Slashdot Mirror


Tech Firms, Retailers Propose Security and Privacy Rules For Internet of Things

chicksdaddy writes: As the Obama Administration and the rest of the federal bureaucracy hem and haw about whether and how to regulate the fast-growing Internet of Things, a group representing private sector firms has come out with a framework for ensuring privacy and security protections in IoT products that is light-years ahead of anything under consideration inside the Beltway. The Online Trust Alliance — a group made up of such staunch civil liberties and privacy advocates as Target Stores (?), Microsoft and home security firm ADT — on Tuesday released a draft of its IoT Trust Framework (PDF), which offers voluntary best practices in security, privacy and what OTA calls "sustainability" (read "lifecycle management") for home automation and wearable health/fitness technologies.

4 of 57 comments

  1. Trust Indeed by garbut · · Score: 3, Insightful
    Microsoft:

    We will access, disclose and preserve personal data, including your content (such as the content of your emails, other private communications or files in private folders)...

    --
    Oh, should I have sugar-coated that?
  2. "voluntary best practices" mean nothing by CaptBubba · · Score: 4, Insightful

    This is just an attempt to forestall real regulation in the area because they will have something to point to when someone proposes maybe keeping them accountable for real. What we need is a law with teeth that allows customers and the government to body slam any company which skimps on protecting customers' data. Something along the lines of the type of penalties seen in copyright lawsuits I think. I mean surely the industry would never argue those are disproportionate...

    A customer data breach on the order of what happened at Target should rightly be a bankruptcy-level event.

  3. Interesting by rmdingler · · Score: 2

    On the security front, the framework calls on manufacturers to employ end-to-end encryption, including device connections to mobile devices and applications and wireless communications to the cloud or other devices. Device makers should include features that force the retirement of default passwords after their first use and to configure multiple user roles with separate passwords for administrative and end-user access.

    Some good things are in the proposal.

    Beyond that, manufacturers must conspicuously disclose all personally identifiable data types and attributes collected. A health or fitness band would need to inform potential buyers that it harvests data such as their physical location and biometric data like heart rate, pulse, blood pressure and so on.

    That word, harvests, is becoming a maddeningly commonplace term to describe the taking of many different things that are not crops. It seems like a misleadingly benign way to describe taking private information, African animals, or human organs for transplant.

    --
    Happiness in intelligent people is the rarest thing I know.

    Ernest Hemingway

  4. Internet of Things = Shit I Won't Buy by FreeUser · · Score: 3, Insightful

    I have no interest in having a single device in my house, other than my TV, my PC, my laptop, my phone and my tablet, on the internet.

    See? I already have half a dozen devices on the net, that cover all of my use cases and probably already represent a security hazard to my privacy despite my best efforts.

    I don't need or want a Nest(tm) on the net that some hacker can use to turn off the heat and freeze my pipes while I'm away. The programmable thermostat I have already, with no network, is enough to set up reasonable settings for intra-day, overnight, vacation, etc. and it is secure by design. Ditto for my oven, my stove, my refrigerator, my lights, and every other fucking thing in my house.

    Pretty soon a baby rattle will be networked and hackable, which will make it a surveillance, and therefore governance, device. Just the kind of world no one with an ounce of sense wants to live in.

    So to those wanting to make the "Internet of Things", I would just like to say: I don't trust your security as far as I can throw it, and I won't be buying any of the malware-ridden, passively surveillant, buggy, vulnerable, finicky, and above all privacy-invading shit you're selling. Move on to the next Rube, and may you meet an early and unpleasant demise.

    --
    The Future of Human Evolution: Autonomy