendations for smart city applications that include a recommended data protection impact assessments before the integration of smart cities technologies to assess privacy risks and potential safeguards available.³¹ Additionally, the White House Blueprint for an AI Bill of Rights recognized that pre-deployment assessments and ongoing assessments of privacy and surveillance considerations would be appropriate for some applications of technology that could be used for surveillance purposes “to protect privacy and civil liberties.”³² Impact assessments also help address privacy concerns of government surveillance and data security, as the impact assessment would require the city to examine who would be allowed to have access to the data, what safeguards and policies should be in place, and how the data should be protected. Likewise, impact assessments promote public trust through transparency with citizens about how their data is used and managed.

D. Anonymization and Deidentification

Importantly, not all data collection necessarily raises the same types and degrees of privacy concerns. Privacy interests are arguably substantially lessened where information cannot be associated with a particular individual – for example, data in aggregated or deidentified forms. Many data privacy frameworks explicitly exclude aggregate and deidentified information from its scope.³³

Relying on aggregate and deidentified information wherever possible, instead of personal information, could help city governments unlock the potential benefits of smart cities, while also managing privacy concerns. For example, environmental sensors that measure temperature, air quality, and humidity would address privacy concerns, as would sensors that measure the amount of trash in a bin. Additionally, collection of information about the number of cars that travel through an intersection at a given time – not the type, make, model, or license plate of the vehicle – could help a city reduce congestion without implicating serious privacy concerns. Consequently, cities could consider as a principle prioritizing the collection and use of aggregated and deidentified data whenever feasible to address privacy concerns with smart cities development and implementation.

Nevertheless, absent processes and controls to prevent reidentification, deidentification and anonymization alone might not address privacy concerns due to the ability to reidentify datasets and should be coupled with policies and procedures to prohibit reidentification.^{³⁴See Woo, supra note 20, at 961.} Even where data has been pseudonymized or deidentified, academics have raised concerns about the use of big data or other data sets to reveal previously anonymous portions of the data or enable complete reidentification.^{³⁵Id. (citing example where researchers re-identified medical records using sex, date of birth, and zip code of patients).} Thus, smart cities should consider policies, procedures, and safeguards to prohibit reidentification and refrain from storing data longer than required. As at least one academic commentator noted, deidentification may not be the only solution, but it has a role to play.³⁶

E. Data Minimization & Purpose Specification

Smart cities could adopt the “less is more” principle of data minimization to help respond to concerns about government over-collection of personal information and surveillance. Data minimization describes collecting and maintaining the minimum amount of data required for a particular purpose.³⁷ Like transparency, data minimization is a principle grounded in the Fair Information Practice Principles³⁸ and is a common theme across global privacy frameworks.³⁹

Data minimization helps address some of the privacy concerns raised in the context of smart cities.⁴⁰ A frequently cited concern with smart cities is that the over collection of personal information that could be used for government surveillance or that, when data collected by the smart city is stored together, attracts bad actors seeking to obtain unauthorized access. However, if smart cities limit the volume and types of data collected, this helps address concerns that government agencies can use and analyze information for purposes of government surveillance.

F. Trusted Data Sharing

Smart cities will need to work with partners and vendors to source and facilitate the technology used for smart cities, a process that will necessitate sharing some personal information collected by smart cities with partners. Absent some data sharing, cities may not be able to provide smart solutions if they lack the necessary technical infrastructure, robust security measures, or to share data with researchers (e.g., to validate their efficacy of their solutions, promote transparency, or enable additional technological developments). Moreover, data sharing helps ensure that smart city technologies are designed, trained, and tested with datasets that represent the diversity of the city’s population and avoids unintended biases.

Such sharing can be accomplished in a way that fosters trust and confidence with the individuals about whom the data relates. For instance, contractual terms that delegate the roles, responsibilities, and rights of the city and the relevant data recipient with respect to personal information can provide assurances to the city and to residents that the recipient must use their data responsibly and in line with any specific provisions of the contract.⁴¹ In coordination with the University of Washington, the City of Seattle undertook a review of vendor contracts to understand whether vendors with access to city data were contractually obligated to adopt best practices for privacy and cybersecurity, and the findings of this study led to the city renegotiating contracts with a vendor so that these protections were in place.⁴²

Additionally, certification programs for vendors or other third parties that are in line with privacy principles can also provide an easy mechanism for cities and residents to identify whether the recipient of smart city data has undergone vetting of their privacy and security programs. Certification programs have had some success in other privacy contexts. For example, the Children’s Online Privacy Protection Act (“COPPA”) allows the FTC to approve self-regulatory guidelines that implement the protections of the COPPA Rule.^{⁴³See 15 U.S.C. § 6503 (providing a safe harbor for companies that comply with FTC approved self-regulatory guidelines).} The creation and adoption of certification programs could serve as a valuable mechanism to innovate on privacy best practices for smart cities and provide a means for residents to easily understand how smart cities partners are processing their personal information.

G. Cybersecurity Resilience

Data security is critical to both addressing smart cities privacy concerns and fostering public trust. Smart cities can adopt a cybersecurity program similar to that included in global privacy frameworks. For example, many privacy frameworks include a security principle to ensure that personal information is only used by those authorized to do so and safeguarded in a reasonable manner, taking into account the nature of the underlying data and the purposes for processing.⁴⁴ In the smart cities context, this could mean implementing access controls to limit who and what types of personnel can access certain types of resident data collected by the smart city. For example, data from a traffic light sensor collecting aggregated data about congestion (i.e., 100 cars passed through an intersection during rush hour) might be limited to those who service and operate the traffic light and may not be available to, for example, law enforcement or government personnel determining benefits entitlement. Smart cities can also put in place procedures like multi-factor authentication to verify the identity of the individual seeking to access the data. In considering cybersecurity safeguards, smart cities can learn from other government entities, such as those at the federal and state level, and might identify support and resources from grant programs, such as the $1 billion cybersecurity grant program for state and governments allocated in the Bipartisan Infrastructure Law.⁴⁵

Not only does cybersecurity resilience protect residents against harm from malicious actors, but robust cybersecurity also furthers public confidence and trust in the smart city project.

IV. Conclusion

Smart cities offer tremendous opportunity to improve how citizens experience and benefit from their city governments. Cities have an important role to play in adopting a privacy framework – such as through the adoption of principles like those described in this paper – to address privacy concerns and foster public trust and confidence in smart cities projects. Privacy in smart cities can be a feature, not a bug, and the principles outlined in this paper can help provide a framework for the responsible adoption of smart cities projects.