This is a set of principles that we think any connected product manufacturer, team or founder could use to make a responsible, secure, well-designed connected product.
These are the principles of the Open Internet of Things Mark as of June 13th 2018. This work by iotmark.org is licensed under Creative Commons BY-SA 4.0.
- Allow users to access their collected data, free of charge.
- Make clear to users how the collected data is used.
- Allow users to delete their collected data.
- Allow users to migrate their collected data to another backend.
- Allow users to easily opt out of direct marketing based on their collected data.
- Allow users to restrict the use of their collected data.
- Allow users to update their collected data.
- Allow users to stop automated decisions being made, if there are personal legal or significant consequences.
- Allow users to transfer ownership of the device.
- Ensure new users do not have access to the previous user's data after transferring ownership.
NICE TO HAVE
- Allow users to turn off the connection from the device to the backend.
- Make explicit the legal implications of substantially changing device usage.
- Make explicit the expected duration of the terms of service.
- Ask permission from users before changing the terms of service.
- Inform users about substantial firmware upgrades.
- Implement security in your business processes.
- Implement security by design for the connected product.
- Assess the risk of well-known IoT threats to the connected product.
NICE TO HAVE
- Implement security by default for the connected product.
- Allow users to factory reset the device.
- Be clear about the expected service lifetime of the connected product.
- Be clear about the levels of user support provided during the lifetime of the connected product.
NICE TO HAVE
- Do not degrade or change the core functionality of the connected product over its lifetime.
- Document any parts that a user can repair using common tools and skills.
- Supply spare parts on request during the lifecycle of the product.
NICE TO HAVE
- Allow third parties to connect clients to your backend.
- Grant third party clients the same functional scope on the backend as your own clients.
- Allow third parties to communicate directly with your devices, without going through the backend.
- Allow third parties to connect devices to your backend.
- Publish the device firmware source code under an open source license.
- Publish the device hardware designs under an open hardware license.
- Publish the backend source code under an open source license.
- Publish client source code under an open source license.
This is a work in progress and you may comment freely: join the conversation on Slack, sign up to our newsletter, give us feedback in writing (alex at iot dot london), or join our monthly open calls.
Contributors to this latest version:
Alexandra Deschamps-Sonsino (@iotwatch), Thomas Amberg (@tamberg), Chackshu Saharan (@Ignius_IoT), Laura James (@LaurieJ), Albrecht Kurze (@AlbrechtKurze), Victor Petersson (@vpetersson), Alasdair Allan (@aallan), Duncan Wilson (@djdunc), Dominique Guinard (@domguinard), Geusseppe Gonzalez (@GeuseppeGC), Dries De Roeck (@driesderoeck), Konrad Komorowski, Alison Powell (@a_b_powell), Mark Setrem (@ukmoose), Louise Hugen (@louisehugen), Funda Ustek-Splida (@fundaustek), Cédric Lévy-Bencheton (@clevybencheton)
Privacy: Mark Simpkins (@marksimpkins)
Interoperability: Andy Stanford-Clark (@andysc), Boris Adryan (@borisadryan), Peter Robinson (@nullr0ute), Bob van Luijt (@bobvanluijt), Thomas Amberg (@tamberg)
Openness: Thomas Amberg (@tamberg)
Data Governance: Dr. Alison Powell, Mark Simpkins (@marksimpkins), Selena Nemorin (@digiteracy)
Permissions & Ownership: Martin Dittus (@dekstop), Mark Simpkins (@marksimpkins), Selena Nemorin (@digiteracy)
Transparency: Pilgrim Beart (@pilgrimbeart)
Security: Mark Carney (@LargeCardinal), Graham Markall (@gmarkall), Jan-Peter Kleinhans (@JPKleinhans), Alasdair Allan (@aallan), Cédric Lévy-Bencheton (@clevybencheton)
Lifecycle: Alasdair Allan (@aallan), Chris Adams (@mrchrisadams), Adrian McEwen (@amcewen), Dries De Roeck (@driesderoeck), Matthew Macdonald-Wallace (@mbconsultinguk), Joanna Montgomery (@joannasaurusrex), Gavin Starks (@agentGav)
March 2018 version contributors: Alasdair Allan (@aallan), Anthony James Munns (@bitshiftmask), Albrecht Kurze (@AlbrechtKurze), Thomas Amberg (@tamberg), Chris Adams (@mrchrisadams), Alexandra Deschamps-Sonsino (@iotwatch)