“If your toilet’s so smart, how come I can hack it?”

Thus reads the headline on David Meyer’s Gigaom post on news that the Satis toilet, manufactured by the Japanese firm Lixil, comes with a smartphone app that can be used to control any Satis toilet (see also this BBC news article). You may wonder why a toilet needs an app, which is a valid question; this one allows recording of one’s activity (if you so choose …), remote flushing, remote air freshener spray, and remote bidet operation. Subjective utility being what it is, I’ll consider Lixil as entrepreneurs responding to what they perceive as some undersatisfied preference in the market, which the extent of their subsequent profits will indicate or not …

Although the story is scatologically humorous, Meyer’s closing observation hits upon exactly the same point I made recently in my post about the hackability of home management systems:

Of course, it’s not like someone will be exploiting this vulnerability to prank someone a continent away — Bluetooth is a pretty short-range wireless technology. However, it’s the kind of thing that should be borne in mind by manufacturers who are starting to jazz up previously low-tech appliances with new-fangled connectivity.

Because when it comes to security, as Trustwave SpiderLabs and others have warned, the home is the last place you want to be caught with your pants down.

Honey, someone hacked our smart home

Ever since the first “vision” meeting I attended at the Department of Energy in 2003 about the technologically advanced electric power grid of the future, digital network security in a smart grid has been a paramount concern. Much of the concern emphasizes hardening the electrical and communication networks against nefarious attempts to access control rooms or substations. Less attention goes to the security of the home automation system itself.

Here’s why privacy and security issues matter so much in customer-facing smart grid products and services: how likely is it that someone can hack into your home energy management system? The resourceful technology and privacy journalist Kashmir Hill gained access to eight homes, merely by doing an Internet search to see if any homes had their devices set to be discoverable by a search engine:

Googling a very simple phrase led me to a list of “smart homes” that had done something rather stupid. The homes all have an automation system from Insteon that allows remote control of their lights, hot tubs, fans, televisions, water pumps, garage doors, cameras, and other devices, so that their owners can turn these things on and off with a smartphone app or via the Web. The dumb thing? Their systems had been made crawl-able by search engines – meaning they show up in search results — and due to Insteon not requiring user names and passwords by default in a now-discontinued product, I was able to click on the links, giving me the ability to turn these people’s homes into haunted houses, energy-consumption nightmares, or even robbery targets. Opening a garage door could make a house ripe for actual physical intrusion.

In this instance, early adopters of a now-discontinued home automation system had not changed their default settings to implement security protocols. They had not followed the simple security protocols that we have become habituated to in our home wireless networks, which most of us now routinely know to secure with a password at least. This security hurdle doesn’t seem very high, and it shouldn’t be; securing a home automation system separately with a username/password login is not difficult, and can be made less difficult for the technologically challenged through helpful customer service.

She goes on in the story to relate her interactions with some of the people whose houses she was able to access, as well as her discussion with people at Insteon:

Insteon chief information officer Mike Nunes says the systems that I’m seeing online are from a product discontinued in the last year. He blamed user error for the appearance in search results, saying the older product was not originally intended for remote access, and to set this up required some savvy on the users’ part. The devices had come with an instruction manual telling users how to put the devices online which strongly advised them to add a username and password to the system. (But, really, who reads instruction manuals closely?)

“This would require the user to have chosen to publish a link (IP address) to the Internet AND for them to have not set a username and password,” says Nunes. I told Nunes that requiring a username/password by default is good security-by-design to protect people from making a mistake like this. “It did not require it by default, but it supported it and encouraged it,” he replied.

One of the interesting aspects of her story (and you get a much deeper sense of it reading the whole article) is the extent to which these early adopters/automation hobbyists identified some but not all of the potential security holes in the home automation system. These are eager, knowledgeable consumers, and even they did not realize that some ports on the router were left open and thus made the system discoverable externally.

I think she’s right that for such technologies in such sensitive applications as home automation, default username/password authentication is good design. This is an application in which I think the behavioral economics arguments about setting defaults to overcome inertia bias are valid.

