From Amsterdam to Dubai, smart cities promise a bright and sustainable future. Think GPS systems that turn street lights green for oncoming ambulances and irrigation systems that monitor soil quality and weather to conserve water.

However, the technology behind them can have serious implications for our privacy and civil rights. In 2016, San Diego rolled out street lights equipped with surveillance cameras to monitor traffic, but police have since used their footage during investigations. In the spring of 2020, they were even turned on Black Lives Matter protests. The city council is now considering new regulations to govern their use. 

In 2017, Dr. Ann Cavoukian agreed to work as an advisor on a now-abandoned project, in which Google’s sister company Sidewalk Labs planned to equip Toronto’s waterfront with robots to move waste to disposal facilities, heated pavements to melt snow and myriad ways to collect data in preparation for the use of autonomous vehicles. She resigned in 2018 over concerns that other companies associated with the project could not guarantee privacy.

Cavoukian, who also served as Canada’s information and privacy commissioner from 1997 to 2014, went on to create “privacy by design,” a framework for embedding safeguards in smart city technology at the point of development. She sat down with Coda Story to talk about how we can create modern urban environments with privacy baked into them. 

This conversation has been edited for length and clarity.

Coda Story: What is privacy by design? 

Dr. Ann Cavoukian: We can develop smart cities that will do amazing things and preserve our privacy. It shouldn’t be the zero-sum model of either or, which so many people lead with. They say, “Well, you want a smart city, you’ve got to give up privacy.” The hell you do. Privacy is the foundation of our freedom. You don’t give that up for a smart city or smart tech. You do both. 

I was the Privacy Commissioner of Ontario, in Canada, for many years. What I know from that time is that privacy laws do not apply if there’s no personally identifiable data. We make it a win-win. That’s what the concept of privacy by design, which I created, is all about. Make it a win-win. Data utility and total privacy. We can do both.

What does privacy by design look like in the context of a smart city?

A while back, I was retained by Sidewalk Labs, when they were going to build SmartCity Toronto. That fell apart, and I can explain why. I looked at all the technologies that would be on 24/7. I said, “OK, there’s going to be data collected all the time. We’re going to have to de-identify it at source.” By that, I meant all data, no matter what it is, the minute it’s picked up, scrub it of any possible personal identifiers. You still have very valuable data that can be used for a variety of purposes in the smart city context that will not have privacy risks, because all associated identifiers will have been removed.

You headed up that project, but you resigned. What went wrong?

When I started working with Sidewalk Labs, they were all committed to embedding privacy and de-identifying data at source. But, then, they got some criticism. They had a board meeting with all the companies involved, and they said, “Look, we will ask the companies involved in the IT to de-identify data, but we can’t make them do it.” The minute they said that, I had to leave, because you’re not going to leave it up to companies to decide that on their own. 

So much smart city technology is built by private companies. How do we ensure that they are building privacy into their own tools? 

We can basically mandate that data must be de-identified at source. If there is a governing body or legislative body that can lay down the law and insist on that, then you will have a much better outcome. 

I can understand when de-identifying data will be effective. If you want to use a smart streetlight to know how many cars are driving through an intersection, you don’t need license plates. But, in circumstances where you need to identify someone, in order for the technology to serve its intended purpose, what do you do?

What you need to do is obtain the positive consent of the individuals involved, proactively. Privacy is all about personal control, relating to the use and disclosure of your personal information. If you have an individual’s positive consent upfront, they know how you intend to use it and they consent to that, great. 

Is privacy by design a technological fix, a legislative fix or both?

I think it’s primarily a technological fix. What you want to do is ensure that your measures to protect data are embedded in the tech that you’re using as its default setting. You can’t forget about it, because it’s always there. That’s what’s critical. This doesn’t rely on someone remembering to make the right policy or whatever. It has to be automatic. 

What prevents cities from rolling out technology with privacy by design?

It’s early days. They’re just beginning to address these issues. I think they will come to embrace privacy by design within a smart city, but we have to overcome the zero-sum mindset. Of course you have to focus on the tech, but not at the expense of privacy. You do both. That’s the biggest hurdle that we have to overcome. We can do it, but it takes time. 

Where is this working? Where are you seeing smart cities rolled out without privacy by design?

All of the smart cities coming out in the east — Shanghai, Dubai — forget about privacy. That’s not what we want to do. Look for models that do this properly. For example, the city of Mississauga, here in Ontario. They are just crafting a smart city and they are embedding privacy by design before anything begins. They’re wedded to de-identifying data at source, and I’m working with them to make this happen, so it is beginning.