Array of Things Governance & Privacy Policy
Shared for feedback by The Smart Chicago Collaborative
The Smart Chicago Collaborative has committed to educate and engage residents with the new Array of Things project, which is operated by the Urban Center for Computation and Data (UrbanCCD), an initiative of the University of Chicago and Argonne National Laboratory. Array of Things is an urban sensing project — one of the first of this kind and scale. Sensors will be placed across the city to measure livability factors like climate, pedestrian traffic, air quality, and flooding. The sensors will collect data about our city. That data will then be released for residents and researchers to interpret and use.
One of the goals of this engagement work is to gather resident input on the governance & privacy policy for Array of Things. This policy was developed in cooperation between the operators of the Array of Things and the City of Chicago, with input provided by an independent policy board including the American Civil Liberties Union, the Electronic Frontier Foundation, and the Center for Applied Cybersecurity Research.
The public comment period is now closed. We will now start to centralize and analyze the public feedback. Between June 13th - June 27th, there were 3 ways to provide feedback on the Array of Things governance & privacy policy:
- Residents could annotate and comment on specific language and sections of the policy using Madison. The complete text of the policy is below. See this video to get more information on how to sign up and use Madison. If you're having trouble with Madison or have a question about the tool, email sayhello@opengovfoundation.org
- Residents could provide general feedback on the governance & privacy policy using this form
- Residents could attend public meetings to learn more about the Array of Things project and give feedback on the governance & privacy policy in person. The first meeting will be at 5:30pm on June 14, 2016 at Lozano Library. The second meeting will be at 5:30pm on June 22, 2016 at Harold Washington Library.
7/5/16 Update: The Smart Chicago Collaborative made 44 manual additions to this page to represent resident comments/questions posed during public meetings on 6/14 & 6/22 and through Wufoo form submissions during the public comment period (June 13th - June 27th). Each manually added comment or question includes a link to the source of the comment or question. When possible, these comments and questions were inserted into a related section of the Array of Things Governance & Privacy Policy document text. General, miscellaneous, or multi-topic questions and comments were placed in the "Discussion" section. These manual additions were included so that all public input could be centralized and visually represented on Madison.
8/15/16 Update: The operators of the Array of Things have posted the final versions of the governance and privacy policies. The operators also addressed comments and questions collected about the draft policies below. You can read the operators' responses to those questions and comments here. Smart Chicago also released an Engagement Report summarizing our civic engagement process/methods as well as general lessons learned about civic engagement with the Internet of Things & other emerging smart city projects.
Array of Things Governance & Privacy Policy
Array of Things Governance Policy and Process
1 Purpose and Scope
This document provides a framework within which the University of Chicago and Argonne National Labs (program operators) and the City of Chicago will implement and manage the Array of Things (AoT) in Chicago by 1) defining the initial scope of the program, 2) establishing the roles and responsibilities of program partners; and, 3) describing the process by which decisions about the program will be made.
This document is complemented by the AoT Privacy Policy, which sets forth requirements regarding Personally Identifiable Information (PII).
1.1 Guiding Principle
We value privacy, transparency, and openness.
1.2 Program Overview
The AoT program operators aim to build an urban-scale research instrument comprising a network of at least 500 Internet-connected "nodes," each supporting multiple environmental and air quality sensors. As a first of its kind public sensor utility, AoT will produce an open and freely available source of urban sensor measurements to support research, development, education, prototyping, and demonstration. The program operators have designed AoT to enable the instrument to evolve at a pace commensurate with consumer electronics, maintaining state-of-the-art capabilities over many years.
The initial prototype, funded by Argonne National Laboratory, involved 12 nodes equipped with a collection of environmental sensors (e.g., temperature, light, sound, humidity, air quality). Each node was mounted on private facilities at the University of Chicago, Argonne National Laboratory, and DePaul University for testing purposes, with installation occurring between July 2014 and June 2015.