Insteon has since changed their default settings to require username/password authentication on the automation system separate from the home wireless network authentication, and the rest of the article describes some other companies that are working to close security holes in their home automation systems.

As we extend the smart grid into our home and the “Internet of things” becomes more deeply embedded in our lives, being aware of the value of securing our privacy and reducing the risk of unauthorized access to our homes and the devices and appliances in them becomes more important. The digital rules we apply to our financial transactions should guide our privacy and security awareness and decisions in our home network too. That way we can enjoy the benefits of home automation and transactive energy that Hill lays out in her article while minimizing the risk of unauthorized access to our homes and our information.

Regulation’s effects on innovation in energy technologies: the experimentation connection

Lynne Kiesling

Remember the first time you bought a mobile phone (which in my case was 1995). You may have been happy with your land line phone, but this new mobile phone thing looked like it would be really handy in an emergency, so you-in-1995 said sure, I’ll get a cell phone, but not really use it that much. Then, the technology improved, and more of your friends and family got phones, so you used it more. Then you saw others with cool flip phones, in colors, and you did some searching to see if other phones had features you might like. Then came text messaging, and you experimented with learning a new shorthand language (or, if you’re like me, you stayed a pedant about spelling even in text messages that you had to tap out on number pad keys). You adopted text messaging, or not. Then came the touch screen, largely via the disruptive iPhone, and the cluster of smartphone innovation was upon us. Maybe you have a smartphone, maybe you don’t; maybe your smartphone is an iPhone, maybe it isn’t. But since 1995, your choice of communication technology, and the set from which you can choose, has changed dramatically.

This change didn’t happen overnight, and for most people was not a discrete move from old choice to new choice, A to B, without any other choices along the way. Similarly for technological change and the production of goods and services. For both consumers and producers, our choices in markets are the consequence of a process of experimentation, trial and error, and learning. Indeed, whether your perspective on dynamic competition is based on Schumpeter or Hayek or Kirzner (or all of the above), the fundamental essence of competition in market processes is that it’s a process of experimentation, trial and error, and learning, on the part of both producers and consumers. That’s how we get new products and services, that’s how we signal to producers whether their innovations are valuable to us as consumers, that’s how innovation creates economic growth and vibrancy, through the application of our creativity and our taste for creating and experiencing novelty.

This kind of dynamism is common in our world, and is increasingly an aspect of our lives that creates value for us; mobile telephony is the most obvious example, but even in products as mundane as milk, the fundamental aspect of the market process is this experimentation, trial and error, and learning. How else would Organic Valley have started coming out with a line of milk that is entirely from pasture-raised cows? (I am happily consuming this milk; pasture-raised cows make milk with more essential fatty acids and conjugated linoleic acid, very important for health.)

But this kind of dynamism, while common, is not pervasive. Institutions matter, and in particular, various forms of government regulation can influence the extent to which such technological dynamism occurs in a market. The example I have in mind as a counterpoint, the example I want to explain and understand, is consumer-facing electricity technologies, like thermostats and home energy management systems. For the past several years there has been considerable innovation in this space, due to the application and extension of digital communication technology innovations. But despite the frequent claims over the past few years that this year will be the year of the consumer energy technology, it keeps not happening.

Tomorrow in New Orleans, at the Southern Economic Association meetings, I’ll be presenting a paper that grapples with this question. My argument is that traditional economic regulation of the electricity industry slows or stifles innovation because regulation undercuts the experimentation, trial and error, and learning of both producers and consumers. As I state in the abstract:

Persistent regulation in potentially competitive markets can undermine consumer benefits when technological change both makes those markets competitive and creates new opportunities for market experimentation. This paper applies the Bell Doctrine precedent of “quarantine the monopoly” to the electricity industry, and extends the Bell Doctrine by analyzing the role of market experimentation in generating the benefits of competition. The general failure to quarantine the monopoly wires segment and its regulated monopolist from the potentially competitive downstream retail market contributes to the slow pace and lackluster performance of retail electricity markets for residential customers. The form of this failure to quarantine the monopoly is the persistence of an incumbent default service contract that was intended to be a transition mechanism to full retail competition, coupled with the regulatory definition of product characteristics and market boundaries that is necessary to define the default product and evaluate the regulated monopolist’s performance in providing it. The consequence of the incumbent’s incomplete exit from the retail market suggests that as regulated monopolists and regulators evaluate customer-facing smart grid investments, regulators and other policymakers should consider the potential anti-competitive effects of the failure to quarantine the monopoly with respect to the default service contract and in-home energy management technology.

