Author Archives: Rob Kitchin

Robinson Crusoe dreams of big data

I’ve just come across a very nice passage from Michael Tournier’s 1967 novel, Friday; or, The Other Island (a retelling of the Daniel Defoe’s Robinson Crusoe), which seems to capture perfectly the desire of big data projects and I thought worth sharing:

I demand, I insist, that everything around me shall henceforth be measured, tested, certified, mathematical, and rational. One of my tasks must be to make a full survey of the island, its
distances and its contours, and incorporate all these details in an accurate surveyor’s map. I should like every plant to be labeled, every bird to be ringed, every animal to be branded. I
shall not be content until this opaque and impenetrable place, filled with secret ferments and malignant stirrings, has been transformed into a calculated design, visible and intelligible to
its very depths!

I discovered it in Anne Galloway and Matthew Ward’s piece: Locative Media as Socialising and Spatialising Practices: Learning from Archaeology.

Cork as a smart region?

Back in December we posted about the extent to which Dublin can be considered a smart city.  In this post, we complement this with a similar analysis of Cork, which is seeking to become a smart region rather than city (utilising smart technologies across the city and the county).

In Cork a ‘smart agenda’ is being developed that builds on the existing assets, attributes and experiences in the region through the ‘Cork Smart Gateway’ initiative, which is a collaboration between the two local authorities and the Nimbus Research Centre (Internet of Things, networks) and Tyndall National Institute (ICT, microelectronic circuits, nanotechnology, energy, photonics). The aim is to leverage a quadruple helix innovation model where government, industry, academia and civil participants work together to co-create and drive structural change utilising ICT solutions. As well as a host of EU, SFI and enterprise projects, Cork is also home to the National Sustainable Building Energy Testbed, Water Systems and Service and Innovation Centre, and the Mallow Systems and Innovation Centre, and UCC is a lead partner of Insight and CONNECT.  A full range of projects is set out in Table 1.

In addition to these projects, Cork City Council is a follower City in a Smart Cities and Communities Horizon 2020 project called GrowSmarter, a €25m initiative (lead cities: Stockholm, Cologne, and Barcelona). GrowSmarter establishes three ‘lighthouses’ for smart cities which demonstrate to other cities how they can be prepared in an intelligent way for the energy challenges of the future. As part of this project, Cork will roll out initiatives in transport, energy, and information and communications technology. There are also a significant number of companies driving Internet of Things development in the region, for example, EMC and Vodafone have jointly invested €2m in a new INFINITE internet of things industrial platform that will traverse Cork.  There are also a range of ongoing research and pilot projects that have yet to be mainstreamed, and others that ran for a handful of years before terminating, plus there are a number of other smart city apps available developed by citizens and commercial enterprises.

Table 1: Smart Cork

Smart economy Energy Cork Cluster supporting collaboration and innovation in the energy sector
IT@Cork Cluster supporting collaboration and innovation in the ICT sector
TEC Gateway – part of Nimbus, CIT EI funded technology gateway supporting Irish industry to develop new IoT technologies
Rubicon Incubator – provides supports and capital investment for startups
Smart government City Council housing stock management Stock condition surveys and maintenance activities updated by smart technologies close to real time
Library digital services A suite of library apps for various services
Variable messaging signs Real time off-street parking and road closure information on key access routes to the city
Smart living Smart energy management Real-time monitoring and control of energy use and environmental characteristics for residential and commercial buildings; Secure management and prognostics networks for energy systems – EOS
Smart urban district energy Management Real-time monitoring and control of neighbourhoods (blocks of buildings) for sustainable energy use
Smart lighting Intelligent LED lighting networks
GreenCom Smart microgrid testbed that enables wireless monitoring/control of loads, microgeneration and microstorage energy elements
Smart mobility Coca Cola Zero Bikes Public Hire Bike Scheme
LeapCard Smart card access/payment for trains and buses
Real-time passenger information Real time bus and train information at stops
EV Infrastructure Deploy standard and fast charging points throughout the city
Smart environment Smart testbeds National Sustainable Energy Testbed (NSBET); Community Testbed – A regional community testbed with access to high-performance broadband facilities; Water Test-bed
River Lee deployment Real time wireless sensor river monitoring system looking at water quality and depth
Rainwater harvesting Remote monitoring of rainwater harvesting system in Sunview Fairhill
Smart water Sensor development and integration to support management of Fats, oils and greases in the waste water networks – FOGMON

Aquametrics – Single point monitoring of water networks

Mid-altitude security and environmental monitoring AEOLUS – Mid-altitude (400m) sensor platform combining HD cameras, metrological, Radar and AIS for coastal monitoring for security and environmental assessment
Smart people Maker Dojo Hands-on, ‘hacker’ style workshops
CorkCitiEngage A Cork Smart Gateway Survey Project. Public feedback on public issues, digital skills, and use of public infrastructure
CorkOpenData data.corkcity.ie – An online platform for publishing city information obtained from various sources, from sensors to surveys

Source: Compiled by the Cork Smart Gateway

Like Dublin then Cork lay claim to being a nascent smart city.  Similarly they are very much at the start of realising the ambition of becoming a smart region and over the next number of years the smart region landscape is likely to change quite substantially as new initiatives are rolled out and new technologies deployed.

