Data privacy and security issues for advanced metering systems


By Mark F. Foley

“Privacy” has different meanings in various contexts. The US Supreme Court has issued dozens of decisions recognising a “right to be let alone.” US Common Law prohibits four privacy violations: 1) Intrusion upon seclusion or solitude, or into private affairs; 2) Public disclosure of embarrassing private facts; 3) Publicity placing a person in a false light in the public eye; and 4) Appropriation of name or likeness.1 Recent “privacy” laws, such as the European Union Privacy Directive 95/46/EC, have established a data subject’s right to control the collection, dissemination, and use of personally identifiable information.2 

In the AMI context, the “right to privacy” means an individual’s ability to set a boundary between permissible and impermissible uses of information about him- or herself. What is impermissible is a matter of culture as expressed in law, markets, consensus values, and what individuals freely accept without objection.

AMI puts privacy interests at risk because its core purpose is to collect information related to a particular household or business. Meters already available can collect a unique meter identifier, timestamp, usage data, and time synchronisation every 15 to 60 minutes. Soon, meters will also collect outage, voltage, phase, and frequency data, and detailed status and diagnostic information from networked sensors and smart appliances. These data show directly whether people are present, when, and what they are doing. Analysis of this data, as demonstrated by George Hart in an article “Residential energy monitoring and computerised surveillance via utility power flows,” can reveal a surprising amount of additional detail.3 Standard seven-year utility data retention practices enhance the risks by making large amounts of data available.

How much privacy risk AMI creates depends on its design. As discussed by Michael LeMay and colleagues at the University of Illinois in the article “An integrated architecture for demand response communications and control,” AMI can employ various technologies, alone or in combination, such as sensors, wireless transfers, Internet connections, mesh networks, and local and remote appliance and HVAC command and control systems.4

What constitutes permissible uses of personally identifiable information varies from culture to culture and time to time; but what goes on inside a residence is generally an area of special privacy concern.5 Even illicit activity within a home has special legal protection. In the US, for example, law enforcement may not use sense enhancing technology to reveal activity within a home if the technology is capable of revealing both illegal and legal activity and residents would not expect such technology to be used against them.6 Because AMI data reveal more about what goes on inside a residence than would otherwise be known to outsiders, the collection and use of such data reduce the scope of private information. Although “privacy” is generally considered to be a personal right, businesses do typically have analogous common law, statutory, and/or constitutional rights.7

Attested metering

Unified architecture for large scale attested metering. (From M. LeMay et al)

Potential interests in AMI data and controls
Battering the walls protecting privacy interests are those who seek financial, political or psychological value in AMI systems and data. Obviously, the sponsoring utility wants advanced metering data to reduce costs and increase profits by enabling remote meter reading, outage management, load forecasting, workforce management, planning, peak load billing, etc. In competitive markets, alternative service providers will want AMI data to identify and target the most profitable customers. 

Other businesses will also be interested in AMI data. System sensors, smart appliances, sophisticated signal analysis techniques on voltage and current wave forms, unusual power consumption, or duty cycle characteristics could reveal information about the presence, absence, or use of systems as small as hair dryers, waterbeds, and individual burners on a stove.  Such data make it possible to monitor changes in the operating signature of individual appliances and therefore to predict their loss of efficiency or imminent failure.8 Appliance manufacturers may therefore want AMI data to learn about how their products are actually operated. Retailers of appliances, extended warranties or repair services may want AMI data to provide advertising or discount offers days or hours before an appliance fails. Insurers may want to look for evidence of unauthorised conduct, to determine when a loss occurred, or to deduce who was present.  Surely, other valuable uses will emerge. 

