The Liberals announced this week that they’ll gladly foot the bill for up to 100,000 Ontarians to replace their old thermostats with new internet-connected “smart” thermostats — which could net substantial energy savings.
It could also expose people to substantial privacy breaches. But the government isn’t taking any special steps to protect consumers.
“I’m nervous about the application of these things,” says Ann Cavoukian, head of Ryerson University’s Privacy by Design Centre of Excellence and a former information and privacy commissioner. “It’s all about unintended consequences; that’s what worries me.
“There’s no mention of any issues related to privacy in the government’s documents,” Cavoukian said Wednesday, “and that’s what I want the government to spell out.”
The most well-known device is the Nest, made by Nest Labs (now owned by Alphabet). But more generally, a smart thermostat is simply one that’s internet-enabled, with heat, motion and other sensors and the ability to adapt to users’ behaviour (it may, for example, adjust the temperature based on whether it senses people moving around).
Stay up to date!
Get Current Affairs & Documentaries email updates in your inbox every morning.
These devices have the potential to save energy: one study found that consumers saved 10 per cent of their natural gas when they switched to smart thermostats, versus 2.5 per cent with conventional programmable devices (the kind Ontario already subsidizes.) Electricity savings were about the same for both kinds of thermostat, at just over 10 per cent.
The question isn’t whether smart thermostats are worth the money, however; it’s whether the government is doing enough to protect consumers’ privacy — and that question becomes more urgent when Queen’s Park incentivizes consumers to buy the devices.
Notably, when the province started compelling hydro utilities to install smart meters to track electricity use throughout the day and enable time-of-use billing, the provincial regulator (the Independent Electricity System Operator) consulted Cavoukian in her capacity as information and privacy commissioner. The IESO implemented her “privacy by design” principles, and Cavoukian in turn praised the IESO’s work in a 2012 report. The IESO is also running the smart thermostat program.
In contrast to the precedent set with smart meters, the government didn’t notify or consult the current Information and Privacy Commissioner Brian Beamish prior to this week’s announcement. Beamish’s staff told TVO.org they would reach out to the IESO “for information about the program and its privacy implications.”
These implications aren’t merely speculative. Cavoukian noted that Toronto was recently prevented from using electricity meter data to enforce a tax on vacant homes.
Beyond Toronto, numerous private interests — including insurance firms — would love to get their hands on the household-level data smart thermostats collect. And that’s not to mention the potential threat of hackers taking control of the devices (which, it must be said, hasn’t been documented in a real-world setting with the major brands Ontario’s program is funding).
Ecobee and Nest both say, however, that their privacy policies are subject to change — and Ecobee states explicitly that customer data will be retained as a corporate asset should the company be sold in the future.
The ministry of environment and climate change defended the government’s conduct in a statement to TVO that any information the government collects will be subject to privacy legislation. The information private corporations collect, however, won’t be (although customers will have to sign the companies’ consent forms).
The ministry mentioned that the IESO will conduct a “complete privacy impact review” to ensure that any information collected follows privacy-by-design principles — however, it will do so only after the program is underway.