Introduction

Smart city projects have made their way onto an increasing number of government agendas globally. These initiatives aim to improve the efficiency of urban spaces, and provide residents with better services in everything from policing to waste management, by enlisting the help of Internet of Things (IoT) sensors and other connected devices. These devices are supposed to make cities “smart” by enabling different state actors to gather and analyze large amounts of citizen data. The data captured may include online activity tracked through Wi-Fi hotspots, location and movement data tracked through a network of sensors, or even biometric information from facial recognition devices.

In a time where concerns about the abuse of personal data and automated decision-making are grabbing headlines, individuals are increasingly uncomfortable with the amount of data gathered about them, and how this data is used and shared. The Pew Research Center recently found that over 60 percent of Americans do not think it is possible to go about daily life without private or government entities collecting personal data, and over 80 percent feel little or no control over this data. Most concerning, only 4 percent of Americans say they understand what is being done with government-collected data. With private firms such as Equifax and Facebook suffering major privacy and security breaches, and flawed data use by some governments, it is easy to see why the public is worried.

Policymakers are aware of these concerns, but are grasping for solutions. On one end of the spectrum are a set of top-down measures to better protect privacy, whether through data privacy legislation or embedding privacy by design into procurement requirements. On the other are a range of market solutions that call for people to “own” their data as a way of wrestling back control over their information. These ideas are somewhat helpful, but neither is fully satisfying.

Privacy is too narrow a paradigm to fully address the risks that data present, notably biases or inaccuracies during collection and analysis of data.¹ To frame the conversation around privacy is to fence it in, obscuring questions around broader harms, and leaving crucial issues unaddressed. Conversely, the suggestion that data should be private property, and that people should own and be able to sell their data, brings up its own issues. Commodifying personal information may encourage individuals to license or sell their data for little value, without fully understanding the consequences.

We believe there may be another way, adapted from the work of Elinor Ostrom, to help smart city policymakers fulfil the promise of insightful and efficient smart cities while protecting the rights of city residents.

Applying Ostrom’s Approach to Governing Smart City Data

Political economist Elinor Ostrom is remembered for her Nobel Prize-awarded research on the effective governance of commons, which she defined as resources—like water—that are shared and managed by a group. Ostrom’s work identifies the conditions that enable groups to cooperate for long-term, successful use of these collective resources through eight design principles situated within an Institutional Analysis and Development (IAD) framework. The application of these principles as an organizational strategy is known as a “commons approach.”

Ostrom primarily focused on natural resources, but she extended her theories to digital information at the end of her career, viewing data as a shared resource managed by many. She called this realm the “knowledge commons.” Over the past decade, Ostrom’s work has been taken forward by the Knowledge Commons Scholars, who see the emerging digitization of knowledge and information as a way to facilitate a commons approach for its storage, access, and sharing.

We believe Ostrom’s approach can be similarly applied to governing data as a resource, and that some of her principles provide insight on how to effectively govern data collected by smart cities.

Ostrom, and the Missing Link of Public Engagement in Smart City Data Governance

Myriad resources provide guidance on data governance, whether for a city’s overall data practices (e.g., the What Works Cities certification), for focus on privacy (e.g., GDPR), or for cybersecurity (e.g., the NIST Cybersecurity Framework and Privacy Risk Model). However, none of these resources focus on building or empowering communities to actively participate in governing the data they create, share, and cultivate. In other words, many best practices offer little guidance on the public engagement that Ostrom found key.

Given the criticisms generated by smart city initiatives, including their failure to integrate citizen voices into tech design and implementation, and their failure to obtain consent for mass-scale collection and use of publicly-gathered personal data, Ostrom’s work clearly has something to teach cities about transparency and public accountability.

Ostrom developed institutional processes that respond to input from diverse stakeholders who use and steward a resource in different ways. This bottom-up governance approach has several critical benefits: it allows a community to tailor rules to local needs and conditions; it gives community members the autonomy to experiment with diverse rules; and it enables more democratic decision-making, which helps to prevent inequitable outcomes. Ostrom’s built-in channels for input allow for better feedback loops, continued evaluation, and a more dynamic system that ensures that rules continue to align and adapt with changing norms.

Our intention is to translate Ostrom’s design principles into actions that city managers can take to enable meaningful public engagement around data. Rather than leaving elected representatives or third-party vendors scrambling to impose retroactive guidelines after programs become controversial, we hope our suggestions will help build trust, legitimacy, and accountability from the beginning.

Translating Ostrom’s Principles for Smart Cities

From Ostrom’s original eight principles, we adapted four that are most clearly applicable to the context of smart city data:

1. Promote responsibility for data governance among multiple layers of nested enterprises.
2. Create processes for the affected community to participate in making and modifying the rules around data.
3. Develop an effective monitoring system to be carried out by the community.
4. Provide accessible means for dispute resolution, use graduated sanctions against rule breakers, and make enforcement measures clear.