Beginning in summer 2016 a second set of prototypes will be mounted in Chicago on street signal light poles and external building walls. The network will be expanded to roughly 500 nodes from 2016 to 2018. The program operators will develop functionality to enable research, application development, education, prototyping, or demonstration projects. The location of each of the 500 nodes will be determined via the process identified later in this document (§4.3). The program will be evaluated nine months after the second set of prototype nodes are mounted in the City and every 12 months from that time on. The evaluation criteria and the results of each review will be made available to the public.
Sensor readings will be processed and sent to a database managed by the program operators. A period of evaluation and calibration will be required for each sensor; this period will vary based on the sensor or data that is collected. As one function of AoT is to evaluate new sensor technologies, the evaluation process will also involve a determination as to whether a particular sensor is producing accurate data reliably. Once evaluation determines that the sensor is producing accurate and reliable data, and once calibration is complete, the sensor will enter operations and its data will be made publicly available via the City's Data Portal to support application development and data analysis. All operational sensor data will be publicly available as open data, owned by the University of Chicago. The program operators have designed the AoT system to protect privacy. This document describes the processes, procedures, and technologies that will be used to collect and publish sensor data that is both correct and, where necessary, anonymized before publication. Any images and other data collected by AoT nodes for calibration will be protected by information security controls, and available only to authorized individuals and only for research purposes.
2 Technical Objectives
The AoT will operate as an "instrument," involving an infrastructure and related services for research, development, education, prototyping, and demonstration of both open and proprietary technologies and services aimed at improving the sustainability, resilience, efficient operation, and livability of cities. In short, AoT will support "Smart City" and related research, development, and education. AoT is designed to support three general types of instrument use: open access to sensor data, research in areas such as sensing and information/communications technologies, and support for research in software and services.
Provide Open Data Access Regarding Urban Environment and Air Quality
Each node will report sensor values at regular intervals. To comply with security and privacy requirements (detailed in the Privacy Policy document), data will first be transmitted to a database managed by the program operators. Data meeting the AOT privacy policy standards will be published to the City's Data Portal and may also be published to other data analytics services as needed. All data published from the platform will be open and free of charge. In order to support economic development, data from approved experimental sensors, installed for specific research and development purposes, may be withheld from (or aggregated for) publication for a period of time in order to protect intellectual property, ensure privacy or data accuracy, and enable the proper calibration of the sensor.
2.1 Support for Evolving Technologies Over Time
The AoT involves engineering and placing a network of physically secure enclosures with power, Internet access, and standard specifications that will allow for efficient installation/replacement of those devices by City technicians. These devices must operate for a period of months without physical intervention, and must be provided with adequate environmental protection, particularly with respect to temperature and moisture. The program operators and the City of Chicago will cooperate to enable nodes to be repaired and replaced in case of damage or loss.
2.2 Support for Software and Services Projects
Though the pace at which information and communication technologies evolve is rapid, there is a much larger potential research and education community focused on new software and services, harnessing existing hardware technologies. To support such projects will require that the AoT allow controlled access to shared programmable devices within the nodes. Once this functionality is available, changes may be required to AOT policies and processes to prevent misuse and ensure reliable and usable functions for provisioning and scheduling resources, validating and loading custom software, and restoring the devices to a known state between experiments.
3 Governance Bodies
3.1 Program Operators
The University of Chicago and Argonne National Laboratory serve as program operators and in partnership with the City will manage and operate the AoT program. The program operators are responsible for the design, development, repair, replacement, and support of the nodes and the technical infrastructure needed to enable data collection, processing, and storage.
The program operators will leverage strategic partnerships with industry, academia, and not-for-profits, as well as the increasing availability of open source tools and frameworks that can be adapted to or applied directly to the instrument, to support program goals.
The City will support the operators by providing program oversight; policy guidance; installation and maintenance support; and technical assistance to make AoT data publicly accessible.
3.2 Executive Oversight Council
An executive oversight council (EOC) will oversee the AoT program, and is responsible for setting policy and establishing processes and procedures related to system operation, configuration, and capabilities, access to data and other resources, and communication and interactions with the City and community.
The council will be co-chaired by the Commissioner of the City's Department of Innovation and Technology, City of Chicago and the Director of the Urban Center for Computation and Data at University of Chicago and Argonne National Laboratory, with additional members selected from academia, industry, not-for-profits, and the community. These members will be invited based on recommendations from AoT partners and others who work with community groups.
