Throughout 2015, the Online Trust Alliance (“OTA”) (a U.S.-based non-profit organization which originated in 2005 as an informal industry working group drawn largely from the technology and marketing communities) has been working on a so-called “Trust Framework” for the Internet of Things. An earlier post covered the release of the first discussion draft in August.

After a public comment period, the OTA issued a “last call” draft in October, and followed up with a “pre-release” draft on December 3, 2015.

Although this draft is described as “pre-release”, the OTA’s consultation process for the framework appears to be over now. The organization seems to be turning its attention to implementation and adoption.  It plans to develop a voluntary code of conduct and certification program, based on the framework.[1]

The new pre-release draft framework consists of 30 numbered elements (some of which seem to themselves consist of more than one obligation), which are classified as either “required” or “recommended”[2] for each of the scope categories of “connected home” and “wearable tech”.  The draft has been structured to allow a given specification to be required for connected home devices, but only recommended for wearable devices, or vice versa; but currently the classifications are identical.

The specifications have been re-ordered and grouped under headings of “Security”, “User Access & Credentials”, and “Privacy, Disclosures & Transparency”.

The pre-release draft is less prescriptive and generally somewhat weaker than the initial discussion draft. For example:

- Specific design-oriented requirements like the obligation to provide for individual user profiles or parental controls have been dropped;
- The obligation to conduct penetration testing now seems to apply only to support sites, and not to the devices themselves;[3]
- The requirement to adopt “best practices” for encryption has been loosened to “current generally accepted security standards”;[4] and
- The express obligation to provide mechanisms for transfers of ownership has been replaced with an obligation to disclose “if and how” device ownership may be transferred.[5]

However, some obligations have been strengthened. For example, the organization’s breach response and consumer notification plan must now be tested at least annually, rather than merely reviewed semi-annually.[6]  Also, a new obligation to “Ensure all IoT devices and associated software, have been subjected to a rigorous, standardized software development lifecycle process including unit, system, acceptance, regression testing and threat modeling” has been added.[7]  These are helpful additions which, if adopted, should tend to improve product quality and, ultimately, consumer confidence.

Furthermore, some of the “additional recommendations” of the discussion draft have become requirements. For example, the obligation to allow consumers to return products (potentially subject to retail exchange policies) after reviewing privacy terms is now mandatory, albeit with an added caveat that it only applies where the terms are not “conspicuously disclosed prior to purchase”.[8]

The lead-in to the new draft now also expressly clarifies that compliance with the framework does not mean compliance with applicable law.  As previously discussed, the framework is based on the same “Fair Information Practice Principles” that Canadian privacy law draws upon. The basic concepts are therefore similar and broadly compatible.  But the framework is intended as practical guidance, based on a rough consensus across different industry sectors and jurisdictions.  It is not a substitute for understanding the legal obligations that apply in particular markets.