The Internet of Things as a concept is now well-embedded into the digital market. From smart metering to wearable tech and medical aids, the range of devices and applications covered is immense and growing. However, there has been a steady stream of stories in recent years highlighting potential or actual security issues with familiar devices which can now connect to the Internet. Although many manufacturers are producing devices or services which utilise the internet, these may not always adequately address all the related security risks.
In an attempt to address this, the Online Trust Alliance (OTA), a grouping of technology suppliers, has recently published a draft Trust Framework for the Internet of Things.The draft Trust Framework is intended to set out best practice, with a view to potentially forming part of a certification or self-regulation regime. The document has been published as a ‘discussion draft’, with the explicit aim of seeking comments on it from those outside the OTA.
What does the draft Trust Framework recommend?
The draft Trust Framework contains 23 minimum requirements, with a further 12 recommendations. These span both privacy and security – the term “trust” here encapsulating both concepts. They include requirements that:
- User websites adhere to SSL best practice, and use of HTTPS encryption by default.
- Manufacturers must conduct penetration testing for devices, applications and services.
- Manufacturers must have capabilities to remediate vulnerabilities in a prompt and reliable manner, either through remote updates and / or through consumer notifications and instructions.
- Manufacturers must have a breach response and consumer safety notification plan, reviewed at least semi-annually.
- Security and privacy should be “a priority from the onset of product development and addressed holistically”.
- The privacy policy must not be hidden, e.g. so that it is only available after purchase of the product or service, and must be readable on the device on which it will be viewed.
- Privacy policies explain clearly what data is being collected, and how long it will be kept.
- Data should be shared only with people who agree to keep it confidential, and only for limited purposes.
Many of the recommendations may not be surprising, but the challenge will be to encourage manufacturers from across the spectrum to follow any final version of the framework. An industry-driven certification regime would provide a clear incentive to manufacturers, as well as reassurance to consumers.
Of course in many countries, the products and services involved will already be governed by consumer protection and data privacy legislation, which is itself increasingly changing to address some of the privacy and security issues arising in this area.
The OTA is inviting responses on the draft Trust Framework by 14 September 2015.