The EOC will meet at least quarterly or as needed.
3.3 AoT Security and Privacy Group
The AoT Security and Privacy Group (SPG) will advise the EOC with regards to the cyber security and privacy of the AoT technology, procedures, and policies to enable the AoT instrument to provide the security and privacy goals described in this and other AoT policies. This group will review and advise the EOC on proposed changes to the AoT technology, procedures, and policies impacting the instrument's security and privacy, as well as making recommendations based on feedback from AoT stakeholders, experiences of the AoT program operators and other Smart City deployments. The SPG will advise the EOC and help coordinate the conducting of external reviews or testing of the AOT instrument's cybersecurity and privacy.
The group will be initially chaired by Von Welch, the Director of the Center for Applied Cybersecurity Research, Indiana University, with additional members including the City's Chief Information Security Officer and others with relevant expertise, selected from industry and academia by Welch in collaboration with the EOC. The TSPG will meet at least quarterly or as needed and all recommendations of the group will be made public.
3.4 Scientific Review Group
In some cases third party teams may propose changes or additions to the instrument hardware and/or software. A scientific review group (SRG) will evaluate these proposals from AoT participants as well as other parties (individuals, community groups, companies, universities, etc.). The SRG will consult with the SPG when proposed changes may impact the security or privacy attributes of the AoT instrument. The SRG will provide a regular report on these proposals to the Executive Oversight Council.
The SRG will be co-chaired by the Chief Technology Officer of the Urban Center for Computation and Data at University of Chicago and Argonne National Laboratory and a senior representative from the scientific community.
The SRG will meet quarterly or as needed.
4 Governance Policy and Processes
As a public data service, a set of policies and processes is required to ensure that the instrument operates according to the program's guiding principles and within the established scope and budget. These policies and processes must uphold the AOT Privacy Policy, protect the privacy and security of Chicago residents and visitors, ensure accountability and transparency, and consider education and proactive communication.
4.1 Policy
This policy document, and associated data management and privacy policy documents, will be maintained and updated under the direction of the EOC, with at least an annual review.
4.2 Transparency
The AoT program operators will maintain a public website with current information on the project (http://arrayofthings.us/), including educational materials regarding the hardware and software technologies and capabilities associated with AoT, a directory with detailed information on all components, experiments, and projects supported by AoT, all policies and procedures for AoT operation, governance body meeting minutes, and reports.
The program operators will produce an annual report, which will be published to its website and will summarize any legal request and requests for changes or changes made to policies, processes, node locations, or capabilities made throughout the year.
4.3 Node Locations
The locations selected for AoT nodes will maximize the positive impact that city residents, policy practitioners, and scientists can obtain from the project.
Node locations may be proposed by any individual or group, and locations will be selected with the goal of enabling at least two of the following benefits within a geographic area:
(a) Nodes can provide data relevant to a local concern or issue of importance to the residents and businesses
(b) A relevant scientific research question may be better investigated with data from the instrument
(c) A planned or potential policy or investment that could be optimized, measured, or informed based on use of data from the instrument, and/or from scientific analysis of that data
In addition, neighborhood density, the location of partner institutions within a geographic area, and the availability of traffic lights or alternative structures (e.g. a building wall) required to mount the nodes will be considered.
Suggestions that meet selection criteria should be submitted first to the program operators at AoT@uchicago.edu, and will then be reviewed and pre-approved by the EOC if the program operators agree that the criteria have been met.
Prior to deploying AoT nodes in a given geographical area, the program operators and/or the Commissioner or designees of the City's Department of Innovation and Technology will:
1. Meet with aldermen and community leaders to discuss the objectives of the project and the policies and processes in place regarding issues such as privacy, coordinated by the University of Chicago.
2. Work with the Smart Chicago Collaborative or other partners to hold community meetings with residents, where the goals and details of the project will be discussed, including an emphasis on policies and procedures regarding safety, security, and privacy of the network, and on the benefits to the neighborhood associated with the network. Local media will be invited to cover these workshops.