Rob Kitchin

Thanks to Claire Davis and Cork Smart Gateway initiative for compiling the table, with was prepared for our recent report on smart cities, privacy and security.

Smart cities, privacy, data protection and cybersecurity

Last Thursday saw the launch of the ‘Getting Smarter about Smart Cities: Improving Data Privacy and Data Security‘ report by Rob Kitchin and published by the Department of the Taoiseach.  The report was submitted a few days before the publication of a similar report by Lilian Edwards titled ‘Privacy, Security and Data Protection in Smart Cities: a Critical EU Law Perspective‘ and therefore has no reference to it.  Whereas my report takes a more governance and policy focused approach, Lilian’s is more legally focused.  If taken as a pair I think they provide a pretty comprehensive overview of the various privacy and security issues raised by smart city technologies and possible solutions.

Kitchin smart citiesEdwards smart cities

New report: Getting smarter about smart cities: Improving data privacy and data security

report launchAs part of ‘EU Data Protection Day’ a new report – “Getting smarter about smart cities: Improving data privacy and data security” – was launched today by Dara Murphy T.D., Minister for European Affairs and Data Protection.  The report, commissioned by the Data Protection Unit, Department of the Taoiseach (Irish Prime Minister) and written by Rob Kitchin (of The Programmable City project), is the first publication by the new Government Data Forum, a panel of experts drawn from across industry, civil society, academia and the public sector. The Forum advises Government on the opportunities and challenges for society and the economy arising from continued growth in the generation and use of personal data.  The report is available from the Department of the Taoiseach website or click here.

Executive Summary
Many cities around the world are seeking to become a smart city, using networked, digital technologies and urban big data to tackle a range of issues, such as improving governance and service delivery, creating more resilient critical infrastructure, growing the local economy, becoming more sustainable, producing better mobility, gaining transparency and accountability, enhancing quality of life, and increasing safety and security. In short, the desire is to use digital technology to improve the lives of citizens, finesse city management, and create economic development.

In this context, a wide range of smart city technologies are being deployed within urban environments, including city operating systems, centralised control rooms, urban dashboards, intelligent transport systems, integrated travel ticketing, bike share schemes, real-time passenger information displays, logistics management systems, smart energy grids, controllable lighting, smart meters, sensor networks, building management systems, and an array of smartphone apps and sharing economy platforms. All of these technologies generate huge quantities of data, much of them in real-time and at a highly granular scale.

These data about cities and their citizens can be put to many good uses and, if shared, for uses beyond the system and purposes for which they were generated. Collectively, these data create the evidence base to run cities more efficiently, productively, sustainably, transparently and fairly. However, generating, processing, analysing, sharing and storing large amounts of actionable data also raise a number of concerns and challenges.

Key amongst these are the data privacy, data protection, and data security issues that arise from the creation of smart cities. Many smart city technologies capture personally identifiable information (PII) and household level data about citizens – their characteristics, their location and movements, and their activities – link these data together to produce new derived data, and use them to create profiles of people and places and to make decisions about them. As such, there are concerns about what a smart city means for people’s privacy and what privacy harms might arise from the sharing, analysis and misuse of urban big data. In addition, there are questions as to how secure smart city technologies and the data they generate are from hacking and theft and what the implications of a data breach are for citizens. While successful cyberattacks on cities are still relatively rare, it is clear that smart city technologies raise a number of cybersecurity concerns that require attention.

To date, the approach to these issues has been haphazard and uncoordinated due to the ad-hoc manner in which they were developed. However, given the potential harms to citizens and the associated costs that can arise, and the potential benefits at stake, this approach should not be allowed to continue. The challenge is to rollout smart city solutions and gain the benefits of their deployment while maintaining infrastructure and system security and systematically minimising any pernicious effects and harms. This is no easy task, given the many stakeholders and vested interests involved and their differing aims and ambitions, and the diverse set of technologies and their complex arrangement.

