A Trustmark for IoT

Summary: For Mozilla, we explored the potentials and challenges of a trustmark for the Internet of Things (IoT). That research is now publicly available.

UPDATE 04/2018: Together with ThingsCon and with support from Mozilla Foundation in the form of a Mozilla Fellowship, I’ll be turning this research into action in 2018/2019. The best place to learn more is thingscon.com/iot-trustmark.

If you follow our work both over at ThingsCon and here at The Waving Cat, you know that we see lots of potential for the Internet of Things (IoT) to create value and improve lives, but also some serious challenges. One of the core challenges is that it’s hard for consumers to figure out which IoT products and services are good—which ones are designed responsibly, which ones deserve their trust. After all, too often IoT devices are essentially black boxes that are hard interrogate and that might change with the next over-the-air software update.

So, what to do? One concept I’ve grown increasingly fond of is consumer labeling as we know from food, textiles, and other areas. But for IoT, that’s not simple. The networked, data-driven, and dynamic nature of IoT means that the complexity is high, and even seemingly simple questions can lead to surprisingly complex answers. Still, I think there’s huge potential there to make huge impact.

I was very happy when Mozilla picked up on that idea and commissioned us to explore the potential of consumer labels. Mozilla just made that report publicly available:

Read the report: “A Trustmark for IoT” (PDF, 93 pages)

I’m excited to see where Mozilla might take the IoT trustmark and hope we can continue to explore this topic.

Increasingly, in order to have agency over their lives, users need to be able to make informed decisions about the IoT devices they invite into their lives. A trustmark for IoT can significantly empower users to do just that.

Below, you’ll find the beginning of the report including the executive summary.

///

A Trustmark for IoT

Building consumer trust in the Internet of Things by empowering users to make smarter choices. A ThingsCon report commissioned by Mozilla’s Open IoT Studio.

ThingsCon is a global community of IoT practitioners that fosters the creation of a human-centric & responsible IoT.

Mozilla’s Open IoT Studio seeks to advance responsible open IoT through professional practices and a network of IoT practitioners who conduct research, make prototypes and build meaningful collaborations.

Author: Peter Bihr (ThingsCon, The Waving Cat).
Cover design: Martin Skelly
Version 1.0, 13 September 2017

Published by ThingsCon
under Creative Commons (CC BY International 4.0).

Table of Contents

  1. Executive summary
  2. Recommendations & opportunities
  3. About this report
  4. Introduction: We need a trustworthy Internet of Things
  5. Transparency & Trust: The case for trustmarks
  6. Landscape of existing relevant certifications, labels & marks
  7. What to label & how to verify
  8. Potential collaborators
  9. References
“A lack of transparency results in distrust and a deep sense of insecurity.”
— Dalai Lama

Executive Summary

We are increasingly surrounded by connected devices that have an impact on every aspect of our lives. This Internet of Things (IoT) thrives on data. It brings us a great many services, but it also provides new and significant challenges. As the Internet reaches into our physical world, so does the fight for Internet health. We now essentially live inside a computer—and it is essential that we can trust it.

All the marks of a healthy Internet also need apply to the Internet of Things: Openness, inclusion, decentralization, privacy and safety, as well as literacy. However, in the world of IoT, some of these aspects are in ever stronger danger than in the rest of the Internet. And here, users are even less equipped to make smart, healthy and sustainable choices.

We propose a trustmark for IoT, a label for consumers to decide which devices they choose to trust and—more importantly—which devices deserve their trust. This empowers consumers to make informed decisions on how to vote with their money and for producers of IoT products to show their commitment to good practices and IoT health.

Why a trustmark for IoT, and why now?

The Internet of Things with its dizzying array of connected products and services is hard to navigate. Consumers have little insight into what any one connected product does, what it even might be capable of, or if the company employs good, responsible data practices. This is not an oversight on the consumers’ side. Rather it has to do with the way connected products work (they’re complex hybrids of hardware and software), as well as an overall lack of transparency in both data practices and business models.

A trustmark for IoT offers a way to empower consumers to make better decisions.

IoT faces a number of specific challenges and risks that go beyond other digital services, including surveillance, risk to physical safety, and that a remote software update can change devices in unexpected ways. Having these risks in mind allows us to better consider IoT trustmarks.

The discussion around consumer IoT trustmarks is extremely salient right now, and it moves quickly. Consumer trustmarks are discussed at all levels, from the European Commission to industry and grassroots initiatives. The term trustmark is often used interchangeably with other terms like certification mark, or consumer label: We recommend using the term for a consumer label with the explicit intent of increasing (justified) consumer trust.