3. Post the privacy policy online prior to community meetings for residents to provide comments and questions.
4. Present the locations to the EOC for final approval.
4.4 Node Security
The AoT hardware and software design and operation procedures follow security practices developed by and for national laboratories.
The SPG will review and advise the EOC on proposed changes to AOT design, procedures and policies and their impact on the cyber security and privacy of the AoT instrument.
4.5 Node Capabilities
Node capabilities (i.e., the list of sensors and the associated data collected) will be maintained on the AoT website. Changes to the node capabilities (i.e., changes to existing sensors and introduction of new sensors) that require a change in the privacy policy must be first reviewed by the TSPG. The TSPG will advise the EOC regarding approval of such changes.
4.6 Education
Workshops will be designed and led by AoT partners and the University of Chicago. These will build on prior work including pilot workshops for high school students, held in 2014 and 2015, as well as an 8-week curriculum developed with Lane Technical High School and taught to 150 high school students in 2016. These workshops and curricula are intended to introduce concepts, ranging from environmental science to electronics design to data analytics, to neighborhood youth (and other interested parties), and provide training and education about the technologies and related science.
The AoT team continues to work with industry, local government and educational partners to explore additional opportunities to support education and training programs leveraging the instrument. Educational materials will be made available via the AOT website.
4.7 Updates
This policy will be reviewed annually at a minimum by the program operators and the EOC for needed revisions. Others may request a review of this policy or submit a question to the operators at AoT@uchicago.edu. Any proposed changes to the policy will be posted online for public review and comment prior to their incorporation.
Array of Things Privacy Policy
1 Purpose and Scope
The Array of Things is designed to collect and share data about Chicago's urban environment to support research that seeks to provide insight into city challenges. This includes, but is not limited to, information about temperature, humidity, barometric pressure, vibration, air quality, cloud cover, and pedestrian and vehicle counts and patterns. Pedestrian and vehicle movement data will come from computer software analyzing images.
The purpose of this policy is to disclose the privacy principles and practices for the Array of Things program. It is complemented by the Governance Policy and Process document, which defines how decisions about the program will be made. The privacy policy sets forth how the operators of the Array of Things program will collect and manage data, some of which may include personal information or Personally Identifiable Information (PII). The operators of the Array of Things are defined as the University of Chicago and Argonne National Laboratory.
2 Guiding Principle
We value privacy, transparency, and openness.
3 Personally Identifiable Information
Personally Identifiable Information or PII (1) is any information about an individual, including "(1) any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information." As noted in NIST 800-122, this includes the following:
- Names
- Personal identification numbers
- Email or street address information
- Personal characteristics, including photographic images (of face or other identifying characteristic), fingerprints, handwriting, or other biometric data (e.g., retina scan, voice signature, facial geometry)
- Information about an individual that is linked or linkable to one of the above (e.g., date of birth, place of birth, race, religion, weight, activities, geographical indicators, employment information, medical information, education information, financial information)
The operators recognize the potential sensitivity of location information, electronic device identifiers, or vehicle license plate information and will apply the same processes to these data types as those described for PII in the following section.
4 Information Collection, Use, and Sharing
All policies, hardware and software specifications, design, and open source code will be publicly posted and made freely available online. Public sensor data will be published to the City of Chicago's Data Portal at data.cityofchicago.org. An Array of Things annual report will be published each year, beginning in June 2017, outlining the achievements of the program, as well as any updates or unintended deviations from the privacy policy.
The Array of Things technology is designed and operated to protect privacy. PII data, such as could be found in images or sounds, will not be made public. For the purposes of instrument calibration, testing, and software enhancement, images and audio files that may contain PII will be periodically processed to improve, develop, and enhance algorithms that could detect and report on conditions such as street flooding, car/bicycle traffic, storm conditions, or poor visibility. Raw calibration data that could contain PII will be stored in a secure facility for processing during the course of the Array of Things project, including for purposes of improving the technology to protect PII. Access to this limited volume of data is restricted to operator employees, contractors and approved scientific partners who need to process the data for instrument design and calibration purposes, and who are subject to strict contractual confidentiality obligations and will be subject to discipline and/or termination if they fail to meet these obligations.
