MA: blurbs on HCI, privacy, standards

ma/safety_reset.tex

@@ -375,7 +375,6 @@ offset by the resulting savings in electricity cost\cite{bmwi03}.
 
 \subsection{Human-Computer Interaction aspects of smart meter technology}
 
-% TODO the following paragraph uses "us" a bunch. Is that ok?
 A fundamental aspect in realizing the cost and energy savings promised by the smart metering revolution is that it
 requires a paradigm shift in consumer interaction. Previously most consumers would only confront their energy use when
 their monthly or yearly electricity bill arrived. All of the cost savings smart meters promise over traditional metering
@@ -391,9 +390,21 @@ it does manage to capture our attention and lead us to modify our behavior, what
 does an in-home display increase financial anxiety in economically disadvantaged customers?
 
 Human Computer Interaction research has touched the topic of smart metering several times and has many insights to offer
-for technologists\cite{pierce01,rodden01,lupton01,costanza01,fell01}.
+for technologists\cite{pierce01,rodden01,lupton01,costanza01,fell01}. An issue pointed out in \textcite{rodden01} is
+that at least in some countries consumers fundamentally distrust their utility companies. This trust issue is
+exacerbated by smart meters being unilaterally forced onto consumers by utility companies. Much of the success of smart
+metering's ubiquitous promises of energy savings fundamentally depends on consumer coöperation. Here, the aforementioned
+trust issue calls into question smart metering's chances of long-term success.
 
-% FIXME continue this.
+As \text{pierce01} pointed out smart metering developments could benefit greatly from early involvement of HCI research.
+HCI research certainly would not have overlooked entire central issues such as privacy as it happened in the dutch
+case\cite{cuijpers01}. The current corporate-driven approach to a technological advance forced through national
+standardization bears a serious risk of failing to meet its ostensible objectives for consumers. The role of consumers
+and the complex sociotechnological environment posed by this new technology is seriously considered nowhere in the
+standardization process. While certainly noone will admit to outright ignoring consumers in smart meter standardization
+their role is largely limited to the occassional public consultation. At the same time the standards are written by
+technologists--it seems largely without input on their practicality or socio-technological implications from fields such
+as HCI. % TODO citation? too much burn?
 
 \subsection{Common components}
 \label{sm-cpu}
@@ -496,7 +507,23 @@ base protocol ountry-specific standardization only covers which precise variant
 supported.
 
 \subsection{International standards}
-% FIXME
+
+The family of standards one encounters most in smart metering applications are IEC 62056 specifying the Device Language
+Message Specification (DLMS) and the Companion Specification for Electronic Metering (COSEM). DLMS/COSEM are
+application-layer standards describing a request/response schema similar to e.g.\ HTTP. DLMS/COSEM are mapped onto a
+multitude of wire protocols. They can be spoken over TCP/IP or mapped onto low-speed UART serial interfaces
+\cite{sato01,stuber01}.  Besides DLMS/COSEM there are a multitude of standards usually specifying how DLMS/COSEM are to
+be applied.
+
+DLMS/COSEM show some amount of feature creep. They do not adhere to the age-old systems design adage that a tool should
+\emph{do one thing and do it well}. Instead they try to capture the convex hull of all possible applications. This led
+to a complicated design that requires extensive additional specification and testing to maintain even basic
+interoperability. In particular in the area of transport security it becomes evident that the IEC as an electrical
+engineering standards body stretched their area of expertise and resorting to established standard protocols would have
+improved the situation\cite{weith01}. Compared to industry-standard transport security the IEC standards provide
+a simplistic key management framework based on a static shared key with unlimited lifetime and provide sub-optimal
+transport security properties (e.g.\ lack of forward-secrecy).
+% TODO maybe expand this?
 
 \subsection{The regulatory situation in selected countries}
 
@@ -530,7 +557,7 @@ would be a spearate installation from the smart meter. In Germany there are sign
 before a utility company may cut power to a household\cite{delaw01}. The elision of a load switch means attacks on
 German meters will be limited in influence to billing irregularities and attacks using DSM equipment.
 
-% FIXME elaborate DSM attacks vs. whole-household attacks in attacks section
+% TODO elaborate DSM attacks vs. whole-household attacks in attacks section
 
 \subsubsection{The Netherlands}
 The Netherlands were early to take initiative to roll out smart metering after its recognition by the European
@@ -581,7 +608,7 @@ A unique point in the Japanese utility metering landscape is that the current pr
 Japan residential utility meters are usually mounted outside the building on an exterior wall and every month someone
 with a mirror on a long stick will come and read the meter. The meter reader then makes a thermal paper print-out of the
 updated utility bill and puts it into the resident's post box. This practice gives consumers good control over their
-consumption but does incur significant pesonnel overhead. % FIXME citation. Maybe the toshiba one?
+consumption but does incur significant pesonnel overhead. % TODO decide on citation. Maybe the toshiba one?
 