Customers, utilities, vendors, and third party data brokers will want to position themselves to sell AMI data or analytics, just as credit reporting agencies have done. If utilities want to capture this revenue, and/or want to prevent others from capturing it, they will need carefully crafted contractual provisions that clearly define who owns the AMI data and what rights the consumer, utility, service provider, or other third parties have to use or transfer it. According to Rod Dow and Fritz Vorlop in the article “Making the AMR solution your solution,” the final resolution of these issues must be part of a sophisticated approach to strategies, negotiation tactics, and contract terms in both acquired and outsourced AMI systems.9 

Other private persons will covet AMI data. Neighbourhood busybodies will want to know what their neighbours are doing for the sheer pleasure of knowing, or the greater pleasure of gossiping. Vengeful ex-spouses, jealous paramours, determined stalkers and civil litigants may want to know an individual’s whereabouts and activities. Burglars could use intercepted data to determine when a location is unoccupied, what an occupant is doing and whether valuable electronics are inside.10 A thief gaining access to AMI bi-directional communications or controls could activate or deactivate intrusion alarms to divert police from, or to facilitate unlawful access to, a target. Vandals could manipulate environmental controls, fire suppression systems, etc., to damage property as an end in itself.

Law enforcement will also want on-demand access to AMI data. In the US, law enforcement presently has limited access to meter data to establish ownership of a place involved in criminal activities or to obtain search warrants for facilities suspected of drug production. Otherwise, the prohibition of unreasonable searches and seizures in the Fourth Amendment of the US Constitution limits access to this data without first obtaining a warrant from a judge.  However, because these protections generally do not apply to information revealed to third parties, a California Court of Appeals held that data collected from a specially installed surveillance electricity meter could be obtained by law enforcement without a warrant.11, 12 Because the metering equipment was outside and did not reveal information about activities within the home, the Court found no constitutional protection.

Sophisticated analysis of AMI data might reveal enough about in-home behaviour to reverse this outcome. On the other hand, as the use of such technologies becomes more common, consumer expectations may change, thereby placing law enforcement use of AMI data outside of Fourth Amendment protections. As a result, AMI data revealed to a utility, billing agency or other vendor may now be available to law enforcement without a warrant. Utilities and others handling AMI data will need to understand what they may, or must, do when law enforcement agencies demand access.

Market manipulators, extortionists, terrorists and others with political agendas could use unauthorised access to AMI command and control systems to disrupt the delivery of services to targeted facilities, create widespread blackouts, disrupt load balancing commands, or create fear and panic among the general population. Crackers may be interested in compromising command and control systems for personal satisfaction or bragging rights.

Consumer and utility interests converge
If customers believe a utility is itself abusing personally identifiable data, or is generally enabling the use of personal information beyond what they deem acceptable (whether or not legal), then they are likely to resist the implementation of AMI. Consumers may refuse to consent (where required), hide their data, or awaken political opposition. Utilities may face customer liability claims or regulatory fines if inadequate privacy or security practices enable eavesdroppers, adversaries, or bad actors to acquire and use AMI data to a customer’s detriment. Utilities must take privacy and security concerns into account when designing AMI and must persuade consumers, regulators, and politicians that privacy interests are adequately protected. 

The first step is to adopt appropriate privacy policies defining what data may be collected and their permissible uses, disclosing those practices clearly and conspicuously, and obtaining consents where required. Since AMI data differ qualitatively from what utilities collected in the past, they will likely need new and stronger privacy and security policies. Consumers are interested primarily in controlling what information is collected, who has access to it, and how it may be used. These interests are often described in fair information privacy practices or core principles, such as the Organisation for Economic Cooperation and Development’s Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.13

Once a utility establishes the permissible uses of AMI data, it is in its interest to assure that unauthorised uses do not occur. For example, if an electricity service provider is allowed to sell appliance related data to a manufacturer or retailer, the utility will want to protect its economic interest by preventing access or use by others who might become competitive data brokers. Every utility will want to avoid regulatory sanctions for violating express or implied privacy policies, as well as damages claims based on compromised customer data or facilities.

A policy that appropriately limits the use of collected data provides no consumer protection if the data can be accessed by unauthorised persons or can be used by authorised persons for unauthorised purposes. Thus the utility’s second step is to establish systems for enforcement of the policies and control of the data through adoption of suitable security practices, training, and audits.