5 Updates
This policy was developed in cooperation among the operators of the Array of Things (University of Chicago and Argonne National Laboratory) and the City of Chicago, with input provided by independent security and privacy experts.
This policy will be reviewed annually at a minimum by the operators, the AoT Security and Privacy Group, and the Executive Oversight Council (also described in Governance Policy and Process document) for needed revisions. Others may submit questions or suggestions regarding this policy to the operators through the project's public website (http://arrayofthings.us). Any proposed changes to the policy will be reviewed by the Security and Privacy Group and posted online for public review and comment prior to their adoption. Notifications of these and related actions will be disseminated through the project's social media account (@arrayofthings in Twitter).
1: “PII” has been defined in accordance with the National Institute of Standards and Technology’s Special Publication 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII). Updates to the NIST guidelines will be reviewed as part of the regular review of this policy.
Debbie Liu
and open for public comment (similar to Madison and community forums)
Debbie Liu
What happens if in a couple of years - we want to look into gun violence prevention, will you program it to look at shootings/firearms? If you add this type of data or any other forms of data that is not currently captured, what is the process of adding (or removing) programming?
Timothy MCGovern
Not saying "camera imagery" is misleading. The data that will be gathered IS IMAGES. Pedestrian and vehicle movement information will be inferred from that data. And it is absolutely 100% certain that unless this policy says that imagery will only be used for pedestrian and vehicle movement, then it WILL be used for something else. Using data in creative ways is exactly what data scientists get paid to do. This absolutely must be rewritten.
John Ryding
This is a concerning piece of wording and implementation of this proposal. This makes me have to ask about the specific management rules of these images - who has access, how long will they be stored, and how do they get deleted? If these images are never deleted, then the entire PII section of this document is void from a technical perspective. With enough images taken over time, one can find an individual based on their clothing, follow them through each image, and eventually determine where they work and where they live. From there, it's pretty easy to figure out the rest of that person's identity. Blurring out images and license plates is not enough. To me, I think it would be better if a smarter solution could be implemented to where images are not even needed for these metrics (i.e. traffic patterns). I don't know what that solution would be, but I'm more afraid of the potential of future harm to be done with these images more than anything.
Timothy MCGovern
Vibration is sound. Specify: "vibration outside audible frequencies" or the like.
Timothy MCGovern
A public suggestion process would be better....
Timothy MCGovern
Presumably a method for doing this will be required in the public web site.
Timothy MCGovern
What about under subpoena or warrant?
Timothy MCGovern
Add a provision to pull the plug. "If a regular evaluation determines that the AoT is unable to meet the goals of the program, or if the program is producing a preponderance of adverse effects, it may be discontinued." (or the like) The public may well be scared at a new level of surveillance/coveillance and reassurances that misuse of the data will be stopped will go a long way towards encouraging acceptance.
Timothy MCGovern
Would like to see an open nomination process for some percentage of seats. Yes, it's Chicago, but we're aiming for a better Chicago.
Timothy MCGovern
AoT
Timothy MCGovern
consistency of style
Timothy MCGovern
"access" isn't a type of use (the second and third phrases here are). "research on quality and use of public spaces"? "commercialization of knowledge about public spaces"? This sentence could—and probably should—be the core of this document, but it dodges the question by stating a tautology.
Timothy MCGovern
How many?
Charlie Catlett
This information is subject to change so not locked in as policy here. The website will have this information as it is finalized. Along with publication of these documents we have published a map of the first wave of ~50 devices.
Timothy MCGovern
Program Operators
Timothy MCGovern
suggest capitalizing "program operators" throughout for clarity and explicitness.
Timothy MCGovern
stored and published by the University of Chicago.
Timothy MCGovern
Make U of C's involvement explicit, and legally definable.
Timothy MCGovern
Avoid language of "data ownership"—data cannot legally be owned (in the United States). This is not just cosmetic, it's important not to introduce a legally indefensible concept into a document that will (we hope) be a binding understanding of how the AoT will work. The idea that data will not only be owned by someone, but by the University of Chicago particularly, adds a level of political sensitivity that is unnecessary and possibly counterproductive.