#16 Must we trade privacy for the smart city dream?

#16 Must we trade privacy for the smart city dream?

#16 Must we trade privacy for the smart city dream?

Ashwin Krishnan

Ashwin Krishnan

Ashwin is the COO of UberKnowledge, where he regularly interviews cybersecurity leaders for the UberKnowledge podcast, in order to bring cybersecurity awareness and training to the community, and close the growing skills gap. He has a particular interest in those demographics currently underrepresented in our industry.  Ashwin is also a tech ethicist, writer, podcast host (the #UndercoverLeaders podcast), and speaker.

Smart cities have long been touted as the solution to managing the explosive growth in cities, making services and infrastructure more accessible and convenient to all. But for smart cities to work, vast amounts of data are prerequisites. That automatically brings into question citizen personal data and where a city, or enterprise such as Apple, draws the line between data privacy rights and the collective wellbeing of the city. On this episode, Ashwin Krishnan breaks down for us the current draw of smart cities, provides examples of what it is like to live within smart city boundaries, and what implications all of the “smarts” have on our personal data rights and freedoms.

Episode number:
Date Published:
May 28, 2020

KRISTINA PODNAR, HOST: Todays guest is Ashwin Kirshnan, COO of UberKnowledge, podcast host of the UndercoverLeaders podcast, a tech ethicist, writer and speaker.  Ashwin, welcome to The Power of Digital Policy podcast. I'm excited to talk to you because everything and anything that I pick up these days in the news seems to talking about smart cities and I love the idea of smart cities versus dumb cities. But tell me beyond being a buzzword, what is a smart city?

ASHWIN KRISHNAN, GUEST: Yes, the way I look at smart cities, you look at the outcome, right, the outcome that you're trying to drive as a city mayor or city council is really to enhance the life, the work experience, even the play experience for your citizens and your businesses. So that's the outcome that you want. Now the way the Smart City definition has evolved is what does it entail? It entails instant communications. It entails, yeah, another buzzword IoT, internet of things which includes sensors and most importantly includes data, but none of this would really get anywhere unless you're able to take action on the data be able to react, predict and then wrapped accordingly, right? So I know it's a lot of things but ultimately I think the outcome is where we should start off which is really to enhance the citizens and enhance their businesses experience in the city.

KRISTINA: This is a great definition. And when I kind of think about that definition, I kind of wonder if there's a shift in that definition sort of a pre-COVID versus post-COVID time if you will. Are we really talking about smart villages instead of smart cities here?

ASHWIN: Yeah. It's a good point. In fact, one of the one of our common friends Anthony Veri, was talking about the exact same thing. When he was on the Arc, he was talking about an extended relation of his was talking about how they had about 20-25 people just essentially do what you said, which is decide to leave a high-rise and go into the wilderness. So again, you look at it and say from as long as he kind of agree on the definition, which is okay regardless of where you are the definition of smart everything to make your life, your work, your business more effective. So if you talk about people going into suburban neighborhoods or even into the hinterland if you will, the question is, how does it result in a positive work life experience? So for instance you and I are talking over Zoom right now. So we assume internet as a given, we assume we have reasonable bandwidth, we assume that it gets recorded in the cloud or in a computer. So I think the definition of regardless of where you are, your life and work experience needs to get enhanced. Now clearly, if you're talking about a less populated neighborhood and people have let's say now it's what's of land, then you're talking about ensuring that if you have cattle on the farm, or if you just have the need to have security cameras all over and be able to get alerted if you have an intruder in your in your 10 acre land, that's very, very different than ensuring that the traffic signals are coordinated so that you and I are not stuck at a traffic light for 90 seconds. Even though there's no traffic the other direction, right? So I think yes, I think we the need for the technology and the need for data collection and the need for acting on the data will remain the same but the outcome desired would be radically different. Now, clearly from a business perspective, if you take somebody like Google and what they did with Toronto with the Sidewalk project. That got a lot of attention because they were able to get a lot of, right or wrong, I mean it obviously had a lot of transparency and data privacy issues tied along with it. But for them that was a kind of a cornerstone project because of a lot of people highly densely populated and so you can get a lot of information. So now you look at it and say if you talking about people moving into the into rural neighborhoods, it's what sorts of data collection is possible and how long does it take to actually make a meaningful data model to make predictions right? So I think that will be the question in my mind at least if we going into less populated neighborhoods in terms of what is the efficacy of a smart village.

