This is a set of principles that we think an organisation—a connected product manufacturer, team or founder—would use to make a good, secure, ethical product that also takes into account the upcoming General Data Protection Regulation (GDPR). They also push beyond the GDPR to look at the entire life cycle of a smart device, from manufacture to final disposal.
The terminology is a bit technical; bear with us. We use MUST, SHOULD and MAY in the sense defined by RFC 2119, a technical writing standard. We use particular definitions of the terms device, gateway and backend.
These are the principles of the Open Internet of Things Mark as of March 9th 2018. This work by iotmark.org is licensed under Creative Commons BY-SA 4.0.
1. The device the organisation supplies MUST be GDPR compliant.
2. The organisation MUST NOT sell customer data without consent.
3. Their customer data MUST NOT be used for profiling, marketing or advertising
without transparent disclosure.
4. The organisation SHOULD allow third parties to connect clients to its backend.
5. The organisation MAY allow third parties to connect devices to its backend.
6. The organisation SHOULD grant third parties the same functional scope on the
backend as its own clients.
7. The organisation SHOULD allow third parties to communicate directly with its
devices without going through the backend.
8. The organisation MAY publish the device source code under an open source license.
9. The organisation MAY publish the device hardware designs under an open hardware license.
10. The organisation MAY publish the backend source code under an open source license.
11. The organisation SHOULD make it possible for customers to turn off the
connection to the backend; this might mean that functionality of the device is limited.
12. The organisation SHOULD NOT degrade or change the current core functionality of
the device over the product lifetime.
Permissions & Ownership
13. The organisation MUST give users the ability to transfer ownership of the device.
14. When ownership of the device is transferred, the new user MUST NOT have access
to previous user’s data.
15. The organisation SHOULD offer users the ability to export their data.
16. The organisation MUST make explicit to the user what the implications of
substantially changing usage of the device are.
17. The organisation MUST be explicit as to the expected duration of terms of service.
18. If the organisation wants to change the length of the term of service, it MUST
first ask permission from the customer.
19. The organisation MUST inform the user about firmware upgrades.
20. The organisation MUST provide at least a minimum level of cryptographic security and a secure configuration on its
backend.
21. The organisation’s backend MAY implement additional secure setup options.
22. The organisation SHOULD implement reliable and appropriate backend patching
procedures, and SHOULD be able to evidence them.
23. The organisation MUST enforce a strong user identity policy.
24. The device SHOULD use strong cryptographic schemes.
25. The device firmware MUST be compliant with industry security standards.
26. The organisation MUST have clear admin user management policies.
27. The organisation MUST offer the ability for a user to factory reset the device.
28. The organisation MUST be clear about the expected lifetime of the service
provided by the device and backend.
29. The organisation MUST be clear about the levels of customer support provided
during the lifetime of the product.
30. The organisation SHOULD document any parts that a customer can repair using
commonly accessible tools and skills.
31. The organisation SHOULD supply spare parts on request during the lifecycle of the product.
32. The organisation SHOULD be able to list the geographic regions involved in the
33. The organisation SHOULD be able to list at least the first level of suppliers
involved in their supply chain.
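Principles 13, 14, 15 and 27 together describe one behaviour a device must get right: a transfer of ownership starts the new owner from a wiped device, the previous owner's credential stops working, the previous owner can export their data first, and a factory reset is always available. The following Python model illustrates that behaviour. It is an added example and not iotmark.org code; the `Device` class, its methods and the sample temperature records are constructed for illustration, and the credential check (a hash comparison) stands in for whatever authentication a real product would use.

```python
"""Toy model of IoT Mark principles 13-15 and 27 (constructed example)."""
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional


class AccessDenied(Exception):
    """Raised when a client presents a credential the device does not accept."""


@dataclass
class Device:
    # Constructed device state: current owner, that owner's records, and the
    # hash of the credential that authorises the owner's client.
    owner: Optional[str] = None
    records: List[Dict] = field(default_factory=list)
    credential_hash: Optional[bytes] = None
    audit_log: List[str] = field(default_factory=list)

    def pair(self, owner: str) -> str:
        """Claim an unowned device; the credential is returned exactly once."""
        if self.owner is not None:
            raise AccessDenied("device already owned; transfer or factory reset first")
        token = secrets.token_hex(16)
        self.owner = owner
        self.credential_hash = hashlib.sha256(token.encode()).digest()
        self.audit_log.append(f"paired:{owner}")
        return token

    def _check(self, token: str) -> None:
        # Constant-time comparison against the stored hash; no hash means no owner.
        if self.credential_hash is None or not secrets.compare_digest(
                hashlib.sha256(token.encode()).digest(), self.credential_hash):
            raise AccessDenied("invalid credential")

    def record(self, token: str, sample: Dict) -> None:
        self._check(token)
        self.records.append(sample)

    def export(self, token: str) -> List[Dict]:
        """Principle 15: the current owner can take a copy of their data."""
        self._check(token)
        return list(self.records)

    def factory_reset(self) -> None:
        """Principle 27: a reset needs no credential and wipes owner, data and credential."""
        self.records.clear()
        self.owner = None
        self.credential_hash = None
        self.audit_log.append("factory_reset")

    def transfer(self, token: str, new_owner: str) -> str:
        """Principles 13 and 14: only the current owner may transfer, and the
        new owner receives a wiped device with a fresh credential."""
        self._check(token)
        previous = self.owner
        self.factory_reset()
        self.audit_log.append(f"transfer:{previous}->{new_owner}")
        return self.pair(new_owner)


def demo() -> Dict:
    """Walk one device through pairing, use, export and transfer."""
    dev = Device()
    alice = dev.pair("alice")
    dev.record(alice, {"t": 1, "temp_c": 21.5})   # constructed sample data
    dev.record(alice, {"t": 2, "temp_c": 22.0})
    exported = dev.export(alice)                   # Alice keeps her own copy first
    bob = dev.transfer(alice, "bob")
    result = {"exported": len(exported), "records_after": len(dev.records),
              "owner": dev.owner}
    try:
        dev.export(alice)                          # Alice's credential is now dead
        result["old_credential_rejected"] = False
    except AccessDenied:
        result["old_credential_rejected"] = True
    result["bob_sees"] = len(dev.export(bob))      # Bob sees none of Alice's data
    return result


if __name__ == "__main__":
    print(demo())
```

The point of the model is the ordering inside `transfer`: authenticate the current owner, wipe, then pair, so that there is no state in which the new owner's credential and the old owner's records coexist on the device.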
This is a work in progress and you may comment freely: join the conversation on Slack, sign up to our newsletter, or give us feedback in writing (alex at iot dot london) or on our monthly open calls.
Privacy: Mark Simpkins (@marksimpkins),
Interoperability: Andy Stanford-Clark (@andysc), Boris Adryan (@borisadryan), Peter Robinson (@nullr0ute), Bob van Luijt (@bobvanluijt), Thomas Amberg (@tamberg)
Openness: Thomas Amberg (@tamberg)
Data Governance: Dr. Alison Powell, Mark Simpkins (@marksimpkins), Selena Nemorin (@digiteracy)
Permissions & Ownership: Martin Dittus (@dekstop), Mark Simpkins (@marksimpkins), Selena Nemorin (@digiteracy)
Transparency: Pilgrim Beart (@pilgrimbeart)
Security: Mark Carney (@LargeCardinal), Graham Markall (@gmarkall), Jan-Peter Kleinhans (@JPKleinhans), Alasdair Allan (@aallan), Cédric Lévy-Bencheton (@clevybencheton)
Lifecycle: Alasdair Allan (@aallan), Chris Adams (@mrchrisadams), Adrian McEwen (@amcewen), Dries De Roeck (@driesderoeck), Matthew Macdonald-Wallace (@mbconsultinguk), Joanna Montgomery (@joannasaurusrex), Gavin Starks (@agentGav)
Current Version edit by: Alasdair Allan (@aallan), Anthony James Munns (@bitshiftmask), Albrecht Kurze (@AlbrechtKurze), Thomas Amberg (@tamberg), Chris Adams (@mrchrisadams), Alexandra Deschamps-Sonsino (@iotwatch)