Here, Ashley Stevenson explains to us how smart cities need to build trust into connected urban spaces
Our cities are changing.
Every new infrastructure project now brings new examples of smart technologies being used to connect our urban environments: whether it’s the City of Westminster’s SmartPark parking system, or the proposed facial-recognition entry at London’s next tallest skyscraper.
However, with such developments, how do we ensure citizens can trust digital services and secure the personal data collected by smart devices?
The connected urban environment – potential utopia or dystopia?
New digital services and smart IoT devices like cameras, locks and sensors promise to streamline our lives, improve our safety on the streets, and help us manage assets and resources more efficiently. However, to do these things effectively, they must also amass and analyse vast amounts of data — including that of citizens. The question therefore is whether the benefits of the connected urban environment inherently require a tradeoff over data privacy, and exposure to potential security risks.
One example is biometrics, which can be used to seamlessly authenticate access to buildings and payments for services. Everything from fingerprints to facial recognition and gesture recognition are paving the way for enhanced security and advanced identification, as are behavioural biometrics, which monitor people, places and patterns for identification and authentication purposes–all the while making the process far easier, and at times barely noticeable.
Yet in recent weeks, privacy concerns surrounding biometrics have come very close to home for many Londoners, with the revelation that London’s Kings Cross district is using facial recognition in its security cameras, and Canary Wharf planning to follow suit. The developers responsible have made assurances that the technology is being used to enhance public safety. However, many are concerned that this technology represents a breach of privacy, particularly because it’s currently impossible for pedestrians to opt in or out of a service in an open public space.
These questions around privacy echo the concerns raised over Sidewalk Toronto’s Port Lands proposal, a smart city project in Canada. Critics of the initiative are worried about what data would be anonymised and how data in aggregate would be treated once collected. The potential damage to trust is clear, with the project attracting ire on both a local and a global level. In each case, transparency is key. Companies and local authorities need to clearly explain how they use the data they collect, and give more control to citizens to manage their consent.
A complex web of relationships
This is easier said than done. In a diverse urban area like London or Toronto, the sheer complexity of relationships and context-based decisions that underpin real-world use cases across a combination of spaces, buildings, devices, and organisations, means respecting privacy and keeping data secure requires a highly sophisticated and granular way of handling personal and non-personal data. Given this, how can we respect the individual privacy preferences of every citizen that moves through the city? And how do we ensure that data is secure once it has been collected?
This is where digital identity comes in: by providing a single foundation for each citizen’s interaction with devices around the city, a stable digital identity system could effectively carry their privacy preferences with them, in turn making it easier to authenticate who and what has access to specific devices, thereby improving security. Furthermore, not only would people have their own digital identity, but each connected device would need a stable digital identity too so that it can easily be differentiated from the other devices on the network — thus allowing for granular control.
In the King’s Cross example above, certain levels of access control could be enforced around the biometric data gathered by CCTV cameras. For instance, if a user is picked up who has chosen to opt-out of having their data collected by third-party organisations (in this case the property developer who installed the cameras), the central digital identity system would automatically block that data from being tracked.
To support this, access controls should be delegated to the user and designed so that they can be managed from a single dashboard to streamline the process and give the clearest view of what information is — and what information isn’t — allowed to be shared. The User-Managed Access protocol is the ideal candidate to support this system, as it provides such a transparent and secure dashboard.
The same process applies to the non-sensitive data on devices, which could be collected for the purpose of managing infrastructure and monitoring the environment (particularly important as cities attempt to go green). Digital identity provides a formal system for defining how each device fits into the puzzle and provides transparent controls for granting or restricting access to the information on those devices from a higher level, ensuring the data sharing from the device is trustworthy and compliant. For example, this would be a powerful solution for transmitting non-sensitive data on air quality or traffic statuses.
Underpinning the digital identity system is trust. Each identity – whether for a person or a ‘thing’ – must have a set of credentials, which provide a trusted way of confirming that identity is genuine, as well as strong authentication and authorization protocols defining access to the device’s data. This level of authentication mitigates the risk of sensitive information ending up in the hands of nefarious actors.
Catering to local needs
Of course, every city is different. But it is only once we’ve built a solution that’s able to deal with the complex relationships in connected urban spaces that an appropriate and responsible way of regulating data privacy and security be implemented in each town or city.
Ensuring the right balance between public and private ownership will be particularly important. Sidewalk Toronto’s proposal for a ‘Civic Data Trust’ – a separate entity to the lead developer that’s removed from any business interests – might be one possibility, although their proposed model has received criticism for not guaranteeing enough control for citizens.
As is increasingly the case in the online world as well, the gold standard for smart cities must be true ownership of one’s own personal data, and a robust digital identity system that can provide the transparency and control required.
Ashley Stevenson
Senior Director of Applied Innovation