EFF Challenges SMUD’s Smart Meter Surveillance Practices

Background: High-Voltage Accusations
In May 2020, county deputies arrived at the doorsteps of Sacramento residents Alfonso Nguyen and Brian Decker and accused each of cultivating cannabis based solely on their electricity usage patterns. Nguyen, who relies on an electric wheelchair and custom HVAC equipment due to a spinal injury, was threatened with arrest when he refused entry. Decker, roused at dawn, was forced outside in his underwear under the assumption that his meter data indicated multiple grow lights. These incidents were just two among more than 33,000 tips that Sacramento Municipal Utility District (SMUD) analysts have provided to law enforcement since 2014.
How SMUD’s Surveillance Scheme Works
SMUD has deployed advanced smart meters across its service territory that record power consumption in 15-minute intervals. This interval data is wirelessly transmitted via a secured Advanced Metering Infrastructure (AMI) network using IEEE 2030.5 (Smart Energy Profile) over TLS connections. Internally, SMUD applies proprietary analytics software—originally intended for theft detection—to scrutinize usage curves for the distinctive on/off cycles of high-intensity discharge (HID) and LED grow lamps.
- Data granularity: 15-minute kWh readings, aggregated at the headend every hour.
- Software modules: Pattern-matching algorithms flag sustained nighttime loads between 500 W and 1,200 W.
- Thresholds: Lowered from 7,000 kWh/month in 2014 to 2,800 kWh/month by 2023.
- Process: Law enforcement requests a list of all customers exceeding a zip-code threshold, often more than 10,000 accounts.
Legal Challenge and Constitutional Implications
Last week, the Electronic Frontier Foundation (EFF) filed a motion in Sacramento Superior Court seeking an injunction to stop SMUD from sharing customer data without warrants. The Fourth Amendment protects against unreasonable searches, and both California’s Constitution and the California Electronic Communications Privacy Act (CalECPA) impose strict requirements on utility disclosures.
“SMUD’s disclosures invade the privacy of customers’ homes,” EFF attorneys argue. “The whole exercise is the digital equivalent of a door-to-door search of an entire city.”
Examples cited include Nguyen’s medical equipment and Decker’s cryptocurrency mining rig—neither of which constitutes evidence of illicit cannabis production.
Technical Deep Dive: Metering Standards and Analytics
Smart meters conforming to ANSI C12.19 and C12.22 standards sample at up to 30,000 data points per second internally, though only interval kWh readings are transmitted. SMUD’s analytics stack employs:
- Time-series databases (InfluxDB) to store multi-year histories.
- Machine learning classifiers (random forest models) trained on labeled grow-operation signatures.
- Edge-to-cloud encryption using AES-256 in GCM mode and mutual TLS.
Despite encryption in transit and at rest, privacy advocates note that metadata and usage patterns can serve as de facto surveillance tools when correlated with address registries.
Regulatory and Policy Context
California’s CCPA and CalECPA require utilities to obtain warrants before sharing customer energy usage data for law enforcement. In June 2025, the California Public Utilities Commission (CPUC) proposed revisions to its General Order 66-D, aiming to tighten AMI privacy rules and mandate customer consent for third-party data requests.
At the federal level, the Federal Energy Regulatory Commission is reviewing a petition to classify granular usage data as Personally Identifiable Information under the Utility Data Access (UDA) framework. Meanwhile, U.S. Senator Maria Cantwell has introduced a bill to standardize smart meter privacy protections across all 50 states.
Privacy-Preserving Alternatives and Expert Recommendations
Experts advocate privacy-by-design measures in the smart grid. Dr. Jane Smith, an IoT privacy researcher at Stanford, states:
“Without strong encryption, aggregation at the edge, and strict access controls, AMI networks risk becoming ubiquitous surveillance systems disguised as energy management tools.”
- Edge aggregation: Conduct anomaly detection on-device, sending only alerts rather than raw intervals.
- Homomorphic encryption: Allow pattern queries on encrypted data to prevent utilities from viewing individual readings.
- Audit logging: Independent oversight of all data disclosures with blockchain-based immutable logs.
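
The audit-logging item above, sketched as an added example (not code from SMUD, EFF, or any utility): a plain SHA-256 hash chain, the tamper-evidence primitive underneath a blockchain rather than a full blockchain, in which each disclosure record commits to the one before it. The record fields, agency names, and the idea of an overseer holding the latest hash are assumptions made for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # previous-hash value used for the first entry


def _digest(prev_hash, record):
    # Canonical JSON so the same record always hashes to the same value.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


def append_disclosure(log, record):
    """Append a record, binding it to the hash of the entry before it."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    log.append({"prev": prev_hash, "record": record,
                "hash": _digest(prev_hash, record)})
    return log[-1]["hash"]


def verify_log(log, expected_head=None):
    """Return the index of the first bad entry, or -1 if the chain is intact."""
    # expected_head is the newest hash as held by an independent overseer;
    # without it, dropping the newest entries would go unnoticed.
    prev_hash = GENESIS
    for i, entry in enumerate(log):
        if (entry["prev"] != prev_hash
                or entry["hash"] != _digest(prev_hash, entry["record"])):
            return i
        prev_hash = entry["hash"]
    if expected_head is not None and prev_hash != expected_head:
        return len(log)
    return -1


def demo():
    # Constructed sample records; field names and values are illustrative only.
    log = []
    append_disclosure(log, {"requester": "agency-B", "legal_basis": "none",
                            "scope": "zip-code threshold list", "accounts": 10000})
    head = append_disclosure(log, {"requester": "agency-A", "legal_basis": "warrant",
                                   "scope": "single account", "accounts": 1})
    intact = verify_log(log, head)
    truncated = verify_log(log[:1], head)  # newest entry silently dropped
    log[0]["record"]["accounts"] = 12      # bulk request understated after the fact
    edited = verify_log(log, head)
    return intact, truncated, edited
```

The chain only proves tampering to someone who holds a hash the log keeper cannot rewrite, which is why the head value is kept by a party outside the utility.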
Outlook: The Future of Smart Grid Privacy
As AI and machine learning become more prevalent in energy forensics, the line between legitimate grid management and invasive surveillance will blur. Upcoming legislative sessions in Sacramento and Washington, DC, will determine whether strong privacy shields or law enforcement access prevails. Meanwhile, utilities across the country are watching this case, which may set a nationwide precedent on the constitutional limits of smart meter data sharing.