Skip Navigation
BlackBerry Blog

Smart City Limits: Urban Innovations Spark Privacy Concerns

FEATURE / 08.13.19 / Kim Crawley

Imagine if we could harness computer technology and the Internet to improve the functioning of our cities. If properly implemented, Internet of Things (IoT) technology can be used for the greater good to more efficiently regulate street traffic, and municipal matters such as noise, air pollution, and waste management.

And inevitably, at some point in the very near future we will have fully autonomous cars that can interface with signals from “smart” traffic lights and the like to drive safely and efficiently with little to no direct human direction.

Sidewalk Labs is an organization that’s owned by Google’s parent company, Alphabet Inc. One of their Smart City projects is being developed for my hometown of Toronto, Canada. Sidewalk Labs hopes to improve people’s lives through their Sidewalk Toronto initiative. We could soon have an IoT-driven city that operates like the world of The Jetsons!

What could possibly go wrong?

Sidewalk Labs: Building the IoT City of the Future

According to their website: “Sidewalk Labs is an Alphabet company that imagines, designs, tests, and builds urban innovations to help cities meet their biggest challenges.”

Alex Bozikovic wrote for the Globe and Mail about Sidewalk Labs’ Toronto project back in 2017:

“If the initiative proceeds, it would represent North America's largest example of the smart city, an urban district that is built around information technology and uses data – about traffic, noise, air quality and the performance of systems including trash bins and the electrical grid – to guide its operation.

Access to those systems and the use of that data, in this private-public partnership, will raise novel policy questions for governments about privacy and governance.”

I have spoken to people about those privacy and governance related matters. Sidewalk Labs says that they won’t sell any personal information collected in the project:

“Sidewalk Labs has committed that it would not sell (or) disclose personal information to third parties, including other Alphabet companies, without explicit consent. Sidewalk Labs has proposed that an independent, government-sanctioned entity approve proposed collections and uses of urban data in the project area by all parties, including Sidewalk Labs.”

However, Sidewalk Labs’ CEO Daniel Doctoroff has acknowledged privacy concerns related to the project. He wrote:

“We heard lots of concerns about privacy. The approach we’ve developed is in direct response to those conversations, vesting the control of urban data in a democratic, independent process. The approach outlined in the Master Innovation and Development Plan will set a standard for the world.”

But regardless of what the Alphabet Inc. owned company says, security professionals and one particular Toronto politician have raised concerns. Ian Thornton-Trump, AmTrust International Head of Security, notes that:

“(Sidewalk Labs’) goal is to improve urban infrastructure through technological solutions, and tackle issues such as cost of living, efficient transportation and energy usage. A lofty goal indeed however, this project introduces all kinds of important questions around urban planning and surveillance and privacy.”

Privacy Concerns of Smart Cities

The contract between Sidewalk Labs and Waterfront Toronto has been shrouded in secrecy. Board members of Waterfront Toronto, the current owner of the land proposed for redevelopment, had only four days to review the deal to work with Sidewalk Labs for a year on development plans before signing.

Privacy concerns have also been brought up by numerous experts, who note the incentives for parent company Alphabet to collect personal data from residents and visitors. Sidewalk Labs CEO Dan Doctoroff has stated that while data sharing isn’t in Sidewalk Labs’s ethos, he can’t say with definitive certainty what will happen with the information collected in Quayside. That’s because, at this stage, it isn’t clear who will own the data.

I'm inclined to believe that Google will own the data - despite some ambiguous claims of a ‘data trust’ and ‘deanonymization,’ and this could be massively problematic.

Google may have done some calculations. In a city of the future the data (purchases) of the residents living there will prove to be more valuable than the real estate itself, over a lifetime. One could make the argument that Alphabet would control access to the whole residential supply chain. Google Mortgage & Lending, Google Property Leasing, Google Property insurance and the list goes on. Not to mention the recreational, services and entertainment residential supply chain.

As it turns out, Google has run afoul of anti-trust and anti-competitive behavior in the past. This may be a new and innovative way to get around these constraints. Perhaps the ‘smart city’ proposed is actually about the ‘smart way’ to make money from every transaction that happens inside the ‘smart city.’ You get to do that if you are the owner.

There is another issue. Although Canadians are not known for great patriotic zeal, this proposal essentially does land a sizable chunk of what may be very valuable property into the hands of a giant American corporation. So, it is also very curious how Canadian privacy laws would view the mass harvesting of data (by an American company) as Canadians (and other nationalities) moved through a public space covered by sensors and Internet connected ‘things’.

This is precisely the point that invoked a lawsuit by the Canadian Civil Liberties Association which seeks ‘a court orders that will nullify the agreement between Sidewalk Labs and Waterfront Toronto.’

The People vs. The Project

Thornton-Trump is also concerned about the people who are currently in the area of the Sidewalk Labs project:

“It's not accurate to suggest this land is completely derelict and uninhabitable. The Quayside neighborhood does in fact have a current population, and from what I can discern little thought has been given to their fate should the development proceed.”

Stuart Peck is in charge of cybersecurity strategy for ZeroDayLab. He said:

“Sidewalk Labs are proposing some options that could increase the risk to privacy or the security of residents of the Toronto Quayside. One that immediately stood out is the development of a mobile app that integrates all the travel options available to residents. This proposed app will integrate all public travel and ride sharing options.

