Better IoT Principles Wiki
- https://github.com/betteriot/betteriot-principles (most recent)
Know Cards & Poster
- https://github.com/betteriot/betteriot-knowcards/raw/master/iotmark_poster_principles.pdf (Download)
Workshops, talks & articles
DZone interview with Alexandra Deschamps-Sonsino, 03.2019
ThingsCon Salon Cologne talk
PAIR UX Symposium 2018 Zürich talk
TheThingsConference 2018 Amsterdam workshop
Ada_conf 2017 Malmö talk
ThingsConAMS 2017 Amsterdam workshop
Securing consumer trust in the IoT, Principles and Recommendations 2017 - Connectivity and inclusion; Information and transparency; Ownership and use; Security and safety; Liability; Data protection and privacy online; Complaints handling and redress; Competition and choice; Lifecycle
Everyware Principles - Do no harm; Default to harmlessnes; Be self-disclosing; Be conservative of face; Be conservative of time; Be deniable
A Trustmark for IoT - Good data practices; Good security practices; Openness; Lifecycle management; Establishing that the producing organization is trustworthy
Proclamation of user rights - Curiosity; Independence; Association; Longevity; Transfer; Discourse; Privacy; Security
IoT Mark Landscape of 30+ similar initiatives
Doteveryone Ethical Tech Initiatives Directory
The BSI Kitemark for The Internet of Things - Generate trust in your brand
Rapid evidence assessment on labelling schemes and implications for consumer IoT security (referencing IoTMark)
A trustmark for the Internet of Things
IETF Golden Rules - Be liberal in what you accept, and conservative in what you send; Do not munge forwarded data; Modify as late as possible; Leave nothing undefined; Cause no harm; Keep it simple, stupid; No voting, rough consensus; Plain ASCII text is enough
And while software might love a standard, real life is messier and more extraordinary than any product backlog gives it credit for. We can’t solve this simply through process, by automating tests for “Ethical Acceptance” or creating simple “if this then that” rules; there isn’t a simple check and balance to make before a product or feature goes out the door— as an industry, we need to be continually monitoring, and thinking deeply and strategically, about the consequences of the decisions we make. We need to take responsibility.
Change is made through better day-to-day decisions
We believe that good ethics are good for business
We’re proposing a trustmark for IoT that increases transparency and empowers consumers to make better decisions.
The approach of "self-assessed but veriﬁable" opens up trustmark-carrying products to public scrutiny in a similar way that open source software can be peer reviewed. Compliance with the trustmark is proven by providing publicly available documentation to answer (in a structured way) the questions that determine a product's compliance.
A simple reference model for connected products - Connected product; Device; Gateway; Backend; Client
IoT reference model - including physical/virtual interaction
Mapping the IoT Toolkit
the term privacy means very different things to people […] Solitude; Intimacy; Anonymity; Reserve
The right to informational self-determination is not only granted for the sake of the individual, but also in the interest of the public, to guarantee a free and democratic communication order
potentially harmful activities: Information collection; Information processing; Information dissemination; Distortion; Invasion
The Strava debacle shows that individualized "informed consent" is not sufficient for data privacy. Given the complexity, companies cannot fully inform us, and thus we cannot fully consent. Data privacy is more a public good.
Privacy is a human right. There can be no ethical model of discrimination based on any non-consensual invasion of privacy. Privacy is not something I should pay to have. You should not design products that reduce my rights. GDPR requires privacy-by-design and data protection by default. Now is that chance for IoT manufacturers to lead that shift towards higher standards.
Guide to the General Data Protection Regulation (GDPR)
GDPR rights poster - The right to view your data; The right to be informed; The right to be forgotten; The right to move your data; The right to say no; The right to limit how your data is used; The right to make changes to your data; Th right to human-made decision making
Data Subject Rights: Breach Notification; Right to Access; Right to be Forgotten; Data Portability; Privacy by Design; Data Protection Officers
Europe’s new data protection rules export privacy standards worldwide
GDPR for Things - ThingsCon Amsterdam 2017
Fiona Mc Andrew - Designing for privacy & ethics
chart of Fortune 100 privacy policies
Aza Raskin's Privacy Icons
Apple iOS privacy icon
Privacy-by-Design Framework for Assessing Internet of Things Applications and Platforms
Find out what GDPR means for your SME.
OMGDPR a GPDR-themed event in Berlin
GDPR And IoT – The Problem Of Consent
PrivacyScore can only report on technical security and privacy measures that can be analyzed automatically. In particular, we do not analyze privacy policies, whether informed consent was obtained, etc. This may change in the future.
blocks spying ads and invisible trackers.
10 principles and practices for building data privacy into modern technological systems. […] Fairness; Transparency; Collection Limitation and Minimisation; Individual Control; Data Integrity and Quality; Data Security; Data Retention and Disposal; Privacy Enhancement; Management and Accountability; Risk Management
Despite the benefits that consumers will derive from IoT devices, there are also risks. One such risk is a change to how we see privacy. For the purposes of this report, privacy is defined as: the ability for people to selectively share, to determine how information about them is collected, used, and passed along; the ability to retreat from the gaze of and interactions with others; the right to be let alone, to create solitude and reserve from others; the ability to control the degree to which one is identifiable when undertaking online or offline activities; and the ability to control the data impression one gives off.
