Sustainability is key to IoT development, says OTA
August 19, 2015
The Online Trust Alliance (OTA) has produced guidelines for IoT manufacturers, developers and retailers to follow when designing, creating, adapting and marketing connected devices in home automation and consumer health and fitness wearables.
Its IoT working group was formed in January 2015 and has concluded that the safety and reliability of any IoT device, app or service depends equally on security and privacy, as well as a third, often overlooked component, sustainability.
Sustainability – the life-cycle supportability of a device and the protection of the data after the warranty ends – is critical to the security, privacy and personal safety of users and businesses worldwide.
“The rapid growth of the internet of things has accelerated the release of connected products, yet important capability gaps in privacy and security design remain as these devices become more and more a part of everyday life,” said Craig Spiezle, executive director and president of the OTA. “For example, with a fitness tracker, does the user know who may be collecting and sharing their data? When you purchase a smart home, what is the long-term support strategy of patching devices after the warranty has expired? How do manufacturers protect against intrusions into smart TVs and theft of data collected from device cameras and microphones? What is the collective impact on the smart grid or our first responders should large numbers of these devices be compromised at once?”
Without addressing sustainability, devices that may have been secure off the shelf will become more susceptible to hacking over time. This could lead to anything from hackers remotely opening garage doors and turning on baby monitors that are no longer patched, to infiltrating fitness wearables to spy on health vitals, or creating mayhem by sabotaging connected appliances.
The working group includes security and privacy experts, policymakers, and companies in the fields of consumer product goods, health care, retail and e-commerce, and home security. Some of its proposed best practices include:
- Making privacy policies readily available for review prior to product purchase, download or activation.
- Encrypting or hashing all personally identifiable data both at rest and in motion.
- Disclosing prior to purchase a device’s data collection policies, as well as the impact on the device’s key features if consumers choose not to share their data.
- Disclosing if the user has the ability to remove or make anonymous all personal data upon discontinuing the device or at device end-of-life.
- Publishing a timeframe for support after the device or app is discontinued or replaced by a newer version.
“As the nation’s largest home security provider, ADT supports the sharing of best practices focused on the privacy and security considerations for the connected home,” said Paul Plofchan, chief privacy officer at ADT. “As a member of the working group, we applaud the OTA’s effort to open the dialogue with public and private sector participants in an effort to create a sustainable consumer protection framework.”
In parallel with these best practices, the OTA is developing specific testing tools and methodologies to formalise its IoT Trust Framework with scoring criteria, leading to a voluntary code of conduct and a forthcoming certification programme. The OTA welcomes collaboration with organisations interested in partnering to help accelerate and broaden adoption of such certification programmes worldwide.
The alliance is seeking public and industry comment on this list of best practices from now until September 14, 2015.