Tech Firms, Retailers Propose Security and Privacy Rules For Internet of Things 57
chicksdaddy writes: As the Obama Administration and the rest of the federal bureaucracy hem and haw about whether and how to regulate the fast-growing Internet of Things, a group representing private sector firms has come out with a framework for ensuring privacy and security protections in IoT products that is lightyears ahead of anything under consideration inside the Beltway. The Online Trust Alliance — a group made up of such staunch civil liberties and privacy advocates as Target Stores (?), Microsoft and home security firm ADT — on Tuesday released a draft of its IoT Trust Framework (PDF), which offers voluntary best practices in security, privacy and what OTA calls "sustainability" (read "lifecycle management") for home automation, and wearable health/fitness technologies.
Trust Indeed (Score:3, Insightful)
We will access, disclose and preserve personal data, including your content (such as the content of your emails, other private communications or files in private folders)...
Re: (Score:2)
Yeah. It can't fuck with people who don't buy shiny eavesdropping devices. 1950's tech FTW as always! At least things from back then still work fine now.
Boycotting stuff doesn't work when your friends and other nearby people have shiny things that are recording the ambient audio etc.
Boycotting stuff also gets harder when there are no cars on sale (in reasonable price range) which don't include such devices. And it gets harder again when houses go that way.
Re: (Score:2)
Boycotting stuff doesn't work when your friends and other nearby people have shiny things that are recording the ambient audio etc.
Neither do privacy policies and terms following someone's preferred standards that are only agreed between the supplier and the immediate user. That's why, though these discussions are welcome, protecting privacy needs real laws with real teeth to be effective.
Boycotting stuff also gets harder when there are no cars on sale (in reasonable price range) which don't include such devices. And it gets harder again when houses go that way.
Precisely. If insurance companies are willing to pay a lot of hard cash for information from spyware-enabled vehicles, there is a big commercial incentive for every manufacturer of vehicles to go down that path. Since motor insurance is legally requir
Re: (Score:2)
Optimist. Remember, _not_ buying stuff is also interstate commerce (the core of wickard vs filburn [wikipedia.org]).
"voluntary best practices" mean nothing (Score:5, Insightful)
This is just an attempt to forestall real regulation in the area because they will have something to point to when someone proposes maybe keeping them accountable for real. What we need is a law with teeth that allows customers and the government to body slam any company which skims on protecting customer's data. Something along the lines of the type of penalties seen in copyright lawsuits I think. I mean surely the industry would never argue those are disproportionate...
A customer data breach on the order of what happened at Target should rightly be a bankruptcy-level event.
Re: (Score:1)
OMG, SB totally has to start selling that.
Re: (Score:2)
There is a lot of good stuff in there that a law could be based on. I'm actually quite surprised. The one thing it is lacking is a requirement to provide a human readable privacy policy.
Ideally the government should design some icons, a bit like the Creative Commons ones, that quickly tell you how the company will treat your data. The full privacy policy would be made up of a few paragraphs, with the words standardized. No exceptions or additions allowed. That will both limit what companies can do and make
Re: (Score:2)
Interesting (Score:3)
On the security front, the framework calls on manufacturers to employ end-to-end encryption, including device connections to mobile devices and applications and wireless communications to the cloud or other devices. Device makers should include features that force the retirement of default passwords after their first use and to configure multiple user roles with separate passwords for administrative and end-user access.
Some good things are in the proposal.
Beyond that, manufacturers must conspicuously disclose all personally identifiable data types and attributes collected. A health or fitness band would need to inform potential buyers that it harvests data such as their physical location and biometric data like heart rate, pulse, blood pressure and so on.
That word, harvests, is becoming a maddeningly common place term to describe the taking of many different things that are not crops. It seems like a misleadingly benign way to describe taking private information, African animals, or human organs for transplant.
Re: (Score:2)
Re: (Score:2)
Wait, why is someone who buys an electronic armband for the purpose of monitoring their heartrate and tracking their jogging route not already aware of the fact that it monitors their heartrate and tracks their jogging route?
What's next, requiring car manufacturers to publicize the fact that the car might actually move you from one place to the next?
Re: Interesting (Score:1)
Really? This needs explaining to you? (sigh)
Ok. If I were stupid enough to waste money on such a thing, I know it tracks that data as part of its function. It is however unnecessary for it to share that data with the manufacturer and 'trusted partners' in order to perform that job, just as it is unnecessary for your car to keep a detailed log of where you've been in order to move you from point A to point B. These extra 'features' are what need disclosing and, at least if you're me, blocking.
Re: (Score:1)
That is not a bad presumption to make. I sort of assume it will and thus wipe all new computers immediately and before connecting them.
Re: (Score:2)
Good luck with that [slashdot.org]
Re: (Score:1)
To be fair, I usually install Linux.
