Proposal: Overhaul Surveillance Ordinance as Data Collection, Retention and Sharing Ordinance

By Jan Bultmann and Christopher Sheats


Our city has committed to protecting immigrants, refugees, and the many thousands of other vulnerable populations. We argue that this is not possible without strong privacy oversight, safeguards, and enforcement. The local privacy community urges Seattle’s leadership to set aside for the moment the discussion of our Surveillance Ordinance and any amendments to it, and instead to develop an ordinance that holistically addresses the government’s role in data collection, retention, and sharing.

Why pause now? The ACLU of Washington has proposed a stronger version of the existing bill, which has been watered down by multiple revisions that remove the many critical elements including independent oversight, auditing, reporting, and enforcement requirements. But even with the ACLU’s original, stronger proposal, the foundation of the bill is inadequate.

We now live in a very different environment than when the Surveillance Ordinance was first crafted, although it has only been 3 years. This legislation was drafted in response to the public outcry that accompanied the Seattle Police Department’s acquisition of drones without public knowledge. Council chambers were repeatedly packed with demonstrators. After having wasted $82,000 dollars, the drones were ultimately decommissioned. The Surveillance Ordinance was successful to meet that immediate challenge.

Now we promise vulnerable people that we are a sanctuary city that will defend their human rights. We are literally in the crosshairs of a hostile federal government, one that has been shown to disregard local regulations and make backroom deals with city agencies. For example, putting cameras on City Light poles in direct violation of our existing surveillance law, putting nothing in writing, and further, evading any form of FOIA or PDR process.

“As a sanctuary city we have a greater obligation to protect private citizens.” — Kshama Sawant

We have autonomous cars coming, including wireless car to car technology, wireless car to infrastructure technology, and the lobbyists that come with them. We have facial recognition technologies coming and the lobbyists that come with them. We will be seeing the largest developments of these technologies within President Trump’s term.

Seattle’s Race and Social Justice Initiative clearly states:

By 2017, the City of Seattle will work with community-based organizations to support the movement to end structural racism.

We can tell you that the City has not asked the Seattle Privacy Coalition for input on how we might accomplish this, and we are well into 2017. Further, CTAB-Privacy has not been asked for input on these amendments by the Council. How can Seattle’s Surveillance Ordinance go on to exempt technologies designed and purchased for surveillance? Do black lives really matter to Seattle when data collection, retention, and sharing technologies are historically and routinely purchased in the name of defense but used offensively?

If we do not hold ourselves accountable, a government for the people, how are we going to ethically govern the use of these technologies when they are funded, deployed, and managed by third parties? How is Seattle going to defend our human rights if we have a “surveillance ordinance” that is not adequate for the complexity of a major municipality? Common sense demands that we broaden the scope to include all forms of data collection, retention, and sharing. This would eliminate splitting hairs on terms that exclude any technology not specifically purchased to support law enforcement.

The Electronic Frontier Foundation is a legal digital rights organization that maintains an umbrella grassroots organization called Electronic Frontier Alliance. Last week we discussed surveillance ordinances under development in more than 11 municipalities across the United States. The Seattle Washington ordinance was cited as being “well-intended but weak” whereas the Oakland California legislation was cited as effective because their draft legislation includes provisions for independent oversight that are fundamental to all controls, auditing and reporting requirements, and enforcement options such as the public’s right to sue for privacy harms. We strongly advise that Council review the Oakland California ordinance.

The Seattle ordinance MUST include oversight, auditing, reporting, and enforcement, and it cannot be limited to a false notion of what is or it not for surveillance. Without these fundamental changes, we are a sanctuary city in name only. With federal access to municipal databases unmonitored, unchecked, and unreported, anyone who makes use of a city service is vulnerable. When privacy is by design and policies are made to support the most vulnerable in our city, we, in effect, defend everyone’s human rights.

As defined by Seattle’s Privacy Program, we have a Privacy Review Process (PDF) that we can leverage for all forms of data collection. All forms, because there cannot be a lack of transparency and accountability. This must be baked into a Data Collection, Retention and Sharing Ordinance. Every act by the City that takes in information should have a corresponding unique identifier that must be published so that anyone can learn more about the data being collected, what it is being used for, and who is responsible for it. This will build trust. In line with Councilmember Sawant’s wishes to pull down foreign cameras from City utility poles, people have the right to be informed about what their government is collecting about them and their community. We should have the ability to learn about and to respond to our government in constructive ways. With the City’s drive for increasing open data and community engagement, why haven’t we started doing this yet?

Privacy is at risk from always-on microphones, cameras, smartphones, smart meters, automobiles, internet assistants like Alexa, Siri, Echo, and Cortona, Internet connected children’s toys, home appliances, and so many other things that have yet to even be invented. The city of Seattle cannot protect people today from predatory corporate data exploitation. We can, however, model what a human-rights respecting privacy policy looks like. And we must.

Please do not pass the watered-down Surveillance Ordinance rewrite into law because it will cause more harm than good. Instead, we urge the City Council to reach out to local community organizations such as the Seattle Privacy Coalition, Electronic Rights Rainier, and the body that the City Council assembled to advise them on technical issues, the Community Technology Advisory Board, to create a bill we can all be proud of.

If We Care For Survivors, Surveillance Technologies Must Be Heavily Regulated

By Christopher Sheats


In Seattle tomorrow, City Council will be discussing Surveillance Ordinance amendments originally proposed by ACLU of Washington and watered down by the council. The Surveillance Ordinance would be incredibly deficient if we passed these amendments. Of primary concern, there are multiple exemptions that are *crazy* if you were to juxtapose a United Nations privacy report.

Surveillance technology does not include:

(a) technology used to collect data from individuals who knowingly and voluntarily consent to provide, or who do not avail themselves of an opportunity to opt out of providing, such data for use by a City department;

(b) social media sites or news monitoring and news alert services;

(c) a body-worn camera;

(d) a camera installed in or on a police vehicle;

(e) a camera installed in or on any vehicle or along a public right-of-way used to record traffic patterns or traffic violations or to otherwise operate the transportation system safely and efficiently, including in any public right-of-way;

(f) a camera installed on City property for security purposes;

(g) a camera installed solely to protect the physical integrity of City infrastructure, such as Seattle Public Utilities reservoirs; and

(h) routine patches, firmware and software updates, and hardware lifecycle replacements.

In February, I spoke along side ACLU of Washington lawyers, University of Washington lawyers, and a domestic violence survivor at a public hearing in our state capitol to support an ACLU bill limiting Automatic Licence Plate Readers. Domestic violence survivors’ privacy, specifically their physical location privacy, is paramount to them and their families. Further, many survivors are victims to police men and women, making this under-served population a critical voice in discussions concerning surveillance technologies. At the hearing, A women with incredible courage showed up to educate the committee about her and the other 5,000+ Address Confidentiality Program participants. With permission, below is her testimony.

As content on our website is licensed using Creative Commons, please feel free to use share her testimony to further privacy rights.

Madame Chair, and members of the committee,

I am here today to discuss a part of my life so terrifying that, at times, I have actually contemplated writing a horror movie script.

Please forgive me, but by the end, it will make sense to today’s hearing.

I am here as a participant in the Washington State Address Confidentiality Program, ACP for short.

You will never understand, nor will I ever be able to convey the fear and torment that one individual can deliver. His words are still etched in my mind: “No woman is going to tell me, a man, what to do.” When trying to end a relationship, what I got in return was physical abuse and psychological terror. I would see him outside my home, my work, at my children’s school or stalking me in my rear-view mirror.

At times, he would convey to me each and every way or place he could have killed me that day.

I discovered that he had made duplicate keys of both my home and my car. Changing door locks didn’t matter. He still got inside. He was letting me know that he was in control.

My oldest son and I would eventually bobby trap our doors when we left, to more easily determine if he might be inside when we returned.

And though time, our much-loved pet cats disappeared one by one.

I lived through death and kidnapping threats to my children’s lives. I feared for my own life.

And in utter, desperate fear one night, I called a helpline, told them of my situation, and was advised to leave the state immediately. I did. On their advice, I gave my house keys to a friend, told nobody where I was going, put my kids and some clothes in my car, and drove to a state where I was offered protection.

I thank you so very much WA for the ACP. I no longer have to be afraid. It took me months but I no longer have to fear looking in my rear-view mirror.

This is hopefully the end of my desperate story.

But now, I want you to clearly understand one implication of unrestricted ALPR technology
I am here representing a vulnerable part of society, those who live in domestic violence situations. My ex-boyfriend kept telling me that he had connections to the police department, that there was no place to hide.

What if that was true? What if someone like me, couldn’t hide ever?

With unrestricted and retained ALPR data that becomes a real possibility.

I want you to consider the lives of spouses of law enforcement who might be in a domestic violence situation. My tale of torture existed because my stalker knew where I lived. Please protect your citizens, all your citizens, from potential location abuse. Please put restrictions on ALPR data.

Seattle City Light: Seattlites Need an Opt-In Policy for Smart Meters

By Molly Connelly and Jan Bultmann

As Seattle City Light customers, we ask Seattle City Light (SCL) to create an advanced metering infrastructure policy that mandates that SCL obtain informed consumer consent before installing advanced metering devices (AKA “smart meters”) — that is, an opt-In policy.

The system should carry no financial disincentives for those customers who decide not to opt-in.  

In this blog:

  • Threats to Privacy
  • Potential Unintended Consequences
  • Erosion of Public Trust
  • Current Legal Landscape
  • Gap Analysis of Federal and State Regulations
  • Precedents that Support an Opt-in Model
  • Conclusion

Threats to Privacy

Advanced metering technology poses a threat to individual privacy, as federally funded research shows. Government agencies including the Congressional Research Service1, Department of Energy2 and National Institute of Standards and Technology3, have written extensively about the specific threats to privacy generated by residential smart meters. Independent researchers have further documented the level of intimate detail that can be gathered from smart meter data, such as what customers are watching on television.4,5 

Potential for Unintended Consequences

We are concerned that smart meters can now, or in the future, be misused to act as data collection devices which make previously private activities inside our dwellings subject to unauthorized official and criminal surveillance. We are concerned about such data being collected and stored in databases that may not be protected against warrantless searches, and may be managed by companies that have a history of profiting off of warrantless electronic surveillance.6 We are concerned about a lack of clarity regarding Constitutional protections for information collected by Seattle City Light that could be shared with city, state and federal law enforcement via the Seattle Shield Program7 and the Washington State Fusion Center.

Erosion of Public Trust

In the midst of the continuing Snowden revelations about government use of unregulated technology for warrantless electronic surveillance, public trust in the ability of elected officials and public institutions to adequately protect us is at a low point. We need laws and regulations to catch up with technology so that there are clearly defined privacy protections for smart meter data, and data collection and storage protocols that are based on established, relevant law, not just departmental policies. 

Current Legal Landscape

Legal experts acknowledge that our current federal laws and regulations don’t provide adequate smart meter data privacy protection. For example, the Federal Wiretap Act could allow a utility to give permission to law enforcement or a third party to intercept smart meter data without a warrant.8  The third party doctrine as it relates to utility records containing smart meter data has not yet been tested in the Supreme Court. The Stanford Technology Law review advises that “When confronted with a business record or other information held by a third party, the Court should ask whether the record, or the technology used to create the record, reveals information about activities taking place inside the home that otherwise would not be available absent a trespass into the home. The Court should further inquire as to whether the consumer has been able to exercise any real choice about whether to create such records…Under this test, information about in-home activities generated by advanced meters or sensors in a demand response system would be protected by the Fourth Amendment” and “law enforcement officials should be required to obtain a warrant before being given access to those records”.9

At the September 26, 2013 Foreign Intelligence Surveillance Court Review, Senator Mark Udall asked Deputy Attorney General James Cole for clarification on whether section 215 of the Patriot Act (the “business records” provision of the Foreign Intelligence Surveillance Act which allows records to be collected via secret general warrants issued with a diluted standard of probable cause and placing the recipient under gag order) can be used by the National Security Agency to collect business records including “utility bills”; Mr. Cole was unable to rule it out.10 