 \subsubsection{The USA}
 
@@ -696,6 +723,21 @@ without smart meters and only gains speed from smart meters. A smart meter canno
 with a section of wire.  Due to the limit on its volume, electricity theft using smart meter hacking would not scale.
 Hackers would quickly be triangulated with no damage to consumers and limited damage to utility companies.
 
+\subsection{Privacy in the smart grid}
+
+A serious issue in smart metering setups is customer privacy. Even though the meter ``only'' collects aggregate energy
+consumption of a whole household this data is highly sensitive\cite{markham01}. This counterintuitive fact was initially
+overlooked in smart meter deployments leading to outrage, delays and reduced features\cite{cuijpers01}. The root cause
+for this is that given sufficient timing resolution these aggregate measurements contain ample entropy. Through
+disaggregation individual loads can be identified and through pattern matching even complex usage patterns can be
+discerned with alarming accuracy\cite{greveler01}. Similar privacy issues arise in many other areas of modern life
+through pervasive tracking and surveillance\cite{zuboff01}. What makes the case of smart metering worse is that even the
+fig leaf of consent such practices hide behind does not apply here. If I as a citizen do not consent to Google's privacy
+policy Google says I can choose not to use their service. In today's world this may not be a free choice making this
+argument totally invalid, but it is at least technically possible. Smart metering on the other hand is mandated by law.
+In some countries such as Germany a customer unwilling to accept the accompanying privacy violation cannot legally
+evade it\cite{bmwi04}.
+
 \subsection{Smart grid components as embedded devices}
 
 A fundamental challenge in smart grid implementations is the central role smart electricity meters play. Smart meters
@@ -753,8 +795,7 @@ the two most effective measures for embedded security is reducing the amount of
 checking and double-checking this code on the other hand. A smart electricity manufacturer does not have a say in the
 former since it is bound by the official regulations it has to comply with, and will almost certainly not have sufficient
 resources for the latter.
-% FIXME expand?
-% FIXME cite some figures on code size in smart meter firmware?
+% TODO expand?
 
 \subsection{Attack avenues in the smart grid}
 
@@ -765,7 +806,7 @@ such as one that shuts down a power plant to decrease generation capacity. The l
 that forges grid frequency measurements where they enter a power plant's control systems to provoke increasing
 oscillation in the amount of power generated by the plant according to the control systems' directions.
 % FIXME cite
-% FIXME expand
+% TODO expand
 
 \subsubsection{Communication channel attacks}
 
@@ -1092,7 +1133,7 @@ complexity in parts that do not require full debugging capabilities as provided
 The kind of microcontroller that would likely be used as the main application controller in a smart meter application
 will almost certainly support JTAG. These microcontrollers are high pin-count devices since they need to connect to a
 large set of peripherals such as the LCD and the large program flash makes it likely for a proper debugging interface to
-be present. % TODO maybe citation here?
+be present.
 
 The one remaining issue in this coarse technical outline is what communication interface should be used to transmit the
 trigger command to the reset controller. In the following section we will give an overview on communication interfaces
@@ -2499,10 +2540,10 @@ correctly configure than it is to simply use separate hardware and secure the in
 \appendix
 \chapter{Transcripts of Jupyter notebooks used in this thesis}
 
-%\includenotebook{Grid frequency estimation}{grid_freq_estimation}
-%\includenotebook{Grid frequency estimation validation against ROCOF test suite}{freq_meas_validation_rocof_testsuite}
-%\includenotebook{Frequency sensor clock stability analysis}{gps_clock_jitter_analysis}
-%\includenotebook{DSSS modulation experiments}{dsss_experiments-ber}
+\includenotebook{Grid frequency estimation}{grid_freq_estimation}
+\includenotebook{Grid frequency estimation validation against ROCOF test suite}{freq_meas_validation_rocof_testsuite}
+\includenotebook{Frequency sensor clock stability analysis}{gps_clock_jitter_analysis}
+\includenotebook{DSSS modulation experiments}{dsss_experiments-ber}
 
 \chapter{Demonstrator Resources}
 \section{schematics and code}