Internet of Things (IoT)

OTA Response to NTIA IoT Green Paper

Today the OTA responded to the U.S. Department of Commerce (DOC) request for comments on its IoT Green Paper. The DOC plays an important role in helping to address the mounting security and privacy risks associated with the rapid rise in the use of Internet of Things (IoT) devices. Society and the global economy are witnessing an unparalleled level of innovation brought forth by the introduction of thousands of new IoT devices. While it is important to recognize that there is no perfect security or privacy, all too many IoT devices appear to be designed primarily for convenience and functionality.

Unfortunately, to date multiple U.S. Government agencies are fragmenting the industry by asserting conflicting and overlapping roles and principles. Rather than reinvent the wheel, we recommend the DOC work across U.S. agencies as well as with other international efforts and drive reconciliation of those efforts. Doing so will provide significant benefits, offering market certainty and helping ensure society can reap the benefits and promise of IoT. OTA’s submission underscores the need for increased focus on the following key areas:

  1. IoT Security: A Collaborative and Shared Responsibility
  2. Defining Scope and a Common Taxonomy Across the USG
  3. Global Perspective and the Free Flow of Data Across Borders
  4. Privacy and Consumer Control of the Data
  5. Device and Data Transferability
  6. Vulnerability Reporting
  7. Voice Interfaces


IoT Threats – What we can do today and tomorrow

See Related Readings – Vision for Trust

The rapid rise of the Internet of Things (IoT) has brought forth a new generation of devices and services representing the most significant era of innovation and growth since the launch of the Internet. IoT solutions are game-changers, offering consumers, businesses and governments across the globe countless benefits. While the vast majority of devices are safe and secure by today’s standards, all too many are being sold without security safeguards, adequate privacy controls or lifecycle support. Combined, these devices have become proxies for abuse, with a capacity for causing significant disruption, including life safety issues.

To address these combined issues, OTA convened a cross-industry working group with the vision of developing best practices and creating an IoT Trust Framework, a voluntary self-regulatory model. Released this past March, the Framework identifies 31 criteria initially focused on connected home, office and wearable technologies. It serves as a voluntary code of conduct and as the foundation for several certification and risk assessment programs in development.

The Framework represents a major step toward shaping products being developed, but we also need to consider what we can do to address the risks in products being sold today and already in use worldwide. We recommend the Committee call on stakeholders to consider these initial guidelines. Where technically and economically feasible, these and other efforts are needed so that together we may build a safer, more secure world and enable the IoT industry to reach its full potential.

  1. Developers and manufacturers
    • Proactively communicate to customers any security and safety advisories and recommendations.
    • Products which can no longer be patched and have known vulnerabilities should have their connectivity disabled, be recalled, and/or have their consumers notified of the risk to their personal safety, privacy and the security of their data.
    • Provide disclosures, including on product packaging, stating the term of product support beyond the product warranty.
    • Update websites to provide disclosures and security advisories in clear, everyday language.
  2. Retailers / Resellers / eCommerce Sites
    • Voluntarily withdraw from sale products being offered without unique passwords or without a vendor’s commitment to patching over their expected life.
    • Apply supplementary labels or shelf-talkers advising buyers of products with exemplary security, data protection and privacy policies.
    • Notify past customers of recalls, security recommendations and potential security issues.
  3. Consumers and users have a shared responsibility. Users need to:
    • Maintain devices and stay up to date on patches.
    • Update contact information, including email address, for all devices.
    • Regularly review device settings and replace insecure and orphaned devices (see Exhibit A).
  4. ISPs should consider the ability to place users in a “walled garden” when detecting malicious traffic patterns coming from their homes or offices. In concept this would allow basic services such as 911 access and medical alerts, while limiting other access. Accompanying notifications can advise consumers of the harm being incurred and of the need to make changes, replace devices or seek third-party support. It is important to clarify that, as outlined by the FCC’s Communication Security & Reliability Council in 2012, such notifications should not directly burden ISPs or carriers with remedying problems unrelated to the services they provide.
  5. Government
    • Fund outreach and education, working with trade organizations, ISPs, local grassroots organizations, media, State agencies and others to raise awareness of the threats and responsibilities. Focus on teachable moments such as the time of purchase, inclusion in billing statements and emails to the installed base of users, and notices to ISP customers.
    • Prioritize a “whole-of-government” approach to the development, implementation and adoption of efforts and initiatives, with a global perspective. Coordinated efforts will help ensure industry can innovate and flourish while enhancing the safety, security and privacy of consumers, enterprises and the nation’s critical infrastructure.

