Governance

This working group is dedicated to editing the governance section of the certification mark. As of June 16th, draft 0.1 reads as follows:

NB: The keywords “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “MAY”, and “OPTIONAL” are used as described in RFC 2119.

We recommend a soft start with a self-declared, flexible set of principles/definition for use of the mark, and a review point later that would allow for formalising in the future. This allows for emergence, learning, and broad adoption (rather than building top-down, but potentially ignored, institutions).

More detail & background in this document.

Soft start:

  • a website to showcase the mark, how it was made, what it means, and a list of products/services/organisations using it
  • a graphic mark (optionally registered as a trademark)
  • a group of advisors/coordinators (starting with the people in this group), who hang out on:
    • a mailing list or Slack
    • a soft, self-declared, modular and potentially multilevel standard, where those who wish to certify products notify us via a form, and have public docs available to justify their use of the mark and relevant levels/modules.
      • (We have a list of examples of what sort of things might be documented to justify the use of the mark, below.)
      • The more fields/categories are filled in, the higher the thing scores. TBD: is there going to be a qualitative analysis that’s translated into scores (example: 1 point for answering that there are best-practice security procedures in place; 15 points for detailed documentation; etc.)?
      • Could be gold/silver/bronze, or up to 10 stars, point rating, etc., to indicate degrees of compliance/quality
    • Members of the public can challenge use of marks (by reporting)
  • Governance during this phase is by “those who show up” in the online forum (IETF model), to allow for a broad intake of stakeholders

An attempt should be made to reach other stakeholders not in the room today to get input on our ideas, and anyone who is interested can join the advisor community.

We then review in, say, a year: see who is using the mark, how well the standard fits real products/services, and what the consumer value is, make refinements, and potentially formalise anything that looks formalisable. A meeting like today’s, in a year, could be informed by surveys of purchasers of certified items, surveys of companies who have tried to use the mark, etc. This allows us to iterate and be agile in response to consumer and tech-maker needs, and to experiment and learn.

More background

We discussed 3 models, and a variety of key functions that might need to be carried out and factors to think about. We evaluated pros and cons for each of the 3. We then looked at what might be plausible as steps forward from where we are today, considering the breadth of IoT and resourcing.

A formal registration of a mark would be a trademark plus associated bits to link the regulation to it, probably a total cost of £3k-£5k. If someone moved ahead and used the graphic mark without our registering it, we’d have to challenge it…

3 models explored in more detail:

A: A pledge

B: Self-declared with central policing org

C: Fully audited, backed by legal framework

Image: Pros and Cons of various models

Where we are and how we could move forward with implementation:

Image: A proposed organic approach, starting with a relatively low-barrier self-declaration of characteristics. This allows for a learning period that can formalise over time.

Things that might be documented as justification for use of the mark:

Image: Example characteristics to provide declaration/documentation about. Since the range of [even just] consumer IoT is extremely broad, the applicable categories and implementation depend on the context of each product/service.

The producer of any product or service MUST explain which categories apply and MUST provide appropriate documentation about the handling/implementation of these characteristics. They MUST provide their documentation in an easy-to-find and easy-to-access location online and SHOULD register their intent/link to their documentation on a central website or database, maintained by the Open IoT Certification org.

Authored on June 16th 2017 @ ZSL London Zoo by Laura James and Peter Bihr