We find value in Alan Westin’s classic definition of privacy as “the claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is communicated to others.”
And, though it may be worn possibly to the point of being threadbare, Warren and Brandeis’ conception of privacy as a ‘right to be let alone’ is still useful to bear in mind, especially as they envisioned this right to encompass thoughts, emotions and sentiments, which is particularly germane to the IoT. We also find useful Westin’s view that privacy protects four ‘states’: solitude, intimacy, anonymity, and reserve. That said, these views are predicated in part on harms resulting from invasion. We argue at different points in this report that the IoT threatens to decompose the notion of privacy invasion because of increasingly omnipresent sensors and because many IoT devices will be invited into our lives.
It’s not likely that medical device interoperability is a part of the everyday vocabulary of American consumers—and frankly, we hope it stays that way. At CDRH, we want patients and consumers to have confidence that medical devices work as intended without concern over how these devices operate together. But, in working with manufacturers to bring innovative medical devices to patients who need them, interoperability is an indispensable concept.
An [Apache 2.0 licensed] SDK for commercial device makers to integrate Alexa directly into connected products.
The Open Definition makes precise the meaning of “open” with respect to knowledge, promoting a robust commons in which anyone may participate, and interoperability is maximized.
Summary: Knowledge is open if anyone is free to access, use, modify, and share it — subject, at most, to measures that preserve provenance and openness.
The Open Source Definition - Open source doesn't just mean access to the source code. The distribution terms of open-source software must comply with the following criteria: Free Redistribution; Source Code; Derived Works; Integrity of The Author's Source Code; No Discrimination Against Persons or Groups; No Discrimination Against Fields of Endeavor; Distribution of License; License Must Not Be Specific to a Product; License Must Not Restrict Other Software; License Must Be Technology-Neutral
Open source hardware is hardware whose design is made publicly available so that anyone can study, modify, distribute, make, and sell the design or hardware based on that design.
The Open Source Hardware Association Certification was created in response to overwhelming demand for a clearer and more transparent method of identifying and marketing open source hardware products.
Encouraging open sourceness but not imposing it. This will polarise many in the open source hardware community but the strength of the mark will be in being able to be adopted in a commercial environment where people do have to make money, either through their IP over the hardware or the software. We have to be able to inspire people to do things in a better way, but not force them to.
Ecosystems are the key to succeeding in the IoT. Our IoT platform leverages open source and standards.
Open Source Software for Industry 4.0
Safecast data is published under a CC0 designation […] hardware developed by Safecast is open source […] software is licensed under the MIT license unless otherwise specified
applying the open source philosophy to our patents will strengthen rather than diminish Tesla’s position
The Data Spectrum helps you understand the language of data: Closed; Shared; Open (CC BY, theodi.org)
Tech law is taking over your your home and garage
Midata.coop enables citizens to securely store, manage and control access to their personal data by helping them to establish and own national/regional not-for-profit MIDATA cooperatives.
Government-backed initiative to empower individuals [with] control over the use of their own data.
Das Recht am eigenen Bild […] besagt, dass jeder Mensch grundsätzlich selbst darüber bestimmen darf, ob und in welchem Zusammenhang Bilder von ihm veröffentlicht werden.
Security Checklist for the Internet of Things - Device Protocol Security (end-to-end); Hardware and Device Security; Cloud Security; Physical Security; Company Policies
IoT Security Foundation - Establishing Principles for Internet of Things Security: Does the data need to be private? Does the data need to be trusted? Is the safe and/or timely arrival of data important? Is it necessary to restrict access to or control of the device? Is it necessary to update the software on the device? Will ownership of the device need to be managed or transferred in a secure manner? Does the data need to be audited?
Properties of Highly Secure Devices - Hardware-based Root of Trust; Small Trusted Computing Base; Defense in Depth; Compartmentalization; Certificate-based Authentication; Renewable Security; Failure Reporting
ENISA Baseline Security Recommendations for IoT - Technical Measures: Hardware security; Trust and Integrity Management; Strong default security and privacy; Data protection and compliance; System safety and reliability; Secure Software / Firmware updates; Authentication; Authorisation; Access Control - Physical and Environmental security; Cryptography; Secure and trusted communications; Secure Interfaces and network services; Secure input and output handling; Logging; Monitoring and Auditing
The Technical Foundations of IoT - Security Characteristic: Confidentiality; Integrity; Availability; Authentication; Access control; Non-repudiation
Why is consumer IoT insecure? No one even thinks about security, or assumes that someone else in the supply chain addressed it; We’ll fix the problem once it’s shipped; We don’t have any money left for security; Do you recall the product and go bust, or carry on shipping regardless?; A lack of standards and guidance; IoT vendors that don’t care about security
Information Technology - security requirements for IoT devices within small Business - home environment
IETF, A Firmware Update Architecture for Internet of Things Devices
The OWASP Internet of Things Project is designed to help manufacturers, developers, and consumers better understand the security issues associated with the Internet of Things
Principles of IoT Security
Industrial Internet Consortium Endpoint Security Best Practices
Building Code for Medical Device Software Security
OWASP Automated Threat Handbook for Web Applications
Cyber Independent Testing Lab, goals: Remain independent of vendor influence; Automated, comparable, quantitative analysis; Act as a consumer watchdog; Always bring data to the conversation
Practical IoT Crypto on the Espressif ESP8266
Updating a device while ensuring others can’t; Controlling a device while ensuring others can’t; Protecting data sent from a device; Ensuring data from a device is genuine
Securing medical devices from cybersecurity threats cannot be achieved by one government agency alone. Every stakeholder—manufacturers, hospitals, health care providers, cybersecurity researchers and government entities – all have a unique role to play in addressing these modern challenges.
