Online Trust Alliance releases Internet of Things trust framework for addressing security risks related to IoT

The Online Trust Alliance (OTA), a non-profit with the mission to enhance online trust, recently released its Internet of Things Trust Framework, the first global, multi-stakeholder effort to address IoT risks comprehensively. The framework presents guidelines for IoT manufacturers, developers and retailers to follow when designing, creating, adapting and marketing connected devices in two key categories: home automation and consumer health and fitness wearables. In the spirit of collaboration, OTA openly invites industry leaders to review the document and provide feedback.

With members that include ADT, AVG Technologies, Microsoft, Symantec, TRUSTe, and nearly 100 other subject matter experts, the OTA IoT Working Group was formed in January 2015. Through extensive research, this task force concluded that the safety and reliability of any IoT device, app or service depends equally on security and privacy, as well as a third, often overlooked component: sustainability.

Sustainability—the life-cycle supportability of a device and the protection of the data after the warranty ends—is critical to the security, privacy and personal safety of users and businesses worldwide.

“The rapid growth of the Internet of Things has accelerated the release of connected products, yet important capability gaps in privacy and security design remain as these devices become more and more a part of everyday life,” said Craig Spiezle, Executive Director and President of OTA. “For example, when someone sells a house with a smart thermostat or garage door, how does the new owner ensure former users can no longer access these devices? How do manufacturers protect against intrusions into smart TVs and theft of data collected from device cameras and microphones? What is the collective impact on the smart grid or our first responders should large numbers of these devices be compromised at once?”

Without addressing sustainability, devices that may have been secure off the shelf will become more susceptible to hacking over time allowing hackers to remotely control these devices. This is a persistent concern, first demonstrated with baby monitors, just recently by infiltration of fitness wearables to spy on health vitals, and will likely be again soon, perhaps through general mayhem caused by sabotaging connected appliances.

OTA’s Internet of Things Working Group includes security and privacy experts, policymakers, and companies in the fields of consumer product goods, health care, retail and e-commerce, and home security. Some of its proposed best practices include:

> Making privacy policies readily available for review prior to product purchase, download or activation.

> Encrypting or hashing all personally identifiable data both at rest and in motion.

> Disclosing prior to purchase a device’s data collection policies, as well as the impact on the device’s key features if consumers choose not to share their data.

> Disclosing if the user has the ability to remove or make anonymous all personal data upon discontinuing device or device end-of-life.

> Publishing a time-frame for support after the device/app is discontinued or replaced by newer version.

“As the nation’s largest home security provider, ADT supports the sharing of best practices focused on the privacy and security considerations for the connected home,” said Paul Plofchan, Chief Privacy Officer at ADT. “As a member of the working group, we applaud OTA’s effort to open the dialogue with public and private sector participants in an effort to create a sustainable consumer protection framework.”

In parallel with these best practices, OTA is developing specific testing tools and methodologies to formalize the IoT Trust Framework with scoring criteria, leading to a voluntary Code of Conduct and a forthcoming certification program. OTA welcomes collaboration with organizations interested in partnering to help accelerate and broaden adoption of such certification programs worldwide.

OTA is seeking public and industry comment on this list of best practices from now until Sept 14, 2015.

To review the framework, provide feedback, or for information on joining the IoT Working Group, visit: https://otalliance.org/IoT