Categories
news

The Trustable Technology Mark is wrapping up, Trustable Technology lives on

We’ll be wrapping up the Trustable Technology Mark prototype. We want to use this opportunity to reflect, share what we learned, and look ahead to new opportunities around Trustable Technology.

Note: This is cross-posted from the Trustable Technology site.

What’s happening?

After about two years, we’ll be wrapping up the Trustable Technology Mark: This prototype officially comes to an end, and we will not be developing it further under the trustmark model. We closed the application form and won’t be issuing any further licenses. So at this point we’d like to share some of the things we learned along the way, and look at what’s next: We’ll keep exploring Trustable Technology in other formats going forward.

For context, just the quickest of history: In 2017, we did a deep dive into trust and technology and trustmarks which culminated in the report A Trustmark for IoT. Building on that report, and with support from Mozilla Foundation, we developed and launched as a the Trustable Technology Mark, a prototype trustmark scheme for consumer IoT. With the Trustable Technology Mark we aimed to offer an alternative to baseline certification schemes (that weed out the really bad) and demonstrate that there’s a wider spectrum here by highlighting excellence instead.

Why is this wrapping up, and who’s impacted?

We’re wrapping up for multiple reasons: We didn’t reach the critical mass to support the project long-term; we couldn’t find an appropriate way to financially support the project in a sustainable way in the long run; and as a volunteer project we lack the people power to grow and review the project. Still, we learned a lot, which makes this time extremely well spent — and the environment has evolved in ways that leave us very hopeful for the future of consumer IoT.

We do not expect that any of our licensees will be negatively impacted, but have reached out to them to make sure we can make sure it’s all smooth sailing.

Some impacts of the Trustable Technology Mark

The most important bit is, of course, the impact this project has generated.

While there’s always a somber component to wrapping up a project, we’re happy with how the Trustable Technology Mark has been having impact in many areas beyond the Trustmark itself.

Just after launch, I wrote that “I’m convinced the underlying principles of the Trustmark can be adapted for other contexts and have meaningful impact. After all, the Trustmark is a means to an end: It’s a way to make technology more trustworthy - one product or policy at a time.” It has done that, in many ways.

For example: Snips, one of our initial proof-of-concept Trustmark licensees, are no longer in business because they were acquired by Sonos. Through this acquisition, though, Snips’ privacy-first approach to digital voice control now informs Sonos, a major player in the world of smart speakers. The Trustmark license does not transfer from one legal entity to the other, but to see the importance of a privacy-first approach recognized by these much larger companies is great and gives me hope for the future.

This is also reflective of the evolving landscape in which consumers (and lawmakers!) have been demanding better protection of their rights. The baseline of what’s been happening in that regard has been rising — even though there’s still plenty of room to grow and improve.

This shift in interest is also mirrored in the immense media attention the Trustmark got throughout its lifetime from media outlets around the globe.

Finally, the spirit of our Trustmark lives on in a range of places, sometimes through formal collaborations or inputs, sometimes through informal conversations in backchannels or at workshops, and sometimes purely through parallel evolution. To name just a few: Mozilla have their Minimum Security Guidelines for IoT; we’ve been asked for input and collaboration by a number of organizations that work with smart city policy, where procurement guidelines turn out to offer promising leverage to enforce trustworthiness, which is where our trust indicators have been turning out useful; there are now a number of excellent design guidelines and frameworks for better and more trustworthy consumer IoT products such as the ones by long-time friends and collaborators Doteveryone and BetterIoT (formerly known as #iotmark, which was a continuation of the 2012 Open Internet of Things Assembly event), both of which also started out as research into trustmark or certification schemes and went this more actionable route instead.

The OpenDoTT PhD project will continue their academic research into the potential and role of trustmarks for IoT.

And, maybe most importantly, we see a much higher awareness of digital rights — as well as technology’s potential impact on civil and human rights.

To us, this makes for a thorough win.

Some things we learned

The second-most important thing for us is what we learned over the last couple of years, and are happy to share for whomever it might be useful for.

So what did we learn? A lot of things, some of which we expected going in and some more surprising. In no particular order:

  1. As a general note, we found that the trustmark model can be strong and appropriate for the context of consumer IoT, even though there are many complexities and challenges. Consumers are still looking for guidance of which products respect their rights and which don’t.
  2. There is widespread interest in the trustmark approach at the political level, and experts across the board see its potential. As recently as early 2020, Nesta published a report (that also references our Trustmark work) and that “the creation of a digital trustmark is a vacuum waiting to be filled – and that, if a trusted institution acting for the public good doesn’t introduce one soon, the gap would likely be filled by commercially-driven and less accountable certification initiatives.” That report focuses on the digital space more generally, and also highlights the importance of having specific trustmarks (like for IoT) as building blocks for a more comprehensive “umbrella” trustmark that covers the full digital experience.
  3. Organizational and financial sustainability is a real challenge. We started the trustmark as a volunteer effort (the development was graciously supported by Mozilla Foundation). There are hard time constraints if your volunteer pool consists of leading experts and tasks cover a range as wide as outreach, fundraising, reviewing applications, evolving the application process, and handling licensing questions (to name just a few). We simply couldn’t sustain the level of time commitment this would have required going forward. To scale up, a trustmark efforts requires long-term backing by an organization either by becoming part of their work or through a long-term financial commitment — preferably both.
  4. A project like this needs a tight governance structure. As a prototype, a lot of the decision-making power sat with me as the project lead. For a prototype, that’s ok. But to run and evolve this over time, this needs a broader perspective and governance safeguards. Which in turn means more volunteer people power. We weren’t able to set up these structures and networks in a way that seemed sustainable to us as we wanted to be very respectful of our volunteer experts’ time: As project lead, one of the key responsibilities is to protect volunteer team members by not asking for commitments beyond their capabilities.
  5. In the application pool, small as it was in total, we saw a staggering breadth of quality in our applications. Even though we tried to focus the Trustmark to consumer products (meaning that we already excluded a huge range of possible applications) we still saw so many edge cases. Does it have to be a commercial product? What about open source? What about this component, or this backend product? Also, the quality of the applications was hugely diverse, ranging from very promising (but maybe out of scope for our purposes) to individual examples that couldn’t have been more problematic if we had set up a honeypot. It was enlightening, and showed just how relevant this approach could be if it reached a certain scale.
  6. Critical mass is key. A trustmark is only truly impactful if consumers rely on it; consumers will only be familiar enough with a trustmark to rely on it if it covers a big part of the market. It’s a catch-22: Without applications, the trustmark cannot gain the necessary traction. Without traction, the trustmark won’t be relevant enough for companies to apply with their products.
  7. The framing of the evaluation criteria is tricky, and needs to be designed to evolve. Even the best products and applications can fulfill all conditions we asked for but still be incomplete under certain circumstances: One of the proof of concept licensed products we launched with was Snips, a privacy-first digital voice assistant. When they were acquired by Sonos, they shut down the DIY component of their product. The core product still worked as promised, but this non-core offering was switched off: Yet another edge case. The only way to handle these things is to keep evolving the catalog of evaluation criteria.
  8. Our list of trust indicators held up well. The five categories we highlighted in our research included Privacy & Data Practices; Transparency; Security; Stability; and Openness. These categories have proven useful here and in many other context beyond the Trustmark.

What’s next?

We’re starting an internal process to explore what the next opportunities are, and we’ll share more once we’re further in our deliberations. Here’s what we’re currently thinking about:

First of all, we want to ensure that our work around the Trustmark — i.e. the review & license part —  can be as useful going forward as possible. Concretely, we’ll continue to take our findings and apply them to other areas such as smart city procurement and policy (if and where it makes sense). We’ll continue to support the OpenDoTT project (for which I’m also an industry PhD supervisor). Of course we’ll archive our findings, the questionnaire, and as much of the website, etc., as possible.

Also, we’ll continue to share our learnings with consumer protection and research organizations wherever it makes sense. If you think you might know a way to evolve the Trustmark itself in its original spirit, and would like for your organization to become its steward going forward, please get in touch so we can discuss options.

Second, we believe that even without the Trustmark, there are great opportunities around Trustable Technology. We’ll be exploring those over the coming months with the ThingsCon community and see what shape(s) this might take. There are many potential formats that could be useful, many directions worth exploring. We’ll share more once we know more, including how to get involved.

And of course we’ll be keeping all lines of communication open so that others can reach out easily. If you have any idea or feedback, please let us know (email: info@thingscon.org; @thingscon on Twitter).

Thank you

Last but not least, thank you’s are in order: There are many people and organizations without whom this project could have never come together. Thank you to my collaborators Jason Schultz for providing the legal foundation for everything we did, to Pete Thomas for the ace brand and design work, and to Ame Elliott for all her input to security and UX questions. Thank you to the ThingsCon team and community who didn’t just indulge this project but shaped it into what it is, and kept it honest through tireless input, feedback and shared insight. Thank you to the good folks at Mozilla Foundation who kindly and graciously supported the Trustmark by inviting me to become a Mozilla Fellow and through countless other ways. Thank you to Alexandra Deschamps-Sonsino and Dr. Laura James for the countless times they shared their insights, and their encouraging words along the way. We’re especially grateful to Alexandra Deschamps-Sonsino’s and Usman Haque’s work with Better IoT and the Open IoT Assembly event it built on as both formed the basis for most of our work on the Trustmark. Thank you to Jan-Peter Kleinhans for brainstorming governance models and improved review processes, and tons of input on IoT security questions. And finally, thank you to the companies who took a chance on our fledgling initiative, and the countless others for their input, feedback and support.

Thank you.