As security and standardization concerns around IoT rise, an organization called The Online Trust Alliance has set its sights on establishing industry standards and best practices for security, privacy and sustainability.
The Online Trust Alliance (OTA), a non-profit organization and think tank made up of industry leaders, including Microsoft Corp. (Nasdaq: MSFT), Symantec Corp. (Nasdaq: SYMC), VeriSign Inc. (Nasdaq: VRSN), ADT Corp. and TRUSTe, has come together to create voluntary industry standards. The group's "IoT Trust Framework – Discussion Draft," published in August, offers 23 minimum requirements plus 12 additional recommendations for best practices in security, privacy and sustainability, particularly for devices used in the connected home and wearables for health and fitness.
Share and share alike -- or not
Essentially, the OTA's best practices and standards boil down to two overarching considerations. One: Device manufacturers have to consider how they will secure the data collected on their devices. Two: The consumer has to be clearly informed about the nature and extent of the data collected. Having that information lets a potential purchaser know exactly what they would be getting into with an Internet of Things (IoT) device, and whether they consider the gains worth the risk. A universal standard also makes it clear how one company compares to another with respect to data privacy and security.
For example, fitness wearables often default to a passive share mode that not only collects personal data, including vital signs and real-time location, but also posts it to the user's social networks. A number of the OTA's best practice requirements address exactly that type of situation.
Under the OTA's best practices, consumers would not only have to be told what data is collected, but also how to opt in or out and what the potential vulnerabilities are. Manufacturers would also be accountable for what happens to the collected data once a device is no longer on the market or supported by the company.
The concern about people unwittingly giving up privacy through devices is not altogether new. In 2013 the US Department of Commerce's National Telecommunications and Information Administration (NTIA) tried to address these concerns by pushing for a Short Form Notice Code of Conduct to Promote Transparency in Mobile App Practices, but today it is not just a matter of apps people download onto their phones.
The OTA's framework and its best practices are meant to prompt the industry to be proactive rather than waiting to patch a problem only after it is uncovered by a hack or a breach.
Jim Kilmer, vice president of Manufacturing, Automotive, Energy and Utility Vertical Practices at Verizon Enterprise Solutions, echoed this call during a recent Tune in Tuesday Radio Show on The New IP. During the show, he acknowledged that the exponential increase in data that comes with IoT brings a particular challenge: giving access to the people who are supposed to work with the data while protecting it from exposure points that could compromise security.
Kilmer says that Verizon mitigates those risks through "preplanning." He explained, "The way that we build our core networks, [they're set not just to prevent] something bad from happening [but also with the] ability to respond." (Listen to: The Manufacturing, M2M & Analytics Tipping Point.)
Fixing a broken model
Today, Craig Spiezle, executive director and president of the Online Trust Alliance, says "The US model is broken which helps explain the decline of trust in advertising and the increase in the use of ad blockers." But he says there is an alternative model, found in the EU, which demands far more of companies with respect to data protection and privacy than the US does. What the OTA proposes is similar to the EU's approach in "requiring consumer consent to the collection, and sharing of their data," says Spiezle.
As for industry involvement in data and privacy protection, Spiezle says that though they "have technology leaders," there are still no IoT device manufacturers that have truly "demonstrated leadership and commitment to consumer protection and trust." But he is optimistic, as many are now involved and reviewing their own practices to comply with the framework; Spiezle says that both "the public and private sector [recognize] the importance of privacy, security and sustainability."
Reassuringly, on Tune in Tuesday, Kilmer noted that Verizon is committed to standards in this space as in others. "When you get to standards, we have been an integral partner not only with the folks that we compete with but also with our customers in developing standards for all of the different network platforms -- MPLS or 4G LTE or SDN," he said. "We will continue that practice because we need to have standards to make all of these things as usable as possible for our customers."
Whether all in the industry will agree to the OTA's 23 requirements and 12 recommendations, though, remains to be seen. The requirements and recommendations are not etched in stone, however, and the organization specifically asked companies to weigh in on them by September 14.
Indeed, just as technology is constantly evolving, industry players have to adapt with more robust security standards that can stand up to today's challenges.
— Ariella Brown, Freelance Contributor, special to The New IP