IoT security and privacy must be built in, says OTA

Online Trust Alliance reveals draft of Internet of Things Trust Framework


Security and privacy of the Internet of Things must be addressed proactively, and not just as an afterthought, according to industry body the Online Trust Alliance (OTA).

The OTA, which counts ADT, AVG Technologies, Microsoft, Symantec, Target, TRUSTe, Verisign and nearly 100 other subject matter experts among its members, has warned that security and privacy must be approached holistically by vendors and service providers, and that consumers need long-term protection.

The alliance has published the first draft of its Internet of Things Trust Framework, which aims to give end users trust and safety in the use of IoT devices, particularly with regard to smart homes and consumer health and fitness wearables. The framework will outline vendor- and technology-neutral best practices, and will evolve over time to reflect the latest best practices, security standards, regulatory requirements and the changing threat landscape.

"The rapid growth of the Internet of Things has accelerated the release of connected products, yet important capability gaps in privacy and security design remain as these devices become more and more a part of everyday life," said Craig Spiezle, executive director and President of OTA. "For example, with a fitness tracker, does the user know who may be collecting and sharing their data? When you purchase a smart home, what is the long-term support strategy of patching devices after the warranty has expired? How do manufacturers protect against intrusions into smart TVs and theft of data collected from device cameras and microphones? What is the collective impact on the smart grid or our first respondents should large numbers of these devices be compromised at once?"

Among the key points of the draft framework are that privacy policies must be readily available for review prior to product purchase, download or activation; personally identifiable data, both at rest and in motion, must be encrypted; data collection policies of a device should be disclosed prior to purchase, and it should be clear to consumers how the device's key features will work if they choose not to share data; and users should be told if they can remove or make anonymous their data if they stop using the device or it reaches end-of-life.

The framework also requires that manufacturers look to a sustainable approach to privacy and security, and do not simply stop supporting devices because they have stopped making them. Requirements include publishing a time frame for support after the device or app is discontinued or replaced by a newer version; having the means to remediate vulnerabilities in a fast and reliable fashion; and having a tested breach response and consumer safety notification plan to use in case of incidents.

In parallel with these best practices, OTA is developing specific testing tools and methodologies to formalize the IoT Trust Framework with scoring criteria, leading to a voluntary Code of Conduct and a forthcoming certification program. OTA welcomes collaboration with organizations interested in partnering to help accelerate and broaden adoption of such certification programs worldwide.
