ThingsCon: Trustable Tech Mark (10 Oct 2018)
1. Trustable Technology Mark
A trustmark for the Internet of Things
10 October 2018
Peter Bihr (@peterbihr)
This work is created as part of a
Mozilla Fellowship. Unless otherwise
noted, Creative Commons BY-SA 4.0.
trustabletech.org is an
initiative by ThingsCon e.V.
with support from Mozilla.
2. The Trustable Technology mark
empowers consumers to make
informed decisions &
enables companies to prove their
connected products are trustworthy.
3. Peter Bihr
ThingsCon
Mozilla Fellow
Project lead
thingscon.com
thewavingcat.com
@peterbihr
Jason Schultz
NYU Law
Mozilla Fellow
Legal
theendofownership.com
its.law.nyu.edu
@lawgeek
Peter Thomas
University of Dundee
Logo & Brand
tompigeon.com
dundee.ac.uk/djcad
4. The Internet of Things increasingly touches
all aspects of our lives, but mostly it consists
of black boxes. We need to make sure that
we can trust them.
Consumers have little insight into how any
one connected product works, what it even
might be capable of, or if the company
employs good, responsible data practices.
This is not an oversight on the consumers'
side: We lack the tools to find out.
Why do we need
a trustmark?
Amazon Echo.
Image: Frmorrison, CC (BY-SA 3.0)
5. 4 questions that we should be able to answer
for every connected device.
But for connected products, these are very
hard questions to answer.
A simple
litmus test
Source: The Waving Cat (CC BY)
Does it do anything I
wouldn’t expect?
Is the organization
trustworthy?
Is it made using
trustworthy processes?
Does it do what I expect
it to do?
6. The trustmark is aspirational and aims to
raise the bar at the top of the pyramid.
This work is driven by values, not
pragmatism. This needs to exist in order to
get to a better IoT, and a better society.
We believe that good ethics are good for
business.
Our Goal
A trustmark to aim higher. -
find out more on medium.com
Trustable Tech mark
Baseline certification
Great
Good
Bad
7. Those companies who already build
trustworthy products have already done the
“hard” work. For them, documenting their
work is easy and quick.
However, if a company just isn’t there yet,
they need to go back and put in more effort.
Characteristics
The trustmark should be
Hard to earn
Valuable/Meaningful
Easy to apply
Peter Bihr (CC-BY-SA)
8. A trustmark
for IoT
Building consumer trust in the
Internet of Things by empowering
users to make smarter choices.
A ThingsCon Report commissioned
by Mozilla’s Open IoT Studio.
Open IoT Studio
Our 2017 trustmark research has received
great feedback and reach.
Among other things it was quoted extensively
in Brazil’s National IoT Plan.
Now we want to put our research into action.
Early feedback
& successes
Find out more
https://www.thingscon.com/report-a-trustmark-for-iot
9. Why should a
company sign up?
Fairphone
Image by Fairphone, CC (BY-SA 2.0)
This trustmark communicates a
company’s commitment to a higher
standard, and allows them to prove their
connected products are trustworthy.
The trustmark increases consumer trust
by demonstrating commitment to
exemplary levels of transparency,
openness and responsibility.
The trustmark will attract talent: We
believe that only the best companies
attract the best talent, and strong vision
& values are a key aspect.
10. We’re proposing a trustmark for IoT that
increases transparency and empowers
consumers to make better decisions.
It takes a holistic approach that goes beyond
just the device and includes procedural and
organizational aspects. The prototype phase
will focus on voice-enabled IoT (smart
speakers, etc.)
How will it work?
Find out more
https://www.thingscon.com/report-a-trustmark-for-iot
Evaluates 5 key dimensions
Is pledge-based (self-certification)
Verified through publicly accessible
documentation
(Mostly) decentralized
Openly licensed and free to use
11. The trustmark evaluates compliance with 5
dimensions that we identified in our initial
research* as most crucial for consumers
Dimensions
*See A Trustmark for IoT (2017), p. 56
Privacy & Data Practices
How respectful of privacy? Is it designed using state of the art data
practices?
Transparency
Is it obvious to users what the device does and how data might be used?
Security
Is it designed and built using state of the art security practices and
safeguards?
Stability
How robust? How long a lifecycle to expect?
Openness
How open are device and manufacturer? Is open data used or generated?
12. What will
we evaluate?
Input
What goes into making a
product?
In the textile world,
Bluesign is a trustmark
that demonstrates that
an apparel manufacturer
uses sustainable, eco-
friendly materials
Process
How is a product made?
Fairtrade with their
strong focus on
sustainable farming
practices and good
labour conditions
Output
What is the product like
when it’s finished?
CE certification confirms
that the final product
fulfills certain EU quality
and safety requirements
Trust
13. The trustmark documentation shall be
provided in a standardized form to allow for
third parties to offer services on top of this
foundation, like editorials, ratings & reviews.