premarket guidance identifies issues manufacturers should consider in the design and development of their medical device to ensure their product adequately addresses cybersecurity vulnerabilities.
postmarket guidance outlines a risk-based framework manufacturers should use to ensure they can quickly and adequately respond to new cybersecurity threats once a device is in use.
Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook (v1.0, Oct 2018)
Secure by Design - The Government's Code of Practice for Consumer Internet of Things (IoT) Security for manufacturers, with guidance for consumers on smart devices at home
"Internet of Things Consumer Tips to Improve Personal Security Act of 2017", or "IOT Consumer TIPS Act of 2017"
Cyber Security for Consumer Internet of Things
https://www.gov.uk/government/publications/code-of-practice-for-consumer-iot-security/code-of-practice-for-consumer-iot-security (DE, ES, IT, ...) https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/773867/Code_of_Practice_for_Consumer_IoT_Security_October_2018.pdf
No default passwords; Implement a vulnerability disclosure policy; Keep software updated; Securely store credentials and security-sensitive data; Communicate securely; Minimise exposed attack surfaces; Ensure software integrity; Ensure that personal data is protected; Make systems resilient to outages; Monitor system telemetry data; Make it easy for consumers to delete personal data; Make installation and maintenance of devices easy; Validate input data
Mapping of IoT security recommendations, guidance and standards
A California lawmaker is making the state the 18th in the country to consider legislation that would make it easier to fix your things.
[EU motion] on a longer lifetime for products: benefits for consumers and companies (2016/2272(INI)) Designing robust, durable and high-quality products; Promoting repairability and longevity; Operating a usage-oriented economic model and supporting SMEs and employment in the EU; Ensuring better information for consumers; Measures on planned obsolescence; Protecting consumers against software obsolescence
Why We Must Fight for the Right to Repair Our Electronics
Could ‘Right to Repair’ heighten the risk for IoT and smart devices?
The framework is [a] way of looking at IoT projects and their impact; it does not claim to be the most comprehensive or the most illustrative and it focuses only on the most prominent SDG being addressed by a given project.
Fairphone 2 modular smartphone
- Lifecycle: https://support.fairphone.com/hc/en-us/articles/211437743 (Fairphone 2 repair price list & FAQ), https://www.ifixit.com/smartphone-repairability (Fairphone 2 got iFixit repairability score 10/10)
TheThingsNetwork LoRaWAN infrastructure
- Openness: https://github.com/TheThingsNetwork/ttn (open hardware device & gateway, open source device, gateway & backend)
- Interoperability: https://www.thethingsnetwork.org/docs/ (documented API, standard protocols), https://www.thethingsnetwork.org/docs/devices/bestpractices.html (Best practices for device development)
Safecast radiation sensor
- Openness: https://blog.safecast.org/faq/licenses/ (open hardware, open source, open data)
Philips Hue connected lamp
- Privacy: http://www2.meethue.com/en-us/privacy-policy/
- Security: http://www.lighting.philips.com/main/company/about/product-security.html
- Interoperability: https://www.developers.meethue.com/philips-hue-api, https://www.developers.meethue.com/documentation/terms-use and http://www2.meethue.com/en-us/friends-of-hue/, but also http://hackaday.com/2015/12/15/philips-says-no-internet-of-things-for-you/ (now reverted)
- Ownership http://www2.meethue.com/en-us/privacy-policy/ > Your Rights
- Business model: "Sell lamps", plus "We may share personal data with service providers, business partners and other trusted affiliates of Philips Lighting, consistent with applicable law and Philips Privacy Rules."
Logitech Harmony Hub
- Security: https://opensource.logitech.com/opensource/index.php/Logitech_Harmony_Hubs (open source compliance)
Mycroft Voice Assistant
- Openness: https://github.com/MycroftAI, "The open answer to Amazon Echo and Google Home. Mycroft brings you the power of voice while maintaining privacy and data independence."
- Security: https://www.amazon.com/gp/help/customer/display.html?nodeId=201626480 (device open source compliance)
- Interoperability: https://developer.amazon.com/alexa-skills-kit (build custom skills), https://developer.amazon.com/alexa-voice-service (integrate other devices with backend)
- Security: https://www.amazon.com/gp/help/customer/display.html?nodeId=200203720 (open source compliance)
Eero WiFi System