Tech, Retail Firms Propose Privacy Standards for Internet of Things

New guidelines from the Online Trust Alliance will put the onus on connected device makers to protect consumer privacy and security.
New guidelines from the Online Trust Alliance will put the onus on connected device makers to clarify data collection practices and ensure the privacy and security of the devices throughout their useful life. (Photo of a WalMart store courtesy of WalMart.)

In-brief: The Online Trust Alliance, a group representing some of the largest technology and retail firms in the U.S., has proposed a framework for ensuring the privacy and security of connected devices. The OTA proposal would eliminate some of the more egregious data harvesting practices of connected device makers.

The Online Trust Alliance, a group representing some of the largest technology and retail firms in the U.S., has proposed tough new standards for the emerging Internet of Things that would raise the bar for both privacy and security in connected devices and eliminate some of the more egregious data harvesting practices of connected device makers.

The Online Trust Alliance (OTA), which includes firms such as Microsoft, Symantec, Target, home security firm ADT and TRUSTe, on Tuesday released its Internet of Things Trust Framework, which offers guidelines for IoT manufacturers, developers and retailers. The group is targeting consumer IoT devices in categories such as home automation, consumer health and fitness wearables. OTA said its proposed guidelines will help ensure that IoT devices meet basic standards for security and privacy and sustainability – meaning support over the lifecycle of a product.

Craig Spiezle, Executive Director and President of OTA, told Security Ledger that part of the impetus for the new framework came from his personal experience of buying a “smart” home, only to realize that key features – like a gate and garage door opener with Wi-Fi connectivity – were not being actively managed by the vendor who supplied them.

“I chose to disable the smart functions because I wasn’t convinced that they were secure.”

Connected home technologies like thermostats and home security systems – if improperly designed and deployed – could introduce new risks that home owners and even manufacturers hadn’t considered, Spiezle said. A thief with a software exploit, for example, could compromise all gates from a certain maker, compromising the security of hundreds of homes in a geographical region in a single go.

The OTA guidelines set a high bar for IoT device makers. On the security front, the framework calls on manufacturers to employ end-to-end encryption, including device connections to mobile devices and applications and wireless communications to the cloud or other devices. Device makers should include features that force the retirement of default passwords after their first use and configure multiple user roles with separate passwords for administrative and end-user access.

Privacy policies must be made available to potential buyers prior to product purchase and disclose the consequences of declining to opt in or out of policies, such as data collection. And, in a nod to consumer advocates’ complaints about long and legalistic end-user license agreements (EULA) and privacy policies that are the p, device makers would be required to “maximize readability.”

Beyond that, manufacturers must conspicuously disclose all personally identifiable data types and attributes collected. A health or fitness band would need to inform potential buyers that it harvests data such as their physical location and biometric data like heart rate, pulse, blood pressure and so on.

Spiezle said that such questions and issues are currently “uncharted waters” in the consumer space. And, in fact, issues related to data collection and disclosure in connection to smart appliances have already come to the fore. In 2014, device maker LG issued a firmware update for its SmartTVs that disabled the “connected” features of the device if users would not agree to lengthy new Terms of Service and Privacy Agreements. The revised documents granted LG permission to monitor and record their viewing habits and their interactions with the device, including voice commands.

The terms of that monitoring were spelled out in lengthy “Legal Notice,” “Terms of Use” and “Privacy Policy” documents that appeared when SmartTV users first attempted to access the non-broadcast viewing options on their devices.

Consumers were also dismayed to learn that Samsung smart TVs could capture ambient audio collected from its customers and transmit that to “third parties” – in essence: a kind of eavesdropping. As with LG, Samsung explained the data collection only in the Terms of Service that consumers must agree to before operating the home appliance.

Under the new OTA guidelines (PDF), manufacturers and retailers would need to spell out any data collection and sharing on device packaging, so consumers can make informed decisions about which products to buy. Beyond that, any default personal data sharing would be limited to third parties or service providers who agree to confidentiality and to limit use of the data to specified purposes such as supporting product features and functionality.

Spiezle said that retail buyers who must choose among dozens or scores of competing devices often don’t know to ask about issues like data collection, device security and privacy protections. The OTA guidelines give those firms a checklist to refer to.

And OTA is focusing on what it calls “sustainability,” as well, noting that – especially in the home appliance market – devices might have useful lives measured in decades, not the two- or three-year life spans common in much of the consumer electronics marketplace.

“We’re asking manufacturers to think about how these devices will be managed over time,” Spiezle said. “How will you notify consumer that a patch is available? Will that happen when they register a device?” Spiezle offered as examples of the kinds of questions IoT device manufacturers would be expected to be able to answer.

Device makers would also need to disclose if the user has the ability to remove or purge personal and sensitive data when they sell or stop using a device. Such features should be available at no charge to the owner, the OTA said.

Spiezle acknowledged that the risk posed by a vulnerable home thermostat or garage door opener was low. However, the aggregate effect of abandoned and connected devices could be dire. “What happens when you have 100,000 garage door openers or thermostats that are no longer supported?” Spiezle said it is not far-fetched to imagine an attack on widely deployed but unsupported and insecure home automation technologies as a way to sow chaos or disruption as part of a coordinated terrorist attack.

Despite the recent attention to connected vehicles, however, OTA is staying away from that category of product. Spiezle said that the safety of connected vehicles is already overseen by multiple federal agencies, making recommendations from the OTA superfluous.

The group is soliciting feedback on the framework for 30 days. After that, members will work to consolidate their recommendations and then release the framework. “This is version one,” said Spiezle. “The goal is to raise awareness for consumers and businesses alike.”
