CNIL has been participating for several months in the working group of the Commission for Energy Regulation ("CRE") on electric "smart meters". At the CNIL plenary meeting of 14 October 2010, our Commission developed recommendations to limit the impact of these innovative devices on privacy and freedoms.
"Smart meters" differ from existing regular meters in that they can electronically transmit the consumption index to the network operator. Thanks to this remote transmission, intelligent networks use advanced computer technology to optimise the production and delivery of electricity. In addition to the optimisation of production, these systems facilitate the billing of subscribers. They also allow providers to carry out some technical operations remotely and automatically, such as cutting or changing the power of a meter. However, these capabilities call for new security requirements to prevent an unauthorised malicious third party from remotely cutting the power supply of an individual.
Some supervisory control and data acquisition infrastructures (SCADA systems) that use the Internet to communicate information are not properly secured. CNIL therefore recommends being vigilant about securing these critical infrastructures. The potential impact of such attacks - as evidenced by the recent Stuxnet virus in Iran which disrupted the operation of power stations - can be dramatic and may physically damage power stations. This could cause a chain reaction across the whole electricity grid and large-scale power outages. In terms of data confidentiality, CNIL recommends that the necessary measures be taken both at the meter level (since the data are stored in the meter for two months) and at the server level, where data collected through remote transmission are stored. It is necessary to ensure data encryption, to establish a system for managing the authorisations of people who have access to the data, and to ensure the traceability of logs to the server.
Smart devices have raised concerns about privacy. Indeed, specific information on the power consumption of subscribers allows educated guesses about their lifestyle (time they wake up, time they go to bed...) or even, in specific cases, about the type of devices they use. Therefore, CNIL recommends adjusting the level of detail of the data collected according to the different uses. While detailed information is sometimes necessary to manage the network, a daily record is sufficient to charge a standard subscription.
CNIL reminds the main network operators that information on how to exercise one’s rights will have to be given in the subscription agreement and when new meters are installed. CNIL proposes that an information leaflet detailing the new features of these meters (such as remote transmission) be handed out.
As far as optional services that require the use of accurate consumption information are concerned, the subscriber will also have to be informed to ensure informed consent. In fact, to receive the information related to energy consumption, it is imperative that energy suppliers first get the consent of consumers.