In August 2011 I wrote about the Bell Doctrine, Baxter’s precedent from the U.S. v. AT&T divestiture case, and how we have failed to quarantine the monopoly in electricity. This paper is an extension of that argument, and I welcome comments!

If you’ll be at the SEA meetings, I hope to see you there; I am headed to NOLA tonight, and look forward to a fun weekend full of good economic brain candy.

Something not-so-funny happened on the way to the smart grid: Xcel, Boulder and the Colorado PUC

Michael Giberson

Four-and-a-half years ago I relayed on these pages Xcel’s announcement of its Smart Grid City project. It was exciting stuff, I thought, and I said it “should prove to be a very useful project.” (See also Lynne’s post on an NYT article discussing the project.)

It has proven useful, but not entirely in the way it was intended.

A Wall Street Journal article from 2008 noted one bold move by Xcel: “Departing from the norm, Xcel isn’t seeking permission from regulators to recover its costs in advance, but will wait until ‘we have proven the benefits,’ says Mike Carlson, Xcel’s chief information officer.”

Suffice to say all has not gone as hoped in Xcel’s effort to turn Boulder into a Smart Grid City.

The Denver Post provides a current update. In brief: the company has spent about $45 million on the project, regulators have approved recovery of $28 million and the city, other Colorado ratepayers, and the utility are battling before the CPUC over responsibility for the remaining $17 million in expenses.

Oh, and voters in Boulder approved (just barely) two ballot issues last November in an effort to municipalize electric utility service in the city (and see the utility comments here).

ALSO from the Denver Post: “Changing energy policy rules keep Colorado guessing in election year.”

Smart shopping for electric power just got easier in Houston

Michael Giberson

CenterPoint Energy, the Houston-area electric distribution company, has launched MyTrueCost.com to help area retail electric customers shop for electric power. Help may be needed: currently 43 companies offer a total of 239 different service options in the CenterPoint service territory according to data from Powertochoose.org, the Texas PUC’s retail power website.

The basic idea is pretty simple: customers sign up, TrueCost accesses their smart-meter based electric power consumption data and estimates bills, the customers provide some information on the kind of retailer and contract they want (low price, environmental characteristics, number of PUC complaints, years in service, etc.), and then the website identifies the contracts that appear most suited to the customer.

TrueCost doesn’t search through all possible contracts, however, just contracts from the several retailers that have agreed to participate. Currently 10 of the 43 companies in the area are participating. Customers should be aware that TrueCost gets paid a flat fee by the retailer for each customer that signs up through the service. (TrueCost noted in the Q&A that the flat fee means that the service doesn’t have an incentive to upsell customers to more costly contracts.)

Simple. Smart. Cool. (And speaking of cool, the young people of Houston would like you to know that a Forbes real estate blogger has named Houston #1 on its list of America’s Coolest Cities to Live.)

By the way, TrueCost also charts average retail power prices offered in Texas’s competitive retail power markets and provides commentary in an accompanying blog.

One-year plans keep momentum from summer price spike (July 5, 2012)

INVITATION: If any of our Houston area readers have tried out MyTrueCost, send me an email and let me know what you think. My email address can be found here.

Smart meter cybersecurity and moral panics

Lynne Kiesling

In March I wrote about Adam Thierer’s paper on technopanics — “a moral panic centered on societal fears about a particular contemporary technology” — and I argued that we should bear the moral panic phenomenon in mind when evaluating objections to smart grid technologies. In the past two weeks we’ve seen news articles on this topic: according to the FBI, smart meter cybersecurity is loose enough that hackers have been able to hack into smart meters and steal electricity.

