General

OTA Seeking Public Comment on IoT Trust Framework

Published: Aug. 21, 2015

Updated: Oct. 05, 2020

The Online Trust Alliance (OTA) released a proposed Internet of Things (IoT) Trust Framework (“Framework”) and is requesting public comment by September 14. The Framework is the first global, multi-stakeholder effort to address the privacy and security risks associated with IoT devices, and is intended to provide best practices for industry participants when designing, creating, and marketing connected devices. In addition to establishing best practices, OTA aims to develop testing tools and methodologies, and to create a voluntary Code of Conduct and certification program.

The proposed Framework resulted from discussions among OTA’s IoT Trustworthy Working Group, and unsurprisingly reflects the influence by the Fair Information Practice Principles (FIPPs). It initially concentrates on two categories of IoT devices, those related to: 1) home automation and connected home products, and 2) wearable technologies, limited to health & fitness categories. Given the range of products that may fall into these categories, the Framework will not necessarily be equally applicable or feasible for every product.

As with other products, the Framework states that privacy by design must be a priority for connected products and many of the proposed minimum requirements capture familiar principles. However, a few items, especially in the security practices, are a little more granular and proscriptive. For example, the device should provide an indicator or notice when pairing with another device, and manufacturers are required to conduct penetration tests on devices, applications, and services. Similarly, the Framework requires PII to be encrypted or hashed at rest. In addition to these minimum requirements, the proposal offers some additional recommendations that companies with these devices may want to consider.