‘Smart’ Cities Are Surveilled Cities

When everyone and everything is connected, the door is open to all kinds of digital threats.

By Robert Muggah and Greg Walton, a fellow at the SecDev Group and a researcher at the Oxford Internet Institute.
Pedestrians walk in China.
Pedestrians walk near a massive electronic screen supported by a face recognition system, which shows the image of a jaywalker at an intersection, in Nanjing, China, on July 4, 2019. Traffic police in Nanjing use facial recognition technology to capture jaywalkers. Wang Feng/Imaginechina/Reuters

Cities around the world are getting smarter. A growing number even designated themselves “smart cities.” There are, of course, as many definitions of smart cities as there are cities professing to be smart. Very generally, smart cities deploy a host of information communication technologies—including high-speed communication networks, sensors, and mobile phone apps—to boost mobility and connectivity, supercharge the digital economy, increase energy efficiency, improve the delivery of services, and generally raise the level of their residents’ welfare. Becoming “smart” typically involves harnessing troves of data to optimize city functions—from more efficient use of utilities and other services to reducing traffic congestion and pollution—all with a view to empowering public authorities and residents.

However one defines them, data-enabled cities are booming. By one estimate, there are over a thousand smart city projects underway around the world. Rankings and indices are also proliferating, with such cities as Singapore, Helsinki, Seoul, and Zurich routinely topping the list. Notwithstanding global enthusiasm for hyperconnected cities, this futuristic wired urban world has a dark side. What’s more, the pitfalls may soon outweigh the supposed benefits.

That’s because “smart” is increasingly a euphemism for surveillance. Cities in at least 56 countries worldwide have deployed surveillance technologies powered by automatic data mining, facial recognition, and other forms of artificial intelligence. Urban surveillance is a multibillion-dollar industry, with Chinese and U.S.-based companies such as Axis, Dahua, Hikvision, Huawei, and ZTE leading the charge. Whether they are in China or elsewhere, smart cities are usually described in benign terms with the soothing promise of greener energy solutions, lower-friction mobility, and safer streets. Yet in a growing number of places from New York to Hong Kong, there are growing concerns about the ways in which supercharged surveillance is encroaching on free speech, privacy, and data protection. But the truth is that facial recognition and related technologies are far from the most worrisome feature of smart cities.

Part of what supposedly makes cities smarter is the deployment and integration of surveillance technologies such as sensors and biometric data collection systems. Electronic, infrared, thermal, and lidar sensors form the basis of the smart grid, and they do everything from operating streetlights to optimizing parking and traffic flow to detecting crime. Some cities are adopting these platforms more quickly than others. China, for example, is home to 18 of the top 20 most surveilled cities in the world. Shanghai, which achieved full 5G coverage in its downtown area and 99 percent fiber-optic coverage across the city, is covered by a veritable thicket of video surveillance. Identity collection devices are commonplace, having exploded across public and private spaces. Shanghai recently installed Alibaba’s City Brain public surveillance system, which oversees over 1,100 biometric facial recognition cameras. A combination of satellites, drones, and fixed cameras grab over 20 million images a day. The bus, metro, and credit cards of local residents are also traced in real time. And these tools are spreading. Chinese firms are busily exporting surveillance tech to Latin America, other parts of Asia, and Africa, helping enable what some critics call digital authoritarianism.

A video surveillance camera

A video surveillance camera hangs from the side of a building in San Francisco on May 14, 2019. The city was the first in the United States to ban facial recognition technology by police and city agencies. Justin Sullivan/Getty Images

Surveillance technologies are hardly confined to China. They are also widespread in U.S. cities. Throughout the 1990s and 2000s, law enforcement agencies and private companies deployed surveillance tools, ostensibly to improve public and private safety and security. The 9/11 attacks and subsequent U.S. Patriot Act dramatically accelerated their spread. Yet support for facial recognition systems appears to be ebbing. San Francisco was the country’s first major city to ban its agencies from using them in 2019. San Francisco was among the top five most surveilled cities in the United States when eight of the nine members of its Board of Supervisors endorsed the Stop Secret Surveillance Ordinance. Rolling back surveillance has proved difficult—digital rights advocates recently detected over 2,700 cameras still in use for police surveillance, property security, and transportation monitoring. In 2000, campaigners sued the city for tapping into private cameras to surveil mass protests, in defiance of the new ordinance.

