Slashdot is powered by your submissions, so send in your scoop


Forgot your password?
Microsoft Privacy Security The Internet

Tech Firms, Retailers Propose Security and Privacy Rules For Internet of Things 57

chicksdaddy writes: As the Obama Administration and the rest of the federal bureaucracy hem and haw about whether and how to regulate the fast-growing Internet of Things, a group representing private sector firms has come out with a framework for ensuring privacy and security protections in IoT products that is lightyears ahead of anything under consideration inside the Beltway. The Online Trust Alliance — a group made up of such staunch civil liberties and privacy advocates as Target Stores (?), Microsoft and home security firm ADT — on Tuesday released a draft of its IoT Trust Framework (PDF), which offers voluntary best practices in security, privacy and what OTA calls "sustainability" (read "lifecycle management") for home automation, and wearable health/fitness technologies.
This discussion has been archived. No new comments can be posted.

Tech Firms, Retailers Propose Security and Privacy Rules For Internet of Things

Comments Filter:
  • Trust Indeed (Score:3, Insightful)

    by garbut ( 1990152 ) on Wednesday August 12, 2015 @07:54AM (#50299967)

    We will access, disclose and preserve personal data, including your content (such as the content of your emails, other private communications or files in private folders)...

  • by CaptBubba ( 696284 ) on Wednesday August 12, 2015 @08:02AM (#50299985)

    This is just an attempt to forestall real regulation in the area because they will have something to point to when someone proposes maybe keeping them accountable for real. What we need is a law with teeth that allows customers and the government to body slam any company which skims on protecting customer's data. Something along the lines of the type of penalties seen in copyright lawsuits I think. I mean surely the industry would never argue those are disproportionate...

    A customer data breach on the order of what happened at Target should rightly be a bankruptcy-level event.

    • by AmiMoJo ( 196126 )

      There is a lot of good stuff in there that a law could be based on. I'm actually quite surprised. The one thing it is lacking is a requirement to provide a human readable privacy policy.

      Ideally the government should design some icons, a bit like the Creative Commons ones, that quickly tell you how the company will treat your data. The full privacy policy would be made up of a few paragraphs, with the words standardized. No exceptions or additions allowed. That will both limit what companies can do and make

    • With PRISM compliant devices, there will always be a backdoor for the government to police your equipment for you citizen. You're in safe hands. No need to trouble you with such things from now on.

  • by rmdingler ( 1955220 ) on Wednesday August 12, 2015 @08:08AM (#50300001) Journal

    On the security front, the framework calls on manufacturers to employ end-to-end encryption, including device connections to mobile devices and applications and wireless communications to the cloud or other devices. Device makers should include features that force the retirement of default passwords after their first use and to configure multiple user roles with separate passwords for administrative and end-user access.

    Some good things are in the proposal.

    Beyond that, manufacturers must conspicuously disclose all personally identifiable data types and attributes collected. A health or fitness band would need to inform potential buyers that it harvests data such as their physical location and biometric data like heart rate, pulse, blood pressure and so on.

    That word, harvests, is becoming a maddeningly common place term to describe the taking of many different things that are not crops. It seems like a misleadingly benign way to describe taking private information, African animals, or human organs for transplant.

    • We don't mean to literally imply that consumers are crops; that would be silly. It's more of a metaphorical usage that captures our degree of respect for their moral personhood and preferred mode of economic relation with them. Please do not be alarmed, that would be a PR hassle.
    • Wait, why is someone who buys an electronic armband for the purpose of monitoring their heartrate and tracking their jogging route not already aware of the fact that it monitors their heartrate and tracks their jogging route?

      What's next, requiring car manufacturers to publicize the fact that the car might actually move you from one place to the next?

      • by Anonymous Coward

        Really? This needs explaining to you? (sigh)

        Ok. If I were stupid enough to waste money on such a thing, I know it tracks that data as part of its function. It is however unnecessary for it to share that data with the manufacturer and 'trusted partners' in order to perform that job, just as it is unnecessary for your car to keep a detailed log of where you've been in order to move you from point A to point B. These extra 'features' are what need disclosing and, at least if you're me, blocking.

    • The NSA will be very happy with this requirement:

      Manufacturers must provide secure recovery mechanisms for passwords.

  • by Anonymous Coward

    The Fox and Weasel Consortium has proposed standards for henhouse design and construction.

  • Lately, I have experience the greatest pain wasting enormous amounts of time flashing installing phones with different versions of Android, then different versions of Ubuntu touch. I also wasted time on small arm-based tv boxes and wanna-be-mini-pc-but-not arm-based boards. They all have something in common: kernel updates seem to require entire re-installs on their internal memory in order for them to behave as expected. THE BIGGEST PROBLEM is there are no consistent generic vanilla flavor kernels that

    • ARM is trying to crack down on that to some degree(mostly at the high end, in recent-design 64 bit devices designed to not be laughed out of the datacenter. Unfortunately, they decided that UEFI was clearly a good idea...

      As for the low end, the cost and minimal power budget are pretty attractive; but touching an ARM platform that lacks a robust community, a very competent BSP, or both, hurts. Sometimes a lot.
  • FFS, even the abhuman shitweasels over in 'behavioral advertising' have a ponderously longwinded, self-important, and oh-so-virtuous set of 'best practices' that they allegedly use to self-regulate.