KRISTINA: In so you just brought up something that's I think of interest to both of us here, which is data tracking and collection and the balancing between that and privacy. And so maybe the rate of tracking collecting data is a little bit slower in rural areas versus highly populated areas, but at the end of the day, I think we still have that same equation right between data collection management, its use and privacy and how do you see that getting accomplished, you know, out there right now like, what trends are you're seeing?

ASHWIN: I think we were on the right path, right with GDPR are being in affect, for a year and a half right now CCPA going to affect in California, the Illinois Biometric Act and so forth. Now what they were trying to do at least right in the spirit of things is to ensure that there is more transparency, businesses are accountable, there is obviously responsibility from a legal standpoint. So obviously they want to make sure that they're doing the right thing from a business community perspective. But I think we were still I'd say years away from really making this a true customer experience. I’ll give you an example. I mean CCPA being in California, this was heralded to be a big thing. Which it is, but I think it's really not a consumer privacy. A consumer has no idea of what he or she is supposed to do and you and I talked about this is one of the largest gym chains at that point. It was going like crazy now, obviously it's shuttered but regardless they had this this 18-page disclosure as part of CCPA compliance. And in one of those tables they had actually called out the fact that they take videos and photos of their members. They actually give it out to third parties. And so you kind of look at it and say “Yes, you're following the letter of the law by making the data available to consumers.” But how many what percentage of your of your gym population members would actually even go through page 18 of the table much less understand what it what it means or even click on the link that says hey by the way, we are CCPA compliant, if you're interested go here. No one goes there, right? So in some sense, I think that that continues to be a big problem

KRISTINA: In the “ New Normal” we're going to go back to the way things were or are we going to see that this is leading to free high-speed access for all and then again, you know kind of back to this point of like well who's in charge of privacy and security and who ought to be in charge of privacy and security. So, you know as we kind of think about these smart cities as we think about the infrastructure whether it's for post-COVID, you know, should we have somebody who is centrally looking at the privacy and security issue and being sort of a steward for that and would that even look like?

ASHWIN: I like the focus this on the consumer, you and I and everybody else, right? It's like okay, we take Internet for granted I go to the Cupertino Library every now and then and I like to work from there, but I have a VPN client with me every single time. So I think there are two aspects of this, one is I think there needs to be more consumer awareness in terms of knowing what is a secure Wi-Fi location versus what is not. And going to Starbucks or going to San Francisco right now and using super spots or heading to your gym and between workouts you start working literally working on your project. Those are very different experiences. So the question to ask yourself is yes, you are utilizing it as you would for other utilities like electricity, power, water etc, but the question is; this is very different. Right, and as we talked about earlier there is going to be more surveillance. Your data is going to be intercepted into, an encryption will be a myth and continues to be a mess with somebody who has the key and somebody who can tap into your stream of traffic. So I think end of the day all you can do is be aware of what's going on. And I mean VPN has been around for, I don't know 25-30 years, right? Yet you look at people who go to the Starbucks and just fire up their laptops and Chromebooks and connect as if the world is not watching. The world is not watching the world is watching.

So I think the first question to ask yourself is, yes, is ubiquitous internet access everywhere going to become a citizen's right? Probably. Yes. And you'll see more and more of that but also the other angle to this, like I said is ownership from end users perspective in terms of understanding contextual right and I don't even mean that TMI, too much information overload that people are grappling with and therefore you need to be contextually aware and know when to fire up the VPN now, I mean, all of these VPN technology is one the values you can you can set up trusted Wi-Fi hotspots and everything else is untrusted the moment you hit an untrusted location. It fires up in the VPN, off you go. So I just one example of how you need to take ownership. I think the other aspect of this and I was talking to a guest of mine last week on The Uberknowledge podcast, and he was saying that they are retooling their WIFI at the workplace right now since nobody's there to make it look like Starbucks, right and he says which means everything is zero trust you come into that you get free Wi-Fi access you get access to a printer and that's it. Right. So there is no nothing in the physical corporate location that's going to look any different than your home or any different than a coffee shop. Right? And so that's there so they redefining zero trust everywhere and he says that that is going to be rolled out through the entire organizations, people are constantly aware of the fact that hey you connecting to a network and we give you free Wi-Fi access, but just imagine that you're sitting in Starbucks. And so the same principles need to be applied. So I think we will see a shift but I think increasingly I do believe that the end users need to take a little bit more responsibility and contextual awareness of where they are and what they do.