Gap Analysis of Federal and State Privacy Protections

The US Supreme Court has asserted that “at the very core [of the Fourth Amendment] stands the right of a man to retreat into his own home and there be free from unreasonable government intrusion”.11Our Washington State Constitution provides even more rigorous protection of privacy rights than those guaranteed by the Fourth Amendment. Unlike the Fourth Amendment, WA State Const. Article I Section 7 “clearly recognizes an individual’s right to privacy with no express limitations”12 and states that “No person shall be disturbed in his private affairs, or his home invaded, without authority of law.”  Washington State has historically recognized that an individual has some level of protected privacy interest in power usage, but existing regulations on how law enforcement can access utility records are based on analog meter electrical consumption records collected monthly which are not able to reveal discrete information about a customer’s in-home activities. 

The current Revised Code of Washington (RCW 42.56.335) which regulates law enforcement access to utility records does not require a warrant, or a showing of probable cause, but instead only requires the weak standard of “reasonable belief” that the utility record will help establish that the customer committed a crime.  Advanced meter electrical consumption records can reveal discrete information and intimate details about a customer’s activities occurring within the confines of their home, including use of medical equipment, hours of occupancy, and more. These merit Constitutional protection requiring a warrant for law enforcement to access.

Our laws have not kept pace with changing technology, and we are at risk of violating constitutionally protected privacy rights. In 1994 State v. Young the WA Supreme Court recognized strict privacy protections regarding infrared as a device that discloses information about activities occurring within the confines of a home, and which a person is entitled to keep from disclosure absent a warrant.  An apt quote from the ruling:

However, in construing Const. art. 1, § 7, we have resisted the uncertain protection which results from tying our right to privacy to the constantly changing state of technology. We recognize as technology races ahead with ever increasing speed, our subjective expectations of privacy may be unconsciously altered. Our right to privacy may be eroded without our awareness, much less our consent. We believe our legal right to privacy should reflect thoughtful and purposeful choices rather than simply mirror the current state of the commercial technology industry.”13  

We need the City of Seattle to step in and model privacy policies that reflect thoughtful and purposeful choices.

Precedents that support an opt-in policy

Other jurisdictions have heard customer concerns about smart meters including privacy and data security issues and have responded by creating opt-in policies. The Eugene Water and Electric Board (Oregon’s largest customer owned utility) voted unanimously on Oct. 1, 2013 to move forward with an advanced metering project that takes an opt-in approach that focuses on consumer choice.14 In 2012 the state of New Hampshire enacted a law which prohibits electric utilities from installing smart meter gateway devices without the property owner’s consent.15 Vermont now requires written notice before installing a smart meter, and prohibits fees for those customers who choose not to opt-in.16 Section 1252 of the United States Energy Policy Act of 2005 acknowledges consumer choice and supports an opt-in approach. There is a current bill in the Washington state legislature that will give additional statutory protection to smart meter data by adding it to the public records disclosure exemptions.17


Given the privacy risks of smart meters, consumers must be allowed to choose whether to accept these risks or avoid them by not opting-in to a smart meter.  In the absence of adequate state and federal legislation, we call upon the City of Seattle and Seattle City Light to enshrine the “Opt-in” model in law. The current plan for an opt-out presumes consent; which we argue is inadequate and potentially even unethical, because the technology of smart meters has gotten ahead of consumers as well as regulators. The opt-in model requires explicit, informed consent and encourages customers to be active participants in their utility decisions by allowing them to make an informed consumer choice after being educated about the benefits and risks of smart meters and the security of their information.  

