Reflections on June 2017 IOTMark event

The IOTMark event on 16th June explored what open IOT might mean, and how a certification mark might enable more of it. It was good to come back to this topic 5 years after the OpenIOT Definition event, to review related work, to refresh the definition and to move towards a practical implementation. (It’s also very relevant for me, as I’m exploring trust and certification marks at Doteveryone, as part of our work to get more responsible digital technologies.)
First up, it was interesting to hear how the 2012 work had actually influenced IOT development and strategy since then. We’d collaboratively created a definition over the two days back then, but it was hard to see how the ideas might translate into practice, and it felt like momentum was lost after the event. Nonetheless, Bosch had taken the ideas of openness on board in their IOT strategy, which was great to see.
We talked about Woolmark. It’s a nice example of a registered mark but had the luxury of being created by a pre-existing funded industry body, and applying to a comparatively simple domain — wool products are straightforward to evaluate. Interestingly, the group behind Woolmark use advocacy and support woolmakers as an industry, as well as being a consumer protection brand.
Many things were discussed in the morning session — privacy and personal information, security and safety, ethics and inclusion. It was particularly good that we covered the idea of social or collective good, and side effects on those who do not directly buy or use IOT products, as well as individual protections for consumers. Another idea was that in some situations IOT should not be an option (for instance, in products which gather data for use in targeted marketing to sell things to children), and that there should be an opt-out.
Looking back, it might have been good to seek agreement on what values and ideas we were trying to cover in the mark first, as this would have helped shape priorities and the discussions later on. It might be worth reopening this with the broader community online now.
A related question here is — what sort of mark are we aiming for? A basic “this product is safe, reasonably secure and somewhat interoperable” mark? A premium “this is an ethical and thoughtful product, offering good security and privacy” mark, for which people might pay a higher price? The idea of a mark is to build trust with consumers, and to set a bar for what good IOT looks like, but we haven’t really talked about whether that bar is high or low. (Or whether that bar starts low, and gets higher as more IOT products and services meet the requirements, so that we can reasonably expect more from them.)
Different groups of people might be willing to pay for different features, too. I might be interested in buying a generally ethical product, with a sense of provenance and quality. A parent might pay more for a connected toy where they are sure their child’s privacy and data security will be respected. Might this suggest a modular system, perhaps more like “traffic light” labelling on foods, so you can get a sense of which particular aspects of a product are strong or lacking?
We also talked about quite a wide scope — consumer products mostly (but perhaps not exclusively — smart cities affect people but aren’t bought by them), and it wasn’t clear whether software-only services without physical products were included or not. Again, some shared understanding here would be good, to help the standards backing the mark develop. A few shared case studies of specific products/services/contexts might be useful as we develop the standard — such examples could be a useful frame for discussion and could help a diverse group explore issues more effectively. Despite these challenges, we made good progress on the day.
The IOT covers a wealth of things (ha!) — from apps and middleware and databases to devices, machines, networks. Even if we limit it for the case of this mark to consumer products, things regular folks buy and use, that’s still a lot of things, from hairbrushes to home thermostats, from cars to pacemakers. It is hard to see how a fixed set of standards and requirements could apply to all of these things, even if we allowed for many alternatives for different situations. So a hard standard, tested against specific requirements, seems unrealistic — even if we had more time than was possible in the afternoon drafting session.
So we’re proposing a loose set of requirements, which any product/service could declare compliance with, backed up by public documentation explaining how the product meets the standards in different ways. These requirements can be developed by working groups, building on the ideas shared at the event. This means the IOTmark can have a soft start, as companies see how it fits for them, and the requirements and governance can evolve to deliver consumer, sector and industry value.
The work continues in the community (newcomers welcome), and hopefully we’ll reconvene in a year (if not sooner, online) to further develop the IOTmark, creating better internet of things products and services for people today and tomorrow. Many thanks to Alex Deschamps-Sonsino and Usman Haque for making this event happen!