Tech Firms, Retailers Propose Security, Privacy Rules for Internet of Things (securityledger.com)
chicksdaddy writes: As the Obama Administration and the rest of the federal bureaucracy hem and haw about whether and how to regulate the fast-growing Internet of Things, a group representing private sector firms has come out with a framework for ensuring privacy and security protections in IoT products that is light years ahead of anything under consideration inside the Beltway.
The Online Trust Association (https://otalliance.org/) — a group made up of such staunch civil liberties and privacy advocates as Target Stores (?), Microsoft and home security firm ADT — on Tuesday released a draft of its IoT Trust Framework (PDF here: https://otalliance.org/system/...), which offers voluntary best practices in security, privacy and what OTA calls "sustainability" (read "lifecycle management") for home automation, wearable, health & fitness technologies.
So how is it? Pretty damned good, according to this post at The Security Ledger (https://securityledger.com/2015/08/tech-retail-firms-propose-privacy-standards-for-internet-of-things/).
"The OTA guidelines set a high bar for IoT device makers. On the security front, the framework calls on manufacturers to employ end-to-end encryption, including device connections to mobile devices and applications and wireless communications to the cloud or other devices. Device makers should include features that force the retirement of default passwords after their first use and configure multiple user roles with separate passwords for administrative and end-user access.
"Privacy policies must be made available to potential buyers prior to product purchase and disclose the consequences of declining to opt in or out of policies, such as data collection. And, in a nod to consumer advocates' complaints about long and legalistic end-user license agreements (EULA) and privacy policies that are prevalent today, device makers would be required to 'maximize readability.'
"Beyond that, manufacturers must conspicuously disclose all personally identifiable data types and attributes collected. A health or fitness band would need to inform potential buyers that it harvests data such as their physical location and biometric data like heart rate, pulse, blood pressure and so on."
The standards also address issues such as lifecycle management for IoT devices. Craig Spiezle, Executive Director and President of OTA, notes that many home appliances have life spans that are measured in decades, not months or years. Under the framework, device makers should have a plan for supporting and updating them during that time, or risk creating a population of insecure, off-warranty endpoints that are subject to tampering and attack.
Spiezle said that such questions and issues are currently "uncharted waters" in the consumer space. And, in fact, issues related to data collection and disclosure in connection to smart appliances have already come to the fore. In 2014, device maker LG issued a firmware update for its SmartTVs that disabled the "connected" features of the device if users would not agree to lengthy new Terms of Service and Privacy Agreements. The revised documents granted LG permission to monitor and record their viewing habits and their interactions with the device, including voice commands. (https://securityledger.com/2014/05/bad-actor-with-update-lg-says-no-monitoring-no-smart-tv/)
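The two credential requirements quoted above (factory default passwords retired on first use, and separate admin and end-user passwords) can be modelled as a small on-device credential store. This is an added illustration, not code from the OTA framework or from any vendor; the `DeviceAuth` class, its role names and its action lists are assumptions chosen for the example.

```python
import hashlib
import hmac
import os

# Hypothetical per-role permission lists for a home-automation device.
ACTIONS = {
    "admin": {"view_status", "reset_device", "firmware_update", "set_user_password"},
    "user": {"view_status", "set_own_password"},
}
MIN_PASSWORD_LEN = 12


class DeviceAuth:
    """Credential store that refuses to operate on factory defaults.

    Each role (admin, user) has its own password. A factory default may be
    presented exactly once, and only to replace itself with a new password;
    until that happens the role cannot perform any action.
    """

    def __init__(self, factory_admin_pw, factory_user_pw):
        self._creds = {
            "admin": {"hash": self._hash(factory_admin_pw), "default": True},
            "user": {"hash": self._hash(factory_user_pw), "default": True},
        }

    @staticmethod
    def _hash(pw, salt=None):
        salt = salt or os.urandom(16)
        return salt + hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

    @staticmethod
    def _verify(pw, stored):
        salt, digest = stored[:16], stored[16:]
        cand = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)
        return hmac.compare_digest(cand, digest)

    def login(self, role, password, new_password=None):
        rec = self._creds.get(role)
        if rec is None or not self._verify(password, rec["hash"]):
            return "denied"
        if rec["default"]:
            # First use of the factory credential: it must be retired now.
            if not new_password or new_password == password \
                    or len(new_password) < MIN_PASSWORD_LEN:
                return "must_change"
            rec["hash"] = self._hash(new_password)
            rec["default"] = False
            return "changed"
        return "ok"

    def can(self, role, action):
        rec = self._creds.get(role)
        return bool(rec) and not rec["default"] and action in ACTIONS.get(role, set())
```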