The title is a joke, but a nod to my writing so often about China’s role in the Internet of Things and our plans to continue doing so. How can I not when so much of my law firm’s new China manufacturing work is coming from companies involved in the Internet of Things? And when I personally am such a massive fan of it (my lights, my home security, my fire alarms, my fitness devices, my doorbell, my . . . are all IoT devices). Plus I want to be on record now so that five years from now I can say, “I told you so.”
Anyway, today’s post is a short riff on the Online Trust Alliance’s recently issued IoT Framework, which sets out thirty guidelines related mostly to sustainability, security and privacy surrounding connected devices. Though these are “just” guidelines, we expect most leading IoT device manufacturers to at least be influenced by them.
The following guideline, No. 3, immediately stood out to the China lawyers in my law firm, as it directly relates to so many of the problems we see with our IoT clients that use third-party Chinese manufacturers to make their connected devices:
Establish and maintain processes and systems to receive, track and promptly respond to external vulnerabilities reports from third parties including the research community. Remediate post product release design vulnerabilities and threats in a publicly responsible manner either through remote updates and/or through actionable consumer notifications, or other effective mechanism(s).
As we have written many times previously, our China attorneys are far too often called in after there is already a binding contract between the Western IoT manufacturer and its more experienced Chinese manufacturer, and that contract does not provide any privacy safeguards against the Chinese manufacturer. In many instances, having this sort of protection never even occurred to our client. I usually don’t hesitate to point out to them the problems they might have if it is later discovered that the Chinese manufacturer is in some way tracking the customers of the connected device and the Western IoT company has no paper to show it ever even considered or cared about such a thing.
I would urge everyone involved in IoT to read this new Framework for the simple reason that it serves as an excellent checklist on various things of which you should be aware.
For more on China and the Internet of Things, please check out the following: