No one individual company or government entity alone will be able to secure the potential security threats that internet of things (IoT) connected devices represent, according to the Online Trust Alliance (OTA). Rather, the OTA suggests in a new report that IoT security is a collaborative and shared responsibility.
The OTA report draws a comparison with global warming and connected device security. With global warming, no one individual or government alone can act to improve the entire situation, rather there is a need for shared responsibility and collaboration across multiple stakeholders around the world.
With the global warming crisis, there is a growing trend around the world for different types of 'carbon taxes' as a way to offset the costs of helping to improve the environment. However, there currently isn't any such item in IoT security.
"In certain cities if you do not recycle you are charged more for your garbage," OTA President and Executive Director, Craig Spiezle, told eWEEK. "If you spam someone your email might get blocked, but with IoT devices the user does not bear any responsibility for a device which might be impacting others."
The OTA report recommends that multiple groups, including retailers, developers, car dealers, internet service providers, policy makers and consumers all have active roles to play to promote and protect IoT device security and privacy.
In particular, the OTA suggests that retailers can choose to only sell products that take user privacy and security into account, much the same way that some retailers have chosen not to sell products that use materials from unsustainable forests. Spiezle even sees profit potential for retailers in embracing more secure IoT devices.
"Devices which are more secure might add to the bottom line of reduced returns and better online reviews," Spiezle said.
In terms of how retailers and other groups could determine the relative privacy and security of IoT devices, there are several different things that can be done. The OTA has an approach called the IoT Trust Framework that was updated on Jan. 5, providing guidance on how to develop secure IoT devices and assess risk. Spiezle said that retailers could make use of the IoT Trust Framework and have their vendors self-assert (via a legal signatory) their adoption and adherence to principles.
Consumer Reports recently announced that it will be taking security into account as part of its review process. Spiezle noted that Consumer Reports has had discussions with the OTA and they also provided input into the IoT Trust Framework.
"Anything that increases consumer awareness and demand for more secure devices and respect for privacy, is a good thing," Spiezle said.
Spiezle doesn't see the IoT Trust Framework as being something that can or should be legally enforced. However, he noted that it could become a so-called 'safe harbor' from regulatory action and class action suits if one can show they have adopted commercially reasonable best practices.
Ultimately, consumers have a great deal of power in helping to improve IoT security. The OTA recommends that consumers can and should keep devices fully patched and updated. Additionally, the OTA suggests that consumers review device vendors security and privacy policies before buying any new technology. If the policies aren't there or aren't adequate, the OTA advocates for consumers to simply look at another device or vendor.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.