Donate
Do You Want Privacy With That? Thumbnail
‹ Back
Privacy 12 February 2019

Do You Want Privacy With That?

Megan Kruse
By Megan KruseBusiness Director, Online Trust Alliance

You may have heard about CloudPets being pulled off shelves for recording kids’ voices and that data being leaked, or the EU recalling kids’ smart watches for giving away children’s location in real time. If you’re shopping for any sort of Internet-connected device, you should be worried about your privacy and investigating how much data your new gadget is collecting. That’s why we’ve joined Mozilla in calling on big retailers in the US like Target, Walmart, Best Buy, and Amazon to publicly endorse and apply our minimum security and privacy guidelines and stop selling insecure connected devices.

From the letter: “Given the value and trust that consumers place in your company, you have a uniquely important role in addressing this problem and helping to build a more secure, connected future. Consumers can and should be confident that, when they buy a device from you, that device will not compromise their privacy and security. Signing on to these minimum guidelines is the first step to turn the tide, and build trust in this space.”

In total, the letter is co-signed by 11 organizations: Mozilla, Internet Society, Consumers International, ColorOfChange, Open Media & Information Companies Initiative, Common Sense Media, Story of Stuff, Center for Democracy and Technology, Consumer Federation of America, 18 Million Rising, Hollaback

5 Minimum Security Standards for IoT Devices

Encrypted communications
The product must use encryption for all of its network communications functions and capabilities. This ensures that all communications are not eavesdropped or modified in transit.

Security updates
The product must support automatic updates for a reasonable period after sale, and be enabled by default. This ensures that when a vulnerability is known, the vendor can make security updates available for consumers, which are verified (using some form of cryptography) and then installed seamlessly. Updates must not make the product unavailable for an extended period.

Strong passwords
If the product uses passwords for remote authentication, it must require that strong passwords are used, including having password strength requirements. Any non unique default passwords must also be reset as part of the device’s initial setup. This helps protect the device from vulnerability to guessable password attacks, which could result in device compromise.

Vulnerability management
The vendor must have a system in place to manage vulnerabilities in the product. This must also include a point of contact for reporting vulnerabilities or an equivalent bug bounty program. This ensures that vendors are actively managing vulnerabilities throughout the product’s lifecycle.

Privacy Practices
The product must have a privacy policy that is easily accessible, written in language that is easily understood and appropriate for the person using the device or service. Users should at minimum be notified about substantive changes to the policy. If data is being collected, transmitted or shared for marketing purposes, that should be clear to users and, as in line with the EU’s General Data Protection Regulation (GDPR), there should be a way to opt-out of such practices. Users should also have a way to delete their data and account. Also in line with GDPR, this should include a policy setting standard retention periods wherever possible.

These five are a subset of our IoT Trust Framework, a more comprehensive set of principles manufacturers, resellers, and policymakers can use to help secure IoT devices and their data.

We hope that this letter opens the discussion with large retailers so that we can work together to increase consumer confidence that the devices they bring into their lives will not do them harm. We’re committed to helping improve the safety and trustworthiness of all types of IoT products.

Here’s What You Can Do Today

  • Check out our #GetIoTSmart page for consumer and enterprise IoT safety checklists and to keep up to date on our latest IoT activity for news and tips
  • Reach out to your favorite retailer to (1) share our tips and advice, (2) express your thoughts on privacy and security, and (3) ask them to commit to endorsing minimum security standards in the products they sell. — Tell them to #GetIoTSmart!
‹ Back

Disclaimer: Viewpoints expressed in this post are those of the author and may or may not reflect official Internet Society positions.

Related articles

Privacy First for Security Companies
Privacy First for Security Companies
Privacy15 April 2019

Privacy First for Security Companies

Privacy has become a major issue around the world. Hopeful presidential candidates, such as Elizabeth Warren, have proposed privacy legislation...

Consumer Electronics Show: Everything's Connected, But What About Security and Privacy?
Consumer Electronics Show: Everything's Connected, But What About Security and Privacy?
Internet of Things (IoT)18 January 2019

Consumer Electronics Show: Everything’s Connected, But What About Security and Privacy?

We spent last week at the Consumer Electronics Show (aka CES) in Las Vegas, with over 180,000 of our closest...

Consumers International Summit: Making IoT Privacy and Security a Priority
Consumers International Summit: Making IoT Privacy and Security a Priority
Internet of Things (IoT)26 April 2019

Consumers International Summit: Making IoT Privacy and Security a Priority

Each day, more and more of us buy products that connect to the Internet, such as personal assistants, fitness monitors,...

Join the conversation with Internet Society members around the world