Most connected devices are a black box. When you buy a smart toaster, you don’t know how much of your data it’s beaming up to cloud or whether its lax security has allowed it to become part of a bot network (which happened in 2016). How are you supposed to know which smart lightbulb you can trust?
Enter the Trustable Technology Mark. It’s like being certified organic, but for the Internet of Things. Supported by the Mozilla Foundation, NYU Law, the University of Dundee, and other institutions, the trustmark–a phrase for a logo that signifies a certification of some kind–aims to recognize companies building connected devices that have stellar data and privacy practices, are transparent and secure, and have some guarantee of longevity.
In a world awash with sketchy technology that doesn’t communicate how personal data is being used, the Trustable Tech Mark is a way to give kudos to companies that are actually operating responsibly. Right now, there’s no way for consumers to know which products won’t put their data at risk–nor for companies to prove that they’re trustworthy.
“If you look at the market, there’s a little bit of a stick to avoid the biggest data breaches and scandals because it’s bad press,” says Peter Bihr, a Mozilla Fellow and cofounder of the responsible IoT nonprofit ThingsCon, who created the trustmark. “But there’s no carrot in the sense that if you build a more considerate product, you’re putting in a lot of work, making your life harder than the competition’s, but there’s no way for that to be recognized by consumers. We try to highlight the work of really outstanding companies that go the extra mile.”
That means that while the trustmark obviously can’t warn users that a company has bad data practices, it will point out which organizations are following best-practices in the field.
So far, two companies have been certified: a French smart assistant called Snips, and a German connected toy called Vai Kai. Both companies completed Trustable Tech’s self-assessment, which includes dozens of questions about product features, the development process, data management, and security by design practices. Once a company submits the assessment, Bihr and two colleagues–Jason Schultz, the team’s legal lead and director of NYU’s Technology Law and Policy Clinic, and Ame Elliott, the design director at nonprofit Simply Secure–will look over their answers and decide whether they uphold the trustmark’s principles of privacy, security, transparency, stability, and openness. These experts’ inclusion, along with the credibility of the institutions that the trustmark is associated with, lends the Trustable Tech Mark a degree of validity.
But the companies that sign on for the process don’t just get a nice logo to slap on their products and packaging. The Trustable Tech mark also requires the company to promise that consumers actually own the product they’re selling. Many products with software fall under an outdated copyright law that restricts consumers from modifying or even using a product they own how they want–like a digital book, where buying it doesn’t mean you can gift it to someone else like you could a physical one. Rather than owning the product, users basically own a license to use it in a limited way. But the application process for the Trustable Tech mark asks companies to make a legally binding promise that their customers own the product they buy and can do what they please with it. Bihr says that if the company reneges on the promise, it opens itself up to a class-action lawsuit.
Bihr readily acknowledges that the self-assessment is not a perfect process. But during his research into trustmarks, he realized that it was next to impossible to conduct third-party audits of companies’ proprietary software because it is so time-consuming and costly. Consumer Reports, for instance, does some very baseline testing of digital products, but it would be difficult to implement and scale the kind of rigorous process that Bihr wanted for the Trustable Tech Mark, one that would focus on highlighting the very best instead of trying to create low baseline bar that all companies should try to meet. Besides, ThingsCon, as a small nonprofit, didn’t have the resources to enforce a baseline certification of that kind.
“We don’t want to be in the business of running a certification body,” Bihr says. “We’re asking for a commitment to transparency. This is essentially one of the many building blocks that we hope can shape the debate in the design and product development process.”
That’s why self-assessment made more sense. But at the same time, it also means that companies might try to spin their tech to get the mark. Bihr says that while it is possible for a company to thoroughly lie on the application, he, Schultz, and Elliott are experts in the field and have been able to tell during testing whether something was fishy or not. Even if a company does manage to evade the expert team, Bihr has a plan: “If there’s any hint of cheating, we’ll launch the mother of all public shaming campaigns,” Bihr says.
But companies lying isn’t really a major concern, because Bihr thinks that only companies serious about building responsible tech will apply anyway. His main fear is something else: obscurity. He hopes to counteract the possibility that the trustmark won’t catch on through his leadership of the nonprofit ThingCon, which brings together thousands of people working in IoT. If some of these designers adopt the mark, it’ll have a better chance of survival.
Part of that adoption will include companies plastering the Trustable Tech Mark on their packaging and website. The logo, a ribbon-like emblem with the words “Trustable Technology” next to it, is self-explanatory. Even if a consumer has never heard of the initiative before, it’s obvious what it means, which is a necessity for trustmarks. If someone doesn’t recognize it and it’s not self-explanatory, the logo is meaningless.
Bihr says the institutions he’s partnered with, like NYU Law, are particularly interested to see if the Trustable Tech Mark will work, and if something like it could be applied to other areas of technology, like smart cities. But even if the Trustable Tech Mark doesn’t impact the development of IoT products, Bihr is confident that it won’t have been a waste. “If it failed and was an interesting data point, we’d still have learned a lot,” he says.
But given the changes in people’s attitudes toward technology in the last few years, the trustmark stands a chance. There are new data breaches every month, through which millions of people’s data is stolen. The European data rights law GDPR is now in place, elevating the requirements for how companies handle people’s personal information. Consumers are learning about the devastating effects of technology gone wrong from the tech giants. For the Trustable Tech Mark, the timing might be right.