Online Trust Alliance Releases IoT Trust Framework v2.0

January 31, 2017
The Online Trust Alliance (OTA), an informal industry working group with the mission to enhance online trust and user empowerment while promoting innovation and the vitality of the Internet, released version 2.0 of its Internet of Things (IoT) Trust Framework at the 2017 Consumer Electronics Show. The OTA describes the IoT Trust Framework v2.0 as providing a baseline set of requirements and recommendations that address the privacy, security, and sustainability of IoT devices (e.g., connected home, wearable technologies, etc.). The impetus behind the Framework is to provide a path for the private sector to demonstrate its commitment to security and privacy in IoT devices by adhering to the voluntary principles of the Framework.

The OTA has segmented the 37 principles of the Framework into four categories:

  • Security
    • The Security principles (1-9) apply to both pre-market security (e.g., software development security processes, supply chain management, penetration testing, etc.) and post-market security (e.g., lifecycle security patching, security principles for secure data storage and transmission, responding to vulnerabilities, etc.).
  • User Access and Credentials
    • The User Access and Credentials principles (10-14) include requirements for encrypting and ensuring the uniqueness of passwords and usernames, as well as password recovery/reset processes (e.g., multi-factor authentication, out-of-band notices, etc.) and mechanisms to prevent cryptanalytic attacks, such as brute-force attacks.
  • Privacy, Disclosures, and Transparency
    • The Privacy, Disclosures, and Transparency principles (15-30) include requirements for clearly disclosing privacy, security, data retention, and support policies (e.g., on product packaging, point-of-sale, online, etc.) both prior to and after sale, as well as any changes related thereto.
  • Notifications and Related Best Practices
    • The Notifications and Related Best Practices principles (31-37) include requirements directed toward the adoption of authentication protocols to help prevent spear phishing and spoofing, the implementation of a breach/cyber response and consumer notification plan, and the development of communications processes for notifying users of security/privacy issues, end-of-life notifications, and recalls.

Notable changes from v1.0 of the Framework include:

  • Devices should include mechanisms to reliably authenticate their backend services and supporting applications.
  • Automated (vs. automatic) updates provide users the ability to approve, authorize, or reject updates.
  • Devices should ship with reasonably current software and/or push automatic updates to address any known critical vulnerabilities upon first boot.
  • Develop communications processes to maximize user awareness of any potential security or privacy issues, end-of-life notifications, and possible product recalls, including in-app notifications.

The associated Resource Guide of the IoT Trust Framework provides additional context and resources for developers and manufacturers in implementing and adopting responsible privacy practices consistent with the Framework.

Read Ice Miller’s IoT Smart Connections guide here.

This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.