1 Congressional Research Service, Smart meter data: privacy and cybersecurity, CRS Report for Congress, 2012.

Available at:

2 Department of Energy, “Data access and privacy issues related to smart grid technologies”, 2010. Available at:

3 National Institute of Standards and Technology, “Guidelines for smart grid cybersecurity: Vol. 2, privacy and the smart grid”, The Smart Grid Interoperability Panel – Cybersecurity Working Group, vol. NISTR 7628, 2010. Available at:

4 Ulrich Greveler, Peter Glosekotter, Benjamin Justus and Dennis Loehr. Multimedia content identification through smart meter power usage profiles. In Computers, Privacy and Data Protection, 2012. Available at:

5 Miro Enev, Sidhant Gupta, Tadayoshi Kohno and Shwetak N. Patel. Televisions, video privacy, and powerline electromagnetic interference. In ACM Conference on Computer and Communications Security, pages 537-550, 2011. Available at:

6 e.g. SAIC, who presented the Seattle City Light Business Case for AMI in 2012. SAIC has a long and troubling history of producing unconstitutional data collection programs for government entities, e.g. they developed the NSA Trailblazer program for warrantless electronic surveillance; it ended in failure, costing taxpayers billions of dollars. They also created PRISM, the NSA program which is currently being used for unconstitutional metadata collection. Note that SAIC offshoot Leidos is a vendor for Meter Data Management Systems used in advanced metering infrastructures.

8 Balough, Cheryl Dancey (2011) “Privacy Implications of Smart Meters,” Chicago-Kent Law Review: Vol 86: Iss. 1, Article 8, page 18. Available at:

9 Jack I. Lerner, Deirdre K. Mulligan (2008) “Taking the “Long View” on the Fourth Amendment: Stored Records and the Sanctity of the Home”, Stan. Tech. L. Rev. 3. Available at:

11 Silverman v. United States, 365 U.S. 505 (1961), discussed in section 512. Also see: Kyllo v. United States, 533 U.S. 27 (2001), (discussed infra part II)

12State v. Simpson, 95 Wash.2d 170, 622 P.2d 1199 (1980) (discussed infra part I, section (2))

13 State v. Young, 123 Wash.2d 173, 867 P.2d 593, (1994), (discussed infra Section II, [7])



What Seattle City Light smart meter forums are like, where to find the next one


Here’s a summary from Seattle Privacy correspondent Molly Connelly of the August 19 Seattle City Light forum on Smart Meters:

I went to the AMI (smart meters) forum last night. SCL didn’t do a presentation, and instead just had tables set up for Q&A on Health, Privacy, and Customer benefits, and said they are in the “listening phase” and haven’t made any concrete decisions yet.
Customer Benefits table: City Council approved SCL’s AMI plan in 2012, but they haven’t yet authorized funding for it, and meters will not be purchased until budget authority is given. (This means that potential meter vendors are still unknown, so we don’t know what models will be used and can’t do any kind of security audit on them yet.) (There is still an option to tell City Council to deny funding). Doesn’t sound like federal funding is available for new meters.
Estimated timeline: 2014 get Council to approve funding, secure vendor contracts; 2015 install smart meters (or digital meters if consumer opts out). Opt-out clause is a yes for now, but policy is subject to Council approval, and not clear about additional consumer costs associated with this. Existing analog meters do need to be replaced, options are 1. smart meter, or 2. digital meter (similar to analog but easier to read, no two-way communication, still need a meter reader to physically look at it). Digital meters can’t be converted to smart meters. Industrial/office buildings give useful info about energy usage – potentially could only have smart meters on these buildings (and not residences) and still get good data to help cycle/load energy in efficient manner.
Privacy Questions table: Staffed by SCL employee Kelly E, very friendly/smart/seemed transparent/open to suggestions. Tech citizens concerned about security vulnerability to unauthorized third party access; say wireless can never be truly secure. SCL open to having an independent auditor to test/analyze meter security vulnerability. SCL requires a subpeona to give records to law enforcement and has a legal dept. that reviews all requests before sharing info; mostly deals with fraud issues and sporadic grow-ops.  Citizens concerned about warrantless Fed access, section 215/gag orders etc.
SCL seems unfamiliar with this, and said they don’t know what a fusion center is. Re: danger of federal agencies accessing data without a warrant – SCL suggested a Council ordinance to forbid it. We asserted that if we create a system where big data exists, the Feds will find a way to access it regardless, NSA and co. track record proves this again and again; real-time in-home behavioral data would be an irresistible target for their dragnet surveillance efforts. SCL says meter data can be shared with third parties for “work related to the utility” e.g.  for a conservation effort or fraud detection effort. Tech citizens noted that this option could easily be exploited for data mining.
SCL rep emphasized that SCL is a public utility, owned by the citizens, and offered to create an AMI stakeholders group of citizens to meet regularly and further discuss the privacy issues with her.
SCL rep emphasized that SCL is a public utility, owned by the citizens, and offered to create an AMI stakeholders group of citizens to meet regularly and further discuss the privacy issues with her.
Readers, please note, I’m not publishing the email of the SCL rep because I don’t want her spammed, but if you want to write and encourage the formation of a stakeholders group, please email contact [at] and we’ll get you the email.
Citizen consensus: the inside of our home is the last remaining refuge of privacy (ALPR, cameras, phone GPS etc track our every public movement; NSA tracks every email and phone call. Home is last refuge. Must protect it. This seems like an argument that would resonate strongly with general public). Loss of privacy due to high probability of govt. dragnet surveillance (and third party hacking and data mining) trumps potential environmental and cost benefits of smart meters. Might be helpful to present SCL and City Council with alternative solutions to the problems that smart meters are intended to solve.