Ultimately, as P. A. Subrahmanyam et al recognised early in a report “Network security architecture for demand response/sensor networks,” the AMI architecture will determine the points of security vulnerability.14 Wireless sensor networks, for example, are subject to the general security problems of computer networks, ordinary wireless networks, and ad hoc networks. The limited resources of common sensor nodes – slow CPUs and small memories – hinder the use of cryptography defences. Packet jamming and insertion may occur over any network or link layer in the communication infrastructure. Adversaries may use simulated nodes, out-of-band channels, and modified or self-generated data to facilitate sinkhole attacks, acknowledgement spoofing, rushing attacks, “Hello” floods, or blended attacks. These may result in denial of service to customers or utilities (e.g. access to billing information or energy usage), payment avoidance, system overload, reduced quality of service, and violation of power control protocols.

Attacks may come from inside the network via disgruntled, negligent or untrained employees or an outsider’s access to a compromised node or IP server. Indeed, AMI security weaknesses could enable penetration of presently secure systems. Thus robust security, as demonstrated by LeMay et al in the article “Unified architecture for large-scale attested metering,” is imperative.15

At least some utilities will likely adopt broadband over power line (BPL) to communicate AMI data. This introduces unique security issues. A BPL node could communicate with any device plugged into an electrical socket. Capture of a substation node would provide control over messages going to smart appliances or computing systems in homes and offices. A utility may also offer customers BPL as a separate revenue stream. This creates risks that AMI data could be read or modified over the Internet or that common Internet attacks could be brought against the electrical grid or individual customers. 

Even if a utility uses only its own hardware for collection or transfer, it may outsource data collection, billing, customer support, or web services. Each time the data are entrusted or transmitted to a third party, additional privacy and security risks arise.

The upshot is that customer’s interest in having effective security to protect privacy interests converges with the utility’s need to protect its economic interests in the data and to secure its systems against malicious attacks. By recognising that utility and consumer have convergent interests, the tension between AMI implementation and privacy interests fades.

Legal considerations
Privacy and security laws vary widely from place to place. In the European Union, for example, Privacy Directive 95/46/EC establishes a presumption that personally identifiable information belongs to the data subject. Such information may be processed only for specified, legitimate, and limited purposes where there is either valid consent from the data subject or a legitimate need of the data processor that outweighs the data subject’s general privacy interests. This general privacy right will extend to personally identifiable AMI data. In the United States, privacy and security rules arise out of a large number of federal and state laws regarding the processing of particular types of data or economic sectors, disposition of business records, utility tariffs, etc., but there is no general right of privacy in the European sense.

Which laws and regulations apply depends upon the system architecture. For example, if a utility collects and transmits AMI data via BPL and also offers consumers Internet access, the utility may be subject to rules governing telecommunications service providers.16 If a utility sends AMI data to a billing firm in a different state, then federal laws applicable to interstate commerce or the receiving state’s privacy laws may apply. If a utility sends personally identifiable information concerning EU residents to an outsourcer on another continent, the EU Privacy Directive limits on transborder data flows will apply. If personally identifiable data may have been compromised, breach notification laws may require the utility to send notices to data subjects in certain jurisdictions. Failure to adopt, disclose or adhere to suitable privacy and security practices may result in US Federal Trade Commission enforcement action against “unfair and deceptive trade practices.”17

Utilities will need to consult legal counsel to determine how a contemplated AMI design may implicate various laws and whether the ramifications are acceptable. It is important to do this at the design stage, because it is always more expensive to revise systems after initial deployment.

