Gergana and all,

[ Feeling a bit ranty. Must be the coming Easter holidays? ]

At 2017-04-13 12:57:02 +0200 Gergana Petrova <gpetrova@ripe.net> wrote:

On 13/04/17 12:10, Bastiaan Goslings wrote:

On 13 January the European Commission organised and hosted a workshop in Brussels, the main purpose of which was ‘to discuss minimum baseline security and privacy requirements along the entire networked architecture and value chain similar in various sectors.’

It took them a while to publish a report, but it’s an interesting read for this group nonetheless, I imagine.

‘Participants were asked to come with, reflect and comment on concrete minimum IoT privacy and security principles to create a trusted IoT environment’

The results of the workshop can be found at https://ec.europa.eu/digital-single-market/en/news/internet-things-privacy-s...

(Was anyone on the list there btw?)

Yes, I was there. The report you linked is a very good summary. Impression in the room was that the main goal (and challenge) is to create trust in the IoT market, which is lacking at the moment. However, trust takes time, while it takes only one incident to bring the IoT market back to square one.
Thanks for your in-person observations! I had a quick look at the PDF (all the way through page 10 of 9). ;)

While understandable, the goal of creating trust does point to slightly misplaced motivations. Surely we want products that are worthy of trust, rather than products that are trusted. (Consider how many people believe that homeopathic remedies have any value; these products are not worthy of trust, but marketing has made people trust them.)

For an example in the IoT space, one could establish a non-transparent system where industry deals with security incidents. This could result in more trust, because people might never find out about vulnerabilities. However, it would possibly also be less secure than a system relying on full disclosure.

To put it yet another way... for industry the problem is how to get people to buy their gear, and making it high-quality is only one possible way of achieving that end. :)
There was also a lot of talk about data ownership, not just control. Concerns were voiced that consumers might lose ownership of data they are generating. And also concerns that manufacturers don't provide consumers with enough choice, for example taking out the location tracking device in some car models is a hassle and for someone buying second hand - even more difficult.
This is great to hear! The model of throwing all data into the cloud and hoping for the best will probably have to be challenged because of this. :)

It does seem like a pity that nothing was mentioned as far as open source or standards-based platforms (if we had something like EFI to boot up WiFi routers then we might have a lot more 3rd party operating systems and applications, which might have helped avoid a number of vulnerabilities).

Oh well, thanks again for your personal observations. :)

Cheers,

--
Shane