Across North America and Western Europe, the tensions over smart cities can be distilled to concerns over how surveillance technology enables pervasive collection, retention, and misuse of personal data by everything from law enforcement agencies to private companies. Debates frequently center on the extent to which these tools undermine transparency, accountability, and trust. There are also concerns (and mounting evidence) about how facial recognition technologies are racially biased and inaccurate when it comes to people of color, discriminating particularly against Asian and African Americans. This helps explain why in the two years since San Francisco banned facial recognition technologies, 13 other U.S. cities have followed suit, including Boston; Berkeley and Oakland in California; and Portland, Oregon. By contrast, in China, racial bias seems to be a feature, not a bug—patented, marketed, and baked into national policing standards for facial recognition databases. What’s more, Chinese companies are bringing their technologies to global markets.

But a narrow preoccupation with surveillance technologies, as disconcerting as they are, underestimates the threats on the near horizon. Smart cities are themselves a potential liability—for entirely different reasons. This is because many of them are approaching the precipice of a hyperconnected “internet of everything,” which comes with unprecedented levels of risk tied to billions of unsecured devices. These don’t just include real-time surveillance devices, such as satellites, drones, and closed-circuit cameras. By 2025, there could be over 75 billion connected devices around the world, many of them lacking even the most rudimentary security features. As cities become ever more connected, the risks of digital harm by malign actors grow exponentially. Cities are therefore entirely unprepared for the coming digital revolution.

Baltimore office door

Baltimore’s information technology office lost dozens of time-sheet records in a 2019 ransomware attack. Kenneth K. Lam/The Baltimore Sun via Reuters

One of the paradoxes of a hyperconnected world is that the smarter a city gets, the more exposed it becomes to a widening array of digital threats. Already, large, medium, and small cities are being targeted for data theft, system breaches, and cyberattacks, all of which can undermine their operation and provision of essential services, and pose an existential threat. Hundreds of cities around the world have reported major digital disruptions to municipal websites, emergency call centers, health systems, and utilities delivering power or water. When city security is compromised and data privacy jeopardized, it undermines the faith of residents in digitally connected services and systems. As people feel more insecure, they may feel less inclined to participate in online health care, digitized utilities, remote learning opportunities, electronic banking services, or green initiatives—key tenets of the smart city. While not all digital threats can be countered, cities need to mount a robust capability to deter, respond to, and recover from attacks while preserving, as best they can, data protection and privacy.

To start, city authorities, companies, and residents need to design digital security into all domains of governance, infrastructure, commerce, and society. At a minimum, new smart city technologies must avoid reinforcing disproportionate surveillance that undermines basic freedoms, especially privacy. National, regional, and city governments should also mandate and enforce standards that require that all internet-enabled devices sold and deployed in their jurisdictions have minimum password protection, authentication, and encryption built in. It is essential that cities encourage digital literacy across the public, private, and civil society sectors, since many potential digital harms can be reduced through basic awareness and precautionary measures.

To get smarter, cities need to know their blind spots. This requires undertaking real-time monitoring to map the vulnerability of wireless devices in their environment. Passive monitoring across broad-spectrum wireless networks to detect data leakages will need to be routine—and properly explained to citizens. Cities will need to invest in automated incident response and in identifying and fixing their vulnerabilities in relation to networks and devices. Above all else, cities will need to take digital risks seriously and enforce security requirements across all connected devices, from the health watch to the ticket scanner to the internet-connected refrigerator, in a smart city ecosystem. The pursuit of smarter cities can and should not come at the expense of safety, privacy, or liberty. Indeed, the failure to prioritize both human well-being and security in a world of exponentially increasing complexity is a monumentally dangerous folly.

Robert Muggah is a principal at the SecDev Group, a co-founder of the Igarapé Institute, and the author, with Ian Goldin, of Terra Incognita: 100 Maps to Survive the Next 100 Years. Twitter: @robmuggah

Greg Walton is a fellow at the SecDev Group and a researcher at the Oxford Internet Institute.