
ThingsCon: Trustable Tech Mark (27 Oct 2018, Mozfest Edition)

October update of the Trustable Tech Mark overview. Learn more at http://trustabletech.org


  1. Trustable Technology Mark: A trustmark for the Internet of Things. 27 October 2018, Mozfest London. Peter Bihr (@peterbihr). This work is created as part of a Mozilla Fellowship. Unless otherwise noted, Creative Commons BY-SA 4.0. trustabletech.org is an initiative by ThingsCon e.V. with support from Mozilla.
  2. The Trustable Technology mark empowers consumers to make informed decisions & enables companies to prove their connected products are trustworthy.
  3. Peter Bihr (ThingsCon, Mozilla Fellow), Project lead: thingscon.com, thewavingcat.com, @peterbihr. Jason Schultz (NYU Law, Mozilla Fellow), Legal: theendofownership.com, its.law.nyu.edu, @lawgeek. Peter Thomas (University of Dundee), Logo & Brand: tompigeon.com, dundee.ac.uk/djcad.
  4. The Internet of Things increasingly touches all aspects of our lives, but mostly it consists of black boxes. We need to make sure that we can trust them. Consumers have little insight into how any one connected product works, what it even might be capable of, or if the company employs good, responsible data practices. This is not an oversight on the consumers' side: We lack the tools to find out. Why do we need a trustmark? Amazon Echo. Image: Frmorrison, CC (BY-SA 3.0)
  5. 4 questions that we should be able to answer for every connected device. But for connected products, these are very hard questions to answer. A simple litmus test. Source: The Waving Cat (CC BY). Does it do anything I wouldn’t expect? Is the organization trustworthy? Is it made using trustworthy processes? Does it do what I expect it to do?
  6. The trustmark is aspirational and aims to raise the bar at the top of the pyramid. This work is driven by values, not pragmatism. This needs to exist in order to get to a better IoT, and a better society. We believe that good ethics are good for business. Our Goal: A trustmark to aim higher. Find out more on medium.com. (Pyramid diagram labels: Trustable Tech mark, Baseline certification; Great, Good, Bad.)
  7. Those companies who already build trustworthy products have already done the “hard” work. For them, documenting their work is easy and quick. However, if a company just isn’t there yet, they need to go back and put in more effort. Characteristics. The trustmark should be: Hard to earn, Valuable/Meaningful, Easy to apply. Peter Bihr (CC-BY-SA)
  8. A trustmark for IoT: Building consumer trust in the Internet of Things by empowering users to make smarter choices. A ThingsCon Report commissioned by Mozilla’s Open IoT Studio. Our 2017 trustmark research has received great feedback and reach. Among other things it was quoted extensively in Brazil’s National IoT Plan. Now we want to put our research into action. Early feedback & successes. Find out more: https://www.thingscon.com/report-a-trustmark-for-iot
  9. Why should a company sign up? Fairphone. Image by Fairphone, CC (BY-SA 2.0). This trustmark communicates a company’s commitment to a higher standard, and allows them to prove their connected products are trustworthy. The trustmark increases consumer trust by demonstrating commitment to exemplary levels of transparency, openness and responsibility. The trustmark will attract talent: We believe that only the best companies attract the best talent, and strong vision & values are a key aspect.
  10. We’re proposing a trustmark for IoT that increases transparency and empowers consumers to make better decisions. It takes a holistic approach that goes beyond just the device and includes procedural and organizational aspects. The prototype phase will focus on voice-enabled IoT (smart speakers, etc.). How will it work? Find out more: https://www.thingscon.com/report-a-trustmark-for-iot. The trustmark: evaluates 5 key dimensions; is pledge-based (self-certification); is verified through publicly accessible documentation; is (mostly) decentralized; is openly licensed and free to use.
  11. The trustmark evaluates compliance with 5 dimensions that we identified in our initial research* as most crucial for consumers. Dimensions. *See A Trustmark for IoT (2017), p. 56. Privacy & Data Practices: How respectful of privacy? Is it designed using state of the art data practices? Transparency: Is it obvious to users what the device does and how data might be used? Security: Is it designed and built using state of the art security practices and safeguards? Stability: How robust? How long a lifecycle to expect? Openness: How open are device and manufacturer? Is open data used or generated?
