Addressing IoT risks with a trust framework

The Online Trust Alliance (OTA) released its Internet of Things Trust Framework, the first global, multi-stakeholder effort to address IoT risks comprehensively.

The framework presents guidelines for IoT manufacturers, developers and retailers to follow when designing, creating, adapting and marketing connected devices in two key categories: home automation and consumer health and fitness wearables.

With members that include ADT, AVG Technologies, Microsoft, Symantec, Target, TRUSTe, Verisign and nearly 100 other subject matter experts, the OTA IoT Working Group was formed in January 2015. Through extensive research, this taskforce concluded that the safety and reliability of any IoT device, app or service depends equally on security and privacy, as well as a third, often overlooked component: sustainability.

Sustainability—the life-cycle supportability of a device and the protection of the data after the warranty ends—is critical to the security, privacy and personal safety of users and businesses worldwide.

“The rapid growth of the Internet of Things has accelerated the release of connected products, yet important capability gaps in privacy and security design remain as these devices become more and more a part of everyday life,” said Craig Spiezle, Executive Director and President of OTA. “For example with a fitness tracker does the user know who may be collecting and sharing their data? When you purchase a smart home what is the long-term support strategy of patching devices after the warranty has expired? How do manufactures protect against intrusions into smart TV’s and theft of data collected from device cameras and microphones? What is the collective impact on the smart grid or our first responders should large numbers of these devices be compromised at once?”

Without addressing sustainability, devices that may have been secure off the shelf will become more susceptible to hacking over time. This could lead to hackers remotely opening garage doors and turning on baby monitors that are no longer patched to infiltrating fitness wearables to spy on health vitals, or creating mayhem by sabotaging connected appliances.

OTA’s Internet of Things Working Group includes security and privacy experts, policymakers, and companies in the fields of consumer product goods, health care, retail and e-commerce, and home security. Some of its proposed best practices include:

• Making privacy policies readily available for review prior to product purchase, download or activation.
• Encrypting or hashing all personally identifiable data both at rest and in motion.
• Disclosing prior to purchase a device’s data collection policies, as well as the impact on the device’s key features if consumers choose not to share their data.
• Disclosing if the user has the ability to remove or make anonymous all personal data upon discontinuing device or device end-of-life.
• Publishing a timeframe for support after the device/app is discontinued or replaced by newer version.