This report details the development of smart cities and urban big data, highlights the various privacy and security concerns and harms related to the deployment and use of smart city technologies and initiatives, and makes a number of suggestions for addressing trepidations about and ills arising from data privacy, protection and security issues.

It argues that there is no single solution for ensuring that the benefits of creating smart cities are realised and any negative effects are neutralised. Rather, it advocates a multi-pronged approach that uses a suite of solutions, some of which are market driven, some more technical in nature (privacy enhancement technologies), others more policy, regulatory and legally focused (revised fair information practice principles, privacy by design, security by design, education and training), and some more governance and management orientated (at three levels: vision and strategy – smart city advisory board and smart city strategy; oversight of delivery and compliance – smart city governance, ethics and security oversight committee; and day-to-day delivery – core privacy/security team, smart city privacy/security assessments, and computer emergency response team).

These solutions provide a balanced, pragmatic approach that enable the rollout of smart city technologies and initiatives, but in a way that is not prejudicial to people’s privacy, actively work to minimise privacy harms, curtail data breaches, and tackle cybersecurity issues. They also work across the entire life-cycle (from procurement to decommissioning) and span the whole system ecology (all its stakeholders and components). Collectively they promote fairness and equity, protect citizens and cities from harms, and enable improved governance and economic development. Moreover, they do so using an approach that is not heavy handed in nature and is relatively inexpensive to implement. They are by no means definitive, but build on and extend work to date, advance the debate, and detail a practical route forward.

The report concludes that a core requirement for creating smart cities is the adoption of an ethical, principle-led approach designed to best serve the interests of citizens. In other words, being smart about how we plan and run cities consists of much more than deploying data-driven, networked technologies; it requires a smart approach.

How vulnerable are smart cities to cyberattack?

trafficSmart city solutions utilise complex, networked assemblages of digital technologies and ICT infrastructure to manage various city systems and services.  Any device that relies on software to function is vulnerable to being hacked.  If a device is networked, then the number of potential attack points multiples across the network, and the hack can be performed remotely (1). Once a single device is compromised, then the whole assemblage becomes vulnerable to cyberattacks that seek to ‘alter, disrupt, deceive, degrade or destroy computer systems and networks or the information and/or programs resident in or transiting these systems or networks’ (2).

There are three forms of cyberattack: availability attacks that seek to close a system down or deny service use; confidentiality attacks that seek to extract information and monitor activity; and integrity attacks that seek to enter a system to alter information and settings (such as changing settings so that components exceed normal performance, erasing critical software, or planting malware and viruses) (3).  The vulnerability of smart city systems is exacerbated by a number of issues including weak security and encryption; the use of insecure legacy systems and poor maintenance; large and complex attack surfaces and interdependencies; cascade effects; and human error and disgruntled (ex)employees (19).  The result is that the process of making city systems and infrastructures ‘smart’ has also made them vulnerable to a suite of cyber-threats (4,5,6).

Cyberattacks can target every type of smart city solution and particular system components. There are a number of weak points – including SCADA systems, the sensors and microcontrollers of the Internet of Things, and communication networks and telecommunication switches.

SCADA systems
Various forms of urban infrastructure, including the electricity grid, water supply, and traffic control, rely on SCADA (supervisory control and data acquisition) systems that are used to control functions and flow (4).  These systems measure how an infrastructure is performing in real-time and enable either automated or human operator interventions to change settings.  SCADA systems can be traced back to the 1920s, but were extensively rolled out in the 1980s (12).  As a consequence, many deployments are quite dated.  Many have been found to operate with their original security codes (13).  In some cases, while the infrastructure is relatively secure, the communications network is vulnerable (4).  A number of SCADA systems have been compromised, with hackers altering how the infrastructure performs, or causing a denial-of-service, or have stolen data.  Probably the most infamous SCADA hack was the 2009 Stuxnet attack on Iran’s uranium enrichment plant in which the system was infected by malware that destroyed a number of centrifuges by running them beyond their design specifications (12).  By 2010 over 90,000 Stuxnet infections were reported in 115 countries (5).

Internet of Things
The Internet of Things refers to the connecting together of machine-readable, uniquely identifiable objects across the Internet.  Some objects are passive and can simply be scanned or sensed (such as smart cards with embedded RFID chips used to access buildings and transport systems).  Others are more active and include microcontrollers and actuators.  All kinds of objects that used to be dumb, such as fridges, thermostats and lights, are now becoming networked and smart, generating information about their use and becoming controllable from a distance.  Moreover, sensors can be embedded into the urban fabric and throughout critical infrastructures to produce data concerning ‘location, proximity, velocity, temperature, flow, acceleration, sound, vision, force, load, torque, pressure, and interactions’ (13).  Sensors and microcontrollers are hackable as they often have little effective security, encryption, or privacy protocols in place.  RFID chips, for example, can be hacked, jammed and spoofed (13).

Communication networks and telecommunication switches
The Internet of Things are linked together via a number of communications technologies and protocols such as 4G LTE (Long Term Evolution), GSM (Global System for Mobile communication), CDMA (Code Division Multiple Access), WiFi, bluetooth, RFID (Radio-Frequency Identification), NFC (Near-Field Communication), ZigBee (open wireless standard), and Z-Wave (wireless communication).  Each of the modes of networking and transferring data are known to have security issues that enable data to be intercepted and provide access to devices.  Likewise, telecommunication switches that link together the local and long distance Internet infrastructure are known to have vulnerabilities including manufacturer and operator back-door security access and access codes that are infrequently updated (4).

Transport management systems and vehicles
There have been a number of cyberattacks on transport management systems in recent years, as well as proof-of-concept demonstrations of possible attacks.  For example, a cyberattack on a key toll road in Haifa, Israel, closed it for eight hours causing major traffic disruption (9).  A research team from the University of Michigan managed to hack and manipulate more than a thousand traffic lights in one city using a laptop and wireless radio (15).  Likewise, IOActive Labs have hacked traffic control sensors widely used around the world and altered traffic light sequencing and interactive speed and road signs (16).  A teenager in Lodz, Poland, managed to hack the city tram switches, causing four trams to derail and injuring a number of passengers (1, 13).  In the US, air traffic control systems have been hacked, FAA servers seized, the personal information of 58,000 workers stolen, and malicious code installed on air traffic networks (13).  Vehicles themselves are also open to being hacked given that a new car contains up to 200 sensors connected to around 40 electronic control units and can connect to wireless networks.  A recent Wired article details how two hackers were able to remotely hack a car through its Internet computer that controls entertainment and navigation systems, facilitates phone calls and can provide a wifi hotspot, using it as a route to replace firmware that enabled them to take control of the car’s internal computer network.  The hackers could then take over the driving of the car from over 10 miles away, turning the driver into a passenger (17).

Electricity grid and smart meters
The generation, transmission, and distribution of electricity are monitored and controlled using SCADA systems (12).  In addition, the electricity grid consists of a range of other networked devices.  In the case of the US energy grid over 70 percent of components are over 25 years old, including many SCADA systems (13).  Given the potential cascade effects of shutting down the electricity grid, it has been a key point of cyberattack. Electricity grid utilities in the US report being under near constant cyberattack, with one utility recording that it was the target of approximately 10,000 cyberattacks each month (all five commissioners of the Federal Energy Regulatory Commission agree that the threat of a cyber-attack on the electric grid is the top threat to electricity reliability in the United States) (8).  The Israel Electric Corp. reports that its servers register about 6,000 unique computer attacks every second, with other critical infrastructure also under continuous cyberattack (9).  As smart grids and smart meters are installed, the number of potential access points to grid networks increases enormously (12).  Smart meters themselves can be hacked with low-cost tools and readily available software to alter proof of consumption or to steal energy from other users (1, 14).

Building management systems
Building management systems are often considered an aspect of property services rather than IT services and cybersecurity is not a key issue in purchase or operation (18).  The consequence is weakly protected systems, often still configured with manufacturer codes.  Moreover manufacturers often do not have processes in place for responding to vulnerabilities or a notification process to inform customers about security threats (18).  The vulnerabilities of building management systems pose two main threats.  The first is that if they are hacked building operations could be disrupted and safety risks created.  The second is that they provide a potential route for breaking into enterprise business systems and critical company data if they share the same network.  In the case of the Target data breach in which over 100 million customer details were stolen it appears that the retailer did not properly segment its data network, with hackers gaining access through the company that maintained its heating, ventilation and air conditioning (HVAC) system (18).

Cameras
Cities are full of a plethora of CCTV cameras; some owned and controlled privately, others by public authorities and police services.  The security of these cameras is highly variable, with some lacking encryption or usernames and passwords, and others open to infection by malware and firmware modification (20).  Accessing a camera provides a means to spy on individuals, such as viewing home presence or using a bank ATM camera to monitor the digits being pressed.  Demonstrating the scale of the issue, one website provides access to the feeds of thousands of unsecured or poorly secured cameras (uses admin passwords) from 152 countries (21).  Cameras can also be turned off, with some lacking the function to be restarted remotely (19).

Many cyberattacks are relatively inconsequential, such as probes and address scans, and are unsuccessful, while a small number are much more significant and involve a security breach.  In a 2014 study of 599 utility, oil and gas, energy and manufacturing companies nearly 70 percent reported at least one security breach that led to the loss of confidential information or disruption of operations in the previous 12 months; 78 percent expected a successful attack on their ICS (industrial control systems) or SCADA systems in the next two years (10).  In 2012, 23 gas pipeline companies were hacked and source code and blueprints to facilities stolen (7).  Between 2010 and 2014, the US Department of Energy (that oversees the US power grid, nuclear arsenal, and national labs) documented 1,131 cyberattacks, of which 159 were successful (11).  In 53 cases these attacks were ‘root compromises’, meaning that the attackers gained administrative privileges to computer systems, stealing various kinds of personnel and operational information (11).

Cyberattacks can be performed by hostile nations, terrorist groups, cyber-criminals, hacker collectives, and individual hackers.  Former FBI director, Robert Mueller, details that 108 nations have cyberattack units, targeting critical infrastructure and industrial secrets (13).  The majority of attacks are presently being repulsed using cybersecurity tools, or their effects have been disruptive or damaging but not critical for the long term delivery of services (3).  Indeed, it needs to be recognised that to date, successful cyberattacks on cities are still relatively rare and when they have occurred their effects generally last no more than a few hours or involve the theft of data rather than creating life threatening situations.  That said, it is clear that there is a cybersecurity arms race underway between attackers and defenders, and that more severe disruption of critical infrastructure has been avoided through the threat of mutually assured destruction between nations (22).  This is not to suggest that smart city initiatives should be avoided, but rather that the cybersecurity challenges of creating secure smart cities should be taken seriously.  It is likely that cyberattacks will increase over time, they will become more sophisticated, and that they have the potential to cause significant disruption to city services and the wider economy and society (5).

References
(1)    Nanni, G. (2013) Transformational ‘smart cities’: cyber security and resilience. Symantec, Mountain View, CA. https://eu-smartcities.eu/sites/all/files/blog/files/Transformational%20Smart%20Cities%20-%20Symantec%20Executive%20Report.pdf (last accessed 12 October 2015)
(2)    Owens, W.A., Dam, K.W. and Lin, H.S.  (eds) (2009) Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities.  Committee on Offensive Information Warfare, National Research Council, National Academic Press, Washington DC.
(3)    Singer, P.W. and Friedman, A. (2014) Cybersecurity and Cyberwar: What Everyone Needs to Know.  Oxford University Press, Oxford.
(4)    Singh, I.B. and Pelton, J.N. (2013) Securing the Cyber City of the Future.  The Futurist http://www.wfs.org/futurist/2013-issues-futurist/november-december-2013-vol-47-no-6/securing-cyber-city-future (last accessed 19 Oct 2015)
(5)    Townsend, A. (2013) Smart Cities: Big data, Civic Hackers, and the Quest for a New Utopia.  New York: W.W. Norton & Co.
(6)    Peters, S. (2015) Smart Cities’ 4 Biggest Security Challenges, 1st July, InformationWeek: Dark Reading, http://www.darkreading.com/vulnerabilities—threats/smart-cities-4-biggest-security-challenges/d/d-id/1321121 (last accessed 21 Sept 2015)
(7)    Perlroth, N. (2015) Online Attacks on Infrastructure Are Increasing at a Worrying Pace.  Bits, New York Times, October 14th, http://bits.blogs.nytimes.com/2015/10/14/online-attacks-on-infrastructure-are-increasing-at-a-worrying-pace/ (last accessed 16th October 2015).
(8)    Markey. E.J. and Waxman, H.A. (2013) Electric grid vulnerability: Industry Response Reveal Security Gapshttp://www.markey.senate.gov/imo/media/doc/Markey%20Grid%20Report_05.21.131.pdf (last accessed 15 Nov 2015)
(9)    Paganini, P. (2013) Israeli Road Control System hacked, caused Traffic jam on Haifa Highway.  Hacker News. October 28, 2013 http://thehackernews.com/2013/10/israeli-road-control-system-hacked.html (last accessed 29 Nov 2015)
(10)    Prince, B. (2014) Almost 70 Percent of Critical Infrastructure Companies Breached in Last 12 Months: Survey.  Security Week, July 14th.  http://www.securityweek.com/almost-70-percent-critical-infrastructure-companies-breached-last-12-months-survey
(11)    Reilly, S. (2015) Records: Energy Department struck by cyber attacks, USA Today, Sept 11th. http://www.usatoday.com/story/news/2015/09/09/cyber-attacks-doe-energy/71929786/
(12)    The Center for the Study of the Presidency and Congress (2014) Securing the U.S. Electric Grid.  Washington DC https://www.thepresidency.org/sites/default/files/Final%20Grid%20Report_0.pdf (last accessed 15 Nov 2015)
(13)    Goodman, M. (2015) Future Crimes: A Journey to the Dark Side of Technology – and How to Survive It.  Bantam Press, New York.
(14)    Krebs (2012) FBI: Smart Meter Hacks Likely to Spread, April 9th, Krebs on Security. http://krebsonsecurity.com/2012/04/fbi-smart-meter-hacks-likely-to-spread/ (last accessed 21 Sept 2015)
(15)    Leitner, T. and Capitanini, L. (2014) New Hacking Threat Could Impact Traffic Systems. NBC Chicago. http://www.nbcchicago.com/investigations/series/inside-the-new-hacking-threat/New-Hacking-Threat-Could-Impact-Traffic-Systems-282235431.html (last accessed 19 Oct 2015)
(16)    Cerrudo, C. (2014) Hacking US (and UK, Australia, France, etc.) Traffic Control Systems, IOActive Blog, April 30th 2014 http://blog.ioactive.com/2014/04/hacking-us-and-uk-australia-france-etc.html (last accessed 12 Oct 2015)
(17)    Greenburg, A. (2015) Hackers Remotely Kill a Jeep on the Highway—With Me in It.  Wired 21st July 2015. http://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/ (last accessed 16th Oct 2015)
(18)    Vijayan, J. (2014) With the Internet of Things, smart buildings pose big risk. Computer World, May 13th. http://www.computerworld.com/article/2489343/security0/with-the-internet-of-things–smart-buildings-pose-big-risk.html (last accessed 13 Nov 2015)
(19)    Cerrudo, C. (2015) An Emerging US (and World) Threat: Cities Wide Open to Cyber Attacks. Securing Smart Cities, http://securingsmartcities.org/wp-content/uploads/2015/05/CitiesWideOpenToCyberAttacks.pdf (last accessed 12 October 2015).
(20)    Brewster, T. (2014) Smart or stupid: will our cities of the future be easier to hack?  The Guardian, May 21st.  http://www.theguardian.com/cities/2014/may/21/smart-cities-future-stupid-hack-terrorism-watchdogs (last accessed 21 Nov 2015)
(21)    Cox, J. (2014) This Website Streams Camera Footage from Users Who Didn’t Change Their Password.  Motherboard, Oct 31st. http://motherboard.vice.com/read/this-website-streams-camera-footage-from-users-who-didnt-change-their-password (last accessed 22 Nov 2015)
(22)    Rainie, L., Anders, J. and Connolly, J. (2014) Cyber Attacks Likely to Increase.  Digital Life in 2025, Pew Research Center.  http://www.pewinternet.org/files/2014/10/PI_FutureofCyberattacks_102914_pdf.pdf (last accessed 19 Oct 2015)

No longer lost in the crowd? How people's location and movement is being tracked

Up until relatively recently tracking the location and movement of individuals was a slow, labour-intensive, partial and difficult process.  The only way to spatially track an individual was to follow them in person and to quiz those with whom they interacted.  As a result, people’s movement was undocumented unless there was a specific reason to focus on them through the deployment of costly resources.  Even if a person was tracked, the records tended to be partial, bulky, difficult to cross-tabulate, aggregate and analyze, and expensive to store.

A range of new technologies has transformed geo-location tracking to a situation where the monitoring of location is pervasive, continuous, automatic and relatively cheap, it is straightforward to process and store data, and easy to build up travel profiles and histories.  This is especially the case in cities, where these technologies are mostly deployed, though some operate pretty much everywhere.  Here are eleven (updated from 7 in original post) examples.

1.  Many cities are saturated with remote controllable digital CCTV cameras that can zoom, move and track individual pedestrians.  In addition, large parts of the road network and the movement of vehicles are surveyed by traffic, red-light, congestion and toll cameras.  Analysis and interpretation of CCTV footage is increasingly aided by facial, gait and automatic number plate recognition (ANPR) using machine vision algorithms.  Several police forces in cities in the UK have rolled out CCTV facial recognition programmes (1,2), as have cities in the U.S., including New York and Chicago (each with over 24,000 cameras) and San Diego (who are also using smartphones with facial recognition installed) (3).  ANPR cameras are installed in many cities for monitoring traffic flow, but also for administrating traffic violations such as the non-payment of road tolls and congestion charging.  There are an estimated 8,300 ANPR cameras across the UK capturing 30 million number plates each day (15).

