This working group is dedicated to editing the ownership, permissions and entitlement section of the certification mark and as of June 16th 2017 on draft 0.1 reads as:
NB: The keywords “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “MAY”, and “OPTIONAL” are used as described in RFC 2119.
Principles – high level / recommendation
- Transparency: A provider of an IoT product or service must be transparent about the ownership of all layers of the product (hardware, software, service, data). Which party owns and has control over each aspect? What are the associated entitlements, responsibilities, and liabilities? This information must be provided in a “Crystal Marked” manner: presented so that it is easy to understand by a layperson.
- Auditability: As a consumer, I have the right to gain access to information about the use of my data from the IoT provider (e.g how the data is processed, insights generated from my data, like a personal audit) when this was not made transparent initially.
- Portability: As a consumer, I have the right to transfer ownership of hardware, to export my data, and to migrate service providers, within the boundary of my ownership agreement.
- Closure: As a consumer, I have the right to delete my data and metatada from the system.
Principles – Low level
- As a consumer, I can selectively withdraw permissions of use of my data (entitlements) temporarily or permanently. In response to this, as a manufacturer, I can selectively withdraw access to select services to consumers based on the entitlement level that a consumer provided
- As a consumer, I can have an entitlement to continue using the IoT product even after the provider goes bust or gets acquired. As a manufacturer/provider, I provide an escrow agreement to support continuation of use after provider goes bust or gets acquired
Authors on June 16th 2017 @ ZSL London Zoo Martin Dittus, @dekstop, Mark Simpkins @marksimpkins