Jericho from Attrition.org sent me a link to an interesting post on Risks Digest 26.80 from a homeowner who installed solar panels on his roof. The firm that installed the panels provide s a user-specific web page that customers can use to monitor their system’s performance. The page goes one step further: it also displays electricity production. So homeowners who click on the link to their unique monitoring web page can see helpful graphs showing their electricity consumption decrease if solar production is meeting their energy needs.
So what’s the problem? Well, the web page displayed the homeowner’s name and address. And by looking at their consumption pattern, you could likely figure out when they’re not home or away on vacation.
The homeowner writes:
Their exposure of their customers’ names and addresses on a publicly accessible web site without their prior knowledge or consent is clearly a violation of the Massachusetts Data Privacy Law, 201 CMR 17.
There’s another interesting twist in the story… As soon as I realized that our address was visible to the world on our monitoring page, I updated our settings to tell the site not to make our address visible. They do provide that as an option, although they don’t enable it by default. However, after doing that, I was digging a little deeper into how the monitoring page works, and I discovered that the bit controlling whether to display the address is enforced on the client side via AJAX, not on the server. In other words, our address was being sent down to the web browser regardless of whether the bit was set; all the setting did was tell the browser whether to display the address to the user. Therefore, anyone could use a network sniffer like wireshark or even just a browser tool like Firebug to find out our address.
Needless to say, I raised a big stink to SunBug. They fixed it for us by making back-end changes in their database to completely remove all of our PII from the site. They also said they understood my concerns and were looking into how to address them for all of their customers, although I don’t know what in particular they’ve done in the several months since I brought the issue to their attention.
The box that SunBug installed to monitor our electricity production and consumption is a “smart meter” of sorts, so this story illustrates that the concerns people have with smart meters are legitimate and already manifesting in the real world.
The homeowner was clear to note that he was happy with the company and its product, but it was just the privacy and security aspect that he wanted to raise.
I wonder how often this type of thing occurs.
If any other readers have had a similar experience, please use the Comments section to tell your story.