Governments Face an Uphill Battle in Data Protection
The idea that government use of smart devices will inevitably lead to human rights issues isn’t sound, Johnson says. Instead, she says, the bigger potential threat to citizen privacy is a breach of government systems, putting data in the hands of bad actors.
“It’s not only a realistic concern, it has already happened in the past with citizen data and government employee data,” she says.
The sheer volume of data that governments collect makes protecting it difficult. Cyber workforce shortages compound the challenge, as does the fact that government agencies have fewer resources than corporations, making data protection an uphill battle for the public sector.
Proper data security in smart cities starts with securing IoT devices, as having a large number of internet-connected devices broadens an organization’s attack surface. Governments can implement zero-trust practices and limit access so that each device only touches the information it needs instead of a whole network, ITIF notes.
Agencies Can Keep Data Anonymous to Protect Citizens
Governments should anonymize data they collect through smart devices. This is usually not a problem, as most of the data collected through many sensor technologies is nonsensitive information that wouldn’t benefit from being connected to specific people. This includes data on traffic patterns, population density and energy consumption.
“For most use cases, the data doesn’t need to tie to a specific person or household,” Johnson says. “That avoids the potential of anyone building profiles of individuals based on their habits or any of that data that, on its own, is innocuous.”
However, in cases when governments do tie data to specific people, Johnson says that agencies should set that data up for automatic deletion. For example, if a state is gathering data from an electronic toll collection system such as E-ZPass, it’s receiving data tied to individuals because payments are processed via credit cards. This kind of data should be deleted once payments are processed or the need for the data is gone, Johnson says.
ITIF cites the company ShotSpotter as an example of an organization that uses automatic deletion to prevent the misuse of data. The gunfire locator service uses sensors that send audio to a review center only if they detect a potential gunshot, ITIF says. That audio is automatically overwritten after a certain period, preventing law enforcement from digging up old recordings to listen in on captured conversations or other audio.
Transparency Must Be a Priority in the Data Collection Process
Citizens will naturally wonder why their data is being collected and how it’s being used, ITIF notes. Governments must have answers to these questions. Information on data collection and use should be easily accessible to the public.
Any broad communications explaining the use of data should be written in a way that’s understandable to the layperson; more technical detail can be provided in additional resources, ITIF notes.
“Having answers would not only put people more at ease and inform them but it would also allow for researchers to explore the ways that data is being used and the potential implications,” Johnson says.
There are also concerns about the commercial use of data. ITIF recommends that Congress pass federal data privacy legislation that pre-empts existing state and local laws and includes opt-in consent for the commercial use of sensitive data and opt-out consent for commercial use of nonsensitive data. Johnson says that she expects the American Data Privacy and Protection Act will be reintroduced to Congress.