Re: (Score:2)
Manufacturers must provide secure recovery mechanisms for passwords.
in other news (Score:1)
The Fox and Weasel Consortium has proposed standards for henhouse design and construction.
Re: (Score:2)
Re: (Score:2)
As for the low end, the cost and minimal power budget are pretty attractive; but touching an ARM platform that lacks a robust community, a very competent BSP, or both, hurts. Sometimes a lot.
Oh, this should be good... (Score:2)
Between the fact that these 'IoT' vendors have incentives dangerously similar to advertising and surveillance peddlers; and a track record for software quality that would make vendors of cheap crap routers cry; what possible reason for optimism is there?
Re: (Score:2)
FFS, even the abhuman shitweasels over in 'behavioral advertising' have a ponderously longwinded, self-important, and oh-so-virtuous set of 'best practices' that they allegedly use to self-regulate.
Pretty much this. There is no privacy on the internetz, and the Internet of thingz will be just too lucrative of a exploitation harvest source that there is absolutely no way in hell it won't be squeezed for every cent.
Regardless what the shitweasels and guvmint say, they'll all know how much preparation H and Qwell and Vagisil is in your medicine cabinet, and if you have Jeno's Pizza rolls in the freezer. And they will all have some rationale for need to know that stuff. Hopefully there will be adblock
Re: (Score:2)
There are more and less invasive implementations of this, of course; but if your internet of things isn't internetworking for some useful end, what's the point? Once you've done that, unless you are extremely elegant and careful(or it's a 100% in-house network), you've got something that a reasonably sophisticated attacker can draw all k
Needs two important indicators. (Score:2)
1 - a sticker that states, "will not work at all without internet" Home alarm systems that fail when the internet is out needs to have a huge red sticker warning customers away from them as a very very crap design.
I have been through several of these IOT security systems. So far the all are 100% crap if internet is down, you dont even get the siren going off.
I'm turning blue on the edge of my seat (Score:1)
Yeh, c'mon Lumpy, don't leave us hangin! Some of us have work to get back to!
Re: (Score:2)
It's a basic design issue of the it's in the cloud man. To many of these IoT either connect directly to wifi and call home or the bridge box does the same. Vera has it about right the logic is all local with the cloud doing the glue of getting mobile apps etc to work.
Really the IoT needs a two tier design a local controller that is fully functional and reasonably secure devices. That local controller should be expected to be updated and upgraded on a regular basis the devices themselves should not expect
Re: (Score:2)
Z-wave suppor
Re: (Score:2)
The zwave model for zwave updates works as in the smart controller updating simpler IoT devices. Something better than aes128 will be welcome for zwave. It's the direct to wifi call home stuff, hell every network connected printer nowadays tries to connect to the mothership.
How about.... (Score:2)
Internet of Things = Shit I Won't Buy (Score:4, Insightful)
I have no interest in having a single device in my house, other than my TV, my PC, my laptop, my phone and my tablet, on the internet.
See? I already have half a dozen devices on the net, that cover all of my use cases and probably already represent a security hazard to my privacy despite my best efforts.
I don't need or want a Nest(tm) on the net that some hacker can use to turn off the heat and freeze my pipes while I'm away. The programmable thermostat I have already, with no network, is enough to set up reasonable settings for intra-day, overnight, vacation, etc. and it is secure by design. Ditto for my oven, my stove, my refrigerator, my lights, and every other fucking thing in my house.
Pretty soon a baby rattle will be networked and hackable, which will make it a surveillance, and therefor governance, device. Just the kind of world no one with an ounce of sense wants to live in.
So to those wanting to make the "Internet of Things", I would just like to say: I don't trust your security as far as I can throw it, and I won't be buying any of the malware-ridden, passively surveillant, buggy, vulnerable, finichky, and above all privacy-invading shit your selling. Move on to the next Rube, and may you meet an early and unpleasant demise.
Two Simple Rules (Score:2)
Open Source and No Tivoization
It doesn't have to be Free Software, though that would be good. But if you buy any IoT devices without at minimum OSS and the ability to actually use the code, you're part of the problem
Def Con (Score:2)
If you don't know what 'running telnet' means, it means "don't trust the IoT."
Heres mine short and to the point (Score:2)
Certifiable (Score:2)
Some good stuff in there, and at the very least it's a starting point for manufacturers that actually care about consumer privacy and trust. Whether any such manufacturers exist is still an open question...
The only way this is going to turn into something consumers can use is if the Online Trust Alliance sets up a certification program. Certification would involve demonstrating that care has been taken to meet each of the points in the framework, and a passing grade gets you the right to paste a shiny "OT
About time (Score:2)
These systems have to be voluntary, policed by people in the industry/white hats, and highly adaptive.
Make it a government regulation and what is and is not security will be something lobbyists decide. Fuck that.