This post is a short riff on the recently issued Online Trust Alliance’s IoT Framework that sets out thirty guidelines related mostly to sustainability, security and privacy surrounding connected devices. Though these are “just” guidelines, we expect most leading IoT device manufacturers will be influenced by them.
Guideline No. 3 immediately stood out to the China lawyers in my law firm, because it bears directly on many of the problems we see with IoT clients that use third-party Chinese manufacturers to make their connected devices:
Establish and maintain processes and systems to receive, track and promptly respond to external vulnerability reports from third parties including the research community. Remediate post product release design vulnerabilities and threats in a publicly responsible manner either through remote updates and/or through actionable consumer notifications, or other effective mechanism(s).
Our China attorneys are often called in only after there is already a binding contract between the foreign IoT company and its more experienced Chinese manufacturer, and that contract contains no privacy safeguards binding the Chinese manufacturer. We then point out to our new client the problems it may face if it is later discovered that the Chinese manufacturer is tracking the customers of the connected device, while the foreign IoT company has nothing in writing showing that it ever even cared about such a thing. The same gap matters for the vulnerability handling that Guideline No. 3 describes: when the manufacturer controls the firmware and the remote update channel, the contract should say who receives vulnerability reports and who is obliged to ship the fix.
I would urge everyone involved in IoT, or really in any kind of tech, to read this new Framework, for the simple reason that it serves as an excellent checklist of the issues you should be aware of.
Along these same lines, I urge you to check out the following: