Are Smart Cities the Next Principal Step in the Loss of Privacy?

January 29, 2021

By Dr. Ian McAndrew, Capitol Tech's Dean of Doctoral Programs, and Alan Tilles, Capitol Tech Board of Trustees member

Architects, town planners, environmental groups and many others believe smart cities are a feasible step to the creation of a zero carbon footprint way of living. There are many advantages and opportunities to integrate transport, work, shopping, and the control of all interconnecting aspects, from food deliveries to the electrical power demands based on our personal ways of living. Artificial Intelligence (AI) will be able to offer heating schedules that balance, in advance, when we are home, when we are working, and our level of comfort, so that electrical power planners can minimize over-production of electricity.

The technology currently exists to make this happen if we accept that control needs to be managed on the larger scale. What is rarely discussed or addressed is the erosion of our privacy and how that will potentially create issues of who owns our data and recorded ways of living. While the concept of “Big Brother” is not new, the collection and use of data, even when anonymized, has serious societal and legal implications that must be addressed by policy makers to ensure that the benefits of a connected city are realized.

Smart Cities are being designed, justified and planned in many different countries. Current technology exists to deliver the majority of the innovation planners want and offer. For example, an integrated electric car charging system will be two-way. That means cars will be charged in batches so as not to overload demand, and in extremes the charge in a car can be returned to the national grid. To achieve this, private information about the owner’s demands each day, habits and limitations must be captured. This does not add much complexity to designing a system. On the larger scale, the daily habits of each car user will be stored and this will be the input for the calculations. Add to this, AI and predictive patterns will be used for the charging of all cars whereby the supply (possibly wind turbines) will be managed fully. Technically, data access is easy to obtain, but what are the implications of unfettered use, and the legal implications of data use?

On a narrower focus, managing the house in a smart city offers equally positive and negative ways to live. A lost key? We can find a locksmith or break a window to enter. Even if the house is alarmed, the key is entered and the alarm is disarmed. On a biosecurity level, what happens if the sensor does not recognize the owner or approved person? If there is a system fault, how does one enter? Breaking a window may be difficult with modern toughened glass. Do we have our information shared with a cyber-locksmith? If yes, which one? Must that cyber-locksmith be licensed by the municipality? Indeed, the hacking of this company by external people, or simple theft of data, may have much wider implications. Technology leads and the law seems to catch up in most cases. In smart cities, lagging legislation can cause significant problems that must be addressed as part of planning, or the possibility is that there will be cybersecurity problems inherent in the implementation.

Another focus is the ability of law enforcement to access this information, and make use of it. The legal implications of such access are huge. In doing so, decisions must be made with regard to whether search warrants are necessary for data acquisition (and the impact on the 4th Amendment’s bar on unreasonable searches and seizures), the transmission and storage of data (chain of custody issues), and the ability to de-anonymize data.

Further, the potential of a municipality to monetize collected data, combine data from a variety of trusted and non-trusted sources, and exchange data with other collectors significantly impacts the smart city vision.  Ensuring that a reasonable balance is struck between these varying interests is a core component to system rollouts.

There have been several cases lately reporting how Apple and Amazon partners are using Siri and Alexa devices to ‘spy’ on, record and then report conversations. If this is possible within a household, then in smart cities, where audio, video and facial recognition software is universal, the boundary of privacy is not controlled by anyone and responsibility is not borne by any entity or person. Imagine how a stalker in a position of authority could track every movement of an individual [1]. The possibility exists that a criminal could accurately predict that an apartment will be empty to enter for that ever-nefarious action or deed, with the potential consequence of blurring lines of responsibility for law enforcement. The complex question of what is illegal is now unclear, and crime is more difficult to define or attribute.

Smart cities are likely to heavily, if not totally, rely on driverless cars. It has been suggested that no one will own a car and a form of taxi use similar to that available with Uber will prevail. If travel is controlled centrally, then the control of reducing travel will be held by a few, allowing such entities to control (for example) how many taxis are available at any one time. Independence will be removed and the basic human right of freedom of movement guaranteed by the Fifth Amendment could be removed for the good of traffic management. How would travel priority be established that is not biased? Many cases of AI in the criminal justice systems have been alleged to be racist or biased against groups [2]. Without answers, smart cities may compound the problem and perhaps be free from challenge, as sufficient laws do not presently exist to hold those responsible legally accountable.

The creation of data privacy laws is not only complicated in terms of making choices of what to protect, but is fraught with public perception issues. The recent experience with Covid-19 masking regulations infringing on civil liberties is not a singular example. In 1974, the public outcry against seat belt ignition interlock regulation bears reexamination in how to manage public perceptions and expectations for future situations.

Presently, there are a variety of industry segments that have Federal Data Privacy Regulations. Most people are familiar with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Children’s Online Privacy Protection Act of 1998 (COPPA) [1n]. Less publicly familiar is the Federal Communications Commission’s Customer Proprietary Network Information rules (CPNI) [2n].

States have taken on data privacy, too, most famously California’s Consumer Privacy Act (CCPA). However, there is scant consideration at a federal level, beyond HIPAA and COPPA, which takes into account the sheer volume of data that is being made available through the “magic” of IoT (from sensors to cameras), from government controlled spaces (public streets, for example) to private spaces (homes, office buildings, sports arenas, businesses, etc.), to data collections which perhaps haven’t been routinely considered before now (data collection in vehicles and Family Ancestry sharing DNA information with law enforcement).

There have been some governmental efforts to provide limitations on data collection, such as San Francisco’s ban on governmental use of facial recognition, followed by Somerville, Massachusetts and Oakland, California. However, we are still missing universal consideration of these issues. A hodge-podge of rules by different municipalities results in uncertainty by businesses in the development and deployment of advanced technologies. This has the impact of delaying the creation of smart cities and potentially limiting the benefits which smart cities are designed to enable.

As a result, there have been a number of industry efforts to step in to create standards where regulatory bodies have so far failed to do so. In 2019, Cisco called for governments to establish privacy as a fundamental human right in the digital economy [3]. Cisco laid out certain principles which it seeks to have included in legislation which it urges be adopted. Similarly, the Alliance for Telecommunications Industry Solutions (ATIS) created a framework for data sharing for smart cities [4].

Our collective experience with lockdowns during the COVID-19 pandemic may actually hasten regulation. What the pandemic demonstrated was that data privacy regulations necessitated by remote meetings (particularly virtual doctor visits) need revision. In the case of telehealth, guidance was developed to define acceptable means of secure communications and for the handling of private information passed as a part of it. Similar action should be taken at a federal level on similar data privacy issues, which will allow the unimpeded development of smart cities with adequate protection for the individual.

 

Resources

1. While the CBS Network television show “Person of Interest” is fictional, as technology advances the possibility becomes very real.

 

3. Cisco. (2019, February 19). Cisco Calls for Privacy to be Considered a Fundamental Human Right. Retrieved from https://newsroom.cisco.com/press-release-content?type=webcontent&articleId=1965781.

4. ATIS. (2021). ATIS Data Sharing Framework for Smart Cities. Retrieved from https://www.atis.org/smart-cities-data-sharing/.

Notes:

1n. On the international level, there are privacy regulations such as the European Union’s General Data Protection Regulation (GDPR), Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) and Australia’s Notifiable Data Breach Scheme.

2n. Please note that this article focuses on data privacy rules, and not cyber security.  Obviously, cyber breaches can result in the release of private data.  However, we must first determine the information sought to be protected (data privacy) and then how to perform the actual protection (cyber security).