Wr5qzyx6 1346641179

Is Origin Smart sleepwalking into a shocking personal data breach?

The Origin Smart portal provides customers with an estimate of future electricity bills. fudj

Is Origin Smart sleepwalking into a shocking personal data breach?

The Origin Smart portal provides customers with an estimate of future electricity bills. fudj

Early last week, Origin Energy, Australia’s pre-eminent energy retailer, launched an online energy-use monitoring portal Origin Smart to much fanfare. All good – but what about the the privacy and security of the data being collected and made available?

Origin Smart is a website that lets Origin’s Victorian customers to see their home electricity usage updated every half hour. The electricity usage information comes from the new smart meters that were rolled out over the past six years.

Victorian customers (and then customers nationally) will be able to view their electricity usage for up to 24 hours prior to the current half-hourly reading.

Other energy companies, including United Energy, are in the final stages of testing a portal similar to Origin Smart.

What you’re getting

The Origin Smart portal provides customers with an estimate of future electricity bills and the capability to set daily electricity consumption targets.

But the value of Energy Smart is yet to be identified because customers may need to see historical energy usage data – beyond the current one-day provided – to gain an understanding of their energy usage over time and to be able to make informed decisions.

Customers will be also able to compare their usage with households of a similar size and occupancy.

This all sounds fine, right? I mean, who wouldn’t want to know how much energy they’re using? But, as mentioned above, there are bigger issues at play here, involving privacy and security.

Risk of a cyber-attack?

In recent weeks I have written on The Conversation about cybercrime and cyber-terrorism laws. The Cybercrime Legislation Amendment Bill 2011 increases the scope of customer data that carriers and internet service providers (ISPs) must collect when notified by police or security organisations.

Proposed changes to cybersecurity laws include a provision for a two-year internet data retention requirement for all Australians.

How is this relevant to Origin Smart? Well, I’ve received several requests for an example of a national network-related privacy and security problem.

I submit Origin Smart.

Origin Smart has all the characteristics of an information store that will be a target for hackers.

Knowledge is power and information about customers’ electricity usage is a saleable commodity. Information about electricity usage for business, government, defence and national infrastructure is of value to hackers and terrorists. (Origin Energy hasn’t made it clear whether Origin Smart will be available only to residential customers.)

Will Anonymous target Origin Smart as part of its current Operation Australia campaign? I don’t see why not.

Victorian customers can access the portal from any internet-connected computer. The portal does not utilise two-step authentication – that is, a second layer of security (such as being sent a password by text message) that makes a security breach less likely.

By contrast, most Australian banks and many online services, including Google and Dropbox, do use two-step authentication.

Failure to utilise these additional security measures is a potential flaw that makes Origin Smart more of a target than it needs to be.

Collection

At the most basic level, Origin Smart is collecting critical information about customers putting it all into internet-connected systems and making it available to customers from any internet-connected computer around the world.

Why would a Victorian Origin Energy customer need to see their half-hourly energy usage while on holiday in Russia?

More concerning is the fact the Origin Smart: Initial Privacy Consent provides a list of organisations that customers agree, when signing up to the service, to allow access to their data.

That list includes:

… relevant contractors which may include installers, mail houses, data processing analysts, IT service providers and smart energy technology providers, debt collection agencies and credit reporting agencies, relevant Government authorities …

Why would I want to share my half-hourly electricity usage data with a debt collector? Or a credit reporting agency for that matter?

Is Origin Smart being set up as a dual-purpose portal that will allow a range of companies to log in and access the complete energy usage history of one or more customers? No-one as yet is saying so, but it would be reassuring to have such issues clarified.

Offshoring data

The Origin Smart Terms and Conditions indicate customer information will be sent to a “third-party smart energy technology provider” located in Colorado, USA.

The Australian government should be very concerned that potentially most (Origin Energy currently has 4.4m customers nationwide) of Australia’s residential, business and corporate energy usage is being sent to the USA - a country that does not have strict privacy and security rules.

The Origin Smart Terms and Conditions read:

The USA does not have laws that provide the same level of protection for an individual’s personal information as in Australia, however, the Third Party Provider is required to comply with any applicable privacy legislation.

But let’s be clear: the US company is not subject to Australian law and would never agree to being subject to Australian privacy laws.

This statement in the Origin Energy Terms and Conditions should be investigated by the relevant authorities immediately.

Data breach?

Are we in danger of inadvertently paving the way for the largest personal data breach in Australian history? And all without having been attacked by Anonymous, by cyber-terrorists or a potential enemy nation carrying out an act of cyber-warfare.

Origin Energy has stated it will send customer data to a company in a country that does not require that company to keep the data secure and permits the company to on-sell the data to whomever they please. I’m gobsmacked.

Can Origin Energy guarantee the data sent to the USA will be destroyed at some point in the future? When would this be?

We all should remember Google making a similar promise to the Australian Privacy Commissioner in the context of the Google Street View controversy.

Google admitted to collecting Wi-Fi data when capturing information for Google Steet View. After assuring the Australian Privacy Commissioner that all of the data collected had been destroyed, Google later admitted to finding more data that had not been destroyed.

To summarise, my concerns about Origin Smart are the following:

  1. Poor security. Without two-step authentication the system could be a juicy hacking target

  2. Poor privacy. The list of organisations that can be provided with access to customer data is extraordinary and access for many is unnecessary and unwarranted

  3. National security. The data of everyone who signs up to Origin Smart will be sent to the USA.

The Origin Smart Initial Privacy Consent requirement and the Terms and Conditions were red flags for me. As an Origin Energy customer I chose not sign up to Origin Smart.

I strongly recommend you refrain from doing so as well.