'To build a better life': Chicago's new data-collecting sensors stir privacy concerns

The Array of Things project could be life changing. By using cameras, sound level monitors and air quality sensors, the network digitizes city living. But privacy experts fear potential problems with the program.

The Array of Things made its live debut Monday in the Pilsen neighborhood in Chicago, where the city installed two 10-pound nodes on traffic posts last week. The nodes contain low resolution cameras, microphones and various air quality sensors, along with sensors that detect use of WiFi and Bluetooth devices within a 100-foot range.

For some, this could offer a massive boost in the quality of life for residents. For parents deciding which route to use when walking their children to school, a tool like this could streamline their morning. The Array of Things is a collaborative project between the University of Chicago, Argonne National Laboratory and the School of the Art Institute of Chicago that was originally launched in 2014 and is designed to be a “fitness tracker” for the city.

Brenna Berman, Chief Information Officer of the City of Chicago, said in a statement, “You’re going to see community groups use this data to understand their communities and neighborhoods better as we all try to build a better life here in Chicago.”

But for privacy-minded citizens, there are glaring holes in the project that have yet to be addressed.

The resolution on cameras is thought to be low, and the sound sensors are meant to only monitor sound levels – not record noises. However, there will be audio and image files that will be used to calibrate the sensors. A written response from project managers explained, “These images will contain no sensitive PII [personally identifiable information], but some may show faces or license plate numbers.”

All information gathered by AoT will be available to the public – except for data containing PII.

In an attempt to maintain transparency, the Department of Innovation and Technology fielded questions from residents about their concerns. PII data will not be made public but will be stored in a separate, safe facility, where access to this data is “restricted to operator employees, contractors and approved scientific partners who need to process the data for instrument design and calibration purposes, and who are subject to strict contractual confidentiality obligations and will be subject to discipline and/or termination if they fail to meet these obligations.”

But who are these people, and will the public know who may have their picture or license plate stored? In a written response, a project manager said, “The Array of Things has no capability to access or detect sensitive PII, but can detect visual features that are considered to be ‘non-sensitive PII’ such as faces in the public way or license plate numbers.”

They went on to explain, “The privacy and governance policies nevertheless limit who will have access to data, under what circumstances, and for the limited purpose of research and development.”

So, no, there will be no way to learn who is looking at what behind the scenes of The Array of Things.

When it comes to warrants, the project managers were even vaguer, saying, “The University of Chicago, as copyright holder of the data, would be responsible for responding to law enforcement requests.”

Lee Tien, a senior staff attorney at the Electronic Frontier Foundation, was brought in to advise the AoT team on drafting earlier versions of its privacy policy. Now that the final draft has been approved, he still has his doubts.

"The handling of law enforcement, it seems pretty clear it's not in there at all and it should be," Tien told the Chicago Tribune. "So that's definitely a failure."

The final draft of the policy contains no mention of law enforcement. However, it does make reference to transmitting data over OpenSSL, the same software library responsible for the Heartbleed hack in 2013.