Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Trustable Technology Mark (3 August 2018)


Published on

Sharing updates on the Trustable Tech mark, ThingsCon's IoT trustmark initiative. Presented at ThingsCon Salon Cologne, 3 August 2018)

Published in: Technology
  • Be the first to comment

  • Be the first to like this

Trustable Technology Mark (3 August 2018)

  1. 1. Peter Bihr This work is created as part of a Mozilla Fellowship. Unless otherwise noted, Creative Commons BY-SA 4.0. Draft / July 2018. Trustable Technology Mark A trustmark for the Internet of Things is an 
 initiative by ThingsCon e.V. 
 with support from Mozilla. ThingsCon Salon Cologne
 3 August 2018
  2. 2. The Trustable Technology mark empowers consumers to make informed decisions & 
 enables companies to prove their connected products are trustworthy.
  3. 3. Peter Bihr ThingsCon Mozilla Fellow Project lead
 @peterbihr Jason Schultz NYU Law Mozilla Fellow Legal
 @lawgeek Peter Thomas University of Dundee Design
  4. 4. The Internet of Things increasingly touches all aspects of our lives, but mostly it consists of black boxes. We need to make sure that we can trust them. Consumers have little insight into how any one connected product works, what it even might be capable of, or if the company employs good, responsible data practices. This is not an oversight on the consumers' side: We lack the tools to find out. Why do we need a trustmark? Amazon Echo. Image: Frmorrison, CC (BY-SA 3.0)
  5. 5. 4 questions that we should be able to answer for every connected device. But for connected products, these are very hard questions to answer. A simple litmus test Source: The Waving Cat (CC BY) Does it do anything I wouldn’t expect? Is the organization trustworthy? Is it made using trustworthy processes? Does it do what I expect it to do?
  6. 6. The trustmark is aspirational and aims to raise the bar at the top of the pyramid. This work is driven by values, not pragmatism. This needs to exist in order to get to a better IoT, and a better society. We believe that good ethics are good for business. Our Goal A trustmark to aim higher. - find out more on Trustmark Baseline certification Great Good Bad
  7. 7. The trustmark is aspirational and aims to raise the bar at the top of the pyramid. This work is driven by values, not pragmatism. This needs to exist in order to get to a better IoT, and a better society. We believe that good ethics are good for business. Characteristics Peter Bihr (CC-BY-SA) Hard to earn Valuable/Meaningful Easy to apply The trustmark should be
  8. 8. A trustmark for IoT Building consumer trust in the Internet of Things by empowering users to make smarter choices. A ThingsCon Report commissioned by Mozilla’s Open IoT Studio. Open IoT Studio Our 2017 trustmark research has received great feedback and reach. Among other things it was quoted extensively in Brazil’s National IoT Plan. Now we want to put our research into action. Early feedback & successes Find out more trustmark-for-iot
  9. 9. Why should a company sign up? Fairphone Image by Fairphone, CC (BY-SA 2.0) This trustmark communicates a company’s commitment to a higher standard, and allows them to prove their connected products are trustworthy. The trustmark increases consumer trust by demonstrating commitment to exemplary levels of transparency, openness and responsibility. The trustmark will attract talent: We believe that only the best companies attract the best talent, and strong vision & values are a key aspect.
  10. 10. We’re proposing a trustmark for IoT that increases transparency and empowers consumers to make better decisions. It takes a holistic approach that goes beyond just the device and includes procedural and organizational aspects. The prototype phase will focus on voice-enabled IoT (smart speakers, etc.) How will it work? Find out more trustmark-for-iot Evaluates 5 key dimensions Is pledge-based (self-certification) Verified through publicly accessible documentation (Mostly) decentralized Openly licensed and free to use
  11. 11. The trustmark evaluates compliance with 5 dimensions that we identified in our initial research* as most crucial for consumers Dimensions *See A Trustmark for IoT (2017), p. 56 Privacy & Data Practices
 How respectful of privacy? Is it designed using best data practices? Transparency
 Is it obvious to users what the device does and how data might be used? Security
 Is it designed and built using best security practices and safeguards? Openness
 How open are device and manufacturer? Is open data used or generated? Stability
 How robust? How long a lifecycle to expect?
  12. 12. What will we evaluate? Input What goes into making a product? 
 In the textile world, Bluesign is a trustmark that demonstrates that an apparel manufacturer uses sustainable, eco- friendly materials Process How is a product made?
 Fairtrade with their strong focus on sustainable farming practices and good labour conditions Output What is the product like when it’s finished? 
 CE certification confirms that the final product fulfills certain EU quality and safety requirements Trust
  13. 13. The trustmark documentation shall be provided in a standardized form to allow for third parties to offer services on top of this foundation, like editorials, ratings & reviews. In year 1 we will learn and prototype, to develop the concept to a stage of maturity to be launch-ready. The foundation of an ecosystem
  14. 14. Self-assessment tool Trustmark readiness Trustmark • Doubles to assess readiness and to verify compliance • Internal use only until passed • Once passed, the trustmark can be used and the evaluation is published • 3rd party advisory services like security consultancy • Non-public / between companies and their advisors • Consumer-facing trustmark is glanceable • Underlying assessment (results of self-evaluation tool) is available online 3rd party services • Open licensing of the self-assessments enable 3rd party services (analysis, rankings, etc.) Out of scope (3rd parties) In scope (project core) Out of scope (3rd parties) Elements of a trustmark system