KRISTINA:  Does that automatically imply that businesses can shrug some of that responsibility off?

ASHWIN: Great question. So, I think it comes back to the culture, comes back to how you're treating. So if you look at it and say okay. I'm going to treat my employees. I'm going to treat my customers and I'm going to give them visibility into what's going on. So let's dig a little bit deeper into that. Right? Let's say you go to work and you get free Wi-Fi access and the company has told you hey, you know what, you need to have your VPN on all the time in to have to say and so assume that, but if the business without telling their employees who they are also actually tracking your activities, right I gave when you enter the office how long in fact Zoom has this innovative tracking and realized it's like let's say you and I are talking on a video call and I switch screens. I'm looking at something else Zoom knows that and you can actually get alerted the hosting get alerted saying, you know what you have a guest who's absconding. So the question really is you can't have it both ways. So businesses can tell their employees saying, you know, what treat us just like any other Starbucks location any other coffee location or whatever you your local library, while having full visibility and tracking and the following the digital trail that their employees leave behind regardless of where they go, right? So I think transparency is key over here, which is you need to tell them that hey by the way. Yes, you're in the office location. May you be giving you free Wi-Fi but in exchange for that?

You are an employee and we have full rights to actually do complete tracking and you know, you don't get any kind of waiver from that perspective. So, that's one aspect of it. Right? So as the other piece of it is data collection, which is again, like we talked about somebody coming to the office how long they're there. When do they leave under which it out for lunch. In fact, I think Nvidia has this notion where they actually track you from building to building and how long you actually go for lunch and come back and all that and the part of it is just to drive efficiency so they can actually make me the cafeteria more efficient and going back to the whole smart cities smart cafeteria, right? But that is data that has been collected on the employees. Now. How is the rate of going to be used is it anonymized is it does it continue to be there after the employee resigns and leaves the company and those are all questions that I think no business can shrug and he really point in terms of who actually needs to be responsible for this? Right? But that's a difficult question because it really depends on the business. I think it starts with the with the CEO and the board right now with COVID-19 hitting clearly. I mean everything is getting upended. So it's a great time to actually look at it and say fact I was reading this morning completely blew my mind that there is actually technology that exists, right, in this is technology that believe is the GitHub right now, which can actually allow you to deep everything. Right? So deep fake everything. There's an open source to a program that can deep fake who you are if Kristina decides that hey she wants Beyonce to be the avatar of you on a Zoom call, you can actually do it in real time.

KRISTINA: Are we seeing more and more technology? And how do we deal with the trust factor? And if we are kind of going into that trust factor model, is it the role of the citizen really to kind of stand up and own that? Is it the government that needs to actually be involved? Is that the private sector? Is it some crazy combination? What are we looking at? You know and How do we kind of leap forward together into this or is it just sort of like trial and error you think?

ASHNWIN: I don't believe I'm saying this but it is going to be true that we are going to have more of these hop economies. Google, Apple, Facebook, Microsoft, that we will inherently need to trust more and more. Why? Because they have the data stack and a city even the one that I live in Cupertino, which is Apple headquarters, despite having highly tech population, good dollars coming in from at least pre-COVID from for businesses. It still relies a lot on the technology that the private sector is offering, right, or Google in Mountain View does the same thing  to the city of Mountain View. I think it's going to be difficult if we only have to rely on the consumers awareness and or the city to be able to put these things up by seven particularly now, right you look at let's say fast-forward 60-90-120 days, City They have any of city coffers are going down. the wayside, tax dollars are down. So ultimately the impact that a city can have in these kinds of initiatives going to be somewhat muted, right, let alone the lack of skill set and awareness and digital privacy gurus that collaterally want to join a city and make a difference. Now, this was different pre-COVID, right?