The next Seattle City Light forum on Smart Meters is happening September 10 at Seattle Center:

Seattle Center – Shaw Room
Seattle Center
305 Harrison St.
Seattle, WA 98109
*Shaw Room is located on the corner of 1st Ave N and Republican St.
(North of Key Arena)

Tuesday, September 10
5 – 7:30 p.m.South
Seattle Housing Authority NewHolly – Gathering Hall
7054 32nd Ave S
Seattle, WA 98118
Thursday, September 26
5 – 7:30 p.m.



SPD event tonight and this week’s recommended #privacy reading

SPD event tonight:

Tonight at beautiful Golden Gardens, we’ll hear Seattle Police Department spokespeople and techies talk about the Port of Seattle surveillance cameras. If you can, please come: This is pretty interesting stuff.

Details: Golden Gardens Bathhouse, 8498 Seaview Pl. NW, Friday, May 24th at 7 p.m.

SPD also invites your e-mail comments or questions at

Seattle Privacy Coalition members have made it to each of the previous public meetings (at Alki and Belltown) and we plan to be there tonight.

This week in recommended reading

We don’t really mean to tell you to read Bruce Schneier every single time the man posts something, but we couldn’t resist sharing this very alarming article, which envisions all our devices, appliances, clothing, and other items tracking us and each other and reporting in: The Internet of Things.

Speaking of things that know where you are: From the opposite side of the country comes news of the Maine Senate voting to require police to get a warrant before engaging in location tracking of cell phones and other GPS-enabled devices in non-emergency situations.

We feel like we see articles almost every day that refer to new (or existing) programs and systems that gather and store data, such as ORCA and other transit cards, Smart Meters, and more.

Lately we’ve been seeing and using the term “Accidental Surveillance” to describe how, when they are all put together, these systems paint an alarmingly detailed picture of our lives and movements.

Here’s a piece by Seattle City Councilmember Tim Burgess that discusses how, starting April 1, owners of commercial and multifamily residential buildings of at least 20,000 square feet must report energy usage to the City on an annual basis. We’re all for saving energy, we just want to make sure privacy protection is part of the conversation: Tracking Building Energy Use.

Finally we saw that Woodinville plans to purchase surveillance cameras to fight crime, and is also considering the sort of automated license plate reader (ALPR) system in use currently in Seattle. Props to Mayor Bernie Talmas, the lone no vote, who was reported in The Seattle Times as voting no, “saying he was concerned about privacy issues and possible liability to the city.”

And this seems like a good moment to note that Seattle Privacy Coalition does not oppose data gathering systems, but we also are concerned about privacy issues and possible liability to our fair city, and would love to see oversight in place to review department protocols.