Best practices
Utilities can substantially reduce the data privacy and security risks inherent in AMI by adopting privacy and security best practices recognised in other contexts. These include:

  • Consulting with legal counsel to resolve privacy and security issues at the system design stage 
  • Collecting only the data needed for specified purposes
  • Retaining data only for a reasonable period of time related to the purpose for which they were collected 
  • Adopting privacy and security policies for internal and external access to and use of personally identifiable information that satisfy both legal requirements and fair information privacy principles
  • Defining the data collection and use rights of customers, vendors, etc. in clear contractual language with strong privacy and security commitments and accountability for breach
  • Avoiding resistance by permitting consumers to turn off or limit detailed data collection, especially during early research phases. Make “Off” the default mode for data transmissions
  • Designing security into every collection, access, and transfer point. Create separate pathways for personally identifiable information and use single hop networks to reduce transmission and storage vulnerabilities
  • Training all utility and third party employees who have access to AMI data or controls
  • Employing internal and external audits
  • Establishing incident response and breach notification procedures
  • Establishing Board of Directors and senior management oversight of data privacy and security practices.18

Utilities will need to address these and other data privacy and security issues if they are to realise the economic potential of AMI implementation.

This article is informational only, not legal advice, and does not constitute the opinion of Foley & Lardner LLP or any of its clients.


  1. William L. Prosser, Handbook of the Law of Torts, 2nd ed. (West 1955).
  2. Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 On The Protection Of Individuals With Regard To The Processing Of Personal Data And On The Free Movement Of Such Data,
  3. Hart, G. W., Residential energy monitoring and computerized surveillance Via Utility Power Flows, IEEE Technology and Society Magazine, Vol. 8, No. 2, (June 1989).
  4. M. LeMay, R. Nelli, G. Gross, and C. A. Gunter, An integrated architecture for demand response communications and control, Hawaiian Int’l. Conf. on Sys. Sciences, (Jan. 2008),
  5. “The common law has always recognised a man’s home as his castle, impregnable …” Samuel D. Warren and Louis D. Brandeis, The right to privacy, 4 Harv. L. Rev. 193, 220 (1890).
  6. Kyllo v. United States, 533 US 27 (2001).
  7. See e.g. Restatement (Third) Unfair Competition § 43 (1995) (right to enjoin improper acquisition or use of trade secrets).
  8. Hart, supra at 12-16.
  9. Rodney H. Dow and Fritz R. Vorlop, Making the AMR solution your solution, EEI Electric Perspectives (Sept/Oct 2006).
  10. Hart, supra at 14.
  11. “[A] person has no legitimate expectation of privacy in information he voluntarily turns over to third parties … in the ordinary course of business.” U.S. v Starkweather, No. 91-30354, 1992 U.S. App. LEXIS 20207, at *3 (9th Cir. Aug. 18, 1992).
  12. People v. Stanley, 72 Cal. App. 4th 1547, 1552 (1999).
  13. OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data,,2340,en_2649_34255_1815186_1_1_1_1,00.html
  14. P. A. Subrahmanyam, D. Wagner, D. Mulligan, E. Jones and J. Lerner, Network security architecture for demand response/sensor networks, Final Report to California Energy Commission, Public Interest Energy Research Group (Oct 10, 2005).
  15. M. LeMay, G. Gross, C. A. Gunter, and S. Garg, Unified architecture for large-scale attested metering, Hawaiian Int’l Conf. on System Sciences, (Jan 2007),
  16. See e.g. Directive 2006/24/EC of the European Parliament on the Retention of Data Generated or Processed in Connection with the Provisions of Publicly Available Electronic Communications Service or Public Communications Networks (March 15, 2006),
    , and the Electronic Communications Privacy Act, 18 U.S.C. § 2510.
  17. For a detailed analysis of Federal Trade Commission privacy and security rules and enforcement actions, see Mark F. Foley, The FTC’s website privacy and security rules for every business, Wisconsin Lawyer, Vol. 81 (forthcoming March or April 2008).
  18. Mark F. Foley, Board oversight of information technology, data privacy and security: the new imperative, Wisconsin Lawyer, Vol. 80, No. 8, Aug. 2007,

Mark F. Foley, Twelve questions for board oversight of data privacy and security, Wisconsin Bar Association Business Law Section Newsletter (June 2007), republished by Internet Business Law Services,