Please note: This is cross-posted from the trustabletech.org blog.
We're in the final stages of launching the Trustable Technology Mark, ThingsCon's trustmark for IoT. Today I wanted to share some updates on where we stand, some of the decisions that led us here, and what's going to happen next.
But first things first: Special thanks to the ThingsCon community for the priceless input, to Mozilla Foundation for their support in the form of a Mozilla fellowship, to collaborators Jason Schultz (NYU Law) for his fantastic support by taking the legal lead in this endeavor, as well as to Peter Thomas (University of Dundee) for the excellent branding work.
The Trustable Technology Mark is not a so-called baseline certification - it doesn't apply to all products and just weed out the really bad stuff, but rather aims to celebrate and highlight the really good stuff instead.
We consider the Trustable Technology Mark a badge of honor for those companies and their products that put users' rights and privacy first, and that go the extra mile to build responsible connected devices. In a field full of sketchy, insecure, and data hungry products, a hard-earned Trustmark is a unique selling point that raises these companies' profiles and allows consumers to make more informed choices when they vote with their feet (or rather, their money). Until now, there were not many external incentives to do the right thing. We hope to start a race to the top.
What is, and isn't, the Trustable Technology Mark?
The Trustmark is not a market surveillance mechanism that checks compliance with existing standards (the standards we needed for this do not yet exist at the level we need them). Instead, it serves to highlight the work of the companies that build outstandingly well-made products, where "well-made" equals respectful of privacy and user rights, committed to transparency, with excellent security standards. It's essentially a recognition of a company's particularly strong commitment to responsible technology and transparency.
We chose a fairly holistic approach that touches on every level from product features to design processes and business models to legal commitments to guarantee certain user rights.
The process is built on a strong commitment to transparency. Concretely, it is modeled around information provided by the companies themselves in an extensive questionnaire that is then reviewed by a pool of experts from the ThingsCon network. Conversely, we do not independently assess the technology. This is an exercise in transparency, not a third party technology assessment.
Some notes on the process
The issues we look at are often not black or white but full of nuance. IoT is a field full of edge cases, as is privacy; combine both for the Trustmark and you get an idea of the complexity involved. Yet, in our testing we found that the review process is robust enough that even if there's some info missing or not 100% complete, cracks and gaps in the narrative that we receive from the companies become obvious quickly, and allow us to follow up and ask for clarification.
The process itself is as follows:
- Company fills out the Trustable Technology Mark application & assessment form.
- Our experts review the answers and follow up for clarification if necessary.
- If the follow up doesn't solve the issues, the Trustmark is not issued.
- If the follow up solves the issues (i.e. the company provides missing information or changes something based on our feedback) then the Trustmark is issued.
- The content of the assessment form is published on trustabletech.org, along with a unique ID for the assessed product that the company can use in their communications.
- Should there be a complaint that casts reasonable doubt on the Trustmark status of a product that currently carries the Trustmark, we'll follow up with the company to clarify and update the results accordingly, and go back to the question: is this product allowed to use the Trustmark [Y/N]?
Where are we today?
So where do we stand now, in late November 2018?
We're in the final stages of preparing for the launch in December at ThingsCon Rotterdam (6-7 Dec). We consider it a soft launch, a beta, so to speak. Once public, there will be things to amend, to fix, to adjust: This is a living, breathing project.
Concretely this means:
- We froze the assessment form and set up the final version on ThingsCon's account as a Google Form. (Note: We're planning to move to a custom-built, non-Google hosted form as soon as possible. However, for purely pragmatic reasons this is what we'll start with while we're still gathering more feedback and learnings.)
- We're setting up partnerships with academic and policy partners who are interested in weaving the Trustmark into their teaching and research.
- We are identifying products that could pass the Trustable Technology Mark assessment. We expect there to be a small number initially, and that this number will grow dramatically over the next couple of years. After all, we intentionally set a very high bar in order to shape the market from the top to bottom rather than establishing a baseline measurement. We want the best to shape the field, not the ones that are not-the-worst.
As part of that market shaping effort we identified that there is an essential educational aspect to our mission, and this is fully aligned with ThingsCon's overall mission: Even the companies that want to do the right thing can't always cover all the bases. So we aim to build a library of best practices and state of the art practices along the way so that if one company tries to work something out we could point them to others that have overcome a similar challenge, or maybe even get them in touch directly.
So that's where we are today. See you at the launch next week!