2.  Smart phones continuously communicate their location to telecommunications providers, either through the cell masts they connect to, or the sending of GPS coordinates, or their connections to wifi hotspots.  Likewise, smart phone apps can access and transfer such information and also share them to third parties.  With respect to the latter Leszczynski’s analysis (14) of the data generated by The Wall Street Journal in 2011 (4) details that 25 out 50 iPhone apps, and 21 of 50 Android apps transmitted location data to a third party other than the app developer.  Of these, 19 of the iPhone apps and 13 of the Android apps did not require locational data as a functional requirement.  Half the iPhone and a third of the Android apps did not request consent for passing on the locational data.  These locational data are shared with advertisers and utilised by data brokers to create user profiles. For example, ‘Verizon have a product called Precision Market Insights that let businesses track cell phone users in particular locations’ (5).  It sells data ‘about its cell phone users’ “age range, gender and zip codes for where they live, work, shop and more” as well as information about mobile-device habits’ including URL visits, app downloads and usage, browsing trends and more’ (5).

3.  In a number of cities sensor networks have been deployed across street infrastructure such as bins and lampposts to capture and track phone identifiers such as MAC addresses.  In London, Renew installed such sensors on 200 bins, capturing in a single week in 2014 identifiers from 4,009,676 devices and tracking these as they moved from bin to bin (6).  The company reported that they could measure the proximity, speed, and manufacturer of a device and track the stores individuals visited, how long they stayed there, and how loyal customers are to particular shops, using the information to show contextual adverts on LCD screens installed on the bins (6).  The same technology is also used within malls and shops to track shoppers, sometimes linking with CCTV to capture basic demographic information such as age and gender (7, 8).

4.  Similarly, some cities have installed a wifi mesh, either to provide public wifi or to create a privileged emergency response and relief communication system in the event of an urban disaster or for general surveillance.  In the case of public wifi the IDs of the devices which access the networked are captured and can be tracked between wifi points.  In the case of an emergency/police mesh access might not be granted to the network, however each network access point can capture the device IDs, device type, apps installed, as well as the locational history (9). Such a wifi mesh, with 160 nodes, was installed by the Seattle Police Department in 2013 (9).  The locational history of previous wifi access points is revealed because a wifi-enabled device broadcasts the name of every network it has connected to previously in order to try and find one it can connect to automatically.  Such data reveals the movement of device owners between locations, revealing the sites of popular spots such as home, work, and where they shop.  Beyond a wifi-mesh, anyone with a wi-fi adapter in monitor mode and a packet capture utility can capture such data (12).

5.  Many buildings use smart card tracking, with unique identifiers installed either through barcodes or embedded RFID chips.  Cards are used for access control to different parts of the building and to register attendance, but can also be used as an electronic purse to pay for items within the facility.  Smart card tracking is becoming increasingly common in many schools to track and trace student movements, activities and food consumption (10).  Smart cards are also used to access and pay for public transport, such as the Leapcard in Dublin or the Oyster Card in London. Each reading of the card adds to the database of movement within a campus or across a city.

6.  New vehicles are routinely fitted with GPS that enables the on-board computers to track location, movement, and speed.  These devices can be passive and store data locally to be downloaded for analysis at a latter point, or be active, communicating in real-time via cellular or satellite networks to another device or data centre.  Active GPS tracking is commonly used in fleet management to track goods vehicles, public transport and hire cars, or to monitor cars on a payment plan to ensure that it can be traced and recovered in cases of default, or in private cars as a means of theft recovery.   Moreover, cars are increasingly being fitted with unique ID transponders that are used for the automated operation and payment of road tolls and car parking.  Again, each use of the transponder is logged, creating a movement data trail, though with a larger spatial and temporal granularity (at selected locations).

7.  There are also many other staging points where we might leave an occasional trace of our movement and activities, such as using ATMs, or a credit card in a store, or checking a book out of a library.

UPDATE: I’ve had three further ways of tracking people pointed out to me (thanks Linda, Stephen, Jim) and I also thought of one more.  Plus I’ve updated method 4 (thanks Paul-Olivier).

8.  Selected populations — such as people on probation, prisoners on home leave, people with dementia, children — are being electronically tagged to enable tracking.  Typically this done using a GPS-enabled bracelet that periodically transmits location and status information via a wireless telephone network to a monitoring system.  In other cases, it is possible to install tracker apps onto a phone (of say children) so the phone location can be tracked, or to buy a family tracking service from telecoms providers (11)

9. Another form of staging point is the use of the Internet, such as browsing or sending email, where the IP address of the computer reveals the approximate location from which it is connected.  Typically this does not have a fine spatial resolution (mile to city or region scale), but does show sizable shifts of location between places.

10.  Another set of staging points can be revealed from the geotagging (using the device GPS) and time/date stamping of photos and social media posted on the internet and recorded in their associated metadata.  This has more spatial resolution than IP addresses and is also accompanied with other contextual information such as the content of the photo/post.  Such data can be used in interesting ways such as tackling cyber-bullying by revealing the location of posters (13).

11.  Location and movement can also be voluntarily shared by individuals through online calenders, most of which are private but nonetheless stored in the cloud, and some of which are shared openly or with colleagues.

As these examples demonstrate, those companies and agencies who run these technologies possess a vast quantity of highly detailed spatial behaviour data from which lots of other insights can be inferred (such as mode of travel, activity, and lifestyle).  These data can also be shared between data brokers and third parties and combined with other personal and contextual information.  For example, Angwin (5) has identified 58 data brokers in the mobile and location tracking business in the US, only 11 of which offered opt-outs (in total she found 212 data brokers operating in the US that consolidated and traded data about people, only 92 of which allowed opt-outs – 65 of which required handing over additional data to secure the opt-out).  Moreover, these data can be accessed by the police and security forces through warrants or more surreptitiously.  The consequence is that individuals are no longer lost in the crowd, but rather they are being tracked and traced at different scales of spatial and temporal resolution, and are increasingly becoming open to geo-targeted profiling for advertising and social sorting.

If you can think of other ways location/mobility is being tracked, please leave a comment – thanks.

Rob Kitchin

(1)  Graham, S. (2011) Cities Under Siege: The New Military Urbanism.  Verso, London.
(2)  Gardham, M. (2015) Controversial face recognition software is being used by Police Scotland, the force confirms. Herald Scotland, 26th May http://www.heraldscotland.com/news/13215304.Controversial_face_recognition_software_is_being_used_by_Police_Scotland__the_force_confirms/
(3)  Wellman, T. (2015) Facial Recognition Software Moves From Overseas Wars to Local Police. New York Times, 12th August. http://www.nytimes.com/2015/08/13/us/facial-recognition-software-moves-from-overseas-wars-to-local-police.html
(4)  http://blogs.wsj.com/wtk-mobile/
(5)  Angwin, J. (2014) Dragnet Nation. St Martin’s Press, New York
(6)  Vincent, J. (2014) London’s bins are tracking your smartphone. The Independent. June 10th http://www.independent.co.uk/life-style/gadgets-and-tech/news/updated-londons-bins-are-tracking-your-smartphone-8754924.html
(7)  Kopytoff, V. (2013) Stores Sniff Out Smartphones to Follow Shoppers, Technology Review, Nov 12th http://www.technologyreview.com/news/520811/stores-sniff-out-smartphones-to-follow-shoppers/
(8)  Henry, A. (2013) How Retail Stores Track You Using Your Smartphone (and How to Stop It). Lifehacker, 19 July, http://lifehacker.com/how-retail-stores-track-you-using-your-smartphone-and-827512308
(9)  Hamm, D. (2013) Seattle police have a wireless network that can track your every move. Kirotv.com, 23 November. http://www.kirotv.com/news/news/seattle-police-have-wireless-network-can-track-you/nbmHW/ cited in Leszczynski, A. (forthcoming) Geoprivacy.  In Kitchin, R., Lauriault, T. And Wilson, M. (eds) Understanding Spatial Media. Sage, London.
(10) Goodman, M. (2015) Future Crimes: A Journey to the Dark Side of Technology – and How to Survive It.  Bantam Press, New York.
(11) see http://gizmodo.com/how-to-stalk-a-cheater-using-satellites-and-cell-phones-1546627447
(12) Gallagher, S. (2014) Where’ve you been? Your smartphone’s Wi-Fi is telling everyone. Ars Technica, Nov 5th, http://arstechnica.com/information-technology/2014/11/where-have-you-been-your-smartphones-wi-fi-is-telling-everyone/
(13) Riotta, C. (2015) How Facebook and Twitter Geotagging Is Exposing Racist Trolls in Real Life.  Tech.mic, Dec 2nd, http://mic.com/articles/129506/how-facebook-and-twitter-geotagging-is-exposing-racist-trolls-in-real-life
(14) Leszczynski, A. (forthcoming) Geoprivacy.  In Kitchin, R., Lauriault, T. And Wilson, M. (eds) Understanding Spatial Media. Sage, London.
(15) Weaver, M. (2015) Warning of backlash over car number plate camera network. The Guardian, 27 Nov. http://www.theguardian.com/uk-news/2015/nov/26/warning-of-outcry-over-car-numberplate-camera-network