The document discusses the Trustable Technology Mark, an initiative aimed at empowering consumers to make informed choices about connected products in the Internet of Things (IoT) by establishing a trustmark for trustworthiness. It emphasizes the importance of transparency, responsible data practices, and ethical standards to enhance consumer trust and promote better practices among companies. The document outlines the self-assessment process for companies seeking the trustmark, focusing on privacy, security, and ethical considerations in product development.

1. Peter Bihr
This work is created as part of a
Mozilla Fellowship. Unless otherwise
noted, Creative Commons BY-SA 4.0.
Draft / July 2018.
Trustable Technology Mark
A trustmark for the Internet of Things
trustabletech.com is an
initiative by ThingsCon e.V.
with support from Mozilla.
ThingsCon Salon Cologne
3 August 2018

2. The Trustable Technology mark
empowers consumers to make
informed decisions &
enables companies to prove their
connected products are trustworthy.

3. Peter Bihr
ThingsCon
Mozilla Fellow
Project lead
thingscon.com
thewavingcat.com
@peterbihr
Jason Schultz
NYU Law
Mozilla Fellow
Legal
theendofownership.com
its.law.nyu.edu
@lawgeek
Peter Thomas
University of Dundee
Design
tompigeon.com
dundee.ac.uk/djcad

4. The Internet of Things increasingly touches
all aspects of our lives, but mostly it consists
of black boxes. We need to make sure that
we can trust them.
Consumers have little insight into how any
one connected product works, what it even
might be capable of, or if the company
employs good, responsible data practices.
This is not an oversight on the consumers'
side: We lack the tools to find out.
Why do we need
a trustmark?
Amazon Echo.
Image: Frmorrison, CC (BY-SA 3.0)

5. 4 questions that we should be able to answer
for every connected device.
But for connected products, these are very
hard questions to answer.
A simple
litmus test
Source: The Waving Cat (CC BY)
Does it do anything I
wouldn’t expect?
Is the organization
trustworthy?
Is it made using
trustworthy processes?
Does it do what I expect
it to do?

6. The trustmark is aspirational and aims to
raise the bar at the top of the pyramid.
This work is driven by values, not
pragmatism. This needs to exist in order to
get to a better IoT, and a better society.
We believe that good ethics are good for
business.
Our Goal
A trustmark to aim higher. -
find out more on medium.com
Trustmark
Baseline certification
Great
Good
Bad

7. The trustmark is aspirational and aims to
raise the bar at the top of the pyramid.
This work is driven by values, not
pragmatism. This needs to exist in order to
get to a better IoT, and a better society.
We believe that good ethics are good for
business.
Characteristics
Peter Bihr (CC-BY-SA) Hard to earn
Valuable/Meaningful
Easy to apply
The trustmark
should be

8. A trustmark
for IoT
Building consumer trust in the
Internet of Things by empowering
users to make smarter choices.
A ThingsCon Report commissioned
by Mozilla’s Open IoT Studio.
Open IoT Studio
Our 2017 trustmark research has received
great feedback and reach.
Among other things it was quoted extensively
in Brazil’s National IoT Plan.
Now we want to put our research into action.
Early feedback
& successes
Find out more
https://www.thingscon.com/report-a-
trustmark-for-iot

9. Why should a
company sign up?
Fairphone
Image by Fairphone, CC (BY-SA 2.0)
This trustmark communicates a
company’s commitment to a higher
standard, and allows them to prove their
connected products are trustworthy.
The trustmark increases consumer trust
by demonstrating commitment to
exemplary levels of transparency,
openness and responsibility.
The trustmark will attract talent: We
believe that only the best companies
attract the best talent, and strong vision
& values are a key aspect.

10. We’re proposing a trustmark for IoT that
increases transparency and empowers
consumers to make better decisions.
It takes a holistic approach that goes beyond
just the device and includes procedural and
organizational aspects. The prototype phase
will focus on voice-enabled IoT (smart
speakers, etc.)
How will it work?
Find out more
https://www.thingscon.com/report-a-
trustmark-for-iot
Evaluates 5 key dimensions
Is pledge-based (self-certification)
Verified through publicly accessible
documentation
(Mostly) decentralized
Openly licensed and free to use

11. The trustmark evaluates compliance with 5
dimensions that we identified in our initial
research* as most crucial for consumers
Dimensions
*See A Trustmark for IoT (2017), p. 56
Privacy & Data Practices
How respectful of privacy? Is it designed using best data practices?
Transparency
Is it obvious to users what the device does and how data might be used?
Security
Is it designed and built using best security practices and safeguards?
Openness
How open are device and manufacturer? Is open data used or generated?
Stability
How robust? How long a lifecycle to expect?

12. What will
we evaluate?
Input
What goes into making a
product?
In the textile world,
Bluesign is a trustmark
that demonstrates that
an apparel manufacturer
uses sustainable, eco-
friendly materials
Process
How is a product made?
Fairtrade with their
strong focus on
sustainable farming
practices and good
labour conditions
Output
What is the product like
when it’s finished?
CE certification confirms
that the final product
fulfills certain EU quality
and safety requirements
Trust

13. The trustmark documentation shall be
provided in a standardized form to allow for
third parties to offer services on top of this
foundation, like editorials, ratings & reviews.
In year 1 we will learn and prototype, to
develop the concept to a stage of maturity to
be launch-ready.
The foundation of
an ecosystem

14. Self-assessment
tool
Trustmark
readiness
Trustmark
• Doubles to assess
readiness and to verify
compliance
• Internal use only until
passed
• Once passed, the
trustmark can be used
and the evaluation is
published
• 3rd party advisory
services like security
consultancy
• Non-public / between
companies and their
advisors
• Consumer-facing
trustmark is
glanceable
• Underlying
assessment (results of
self-evaluation tool) is
available online
3rd party
services
• Open licensing of the
self-assessments
enable 3rd party
services (analysis,
rankings, etc.)
Out of scope
(3rd parties)
In scope
(project core)
Out of scope
(3rd parties)
Elements of a
trustmark system

15. How does it
work?
Self-
assessment
Company fills in the self-
assessment tool, a
questionnaire that
consists of yes/no
questions to tick but
requires further
explanations for each
question.
Trustmark
If the indicative score is high
enough, a human in the
company determines: Do we
really fulfill these
conditions?
If they decide yes, then the
assessment tool results are
fully published on their
website (and aggregated)
and they use the trustmark.
Indicative
scoring
The tool provides an
indicative scoring based on
checked boxes.
If the score is lacking, the
company has identified
weaknesses to improve. The
results are not published but
for their internal use only.
Tool provides
indicative
scoring
“89/100”
Self-assessment
is published
The company’s trustmark
self-assessment
documentation is published
in full on their website (/
trustmark) along with a code
snippet. All companies’
assessment documentations
are aggregated on
trustabletech.com.
The step by step explainer.
The company itself is the
final judge if they fulfill or
do not yet fulfill the
trustmark criteria.
The stick is in the public
accountability once the
company decides to use
the trustmark and the self-
assessment results are
published in full.
1 2 3 4

16. Format &
examples
The format for the checklist is standardized
as checkbox [Yes/No/Not Applicable) plus a
text field to elaborate. If the answer is Yes or
Not Applicable then the text field must be
filled in with an explainer. (No always means 0
points.)
The evolving checklist is available for review
and input (via comments) here.
Privacy & Data Practices
Do you employ Privacy-by-Design best practices?
Is your product GDPR compliant?
Do you have an easy-to-understand privacy and
data policy?
Can users easily perform a factory reset?
Can users easily export their data?
Some example questions. This checklist
partially builds on the “Open #iotmark
principles” (iotmark.org, CC BY-SA 4.0).

17. A the core of the process is a self-
assessment tool: A questionnaire that helps
organizations assess their trustmark
readiness.
This tool is aligned with the product
development process, so it can also double
as a checklist to help along the process of
developing a trustworthy connected product.
Self-Assessment
Tool
Trustable Tech Self-Assessment Tool
question sample (draft)
Adds to
indicative
score
Neutral score
(not taken
into account)
Scored 0

18. Format &
examples
This is what a sample extract of the published
documentation would look like.
Privacy & Data Practices
☑ Do you employ Privacy-by-Design best practices?
We strictly follow privacy-by-design practices. We also prioritize privacy
at every step of the process and in all our decision-making: We strictly
minimize the data we collect from users, and never keep non-essential
data. For example, during the device setup users are by default opted
out of every non-essential data collection option, even if this comes at
the expense of personalization options. We further have offer a privacy-
navigator feature that helps users better understand what happens with
their voice and location data should they decide to opt in. Furthermore,
we have a strict policy that makes sure that in case of bankruptcy or an
acquisition, user data is not part of the companies assets that might be
transferred to new ownership but deleted unless users specifically opt-
in to having their data transferred. This policy is available here:
product.com/datapolicy.
☑ Can users easily export their data?
A full data export of all user data, including all inferred data and
explanations, is available prominently from the user account page
(product.com/useraccount). The data can be exported in JSON or
XML, or a simple HTML dump. Should new industry standards for this
kind of data emerge and gain traction, we guarantee to make them an
export option as well within two months.

19. What does a
trustmark mean
legally?
THE CERTIFICATION MARK, AS USED BY PERSONS AUTHORIZED BY CERTIFIER,
CERTIFIES THAT, IN THE OPINION OF APPLICANT'S RATING OR APPEALS BOARDS, MOST
AMERICAN PARENTS WILL CONSIDER THE MOTION PICTURE INAPPROPRIATE FOR
VIEWING BY ANYONE UNDER THE AGE OF 18, BY REASON OF ITS DEPICTION OR
TREATMENT OF VIOLENCE OR SEX OR ABERRATIONAL BEHAVIOR OR DRUG ABUSE, OR
A COMBINATION OF THESE OR OTHER ELEMENTS.
The certification mark, as used by persons authorized by the certifier, certifies that the goods and
services provided are in compliance with Kosher dietary food preparation and handling standards.
The Code of Jewish Law, as codified by Rabbi Yosef Karo with the glosses of Moses Isserles
(The Rema) and other authorities, is the standard by which the certifier certifies that the goods and
services are in compliance with Kosher dietary food preparation and handling standards.

20. This is a project in an early stage. We’re
looking in a number of areas. Particularly
we’re looking for…
Pathways to
partnerships &
participation
Academic partners to accompany the
development of this trustmark
Commercial partners to help us test
our requirements list against their
existing or upcoming products
Non-profit and media partners who
can help us understand what they
need in order to build third-party
offerings on top of a trustmark

21. We have a lot of upcoming activities across
the ThingsCon network including:
Upcoming
activities
Field trip to Shenzhen: 15-20 October
Organized by Stichting ThingsCon Amsterdam
ThingsCon Annual Conference
Rotterdam: 6-7 December
Organized by Stichting ThingsCon Amsterdam
Learn more at thingscon.com/events

22. Peter Bihr
peter@thewavingcat.com
ThingsCon e.V.
thingscon.com
trustabletech.com
Thank you.
Questions? Please get in touch.