Ontario is pushing homeowners to install smart thermostats — but what about consumers’ privacy?

ANALYSIS: The government is willing to pay for 100,000 internet-connected thermostats intended to improve energy conservation. Trouble is, it’s not doing anything to protect homeowners’ privacy.
By John Michael McGrath - Published on September 1, 2017
So-called smart thermostats can collect personal data, raising privacy concerns. (Peter Power/CP)



The Liberals announced this week that they’ll gladly foot the bill for up to 100,000 Ontarians to replace their old thermostats with new internet-connected “smart” thermostats — which could net substantial energy savings.

It could also expose people to substantial privacy breaches. But the government isn’t taking any special steps to protect consumers.

“I’m nervous about the application of these things,” says Ann Cavoukian, head of Ryerson University’s Privacy by Design Centre of Excellence and a former information and privacy commissioner. “It’s all about unintended consequences; that’s what worries me.

“There’s no mention of any issues related to privacy in the government’s documents,” Cavoukian said Wednesday, “and that’s what I want the government to spell out.”

The most well-known device is the Nest, made by Nest Labs (now owned by Alphabet). But more generally, a smart thermostat is simply one that’s internet-enabled, with heat, motion and other sensors and the ability to adapt to users’ behaviour (it may, for example, adjust the temperature based on whether it senses people moving around).

These devices have the potential to save energy: one study found that consumers saved 10 per cent of their natural gas when they switched to smart thermostats, versus 2.5 per cent with conventional programmable devices (the kind Ontario already subsidizes). Electricity savings were about the same for both kinds of thermostat, at just over 10 per cent.

The question isn’t whether smart thermostats are worth the money, however; it’s whether the government is doing enough to protect consumers’ privacy — and that question becomes more urgent when Queen’s Park incentivizes consumers to buy the devices.

Notably, when the province started compelling hydro utilities to install smart meters to track electricity use throughout the day and enable time-of-use billing, the provincial regulator (the Independent Electricity System Operator) consulted Cavoukian in her capacity as information and privacy commissioner. The IESO implemented her “privacy by design” principles, and Cavoukian in turn praised the IESO’s work in a 2012 report. The IESO is also running the smart thermostat program.

In contrast to the precedent set with smart meters, the government didn’t notify or consult the current Information and Privacy Commissioner Brian Beamish prior to this week’s announcement. Beamish’s staff told TVO.org they would reach out to the IESO “for information about the program and its privacy implications.”

These implications aren’t merely speculative. Cavoukian noted that Toronto was recently prevented from using electricity meter data to enforce a tax on vacant homes.

Beyond Toronto, numerous private interests — including insurance firms — would love to get their hands on the household-level data smart thermostats collect. And that’s not to mention the potential threat of hackers taking control of the devices (which, it must be said, hasn’t been documented in a real-world setting with the major brands Ontario’s program is funding).

That Nest is owned by Alphabet raises questions as well, despite Nest’s privacy policy (available on the brand’s website). The proliferation of voice-activated devices poses its own privacy concerns. Toronto-based Ecobee, a rival smart-thermostat maker, integrates its newest model with Amazon’s Alexa voice-recognition software.

Ecobee did not make a representative available for interview but instead pointed TVO.org to the company’s privacy policy, available online, which emphasizes that Ecobee doesn’t share information with third parties without users’ prior consent, or unless it needs to in order to comply with the law (in the event of a court order, for instance). Ecobee users can also deregister their thermostats and delete any stored personal data. Both manufacturers encrypt their user data.

Ecobee and Nest both say, however, that their privacy policies are subject to change — and Ecobee states explicitly that customer data will be retained as a corporate asset should the company be sold in the future.

The ministry of environment and climate change defended the government’s conduct in a statement to TVO, saying that any information the government collects will be subject to privacy legislation. The information private corporations collect, however, won’t be (although customers will have to sign the companies’ consent forms).

The ministry mentioned that the IESO will conduct a “complete privacy impact review” to ensure that any information collected follows privacy-by-design principles — however, it will do so only after the program is underway.