    Between the fact that these 'IoT' vendors have incentives dangerously similar to advertising and surveillance peddlers; and a track record for software quality that would make vendors of cheap crap routers cry; what possible reason for optimism is there?
    • FFS, even the abhuman shitweasels over in 'behavioral advertising' have a ponderously longwinded, self-important, and oh-so-virtuous set of 'best practices' that they allegedly use to self-regulate.

      Pretty much this. There is no privacy on the internetz, and the Internet of thingz will be just too lucrative of a exploitation harvest source that there is absolutely no way in hell it won't be squeezed for every cent.

      Regardless what the shitweasels and guvmint say, they'll all know how much preparation H and Qwell and Vagisil is in your medicine cabinet, and if you have Jeno's Pizza rolls in the freezer. And they will all have some rationale for need to know that stuff. Hopefully there will be adblock

      • There is also the aspect, which really doesn't help, that 'internet of things' isn't really 'internet of things' unless the things talk to one another in some useful way.

        There are more and less invasive implementations of this, of course; but if your internet of things isn't internetworking for some useful end, what's the point? Once you've done that, unless you are extremely elegant and careful(or it's a 100% in-house network), you've got something that a reasonably sophisticated attacker can draw all k
  • 1 - a sticker that states, "will not work at all without internet" Home alarm systems that fail when the internet is out needs to have a huge red sticker warning customers away from them as a very very crap design.

    I have been through several of these IOT security systems. So far the all are 100% crap if internet is down, you dont even get the siren going off.

    • It's a basic design issue of the it's in the cloud man. To many of these IoT either connect directly to wifi and call home or the bridge box does the same. Vera has it about right the logic is all local with the cloud doing the glue of getting mobile apps etc to work.

      Really the IoT needs a two tier design a local controller that is fully functional and reasonably secure devices. That local controller should be expected to be updated and upgraded on a regular basis the devices themselves should not expect

      • The devices themselves certainly need the ability to receive new firmware as well. Despite testing, these things can fail in odd little ways, and while I'd expect a manufacturer to replace devices with buggy firmware, I'd much prefer a firmware update to avoid the hassle of dropping a device from the net (and all scenes it was associated with as well), returning it, waiting for the replacement, and reinstalling it. Danfoss needed 4 iterations to finally get the firmware in their TRV right.

        Z-wave suppor
        • The zwave model for zwave updates works as in the smart controller updating simpler IoT devices. Something better than aes128 will be welcome for zwave. It's the direct to wifi call home stuff, hell every network connected printer nowadays tries to connect to the mothership.

  • ...actually securing transactions and the databases that house this information. Nobody gives a flying fuck about home automation, consumer health and fitness wearables, which is what this article is talking about. The problem Target faced was their transaction database was hacked. It wasn't about some lame internet consumer device.
  • by FreeUser ( 11483 ) on Wednesday August 12, 2015 @09:48AM (#50300631)

    I have no interest in having a single device in my house, other than my TV, my PC, my laptop, my phone and my tablet, on the internet.

    See? I already have half a dozen devices on the net, that cover all of my use cases and probably already represent a security hazard to my privacy despite my best efforts.

    I don't need or want a Nest(tm) on the net that some hacker can use to turn off the heat and freeze my pipes while I'm away. The programmable thermostat I have already, with no network, is enough to set up reasonable settings for intra-day, overnight, vacation, etc. and it is secure by design. Ditto for my oven, my stove, my refrigerator, my lights, and every other fucking thing in my house.

    Pretty soon a baby rattle will be networked and hackable, which will make it a surveillance, and therefor governance, device. Just the kind of world no one with an ounce of sense wants to live in.

    So to those wanting to make the "Internet of Things", I would just like to say: I don't trust your security as far as I can throw it, and I won't be buying any of the malware-ridden, passively surveillant, buggy, vulnerable, finichky, and above all privacy-invading shit your selling. Move on to the next Rube, and may you meet an early and unpleasant demise.

  • Open Source and No Tivoization

    It doesn't have to be Free Software, though that would be good. But if you buy any IoT devices without at minimum OSS and the ability to actually use the code, you're part of the problem

  • A good portion of the talks at Def Con were about hacking IoT devices. In some cases, it was as easy as accessing an open wifi access point on the device. Quite a number of devices were running telnet.

    If you don't know what 'running telnet' means, it means "don't trust the IoT."
  • Here,s mine, short and to the point. Free opt-out, Paid for opt-in. Why are we allowing business to tell us what we can and cant do and tell us its their data when its not? Want my data pay me for it when i PAY for a product.
  • Some good stuff in there, and at the very least it's a starting point for manufacturers that actually care about consumer privacy and trust. Whether any such manufacturers exist is still an open question...

    The only way this is going to turn into something consumers can use is if the Online Trust Alliance sets up a certification program. Certification would involve demonstrating that care has been taken to meet each of the points in the framework, and a passing grade gets you the right to paste a shiny "OT

  • These systems have to be voluntary, policed by people in the industry/white hats, and highly adaptive.

    Make it a government regulation and what is and is not security will be something lobbyists decide. Fuck that.

The last thing one knows in constructing a work is what to put first. -- Blaise Pascal