On August 11, 2015, the Online Trust Alliance (OTA) released an Internet of Things (IoT) Trust Framework (the Framework), which presents guidelines for IoT manufacturers, developers, and retailers. The Framework was designed by a multi-stakeholder group formed in January 2015, including ADT, AVG Technologies, Microsoft, Symantec, TRUSTe, Verisign, and over 100 other IoT experts. Craig Spiezle, Executive Director and President of OTA, said, “The rapid growth of the Internet of Things has accelerated the release of connected products, yet important capability gaps in privacy and security design remain as these devices become more and more a part of everyday life.” The Framework addresses only two key categories of IoT devices: home automation devices and consumer health and fitness wearables.
Specifically, some of the Framework’s highlights are:
- Privacy Policies: “The privacy policy must be readily available to review prior to product purchase, download or activation and be easily discoverable to the user. Such policies must disclose the consequences of declining to opt-in or opt-out of policies, including the impact to usage of key product features or functionality.”
- Limit Disclosures: “Any default personal data sharing must be limited to third parties/service providers who agree to confidentiality and to limit usage for specified purposes.”
- Encrypt: “Personally identifiable data must be encrypted or hashed at rest (storage) and in motion using best practices including connectivity to mobile devices, applications and the cloud utilizing Wi-Fi, Bluetooth and other communication methods.”
- Test: “Manufacturers must conduct penetration testing for devices, applications and services.”
- Mitigate: “Manufacturers must publish and provide timely mechanisms for users to contact the company regarding issues including but not limited to the loss of the device, device malfunction, account compromise, etc.”
Public comments on the Framework are due to the OTA by September 14, 2015. The OTA is also developing tools and methodologies that will formalize the Framework and ultimately lead to a voluntary Code of Conduct and certification program for IoT manufacturers, developers and retailers.