Trustmarks are effective and enjoy high levels of trust by consumers. From other critical consumer protection areas like food and electronics safety we know that trustmarks can both increase consumer trust and provide an incentive for responsible organizations to clearly communicate their commitment to a higher standard. They enjoy high levels of trust by consumers. For commercial and non-commercial entities alike, an easy-to-understand labeling system for responsible IoT would allow them to make better, more responsible product and business decisions.

We believe that the current situation poses significant challenges to consumers—and see a tremendous opportunity for Mozilla and its community to have a massive positive societal impact and provide thought leadership. Maybe more importantly, in this debate Mozilla is in a unique position to host this debate and demonstrate leadership as a trusted organization. Mozilla’s input and leadership is both possible and very much needed.

The special trust challenge of IoT

“Trust is a critical challenge and a necessity for a thriving Internet of Things ecosystem.”
—Gérald Santucci (DG CONNECT)

The capability of IoT products to remotely receive software updates are one of IoT’s biggest strengths, but it is also one of its biggest weaknesses because a) if there are changes to the producing company (e.g. change of ownership, new strategy, bankruptcy), the products can cease operation and b) software updates can significantly change the product itself, for example by enabling or disabling features or sensors. Increasingly, consumers even face “hidden IoT” devices: Products that are not sold as “smart” yet are ready to be connected and/or contain sensors that could be activated with the next software update.

For consumers it’s nearly impossible to know the exact capabilities of the connected products in their lives. This extends to professional product reviewers, too. To make matters worse, even a comparatively secure device can be compromised if it is paired with a less secure one. Hence, the health of IoT is only as strong as the weakest link in the network.

Consumers must be able to make an informed decision on IoT products, and transparency is an essential first step. We believe that a much higher level of transparency is both essential and possible.

At any given time, consumers should have a clear answer to four simple questions:

  1. “Does it do what I expect it do do?”
  2. “Is the organization trustworthy?”
  3. “Are the processes trustworthy?”
  4. “Does it do anything I wouldn’t expect?”

An IoT trustmark can help answer these questions.

It’s worth taking a moment to ask what constitutes trustworthy technology. We consider tech trustworthy when it considers all stakeholders, takes a long view and sustainable approach, focuses on value creation rather than extraction, and if in doubt, it errs on the side of openness and empowerment. In IoT, a device’s trustworthiness doesn’t depend only on the device itself: It also depends on other factors like the device’s readability and understandability, the trustworthiness of the producing organization and their business model, societal impact, service and maintenance guarantees, and others. The multi-dimensional nature of IoT is part of why it is such a challenging space for consumers and producers alike.

“Trust arrives by foot and leaves by horse.” —Dutch saying

Trustmarks have beneficial side effects that go beyond the primary intent of verifying and promoting consumer trust. They can increase consumer awareness and literacy, and they offer producers of IoT services and products a way to distinguish their products. Furthermore they have shaping power by highlighting best practices for others to follow and by validating good design decisions and data practices.

A trustmark creates a virtuous cycle. The trustmark allows developers of IoT products to differentiate themselves by “doing the right thing”. It allows consumers to make smarter choices and to put pressure on all developers to follow suit. This creates a virtuous cycle in favor of a trustworthy IoT.

What to label & how to verify

There are many different possible approaches to labeling, so it is essential to answer what to label for, who verifies and how, and how can the trustmark be communicated. In order to be effective, the IoT trustmark needs a clear focus. In our research we identified the following core themes:

  • Good data practices: privacy, security, data protection, putting users in control over data capture and processing
  • Good security practices: checklists, openness, giving users control over fallback mechanisms
  • Openness: transparency, hackability, open source, compatibility
  • Lifecycle management: service guarantees, repairability, ease of reverse-engineering and/or hacking, having a strategy in place for end-of-life
  • Establishing that the producing organization is trustworthy and knows how to handle itself

At the core, transparency helps consumers understand and navigate the complexities of networked technologies. This can only work if a label is verifiable, and trustworthy. In the literature we reviewed as well as in many conversations with experts we encountered a great range of characteristics, principles, or aspects to consider for labels, which we explore in the chapter “What to label & how to verify”. There is a wide spectrum of types of consumer protection labels or trustmarks, from self-labeling to third party certification. A successful IoT trustmark needs to balance between widespread adoption (promoted by a low barrier-to-entry in terms of cost and bureaucracy) and trustworthiness (promoted by a reliable verification process). Based on our research, we recommend aiming for a relatively light-weight trustmark approach. We believe an IoT trustmark should tend towards the self-assessed and voluntary while being verifiable through context-appropriate “View Source” privileges.