There were a lot of smart city initiatives that would have been very effectively, but now with these tax dollars in play you kind of look at and see what's on the chopping block right? Do we cut electricity, do we cut water do we cut he housing projects, do we cut Smart City projects. So I think this is going to be one big question now. So from a from a like who is in charge and who's going to help drive this and how does it kind of help the average citizen being the more aware of what's going on? I think the private sector will have a much bigger role going forward. Now that does come with issues, no doubt, but I think again, maybe I'm being idealistic over here, I don't know, but I think coming out of this this pandemic, I think the there's going to be a reset in moral values for the good from a business perspective as well as a citizen perspective, right or a consumers perspective and I think maybe right and I'm being again, maybe too idealistic to glass-half-full kind of person over here, but I think maybe we start seeing a reset in terms of what some of these have economies can, will do going forward but also I think the awareness factor of whether it's Apple and Google right now teaming up to track COVID-19 connectivity or other kinds of initiatives. I think those will be the need for quite a bit of time especially like I said given the ability to collect data to be able to act on the data to be able to predict the data predictions going forward and using that for good. Now can it quickly turns south, you have another Cambridge analytical you have some other kind of snafu probably but I think this, the scars that this is going to leave is going to be with us for a long time. So hopefully that's that serves us as a reminder to kind of keep to what's good for a considerable period of time again, I might be dreaming of here, but that's my hope.

KRISTINA: There's a sweet spot between smart anything and privacy and security. Do you have a personal hero that you would nominate to help us define what that sweet spot is and you can self nominate if you would like to but who do you think and who do you hold in high esteem? They would point today and say look, this is the person of our time who I think has the capacity to get this done and to help us identify that sweet spot.

ASHWIN: Wow, that's a that's a loaded one.

KRISTINA: Wait. I asked you a question that you have to think about.

ASHWIN: I'm looking at I'm trying to look for examples of people that have stayed consistent right over the many years, Now better think I think so. Let's talk about Apple as a company. As a company. I think they have maintained their vision of what it is that they will and will not do and I think starts with Tim Cook and I think he's been phenomenal in terms of being able to drive that the other Hub economy that I have enormous respect for is Microsoft CEO Satya Nadella. And so you look at all the way down from Satya down to the to the president, like Diana Kelly, their cybersecurity evangelist in the CTO field. I think there's a cultural awakening that has happened in that company over the course of Satya tenure over there. So there's that piece over there. Then I think there are companies that are wanting to do the right thing. I don't remember off the top of my head Evernotes CEO, but I trust Evernote more than ever before because I think about six months ago. I was doing some digging around the privacy practices and it was so evident that the company lives in breach this they say you own your data. We secure your data and you can take your data and walk away whatever you want. Right and it takes less than 30 in 15 seconds to kind of look as those three and you can expand each one of those three bullets and it will actually tell you what it is that Evernote is doing to protect the data, what data ownership really means for you and how do you transfer your data out at any point in time? So I think there are there are few examples where you feel that if this is what Evernote is putting out there for everybody to see, if I'm an Evernote employee, I know now what the company stands for so whether it's what I'm software testing, whether I'm business development, marketing, sales, does matter, that's how I'm going to lead my conversations or my software development or testing. So I think there are there are examples of companies out there and some have lived through this and I've kind of given gone through rebirth like Microsoft others like Evernote have been this way from day one, since evolution.

And then there are companies in Europe. Thanks to GDPR, our activism over there that by definition are doing the right thing. I've given this example before, Lufthansa of all the companies out there that I think I learned how to explain website cookies better than anything that I've ever seen thanks to going to Lufthansa website. Right? It's very obvious. They have a pop-up. It says, Hey for statistics, for personalized or customize it. So three levels right if the statistics then we're not going to collect your information your browser information, your history, your language preference, etc. Etc. And as you go down you giving up more information but in exchange for that next time you come visit our website, we know exactly your typical takeoffs point and where you want to land and so forth because we've stored cookie. So I think companies like that are not just embracing the need to kind of Follow the Leader Salah, they're also going one step forward and saying okay if I just tell you hey, we have this ugly pop up and talking about website cookies so that I'm being compliant versus let me actually explain in layman's terms how this is going to impact the um, you select what it is that you want to offer us an exchange for either a completely non personalized experience or a highly personalized experience that next time you go back.

KRISTINA: Right there. You just made my heart go pitter-patter. Great examples of companies with good digital policies and getting it right with a user which is simply amazing sometimes because it can be a really high bar to reach and not everybody does it. So Ashwin thanks for joining us today. Really insightful,l really appreciate it. Hopefully you'll come back again and be a guest sometime because I think so much more to unpack here not just around smart cities and maybe smart hubs and economic hubs, but also, what's happening out there in the future once we all get out of this quarantine, so thanks for your time, and hopefully we'll see you again on the other side of this.

You can reply to this podcast here: