CFPHR joined EPIC comments to the National Institute of Standards and Technology on Smart Grid Cyber Security
December 1, 2009

Comments to the National Institute of Standards and Technology on Smart Grid Cyber Security: http://www.scribd.com/doc/49010646

COMMENTS OF THE ELECTRONIC PRIVACY INFORMATION CENTER
Joined by

PRIVACYACTIVISM
PRIVACY RIGHTS CLEARINGHOUSE
LIBERTY COALITION
ELECTRONIC FRONTIER FOUNDATION
GOVERNMENT ACCOUNTABILITY PROJECT
U.S. BILL OF RIGHTS FOUNDATION
CENTER FOR MEDIA AND DEMOCRACY
CYBER SECURITY PROJECT
THE RUTHERFORD INSTITUTE
WORLD PRIVACY FORUM
CENTER FOR FINANCIAL PRIVACY AND HUMAN RIGHTS
AMERICAN CIVIL LIBERTIES UNION
CONSUMER ACTION
AMERICAN LIBRARY ASSOCIATION

Privacy and Security Experts
Bruce Schneier
Christopher Wolf
Pablo Molina
Prof. Helen Nissenbaum
Deborah Hurley
Philip Friedman
Edward G. Viltz
Chris Larsen
Stefan Brands

to
THE NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
on
DOCKET NO. 0909301329-91332-01

“Draft NIST Interagency Report (NISTIR) 7628, Smart Grid Cyber Security Strategy and Requirements; Request for Comments”

December 1, 2009

TABLE OF CONTENTS

I. Background and Signatories

II. Privacy and the Smart Grid
a. Defining Privacy and the Smart Grid
b. Assessing Smart Grids and Privacy
c. Privacy Threats
i. Identity Theft
ii. Personal Surveillance
iii. Energy Use Surveillance
iv. Physical Dangers
v. Misuse of Data

III. EPIC Recommendations on How to Make the Smart Grid Privacy Smart
a. NISTIR's Approach Is Insufficient
b. Adopt Fair Information Practices
c. Establish Independent Privacy Oversight
d. Abandon the Notice and Consent Model
e. Impose Mandatory Restrictions on Use and Retention of Data
f. Verify Techniques for Anonymization of Data
g. Establish Robust Cryptographic Standards

IV. Conclusion