Chris King from eMeter has done some digging into this question, and writes at Earth2Tech suggesting that the problem is old-fashioned criminal human behavior, not any technology-specific security failure:

Upon a closer look, this situation is not so much about smart meters as it is about criminal human behavior. Former Washington Post reporter Brian Krebs explained that it was not actually the smart meters themselves which were “hacked.” The meters’ own security measures were not breached.

Instead, criminals accessed the smart meters by stealing meter passwords as well as some devices used to program the meters. This is more like stealing a key and opening a door, rather than breaking the lock on the door.

These criminals were former employees of the utility involved, and of the vendor who provided the smart meters. These people were paid (bribed) by customers to illegally reprogram the meters so that those meters would record less energy consumption than actually occurred. This is not fundamentally different from bribing human meter readers to under report consumption — which happens often in some developing countries.

Which brings us back to Adam’s original point: why are we so willing to accept the technopanic argument? Why are so many people so suspicious of new technology, and so willing to give up both the consequentialist potential benefits and the moral defense of individual liberty and impose controls and limits on technology?

The Internet of things and computational energy efficiency

Lynne Kiesling

Today in Technology Review, Jonathan Koomey has an interesting analysis of computational energy efficiency. We’re all familiar with Moore’s Law — Gordon Moore’s prediction that the number of transistors on a chip will double approximately every two years — but I did not realize that Moore’s Law is also borne out in improvements in the electrical efficiency of computation. Not only do we have more and more computational capacity per unit of area, each of those increased computations is performed with less electricity per computation. Koomey’s graphic showing this result over time is striking:

If this trend continues, Koomey claims, “the power needed to perform a task requiring a fixed number of computations will continue to fall by half every 1.5 years (or a factor of 100 every decade). As a result, even smaller and less power-intensive computing devices will proliferate, paving the way for new mobile computing and communications applications that vastly increase our ability to collect and use data in real time.”

The ability to do more work with less effort is one of the most meaningful consequences of technological change, whether we’re talking about horse harnesses, water wheels, diesel engines, or digital sensors. One of the fascinating aspects of this improvement in computational electrical efficiency is that it opens up the feasibility of lots of distributed low-power sensors that get enough electricity to operate by harvesting “background energy flows”; Koomey’s example is small weather sensors that harvest stray energy from television and radio signals to send weather condition updates every five seconds. Imagine how a distributed network of such sensors could improve severe weather preparation, for example.

In the rest of this very interesting article, Koomey discusses the research and design efforts going into achieving such energy efficiency in data transmission and taking a system-level perspective on the electricity use of an entire network of devices. He also claims, and I think he’s right, that without such energy efficiency the “Internet of things” cannot become a reality.

The “Internet of things” framing of the Internet envisions interconnected networks of devices able to communicate their states, generate more granular information, and/or trigger tasks autonomously, without human intervention. For example, right now the water filter in my refrigerator needs to be replaced, which means I go down to the basement to see if I have one (which I do), and if using it reduces my filter inventory to one, I get online and order three more. It would economize on the most scarce resource in this supply chain — my time — if the filters had RFIDs and the refrigerator had an algorithm that would implement the inventory query and ordering process for me. I still have to install the new filter, but if that installation triggered an automated query and order, I’d come home from work in a few days to find a box of three water filters, with little effort on my part. That’s an example of the potential of the Internet of things; I’m sure you can come up with more examples that you would find valuable in your own work or personal lives, and I know you can see where this IoT framework intersects with consumer-focused smart grid networks.

Of course, details matter, such as getting the interoperability rules and security right so that only refrigerators can query the filter inventory in the house (no infiltrators, including the government), and so that the refrigerator’s connection to order replacements is secure. The same applies to electricity devices in the home and the digital meter, which is why one of the important phases in the process of smart grid development is laws protecting consumer privacy and property rights in data. Innovation in both computational power and computational energy efficiency has created this potential to generate more value while economizing on the scarce resources of human time and attention.

UPDATE: And check this out: carbon nanotubes that can dump heat separately from current into a separate device, which should contribute to continued gains in computational energy efficiency.