The future of IoT cannot be realized without addressing security and privacy risks and policy issues. Securing and protecting the things that matter most—our systems, our data, and our privacy—is a shared responsibility. Security and privacy must become part of every product’s feature set. They cannot be bolted on mid-flight; they must be designed in from the outset. Creating a culture of security, privacy and sustainability, with transparency, will yield long-term benefits to society. OTA looks forward to working with all parties to help accelerate the development of best practices, including core safety and privacy requirements, to realize the potential of IoT.


Wearables: the Next Fashion Statement

Do Consumers Know The True Price They May be Paying?

See OTA Call for Comments on IoT Security, Privacy & Sustainability Best Practices

Innovation in personal connected devices, aka the Internet of Things (IoT), offers consumers the enticing promise of a wide range of functions and benefits. These advancements are leapfrogging what we have realized from smartphones and mobile apps. We are a data-driven society and economy, increasingly conscious of the opportunity the data from these devices can provide. Wearables and cross-device tracking can provide more significant insights into the lives, behaviors and tastes of consumers than ever before. Done right, vendors, marketers, retailers and consumers can all benefit. As companies rush to market, are they considering the consequences and responsibilities that come when consumers entrust them with their data? If past news headlines are an indicator of the future, one might say no.

Thanks to Samsung we have TVs which listen to and watch us. Hertz, the world’s largest car rental company, has cameras watching the driver rather than the road, and according to 60 Minutes we now have cars which can be taken over by a hacker. But of greater concern are the implications of wearable technologies. Not only are they capturing where we are physically, but also our vitals, redefining personal data and risk.

We have to be careful not to let the promise of innovation blind us. Not unlike smartphones, the majority of wearable devices can be tracked or located through Bluetooth connections and device identifiers. If someone knows where you are, they also know where you are not. Stalkers could use this information with malicious intent, to the point of physical harm. Knowing your history and applying powerful analytics, one can calculate where you will be going. Predicting a person’s future movements is now conceivable.

Not unlike the iPhone’s introduction nearly 8 years ago, the Apple Watch is making a fashion statement. Consumers by the millions are rushing to be the first on the block, but are they thinking about the privacy and security safeguards? While the utility is compelling, what about the consequences? Apple’s CEO Tim Cook recently made a bold statement that your data will never be shared, brokered or sold. I applaud Apple’s commitment, but remain concerned about an unanticipated breach or forced legal disclosure of data.

We are the “yes” generation, clicking “yes” to download an app or get access for “free”, yet rarely does anyone read the policy. This point was illustrated in the movie “Kingsman: The Secret Service”. Without disclosing the end of the movie, the villain is an internet billionaire known for his philanthropy. He announces a giveaway of SIM cards, granting free cellular and Internet access to everyone. Not surprisingly, consumers flocked to stores to get their cards, but never asked about the privacy or security implications. Unknown to everyone, his plan was to broadcast a signal to the phones causing everyone to become uncontrollably violent and kill each other, solving the problem of overpopulation.

While I am not suggesting any of the recent security and privacy exploits are as sinister as what was depicted in the movie, it serves as a stark reminder of the need for self-regulation, supply chain integrity, adherence to security best practices, and clear and concise consumer notices.

As leaders in interactive marketing, you have significant opportunities for leadership.

  1. Put the Consumer First. At the end of the day, the data is theirs. Is your data strategy aligned with user expectations? If not, re-engineer your strategy; do not defend it by saying your policy discloses it or that others are doing it.
  2. Make Security and Privacy by Design Job One. A misstep will not only bring on regulatory oversight and fines but potentially irreversible reputational damage.
  3. Set the Course for the Future. Get involved and help make meaningful self-regulation a reality. Step up to the plate. Put the consumer first and make a real fashion statement.


Certification Model for IoT

Following the exponential growth of the internet, mobile devices and applications, consumers worldwide are being presented with thousands of options and solutions purporting to support the promise of the connected home and wearable technologies. Unfortunately, in this rapid race to market, all too many of these products and services lack basic security and privacy considerations. The implications range from identity theft and personal security compromises to consumer distrust of products that are difficult to use and set up. Regulators, including the FTC and State Attorneys General, are paying attention, seeking fines and settlements. At the same time, device manufacturers and application developers are looking for leadership and an outline of best practices to adopt.

OTA is now seeking comments from stakeholders. How can we make IoT devices more trustworthy? OTA is working in partnership with a broad group of stakeholders and is in the midst of developing a framework for a trustworthy certification program for IoT devices. The initial focus is on the connected home and wearable technologies (health and fitness). Stakeholders being invited include major retailers (online and offline), OTA members, device vendors and members of the privacy and security communities.

It is envisioned as a voluntary certification model, driving vendors to adopt user-centric, privacy- and security-enhancing best practices and to compete on usability, privacy, security and sustainability. If you would like to get involved, contact me directly: craigs @ otalliance.
