Better IoT
A questionnaire developed between 2017 and 2019 by a global community of practitioners to help internet of things startups and product managers consider different aspects of design (interoperability, openness, data governance, lifecycle, security) early on. Details of contributors at https://betteriot.org

Sign in to Google to save your progress. Learn more
Interoperability
Do you allow third parties to connect clients to your product’s backend?
Ideally you will have developed a client-specific backend API and have published documentation on how to use it on your website.
Clear selection
Do you grant third party clients the same functional scope on your backend as your own clients?
You might think about how to prove that the functionality of the product using someone else’s back end works as well as your own. This might entail filming the product working with both and posting it online on your developer documentation.
Clear selection
Do you allow third parties to connect your devices to their backend?
Ideally you will have developed a device-specific backend API and have published documentation on how to use it on your website.
Clear selection
Do you allow third parties to communicate directly with your devices, without going through the backend?
Ideally you will have developed a device communication interface and have published documentation on how to use it on your website.
Clear selection
Openness
Have you published the device firmware source code under an open source license?
Ideally you will have licensed your firmware’s source code using the MIT License, Apache 2, GPLv3 or at least a license compliant with the 2007 Open Source Definition (https://opensource.org/osd). That code would be posted on a public source code repository or available as a downloadable .zip file.
Clear selection
Have you published the device hardware designs under an open hardware license?
Ideally you will share hardware design files (schema files, PCB layouts, and any other materials that would support the recreation of the product by the user or a third party). You should also license this in compliance with the Open Source Hardware Definition (https://www.oshwa.org/definition/) .Those files would be posted on a public source code repository or available as a downloadable .zip file.
Clear selection
Have you published the backend source code under an open source license?
Ideally you will have licensed your firmware’s source code using the Apache 2,  AGPLv3 or at least a license compliant with the 2007 Open Source Definition (https://opensource.org/osd). That code would be posted on a public source code repository or available as a downloadable .zip file.
Clear selection
Have you published the client source code under an open source license?
Ideally you will have licensed your firmware’s source code using the MIT License, Apache 2, GPLv3 or at least a license compliant with the 2007 Open Source Definition (https://opensource.org/osd). That code would be posted on a public source code repository or available as a downloadable .zip file.
Clear selection
Data governance
Do you allow your users to turn off the connection from the device to the backend?
Ideally you would provide a link on your website to documentation that explains how to turn off the connection from the device to the backend.
Clear selection
Do you make explicit to your users the legal implications of substantially changing the way they use the device?
Ideally you would provide a link on your website to documentation that explains the secondary legal implications of changing how the device is used, or diconnecting it.
Clear selection
Do you allow users to stop automated decisions being made about them through their collected data especially if there are personal, legal or significant consequences?
Ideally you have a link on your website to help a user stop automated decisions and get a customer support representative (not an automated process) to re-evaluate the decision.
Clear selection
Permissions & ownership
Do you allow your users to reset the device (also known as a factory reset).
Ideally you would provide a link on your website to documentation that explains how to reset the product, either with a reset button, or on the digital user interface.
Clear selection
Do you allow your users to transfer ownership of the device to someone else?
Ideally you would provide a link on your website to documentation that explains how to transfer ownership of a device to another user.
Clear selection
Do you actively prevent new users from accessing previous user's data when ownership of the device is transferred?
Ideally you would provide a link on your website to documentation that explains how to do this. This might be done in a number of ways but a hard reset button on your device might be one way of doing this.
Clear selection
Do you make sure to ask permission from users before changing the terms of service?
Ideally you would make sure to communicate any changes in terms & conditions to users and document their explicit agreement with these changes.
Clear selection
Do you make sure to inform your users about substantial firmware upgrades?
Ideally you keep a publicly available auditable trail of firmware revisions on a blog, RSS feed or other.
Clear selection
Do you allow users to access their collected data, free of charge?
Part of the compliance with the European Commission’s 2018 General Data Protection Act makes you liable for a fine if you don’t do this for your European customers. Ideally you would offer your customers a link explaining to them how to export collected data, and you will include this in your terms and conditions.
Clear selection
Do you make it clear to your users how data that is collected is used?
Part of the compliance with the European Commission’s 2018 General Data Protection Act makes you liable for a fine if you don’t do this for your European customers. Ideally you offer details on a dedicated privacy policy.
Clear selection
Do you allow users to delete their collected data?
Part of the compliance with the European Commission’s 2018 General Data Protection Act makes you liable for a fine if you don’t do this for your European customers. Ideally you offer details on how to do this on a link on your website.
Clear selection
Do you allow your users to migrate their collected data to another backend?
Part of the compliance with the European Commission’s 2018 General Data Protection Act makes you liable for a fine if you don’t do this for your European customers. Ideally you offer details on how to do this on a link on your website.
Clear selection
Do you allow your users to easily opt-out of direct marketing based on their collected data?
Part of the compliance with the European Commission’s 2018 General Data Protection Act makes you liable for a fine if you don’t do this for your European customers. Ideally you offer details on how to do this on a link on your website.
Clear selection
Do you allow users to restrict the use of their collected data?
Part of the compliance with the European Commission’s 2018 General Data Protection Act makes you liable for a fine if you don’t do this for your European customers. Ideally you offer details on how to do this on a link on your website.
Clear selection
Do you allow users to update their collected data?
Part of the compliance with the European Commission’s 2018 General Data Protection Act makes you liable for a fine if you don’t do this for your European customers. Ideally you offer details on how to do this on a link on your website.
Clear selection
Security
Do you make sure to implement security practices in your business processes?
This might mean demonstrating personal training, regular security assessment, security requirements for your suppliers or threat intelligence. You would also ideally provide a link to a security@yourcompany.com email address for your customers with adequate turn around.
Clear selection
Have you implemented ‘security by design’ during the development of your connected product?
This might mean defining security requirements, implementing strong cryptographic policies, provide security support via over the air updates, integrate the security of dependencies, and secure firmware updates.
Clear selection
Have you implemented a ‘security by default’ approach for your connected product?
This would mean that users need to change the password on first use of the product. It also implies that the produce doesn’t use unencrypted communication nor does it use unnecessary open services.
Clear selection
Have you assessed the risk of well known threats on your connected product?
You would fill in and publish a risk assessment of the security of the device and its backend. We recommend using the framework published by OWASP (https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project)
Clear selection
Lifecycle
Do you make explicit to your user the expected duration of your terms of service?
Ideally you would provide a link on your website the terms of service which have to include a "best before" expiration date.
Clear selection
Do you actively avoid degrading or change the core functionality of the connected product over its lifetime?
By core functionality we mean the functionality that is declared in your public marketing materials when the customer purchases it. We encourage you not to degrade the use of this functionality through changes in firmware or remotely bricking the produce remotely.
Clear selection
Do you offer documentation for parts that a user can repair using common tools and skills?
Ideally you would provide a link on your website to visual or multilingual documentation that explains how repairs can be done. If applicable, 3D printed design files in .stl format should be made available for download.
Clear selection
Do you supply spare parts on request during the lifecycle of the product?
Ideally you would provide a form on your website that a user can fill in to request these parts. Information about this service should be included as part of the packaging or online marketing materials.
Clear selection
Submit
Clear form
GoogleForms
This form was created inside of Designswarm Industries Ltd.