Trustmarks, trustmarks everywhere. Let’s aim higher.

There’s a wave of new trustmark initiatives for connected products.

If you’re here, you probably know I’ve been researching trustmarks for IoT — consumer facing labels that indicate trustworthiness of connected products — for years. Concretely, for about 3 years, if we want to pinpoint it with the publication date of my report “A Trustmark for IoT”, which I wrote as part of a Mozilla commission. Even before, part of ThingsCon has always been to understand how to make connected stuff more responsibly, and hence more trustworthy, so years of implicit research went into that report already. And then, building on both, Mozilla invited me to become a fellow which allowed me to build from the ground up a trustmark under the ThingsCon umbrella, the Trustable Technology Mark which launched in 2018. (It’s currently on hiatus.)

I only bring this up for context, because it explains why I get invited to a lot of conversations and research interviews whenever some organization or another starts exploring this field: For better of worse, it’s hard not to stumble over my research in this space simply because I’ve been writing about it for a relatively long time, and this space is reasonably young. So, I get called by a lot of researchers and initiatives for input, and try to pitch in wherever I can.

Making connected systems more trustworthy is essential as we move deeper into the 21st century. And not just when we talk about consumer IoT, but also — and especially! — when we talk about automated decision making (ADM) systems, AI, smart cities: Areas where the power dynamics are more prominent, and potential damages worse, than a failing fitness tracker or smart speaker might be. (Note: Depending on the kind of failure, fitness trackers or smart speakers can also do a lot of damage.)

Over the last few months, a few things have become painfully apparent to me, based on these many conversations:

  • While we (ThingsCon) didn’t have the reach and critical mass to make a significant dent in the market of consumer IoT, turns out most actors in this space aren’t, and aren’t necessarily aware either.
  • I see nearly the exact struggles we went through replicated elsewhere, over and over. I’m not sure what to take from that. Maybe there’s not enough institutional learning? Maybe we didn’t document our issues well enough? Maybe some things are just hard? But either way it’d be good to move on to the next step.
  • But first and foremost, I see efforts to water down rather than raise standards in a great number of these initiatives.

I want to expand a little on that last point: Many IoT trust / trustmark initiatives aim not to significantly raise the standards that products/services need to earn in order to get their seal of approval (whatever shape that seal might take).

Now, for those not all too familiar with this terrain, there are a few important distinctions, roughly like this:

  • There is regulation, a legal rock bottom. This is what the law forbids you from doing, or requires you to do. Can’t go lower than that without breaking the law.
  • One step up, you might find what’s often referred to as baseline certification: This demonstrates a product is compliant with a certain standard. Such a certification might be required to enter the market and sell goods (like the CE mark) or be voluntary.
  • And then there are a wide range of less regulated trustmarks or consumer labels on top. These show that companies do something more than legally required, and they come in various levels of quality and concreteness. Fairtrade or organic food labels come to mind.

In other words, trustmarks that aim to communicate trustworthiness beyond the legal minimum requirements. In a market in which consumers have severe concerns about their data being leaked or misused, or their money spent on products that might stop working any day, this is desperately needed. And I repeat my mantra: We don’t need to increase trust, we need to increase trustworthiness. Not consumers have to change, companies (and maybe legal requirements) need to raise the standard.

So, these research interviews and calls I’ve been in for various IoT trust initiatives: Almost to a fault, they aim to keep company commitments what they are today, and yet find a way to add a “trustworthy” label.

One interviewer literally asked me if in order to allow companies to pursue this I thought the standards for this label should be higher or lower than the legal requirements. Just let that sink in: The options were “should a company really be forced to respect the law in order to gain this seal of approval.” (In case you’re wondering if I misheard: I did ask to clarify, and that was indeed the question they meant to ask.)

Luckily, other initiatives aim higher. Even there, often corporate members push hard to water things down to a level where it makes their lives easier. Where they compare trustmarks with baseline certifications rather than an extra gold medal to be earned. Where the focus is on consumer education rather than companies adhering to better standards.

It’s the usual playbook used by lobbyists across the globe: self-regulation, consumer education, individual responsibility.

Whenever you see these terms bandied around in a discussion about responsible tech, call them out: This is a model that has failed us in this space, as in others (cough cough financial markets cough cough) over and over again. These are dog whistles for companies that want to make their own rules, or soften the rules so that nothing gets into the way of a quick buck at the expense of others: consumers, society at large, the environment. But connected systems post systemic challenges, and they require systemic solutions. The burden mustn’t be on the individual.

If we want better outcomes, we cannot choose the same path that brought us here. We need to do better, and demand more. Giving out seals of trust more easily will not help anyone. If we can’t get tougher regulation in this space, then at the very least we can make sure that nobody gets an extra trustmark without putting in the effort.

For what it’s worth, this opinion represents my personal and professional opinion and that of my employer, which is also me. If you’re working on trustmarks that really require trustworthiness and aren’t just astroturfing, hit me up for some #realtalk.

Leave a Reply