Sidewalk Labs Tech: The Numina Pilot Project
By Nicholas Studley, CIPPIC Student
On March 2, 2019, Sidewalk Labs announced a partnership with Numina, a computer vision sensor company, to pilot a mobility management platform at 307 Lake Shore Blvd East. Sidewalk is using Numina’s sensors to track the movement of people through the space around their headquarters. Statistics are then combined to understand the amount of time people spend looking at indoor and outdoor exhibits. This pilot is likely a precursor to a more ambitious mobility management solution which could track parking spaces, introduce dynamic parking pricing, ticket vehicles, and dynamically change traffic signals.
How is Sidewalk protecting privacy?
Numina’s technology will help people move more efficiently through cities, but the privacy risks are prevalent. Sidewalk Labs is mindful of these privacy implications and has adhered to several best practices in anticipation of the public concern, including:
- Privacy by design principles
- Open by default, notice and no ad-targeting
- Data anonymization and data minimization
- Encryption and other protections
Privacy by design is a commitment to addressing privacy risks during the design of a technology, rather than as an afterthought. Numina’s sensors were “designed to protect privacy” and Sidewalk’s commitment to privacy by design is evidenced by their Responsible Data Use Assessment (“RDUA”). This assessment describes the privacy concerns associated with the Numina technology and Sidewalk’s efforts to mitigate them.
Being open by default is a commitment to transparency in data collection. When the 307 Lake Shore pilot is over, Sidewalk is going to make the aggregate statistics derived from the study publicly available. At 307 Lake Shore, Sidewalk posts notices that explain data is being collected on site, and that sensors are distributed throughout the environment. These notices use a series of images to describe what information is being collected, who is collecting it and where they can get more information about the initiative. Any data collected by Sidewalk Labs, regardless of anonymity, will not be used for advertising purposes.
Data anonymization and data minimization are policies of de-identifying personal information wherever possible and collecting as little data as necessary. Numina’s sensors de-identify personal images and information “on-device in real time.” The images Numina collects are broken down and a previously identifiable person is assigned to a broad category such as a “pedestrian” or “cyclist.” Once an hour, an identifiable image is transmitted to Numina and stored in the cloud. This image is transmitted for quality assurance purposes. These images have a lowered resolution and before the image is reviewed by the quality assurance team, the image is further de-identified using a combination of object detection and blurring. Sidewalk Labs does not receive these images, nor will they take a de-identified image and try to reconstruct it into identifiable data.
Numina’s sensors encrypt communications. Numina designates authorized devices, and sensors are only able to communicate with those designated devices. They also maintain and
rotate encryption keys.
How could Sidewalk improve privacy protections?
Numina’s mobility management platform captures image data. The images are obscured, with most images being de-identified at the source. Some images are transmitted and saved for quality assurance purposes. These images are stored in the cloud for 30 days. Image data is of particular sensitivity and should only remain identifiable when absolutely necessary. An image which is randomly selected for quality assurance purposes could contain the image of a young person, further complicating the process. Where possible, quality assurance images should be limited to adults in the environment. By posting notifications, Sidewalk has provided adults with notice that their children’s images might be captured while on site, which is a good first step.
Numina has, since their inception, been committed to providing “intelligence without surveillance.” Numina’s sensors capture “moments,” they are not recording the environment. However, the sensors capture images more or less continuously (roughly 172,000 discrete images are captured per day). Surveillance could be reduced by capturing fewer images, but would impact the value of the data collected.
Numina will store aggregate data in the United States because “Amazon Web Services have only one Canadian data center.” Canadians have identified that local storage is a high priority. Storing data in the cloud can also create other privacy concerns. To combat these risks, Sidewalk notes in its RDUA that data will not be “linked to any individuals or combined with other datasets in a way that could link back to individuals.” As long as appropriate due diligence has been conducted with respect to security, new data creation, function creep and any other concerns, the risks are being prudently managed.
Privacy legislation considerations
The Personal Information and Protection of Electronic Documents Act (“PIPEDA”) applies to the collection, use or disclosure of personal information in the course of a commercial activity. Personal information is information about an identifiable individual.
The information collected by Numina’s sensors is identifiable (primarily image data and license plates). This information, as mentioned, is anonymized as much as possible. However, obscured or blurred information still creates a risk of identification. Even non-identifiable information (for example, driving style and time spent observing exhibits and installations) could become identifiable in combination with other data. If identification through combination is a “serious possibility,” then even non-personal data could be subject to PIPEDA. Numina’s activity would likely be deemed commercial. Any information which pertains to a commercial activity that crosses a national border will likely be subject to PIPEDA. Numina is located in the United States and, as mentioned, data will be stored in the United States, so cross-border transfers will occur.
Sidewalk Labs receives data from Numina in the form of combined statistics and insights. They do not receive identifiable images, nor will they attempt to re-identify images. Regardless, as in Numina’s case, if identification through data combination is a “serious possibility,” then even non-personal data could be subject to PIPEDA.