With Alphabet being a parent company of Sidewalk Labs, I'm very suspicious that this data will not be used to profile residents, or be linked to Google in some way, even with Google apps the data is used for anonymous data profiling today using an Advertising ID, but with enough data this can actually be abused and real people can be identified.”

Another official statement from Sidewalk Labs concerns Peck as well:

“Sidewalk Labs proposes to launch a set of digital services that would catalyze this ecosystem of urban innovation. Furthermore, the (properly protected) urban data generated by these launch services would be made publicly accessible (on a non-discriminatory basis), enabling companies, community members, and other third parties to use it as a foundation to build new tools.”

Peck explained to me what worries him most:

“With the amount of data Sidewalk labs AKA Google is collecting is profiling of residents (and visitors), on an unprecedented scale, reading through the entire plan Sidewalk Labs is creating a centralized meta data framework for the entire Quayside, everything from Traffic Management, Building Management, Heating and Power Management, Retail, even the horticulture, and centralized credentials for accessing these services, under the guise of ‘ease of use’ but could have horrifying consequences if poorly implemented.

In terms of privacy Sidewalk Labs make some comments on ensuring that data is made anonymous where possible, however given Alphabet's business model, and reading through the plan to make the data open and accessible to a number of "third parties", there is no doubt this will be used to profile and provide ‘relevant services.’”

This seems to be the tradeoff of living in a smart city, as by trading privacy for convenience, you become the product in the real estate owned by a company whose business model is to use resident’s data for profit. 

In terms of the residential buildings themselves, there is little details on the smart technologies that may be used, but my biggest concern will be the use of Smart Locks, which have known to be insecure. As with recent cases in the U.S. of landlords forcing their residents to adopt these, we can probably assume these will be used as well.

Concerns About ‘Smart City’ Project

Toronto City Councillor Gord Perks has voiced more concerns about Sidewalk Labs than any other politician. I spoke to him on the phone about the matter. He’s worried that Toronto Mayor John Tory has raised no concerns about the “smart city” project.

I mentioned a very hypothetical conflict of interest that I suspected Tory might have. Rogers Communications is one of Canada’s largest corporations in the telecommunications sector. His father, the late John A. Tory, was a Director of the company, starting in the 1960s. His son, John Tory the Mayor of Toronto, no longer has any official ties to the Rogers corporation. Tory the Mayor can say he has no connection to Rogers, at least on paper.

But what if the Rogers corporation are set to help provide Sidewalk Labs with telecommunications service and infrastructure? Is there perhaps a covert conflict of interest?

Councillor Perks doesn’t suspect so. But Tory’s unwillingness to properly scrutinize the Sidewalk Labs project definitely bothers him. A non-disclosure agreement prevented City Council from acquiring more specific information about the project. Perks is worried about the lack of details that have been shared with the City of Toronto, especially considering the project’s wide-reaching implications.

I asked him which Toronto street blocks encompass the area of the Sidewalk Labs development. He doesn’t know, because Sidewalk Labs hasn’t been specific. He is pretty sure that the area is within the ward of Toronto City Councillor Paula Fletcher, and the address is on Lakeshore Boulevard East.

Julie Di Lorenzo resigned from Waterfront Toronto due to her concerns with Sidewalk Toronto. Regarding the size and scope of the project, she said:

“They are trying again to act like a master developer of hundreds of acres of lands that belong to The City of Toronto and its residents. It’s outrageous. Those monies belong to our democratically elected governments and property owners. Every time Sidewalk shows us a map, the land area they ‘need’ gets bigger.”

Perks believes the project should be put on pause until governments can be given all of the pertinent details about it:

“The three governments who are involved should halt the process with Google and go to the public and say we have an area of land as big as the downtown, what would you like to do? Based on that we should figure out what pieces need to be developed publicly and which pieces involve the private sector.

Rather than wasting time chasing after a pot of gold at the end of that rainbow, we should get on and do what we know does work: build (public transit) with public dollars.”

And even if Sidewalk Labs does intend to use the data they collect in a responsible manner that honors user privacy, that’s a lot more information that could be breached in cyber attacks. Cyber attackers could also intercept and interfere with the operation of any of the computer driven functions of the “smart city,” including traffic lights, garbage collection, and the services inside of people’s homes and businesses.

In the process of making entire city blocks IoT-driven, corporations must be transparent with governments and citizens about every single detail that may affect them. We also should know how cybersecurity is implemented and monitored.

So far it appears that Sidewalk Labs isn’t being as candid and cooperate as they ought to be.

Kim Crawley

About Kim Crawley

Kimberly Crawley spent years working in consumer tech support. Malware-related tickets intrigued her, and her knowledge grew from fixing malware problems on thousands of client PCs. By 2011, she was writing study material for the InfoSec Institute’s CISSP and CEH certification exam preparation programs. She’s since contributed articles on information security topics to CIO, CSO, Computerworld, SC Magazine, and 2600 Magazine. Her first solo-developed PC game, Hackers Versus Banksters, and was featured at the Toronto Comic Arts Festival in May 2016. She now writes for Tripwire, Alienvault, Cylance, and CCSI’s corporate blogs.

The opinions expressed in guest author articles are solely those of the contributor, and do not necessarily reflect those of Cylance or BlackBerry Ltd.