Sheila Dean

Really ‘Smart’ Cities Regard Federal Rules for Privacy

Cities are only as Smart as their legal and security planning. 

Federal grant recipients can actively avoid liability risk if they move quickly to comply with public privacy regulations.

 

Over 70 cities nationwide have signed up as grant recipients for Obama’s Smart Cities initiative. Most are expected to build diverse systems to apply wireless, IoT infrastructure or Artificial Intelligence to municipal projects.  What seems to be lacking in Obama’s 80 million endorsement of Artificial Intelligence is guidance on IoT privacy compliance.

One belittled fact across American cities is that local governments, as federal grant recipients, must comply with a set of rules for public privacy regulations. NIST and other federal standards agencies, like the FTC, engage in public accountability for the commercial or private sector. The Office of the Inspector General oversees and regulates discipline applied to public offices if they do not comply with federal rules for laws, like the Privacy Act. The Funded are expected to comply with certain privacy laws, which do apply to public grant recipients acting on a government’s behalf. Laws, like the Privacy Act, apply to every level of government: local, State and Federal.

PRESUME NOTHING

Examine this statement for liability.

“City governments are not required to produce Privacy Impact Assessments.”

Let’s say a private company produces a technical application, like a Chameleon IV software system to network images from ubiquitous Cohu intersection cameras. They sell this to a major metropolitan area. The City pays for the camera system and installs it with a federal grant from DHS. DHS is required to produce Privacy Impact Assessments of systems that move personally identifiable information. They are also required to release public accountability reports on mass surveillance systems they issue as funded mandates to communities. They do this to comply with federal laws and privacy regulations, which apply to their offices.

What about the City? Cities face voluntary compulsory pressures to adopt federal surveillance infrastructure. Some towns are so small that City council members take a very low public salary or part-time stipend, as volunteer elected officials. They aren’t lawyers. Cities have meetings about whether they can afford a legal battle with a well-funded agency over consent.

For most, the federal pressure to integrate mass surveillance technology seems to go away if they buy the camera system or other mass surveillance equipment required as ‘regulatory convention’.  Does DHS educate vendors or local cities about privacy conventions they are held to?  Most experienced American mass surveillance researchers would say ‘no’.

Cities across America have differing levels of information security or IT staff to serve their needs.  Some cities are very well funded and can accept more responsibility for public innovation in their systems in a secured manner.  Most other cities struggle with expense resources for their IT departments.  Many IT managers are not permitted to perform needed security updates or bring in important upgrades to city infrastructure due to diverse municipal limitations.  Some IT positions are staffed with non-paid volunteers.

We know cities all over America have absorbed mass surveillance equipment regardless of the costs, liability to constituents or local technical ability to maintain the infrastructure.

Whatever security and privacy infrastructure, equipment, or knowledge standards a City has in place when it eagerly accepts a Smart City grant will be the same ones applied to the public's private information gathered from IoT devices. If a City does not have adequate privacy and information security guidance or systems in place to accommodate new personally identifiable information coming in, it becomes a soft target for hackers, foreign governments or breach from a disgruntled or incompetent employee.

Presume nothing. 

Ask your local officials if they have a breach notification protocol in place for members of the unsuspecting public whose information may be rolled into a federally funded IoT project. Their answer will be very revealing. If a City isn’t already protecting personal information coming in from mass surveillance outposts sponsored by the federal government, they are liable for this today.

Cities can be sued by members of the public for unfair practice by not securing systems housing personal information. If a City can’t account for its data lifecycle practices, that is a sign the City doesn’t have a functional practice or isn’t compliant with federal rules for privacy. In either case, they aren’t ready for the demands of IoT prime time.

Principles of notice and consent apply to IoT information gathering. If a citizen’s information is moved without their consent, the government actor may face a criminal penalty of a 5 year jail sentence. This extends to principals of projects who have received federal grant funding. So IoT developers who have managed to be rather cavalier about the trafficking of personal information over wireless networks may now face jail time if they move a public citizen’s personal information without consent.

It appears an IoT grant recipient can go to jail for failing public information consent mandates and a City can be sued for negligent information security practices. The choice to flout public rules for privacy or neglect privacy and information security in key build stages of a publicly used network initiative is a foolish one. One too foolish for a Smart City.

THE SMARTEST CITY OF ALL

The Smartest Cities will prevent foreseeable fraud and legal duress for their town.  They will hire a Privacy Project Manager qualified to help audit City infrastructure for all federally funded projects gathering personally identifiable information. They will hire knowledgeable certified information security engineers to help add encryption and relevant technical protections for municipal access points. They will get an Insider Threat consultant to scope employee access limits and provide internal training to avoid project derived liability.  The City will produce a breach notification protocol and purchase some liability insurance for its public information holdings. Finally, the Smartest City, proud to support its innovation efforts, will gladly tell the public all they have done to secure their personal information by releasing a general notice of their information practices. 

Then informed citizens will gladly applaud the innovative effort, hasten to be removed from City information collection by legal means of non-consent, or do a combination of both.

However, the most brilliant City of all will humbly admit its limitations.  Many cities don’t have means to develop all these protective or compliance measures in the course of the time they are needed. Rather than face them alone, they will include the public on how to approach the matter. Together perhaps they will make a decision that does not enforce a harmful information environment for the City and its public.