Google’s smart city dream is turning into a privacy nightmare

Sidewalk Labs wants an independent trust to manage citizen privacy in Quayside.

Sidewalk Labs, an Alphabet division focused on smart cities, is caught in a battle over information privacy. The team has lost its lead expert and consultant, Ann Cavoukian, over a proposed data trust that would approve and manage the collection of information inside Quayside, a conceptual smart neighborhood in Toronto. Cavoukian, the former information and privacy commissioner for Ontario, disagrees with the current plan because it would give the trust power to approve data collection that isn't anonymized or "de-identified" at the source. "I had a really hard time with that," she told Engadget. "I just couldn't... I couldn't live with that."

Cavoukian's exit joins the mounting skepticism over Sidewalk Labs and the urban data that will be harvested through Quayside, the first section of a planned smart district called Sidewalk Toronto. Sidewalk Labs has always maintained that the neighborhood will follow 'privacy by design', a framework by Cavoukian that was first published in the mid-1990s. The approach ensures that privacy is considered at every part of the design process, balancing the rights of citizens with the access required to create smarter, more efficient and environmentally friendly living spaces.

Sidewalk Labs has been debating how to adopt the framework since it was selected as a Quayside planning partner last year. The team has held countless meetings with the public and technology experts, including Cavoukian, to explain its thinking and ensure everyone's concerns are considered in the Master Innovation and Development Plan due early next year. (The plan is effectively a final pitch or proposal that will need to be approved by the City of Toronto before any building work can go ahead.)

Sidewalk Toronto

Privacy, of course, has been a constant source of discussion. Some Torontonians are nervous because of Google's reputation as an advertising business and the vague information Sidewalk has given about data collection so far. Sidewalk Labs, though, can't be specific because it hasn't finalized anything -- it's still researching and considering its options.

Still, progress is being made. Sidewalk Labs published some initial proposals for data governance in Quayside last week. The bottom line: It wants someone else to handle the issue. The company suggested an independent trust that would oversee all data collection in the neighborhood. If any company, including Sidewalk Labs, wanted to set up citizen-tracking hardware or services, they would need to file an application, called a Responsible Data Impact Assessment (RDIA), with the trust first. Some applications could be "self-certified," or quickly approved, while others would require careful consideration by the group.

Which sounds great, right?

Sidewalk Labs says all of its applications would follow Cavoukian's privacy by design framework. But here's the rub -- the trust would also have the power to approve applications that don't anonymize data at source. In its proposal document, the Alphabet-owned team gives a theoretical example involving video cameras in public parks. The application, Sidewalk Labs says, couldn't be self-certified because it involves personal information. It could be approved, however, on the condition that the video footage is only used for park improvement, and that the files are destroyed on a rolling seven-day basis. The company in question would also need to erect signs near the cameras and add their locations to a public registry.

That wiggle room concerns Cavoukian. She believes all Quayside data should be de-identified at source to maintain citizen privacy. "The minute you say, 'well it's going to be their choice,' you can bet more and more data will be collected in personally identifiable form," she said. "Because that's the treasure trove. That's what everybody wants."

Cavoukian heard about the decision at a Waterfront Toronto Digital Strategy Advisory Panel meeting last week. "[Sidewalk Labs] told this group in no uncertain terms that the proposed Civic Data Trust would have broad authority, including decisions relating to the de-identification of personal data," Cavoukian wrote in her resignation letter. "[Sidewalk Labs] indicated this group would be 'encouraged' to de-identify personally identifiable data, but that the decision would be theirs to make."

Sidewalk Labs takes a different view. The organization is committed to privacy and will follow Cavoukian's framework. It doesn't, however, think it should be responsible for setting policy in Quayside. An independent trust, the team argues, would be better equipped to make these decisions -- even if they allow other companies to collect personally identifiable data.

In a statement, the company said: "At last week's meeting of the Waterfront Toronto's Digital Strategy Advisory Panel, it became clear that Sidewalk Labs would play a more limited role in near-term discussions about a data governance framework at Quayside. Sidewalk Labs has committed to implement, as a company, the principles of privacy by design. Though that question is settled, the question of whether other companies involved in the Quayside project would be required to do so is unlikely to be worked out soon, and may be out of Sidewalk Labs' hands."

The debate, then, is whether Sidewalk should force the trust -- and, by extension, every company in Quayside -- to de-identify data at source.

In her letter, Cavoukian said: "Just think of the consequences: If personally identifiable data is not de-identified at source, we will be creating another central database of personal information (controlled by whom?), that may be used without data subjects' consent, that will be exposed to the risks of hacking and unauthorized access. As we all know, existing methods of encryption are not infallible and may be broken, potentially exposing the personal data of Waterfront Toronto residents. Why take such risks?"

Cavoukian is now pressuring Waterfront Toronto, the government entity that hired Sidewalk Labs, to change the company's mind and enforce de-identification at source. "You have to lay down the law," she told the group.

Cavoukian isn't the first privacy expert to abandon the Quayside project. Saadia Muzaffar, founder of TechGirls Canada, left the Digital Strategy Advisory Panel earlier this month. In a resignation letter, she said Waterfront Toronto had shown "apathy and [an] utter lack of leadership regarding shaky public trust and social license." The advisory panel was attended "in good faith," she said, but showed "a blatant disregard for resident concerns about data."

These disagreements will add to the concerns of Torontonians. Sidewalk Labs still has time to address these issues and create a master plan that will be accepted by everyone. If the company continues to lose public trust, though, there's a good chance residents and government officials will make up their minds and reject the plan before reading the first page.

Images: Sidewalk Labs