ISO/IEC TS 27570

ISO/IEC TS 27570:2021 — Privacy protection — Privacy guidelines for smart cities


In today’s world, smart cities are an amalgamation of wireless networks, mobile and portable devices, IoT (both industrial and consumer), automation, cloud computing, smart devices with artificial intelligence and advanced automation, etc. As disparate ICT systems connect more frequently within our cities, both people and the commercial and governmental service providers (such as those providing communication, energy, transportation, healthcare, and law enforcement) are faced with opportunities and risks.

The scope of the standard

Despite the reference to information security aspects such as safety and resilience, the guideline discusses privacy specifically concerning smart cities, including ‘smart city ecosystem privacy protection’.

Some rhetorical questions are:

– How far should individuals be identified, tracked, and monitored through their ICT devices and digital interactions when they are on the move in their city?
– How should tensions between governments, businesses, and individuals be managed, since privacy requirements and expectations differ between them?
– Even if the collection, use, and disclosure of personal data are restricted for privacy reasons, what can be done (if anything can/should be done) to avoid correlations and inferences being drawn from large amounts of publicly available information?
– Is it even possible to support (a reasonable degree of) anonymity, without disenfranchising and excluding users from the advantages of devices interacting with each other?

Besides the personal and technological, this has social and societal dimensions.

Since the pace of change in this area is so rapid, the guideline cannot address all issues at present, but rather seeks to establish a reference (conceptual) framework on which to develop future standards.

The content

The guideline presents conceptual diagrams and explanations, highlighting other standards that apply.


In January 2021, the standard was published as a Technical Specification.



Since 2015, this innovative, visionary and remarkable standard has been in development.

Even outside the specialization, the issues covered by it are barely acknowledged as such. Rather than complain about constraints later, when it may already be too late to change anything fundamental, it is better to influence the direction of privacy, governance, and other issues now.

If only SC 27 had been proactive about IoT security way back when it was just starting!

The frequent use of “ecosystem” catches my attention as a former biologist. The standard does not refer to organisms interacting with their natural environments, but rather to conceptual linkages between IT systems, networks, organisations, and individuals within a technological context. Can there be a more appropriate term than “ecosystem”?