  12. Security, Transparency, Privacy & Data Practices, Stability are required conditions of trustworthiness. We treat Openness as a strong indicator of trustworthiness. Building blocks of trust. See Trustable Tech Mark “Theory of Trust”: https://www.thingscon.com/blog/2018/9/4/trustable-tech-mark-our-theory-of-trust
  13. What will we evaluate? Input: What goes into making a product? In the textile world, Bluesign is a trustmark that demonstrates that an apparel manufacturer uses sustainable, eco-friendly materials. Process: How is a product made? Fairtrade with their strong focus on sustainable farming practices and good labour conditions. Output: What is the product like when it’s finished? CE certification confirms that the final product fulfills certain EU quality and safety requirements. Trust
  14. The trustmark documentation shall be provided in a standardized form to allow for third parties to offer services on top of this foundation, like editorials, ratings & reviews. In year 1 we will learn and prototype, to develop the concept to a stage of maturity to be launch-ready. The foundation of an ecosystem
  15. Self-assessment tool Trustmark readiness Trustmark • Doubles to assess readiness and to verify compliance • Our experts review applications and follow up for clarification if necessary • 3rd party advisory services like security consultancy • Non-public / between companies and their advisors • Once passed, the trustmark can be used and the evaluation is published • Underlying assessment (results of self-evaluation tool) is available online 3rd party services • Open licensing of the self-assessments enable 3rd party services (analysis, rankings, etc.) Out of scope (3rd parties) In scope (project core) Out of scope (3rd parties) Elements of a trustmark system
  16. How does it work? The step by step explainer. (1) Self-assessment: Company fills in the self-assessment tool, an online application form that consists of yes/no questions plus explanations. Should the company find it hard to answer questions, they have identified a weakness. (2) Application review: There’s always a human in the loop. Our experts review the application. If necessary, they follow up for clarification. (3) Trustmark issued: If the application passes, the results are fully published online. If contested questions cannot be resolved, the trustmark is not issued and the results will not be published. The company itself is the final judge if they fulfill or do not yet fulfill the trustmark criteria. The stick is in the public accountability once the company decides to use the trustmark and the self-assessment results are published in full.
  17. Format & examples. The format for the checklist is standardized as a checkbox (Yes/No/Not Applicable) plus a text field to elaborate. If the answer is Yes or Not Applicable then the text field must be filled in with an explainer. (No always means 0 points.) The evolving checklist is available for review and input (via comments) here. Some example questions. Privacy & Data Practices: Do you employ Privacy-by-Design best practices? Is your product GDPR compliant? Do you have an easy-to-understand privacy and data policy? Can users easily perform a factory reset? Can users easily export their data? This checklist partially builds on the “Open #iotmark principles” (iotmark.org, CC BY-SA 4.0).
  18. At the core of the process is a self-assessment tool: A questionnaire that helps organizations assess their trustmark readiness. This tool is aligned with the product development process, so it can also double as a checklist to help along the process of developing a trustworthy connected product, and to identify potential weaknesses. Self-Assessment Tool. Trustable Tech Self-Assessment Tool question sample (draft)
  19. Format & examples. This is what a sample extract of the published documentation would look like. Privacy & Data Practices. ☑ Do you employ Privacy-by-Design best practices? We strictly follow privacy-by-design practices. We also prioritize privacy at every step of the process and in all our decision-making: We strictly minimize the data we collect from users, and never keep non-essential data. For example, during the device setup users are by default opted out of every non-essential data collection option, even if this comes at the expense of personalization options. We further offer a privacy-navigator feature that helps users better understand what happens with their voice and location data should they decide to opt in. Furthermore, we have a strict policy that makes sure that in case of bankruptcy or an acquisition, user data is not part of the company’s assets that might be transferred to new ownership but deleted unless users specifically opt in to having their data transferred. This policy is available here: product.com/datapolicy. ☑ Can users easily export their data? A full data export of all user data, including all inferred data and explanations, is available prominently from the user account page (product.com/useraccount). The data can be exported in JSON or XML, or a simple HTML dump. Should new industry standards for this kind of data emerge and gain traction, we guarantee to make them an export option as well within two months.
  20. This is a project in an early stage. We’re looking in a number of areas. Particularly we’re looking for… Pathways to partnerships & participation: Academic partners to accompany the development of this trustmark; Commercial partners to help us test our requirements list against their existing or upcoming products; Non-profit and media partners who can help us understand what they need in order to build third-party offerings on top of a trustmark.
  21. Peter Bihr, peter@thewavingcat.com. ThingsCon e.V., thingscon.com, trustabletech.com. Thank you. Questions? Please get in touch.