In year 1 we will learn and prototype, to
develop the concept to a stage of maturity to
be launch-ready.
The foundation of
an ecosystem
14. Self-assessment
tool
Trustmark
readiness
Trustmark
• Doubles to assess
readiness and to verify
compliance
• Our experts review
applications and follow
up for clarification if
necessary
• 3rd party advisory
services like security
consultancy
• Non-public / between
companies and their
advisors
• Once passed, the
trustmark can be used
and the evaluation is
published
• Underlying
assessment (results of
self-evaluation tool) is
available online
3rd party
services
• Open licensing of the
self-assessments
enable 3rd party
services (analysis,
rankings, etc.)
Out of scope
(3rd parties)
In scope
(project core)
Out of scope
(3rd parties)
Elements of a
trustmark system
15. How does it work?
The step by step explainer.
The company itself is the final judge if they fulfill or do not yet fulfill the trustmark criteria.
The stick is in the public accountability once the company decides to use the trustmark and the self-assessment results are published in full.
1 Self-assessment
Company fills in the self-assessment tool, an online application form that consists of yes/no questions plus explanations.
Should the company find it hard to answer questions, they have identified a weakness.
2 Application review
There’s always a human in the loop.
Our experts review the application. If necessary, they follow up for clarification.
3 Trustmark issued
If the application passes, the results are fully published online.
If contested questions cannot be resolved, the trustmark is not issued and the results will not be published.
16. Format &
examples
The format for the checklist is standardized
as a checkbox (Yes/No/Not Applicable) plus a
text field to elaborate. If the answer is Yes or
Not Applicable then the text field must be
filled in with an explainer. (No always means 0
points.)
The evolving checklist is available for review
and input (via comments) here.
Privacy & Data Practices
Do you employ Privacy-by-Design best practices?
Is your product GDPR compliant?
Do you have an easy-to-understand privacy and
data policy?
Can users easily perform a factory reset?
Can users easily export their data?
Some example questions. This checklist
partially builds on the “Open #iotmark
principles” (iotmark.org, CC BY-SA 4.0).
17. At the core of the process is a self-assessment
tool: a questionnaire that helps
organizations assess their trustmark
readiness.
This tool is aligned with the product
development process, so it can also double
as a checklist to help along the process of
developing a trustworthy connected product,
and to identify potential weaknesses.
Self-Assessment
Tool
Trustable Tech Self-Assessment Tool
question sample (draft)
18. Format &
examples
This is what a sample extract of the published
documentation would look like.
Privacy & Data Practices
☑ Do you employ Privacy-by-Design best practices?
We strictly follow privacy-by-design practices. We also prioritize privacy
at every step of the process and in all our decision-making: We strictly
minimize the data we collect from users, and never keep non-essential
data. For example, during the device setup users are by default opted
out of every non-essential data collection option, even if this comes at
the expense of personalization options. We further offer a privacy-
navigator feature that helps users better understand what happens with
their voice and location data should they decide to opt in. Furthermore,
we have a strict policy that makes sure that in case of bankruptcy or an
acquisition, user data is not part of the company's assets that might be
transferred to new ownership but deleted unless users specifically opt-
in to having their data transferred. This policy is available here:
product.com/datapolicy.
☑ Can users easily export their data?
A full data export of all user data, including all inferred data and
explanations, is available prominently from the user account page
(product.com/useraccount). The data can be exported in JSON or
XML, or a simple HTML dump. Should new industry standards for this
kind of data emerge and gain traction, we guarantee to make them an
export option as well within two months.
19. What does a
trustmark mean
legally?
THE CERTIFICATION MARK, AS USED BY PERSONS AUTHORIZED BY CERTIFIER,
CERTIFIES THAT, IN THE OPINION OF APPLICANT'S RATING OR APPEALS BOARDS, MOST
AMERICAN PARENTS WILL CONSIDER THE MOTION PICTURE INAPPROPRIATE FOR
VIEWING BY ANYONE UNDER THE AGE OF 18, BY REASON OF ITS DEPICTION OR
TREATMENT OF VIOLENCE OR SEX OR ABERRATIONAL BEHAVIOR OR DRUG ABUSE, OR
A COMBINATION OF THESE OR OTHER ELEMENTS.
The certification mark, as used by persons authorized by the certifier, certifies that the goods and
services provided are in compliance with Kosher dietary food preparation and handling standards.
The Code of Jewish Law, as codified by Rabbi Yosef Karo with the glosses of Moses Isserles
(The Rema) and other authorities, is the standard by which the certifier certifies that the goods and
services are in compliance with Kosher dietary food preparation and handling standards.
20. This is a project in an early stage. We’re
looking in a number of areas. Particularly
we’re looking for…
Pathways to
partnerships &
participation
Academic partners to accompany the
development of this trustmark
Commercial partners to help us test
our requirements list against their
existing or upcoming products
Non-profit and media partners who
can help us understand what they
need in order to build third-party
offerings on top of a trustmark