  15. 15. How does it work? Self- assessment Company fills in the self- assessment tool, a questionnaire that consists of yes/no questions to tick but requires further explanations for each question. Trustmark If the indicative score is high enough, a human in the company determines: Do we really fulfill these conditions? If they decide yes, then the assessment tool results are fully published on their website (and aggregated) and they use the trustmark. Indicative scoring The tool provides an indicative scoring based on checked boxes. If the score is lacking, the company has identified weaknesses to improve. The results are not published but for their internal use only. Tool provides indicative scoring “89/100” Self-assessment is published The company’s trustmark self-assessment documentation is published in full on their website (/ trustmark) along with a code snippet. All companies’ assessment documentations are aggregated on The step by step explainer. The company itself is the final judge if they fulfill or do not yet fulfill the trustmark criteria. The stick is in the public accountability once the company decides to use the trustmark and the self- assessment results are published in full. 1 2 3 4
  16. 16. Format & examples The format for the checklist is standardized as checkbox [Yes/No/Not Applicable) plus a text field to elaborate. If the answer is Yes or Not Applicable then the text field must be filled in with an explainer. (No always means 0 points.) The evolving checklist is available for review and input (via comments) here. Privacy & Data Practices Do you employ Privacy-by-Design best practices? Is your product GDPR compliant? Do you have an easy-to-understand privacy and data policy? Can users easily perform a factory reset? Can users easily export their data? Some example questions. This checklist partially builds on the “Open #iotmark principles” (, CC BY-SA 4.0).
  17. 17. A the core of the process is a self- assessment tool: A questionnaire that helps organizations assess their trustmark readiness. This tool is aligned with the product development process, so it can also double as a checklist to help along the process of developing a trustworthy connected product. Self-Assessment Tool Trustable Tech Self-Assessment Tool question sample (draft) Adds to indicative score Neutral score (not taken into account) Scored 0
  18. 18. Format & examples This is what a sample extract of the published documentation would look like. Privacy & Data Practices ☑ Do you employ Privacy-by-Design best practices? We strictly follow privacy-by-design practices. We also prioritize privacy at every step of the process and in all our decision-making: We strictly minimize the data we collect from users, and never keep non-essential data. For example, during the device setup users are by default opted out of every non-essential data collection option, even if this comes at the expense of personalization options. We further have offer a privacy- navigator feature that helps users better understand what happens with their voice and location data should they decide to opt in. Furthermore, we have a strict policy that makes sure that in case of bankruptcy or an acquisition, user data is not part of the companies assets that might be transferred to new ownership but deleted unless users specifically opt- in to having their data transferred. This policy is available here: ☑ Can users easily export their data? A full data export of all user data, including all inferred data and explanations, is available prominently from the user account page ( The data can be exported in JSON or XML, or a simple HTML dump. Should new industry standards for this kind of data emerge and gain traction, we guarantee to make them an export option as well within two months.
  19. 19. What does a trustmark mean legally? THE CERTIFICATION MARK, AS USED BY PERSONS AUTHORIZED BY CERTIFIER, CERTIFIES THAT, IN THE OPINION OF APPLICANT'S RATING OR APPEALS BOARDS, MOST AMERICAN PARENTS WILL CONSIDER THE MOTION PICTURE INAPPROPRIATE FOR VIEWING BY ANYONE UNDER THE AGE OF 18, BY REASON OF ITS DEPICTION OR TREATMENT OF VIOLENCE OR SEX OR ABERRATIONAL BEHAVIOR OR DRUG ABUSE, OR A COMBINATION OF THESE OR OTHER ELEMENTS. The certification mark, as used by persons authorized by the certifier, certifies that the goods and services provided are in compliance with Kosher dietary food preparation and handling standards. The Code of Jewish Law, as codified by Rabbi Yosef Karo with the glosses of Moses Isserles (The Rema) and other authorities, is the standard by which the certifier certifies that the goods and services are in compliance with Kosher dietary food preparation and handling standards.
  20. 20. This is a project in an early stage. We’re looking in a number of areas. Particularly we’re looking for… Pathways to partnerships & participation Academic partners to accompany the development of this trustmark Commercial partners to help us test our requirements list against their existing or upcoming products Non-profit and media partners who can help us understand what they need in order to build third-party offerings on top of a trustmark
  21. 21. We have a lot of upcoming activities across the ThingsCon network including: Upcoming activities Field trip to Shenzhen: 15-20 October
 Organized by Stichting ThingsCon Amsterdam ThingsCon Annual Conference Rotterdam: 6-7 December
 Organized by Stichting ThingsCon Amsterdam Learn more at
  22. 22. Peter Bihr ThingsCon e.V. Thank you. Questions? Please get in touch.