Following the exponential growth of the Internet, mobile devices and applications, consumers worldwide are being presented with thousands of options and solutions claiming to support the promise of making your home “smart” and tracking your steps to fitness with the latest wearable. With this rapid race to market, all too many of these products and services lack basic security and privacy protections. The headlines regarding baby monitor vulnerabilities or TVs watching the user more than the user watches the TV have become alarming worldwide, resulting in calls for regulation and Congressional hearings.

While media and researchers have focused on the device, this is only part of the story; in fact, in most cases, it is not about the device. Connected devices and the applications are just enablers. The real value and threat to the user and business is the data. Perhaps the Internet of Things (IoT) might be better named the “Internet of Data” as the amount of personal and sensitive data being collected is staggering. Increasingly, IoT business models are based on data collection and sharing with third parties and intermediaries and the amounts of “ambient” data collected by networks and carriers is massive.

All this data collection increases risk to consumer security and privacy and raises questions internationally from regulators including the FTC, Article 29 Working Party as well as the ITU and ENSIA. The “Right To Be Forgotten,” data sovereignty and data residency legislation may impede growth and spur more regulation as the data flows without physical borders. As we have witnessed the fall of Safe Harbor and the balkanization of privacy across the Atlantic, we may be headed into troubled waters.

Faced with the convergence of these issues, and building on our past work convening multi-stakeholder efforts, the Online Trust Alliance formed the IoT working group in January 2015 recognizing the need to review security, privacy and sustainability of these devices and services holistically. The group’s initial focus is on the smart home and wearable technologies.

Working with a diverse group of stakeholders ranging from the National Association of Realtors, Target, Belkin, American Greetings and ADT to the ITU and ENSIA as well as technology leaders including AVG, Microsoft, Rapid7, Symantec, Verisign, TRUSTe and others, the IoT Trust Framework was conceived. The group’s primary goal is to establish a code of conduct leading to a certification program while providing prescriptive guidance to app developers, device manufactures and platform companies – guidance they can use today to help make their products safer, more secure and adopt responsible consumer centric privacy practices.

Throughout this year the Framework has evolved and is moving toward last call status, reflecting input from over 100 organizations, individuals and government entities. Thanks to objective insights from these subject matter experts it now includes over 35 measurable and auditable criteria, representing the first global effort to address IoT security, privacy and the associated sustainability or lifecycle risks and practices.

Today these guidelines are helping provide a road map for the FTC and others to help establish and enforce reasonable data security guidelines to support Section 5 of the FTC act. A key principle of the Framework is not only addressing security and privacy out of the box, but through the entire lifecycle of the devices and their associated data as they are used by multiple family members and, where applicable, transferred to new owners.

The OTA IoT Trust Framework is designed to:

  • Provide guidance to manufacturers and developers to help reduce attack surface and vulnerabilities, and adopt responsible privacy and data stewardship practices.
  • Drive the adoption of security, privacy and sustainability best practices; embracing “privacy and security by design,” as a model for a voluntary, yet enforceable code of conduct.
  • Provide positive affirmation and recognition to companies, products and retailers who embrace the code of conduct and meet minimum standards.
  • Provide retailers and commerce sites criteria to aid in their product merchandising and promotion decisions.
  • Evaluate and identify gating issues and considerations for a seal or certification program.

Whether you are part of the IoT Trust Working Group (membership is open to all), a security researcher or a privacy professional looking to learn more, OTA is hosting a public Summit in Washington, D.C. on Wednesday November 18th where the final draft of the Framework will be reviewed and next steps explored.

We welcome your participation. It is a great opportunity to provide input on the Framework, connect with like-minded organizations and participate in robust discussions on the future of public policy and the IoT. Plus you can earn IAPP CPE credits!

 photo credit: Maze Puzzle (Blender) via photopin (license)