IoT-EPI presents a practical toolkit for verifying trust in IoT Applications
Trust in IoT is one of the hot topics in the industry when it comes to digitization and interconnectivity of devices. IoT-EPI is examining this topic from different angles. In this blog post we are focusing on a “Checklist for Trust” including various trust / security related questions across different domains of the IoT sector. Although the checklist was developed with IoT-EPI projects in mind, these concepts can be used as a guiding toolkit in the development of a broad range of IoT Applications. The checklist is grouped into five different categories, i.e. Trustworthiness, Transparency, Privacy, Compliance, Security.
“Trustworthiness” aims to question how issues regarding the sharing of personal as well as non-personal data are being addressed by each EPI project and what specific points regarding data sharing are especially relevant to this project. This category elaborates on how the projects aim to gain and maintain the trust of potential customers of their application.
“Transparency” has similar goals to the “Trustworthiness” category. It also aims to identify the projects’ strategies to gain and maintain trust. The focus of this category, however, is on gaining the trust of the end-user as opposed to the business customer in the previous category. Since this is achieved less by answering technical data sharing issues and more by making certain processes transparent to the end-user, we believe it is important to separate the two categories “Trustworthiness” and “Transparency”.
“Privacy”, another important category, has gained significant interest among end-users with the onset of sensors & devices in various walks of life. Due to its significance among the public, it seems fitting to create a separate category to underline its relevance. This category covers questions regarding the (de-)anonymization of data.
“Compliance” covers the legal questions which have to be addressed in the context of IoT applications. Furthermore, it tries to bring up the importance of certain standards in order to guarantee that users and providers are able to comply with data protection laws.
“Security” covers questions addressing technical solutions in order to protect the data sufficiently against malicious attacks. Furthermore, this section also covers how the situation can be handled if the protection is not sufficient - including the physical devices storing data.
Below is an excerpt of questions covered under each category:
- How can individuals trust in sharing personal data with 3rd parties?
- How do you proceed when the accuracy of the shared personal data is being challenged?
- How can transparency on what data is shared be achieved?
- How can de-anonymization risks be predicted and prevented?
- How can anonymization be guaranteed without losing data utility?
- How can liability for data and system integrity, security breaches etc. be guaranteed?
- What data sovereignty laws are you subject to?
- How is the hardware controlled, audited, logged, backed up, patched and updated?
- How is the encryption handled and who has the keys?
In order to communicate the concepts effectively to the EPI projects, we came up with the “Trust Cards” which contain all questions belonging to the respective category. As an example, the card for “Trustworthiness” is shown below.
The trust cards give the IoT-EPI projects an opportunity to rate each individual question according to its relevance for their specific project from 1 to 3 (1 = Least Relevant and 3 = Most Relevant). On the basis of these ratings, it becomes possible to pinpoint which aspects of trust and security have the greatest impact on particular IoT-EPI projects. Also, the information collected is vital in isolating important areas that are not yet being addressed by a particular project / product. This can be further used to prioritize and determine suitable strategies to address the gaps that were identified as a result of Trust Cards.
The complete set of Trust Cards can be found here.