Security and privacy of the Internet of Things must be addressed proactively, and not just as an afterthought, according to industry body the Online Trust Alliance (OTA).
The OTA, which counts ADT, AVG Technologies, Microsoft, Symantec, Target, TRUSTe, Verisign and nearly 100 other subject matter experts among its members, has warned that security and privacy must been approached holistically by vendors and services providers, and that consumers need long term protection.
The alliance has published the first draft of its Internet of Things Trust Framework, which aims to give end users trust and safety in use of IoT devices, particularly with regard to smart homes and consumer health and fitness wearables. The framework will outline vendor- and technology-neutral best practices, and will evolve over time to reflect the latest best practices, security standards, regulatory requirements and the changing threat landscape.
"The rapid growth of the Internet of Things has accelerated the release of connected products, yet important capability gaps in privacy and security design remain as these devices become more and more a part of everyday life," said Craig Spiezle, executive director and President of OTA. "For example with a fitness tracker does the user know who may be collecting and sharing their data? When you purchase a smart home what is the long-term support strategy of patching devices after the warranty has expired? How do manufactures protect against intrusions into smart TV's and theft of data collected from device cameras and microphones? What is the collective impact on the smart grid or our first respondents should large numbers of these devices be compromised at once?"
Among the key points of the draft framework is that privacy policies must be readily available for review prior to product purchase, download or activation; personally identifiable data, both at rest and in motion, must be encrypted; data collection policies of a device should be disclosed prior to purchase, and it should be clear to consumers how the device's key features will work if they choose not to share data; and users should be told if they can remove or make anonymous their data if they stop using the device or it reaches end-of-life.
The framework also requires that manufacturers look to a sustainable approach to privacy and security, and do not simply stop supporting devices because they have stopped making them. Requirements include publishing a time-frame for support after the device/app is discontinued or replaced by newer version; having the means to remediate vulnerabilities in a fast and reliable fashion, and should have a tested breach response and consumer safety notification plan to use in case of incidents.
In parallel with these best practices, OTA is developing specific testing tools and methodologies to formalize the IoT Trust Framework with scoring criteria, leading to a voluntary Code of Conduct and a forthcoming certification program. OTA welcomes collaboration with organizations interested in partnering to help accelerate and broaden adoption of such certification programs worldwide.