We recommend weighing the label slightly towards the device level, but taking into account at least the most salient aspects of a more systemic nature. Especially where data processing happens in the cloud, this is highly relevant for users to know. How exactly this can be implemented should be based on further research and input from a user survey and workshops with partner organizations.

Given the context of Internet of Things, where the information underlying any label will have to be flexible enough to account for future software updates, a dynamic mark seems most promising. If the mark links to deeper background content on the open web, then all relevant information can be publicly accessible and updated as needed. The information displayed on that URL should include the “top level” mark (for example, binary or traffic light) as well as the underlying information, like further documentation. In addition to being pragmatic and flexible enough, such an open web based model seems a particularly good fit for this context as well as Mozilla’s culture.

The success of a consumer label also depends on how easy it is to understand, and how actionable it is, without oversimplifying. Striking the right balance between accessibility and density is key for a successful, useful implementation of a trustmark. The look and feel of the final trustmark draft will require designers’ input. Nutritional labels and laundry labels can serve as inspiration from which the consumer IoT space can learn a lot.

Optimally, the IoT trustmark should convey at a glance the level of trustworthiness and allow for retrieval of more detailed background and context information.

The Landscape of existing relevant certifications, labels & marks

Trustmarks for IoT do not, and could not, exist in a vacuum. In the chapter “Landscape” we highlight several existing approaches. None of them solve the challenges we see for the IoT space, but all are for one reason or another particularly relevant for the context of IoT trustmarks. We looked at a wide range of labels and certifications including OSHWA’s Open Source Hardware Certificate, Creative Commons’ content licensing, the FCC’s Broadband Nutrition Labels, Carnegie Mellon University’s Privacy Nutrition Labels, the iFixit Reparability Score, CE certification, the German Blue Angel environmental label, Fairtrade, and laundry labels.

The open web was so successful because it was built on open interoperable layers. The same applies to labeling in the consumer IoT space: Trustmarks are one layer to apply alongside other layers and building blocks. Some of these building blocks might be other consumer labels or certifications, others might be technologies or protocols.

Current proposals and initiatives for IoT-related labels

The chapter “Current proposals” looks at proposals, drafts, and initiatives specifically for the realm of IoT. The landscape today looks relatively scattered. The majority of proposals focus on information provided by the producer of IoT products, but a few take a more centralized, top-down, regulatory approach. This seems to be representative of the equally scattered landscape of organizations and initiatives. We believe that Mozilla can play an instrumental role in convening these scattered initiatives and hosting this global conversation. Mozfest and the Internet Health Report both seem to be natural starting points.

As part of Europe’s push for a Digital Single Market, the European Commission identifies the need for consumer trust in IoT and proposes a labeling system. Europe emerges as a fierce proponent of consumer protection when it comes to digital services, and has been doubling down on IoT especially. With the General Data Protection Regulation (GDPR) about to go into effect in 2018 and the “Trusted IoT” initiative we see ever-stronger efforts to protect European consumers from commercial data exploitation. It seems that just like Silicon Valley is a global hotspot for disruptive innovation and for providing the means for global scaling of digital services, and like Shenzhen, China, is the world’s manufacturing epicenter, Europe increasingly claims a global leadership role in consumer rights, privacy, and data protection.

Potential collaborators

In our research, we identified a number of promising emerging proposals and initiatives, as well as potential collaborators and allies. The #iotmark initiative, Doteveryone, The Repair Project, Projects by IF (all UK), Just Things (Netherlands), Consumers International, The Digital Standard, and ThingsCon (all global) are all organizations and initiatives we strongly recommend working with.

About this report

This report is based on extensive research in and around the ThingsCon network, a community of IoT practitioners that fosters the creation of a responsible & human-centric Internet of Things. It aims to serve as a starting point for proposing and implementing a labeling system from which further feedback from consumers and industry can be gathered. Written by Peter Bihr, ThingsCon co-founder and managing director of research & strategy firm The Waving Cat, the report is based on interviews and workshops with expert practitioners including designers, developers, researchers, entrepreneurs and activists, conversations at relevant conferences like the London 2017 founding event of the #iotmark initiative (that the author is involved with), as well as extensive literature review.

///

I’d love to hear what you think, or if you’re working on similar projects, to see if there are ways to collaborate.

Disclosures: My wife works for Mozilla’s Open IoT Studio. I’m co-founder of ThingsCon. I’m also involved in the London #iotmark initiative.