Monthly Archives: April 2014

Smart gas meters, and privacy

A former colleague reported today that she had a Hive smart gas meter installed from British Gas. Having read and heard a bit about privacy implications of smart meters for electricity (look at some of George Danezis’ work on this), I wondered how this would be for gas. I reckon the privacy implications are much less obvious and enormous than for electricity, but there must still be interesting information being collected. Off the cuff now … (so possibly naive, but not finding anything quickly with Google …) Particularly if hot water for taps is generated on demand or on a thermostat only, the gas usage should allow patterns of showering and bathing to be detected. Certainly the absence of that, indicating nobody’s home. That information alone is worth protecting.

So what does the British Gas Hive privacy policy say? Very very little indeed. It is 99% a standard privacy policy talking about how they deal with the standard personal information – not a single reference to information they obtain through your smart gas meter. There is one reference to the gas meter: notification that they may use it as an alternative way of sending you messages!

So what is the industry regulator’s view of this? Not a lot, judge for yourself. The Ofgem smart metering installation code of practice says:

  • “”Privacy charter” means to provide a Customer with information about what data is collected from smart meters and what that the information will be used for and sets out the rights and choices that apply to the Customer in relation to smart metering information”
  • “Data privacy and security are not in scope of the Code as these are covered under existing data protection legislation”, nevertheless:
  • “Installers have a basic knowledge and understanding (appropriate to their role) of data protection and privacy”
  • “All reasonable endeavours should be used to provide the Customer with a copy of the Privacy Charter or make the Customer aware of the Privacy Charter commitments prior to the Installation Visit” but with a rather broad disclaimer footnote: “Subject to the Privacy Charter being approved and made available”

Nothing deep here, but still an interesting privacy gap. Here because this is a bit long for a tweet – feel free to give reactions to @cyberseckent.