In both consumer and industrial markets, reliance on the Internet of Things (IoT) is growing and new applications are continually emerging. The term IoT encompasses everything connected to the internet, but it is increasingly being used to define objects that "talk" to each other. As devices are connected and share data, the opportunities to integrate artificial intelligence (AI) and learn from the data opens up even more opportunities.
On the consumer side, IoT connected devices include everything from wearable fitness devices like the Fitbit and Apple watch to connected home devices like the Ring doorbell or Nest thermostats. On the industrial IoT (IIoT) side, sensors are used to monitor, collect, and share data in industries from manufacturing to automotive, healthcare, and agriculture to name a few.
According to Kaspersky, 61% of businesses already use IoT platforms, and the technology is benefiting businesses with savings, new income streams, and increased production efficiency.
However, COVID-19's hard economic reset has hit the industries IoT startups rely on particularly hard. Automotive, retail and wholesale trade, and transportation are among the hardest hit, according to an article in Forbes.
For every world-changing innovation, there are dozens of ways for IoT technologies and systems to fail or backfire unexpectedly; Postscapes tracks a list of failed IoT startups as a way to discover what has worked and what hasn’t in the IoT’s evolution.
“Failures in the connected product realm can keep consumers from purchasing smart gadgets,” states the Stacey on IoT blog. “The perception of expensive, short-lived gadgets haunts consumer IoT.” What happens when connected products fail? Is a company’s brand or perception of trust and quality products tarnished, or worse, permanently damaged?
Essentially, IoT companies need to realistically think about failure ahead of time and how they can take care of their customers – not to mention the companies that remarket or white label those services. How can the consumer IoT market be supported, allowing buyers keep their devices operational, even if their vendor goes belly up? Is there a way to mitigate the risks around third-party technology and at the same time protect the intellectual property (IP) from unauthorized disclosure?
Examples in the Market are a Reminder that Risks are Real
When an IoT connected device can no longer connect, it is referred to as an “orphaned” or “bricked” device. Two recent examples demonstrate how IoT vendors left customers with bricked devices.
An additional scenario is the community backlash around Sonos’ controversial recycle mode that rendered legacy devices inoperable in exchange for a discount, as outlined in The Verge. The company has recently reversed their policy, but this is another example that adds credence to the risk to brand and trust. As discussed in Stacy’s blog and elsewhere, its common for companies to place code in open source repositories for access by tech savvy early adopters that might keep the device operational. This process is not formalized or adopted widely as a best practice and is more a reaction at the time the company is closing its doors.
What if Companies Adopted a Best Practice to Store IP and Vital Support Information in Escrow?
In the B2B market and industrial IoT, we see escrow agreements employed to protect the technology that is used and embedded in products that deliver IoT services. In essence, a technology escrow agreement means that a trusted third party, such as Iron Mountain, will securely store a copy of your technology (such as software source code) in a secure, restricted location for recreating the software at some point in the future if needed. Keeping code in escrow is only part of the solution for IoT vendors, but it is a first step, and a launching off point to further develop solutions.
An article in Hackaday brings up escrow as a possible solution to the Best Buy situation. “In industry, large companies often require vendor-supplied software to employ source code escrow – a trusted third party holds private source code and can release it if the depositing company goes out of business or on some other trigger event. Perhaps we need a big cloud provider to offer ‘service escrow’ – a promise to light up a minimal system if the original provider goes out of business.”
Although escrow can’t answer all the questions that arise when a consumer IoT provider fails, the role of a neutral, trusted third party is key and has been leveraged successfully for decades. An escrow agent manages the source code and support materials (and even, at times, data) in secure storage with best-in-class chain of custody until it is needed. Here is how this solution is well suited to manage B2C IoT business failure issues.
First, storing code (proprietary or open source), know-how, other support materials for IoT products, and capturing cloud code and data, are all things that an experienced escrow agent can do today in the normal course of business. Let’s not forget that you can have application code and platform infrastructure, but you also need supporting information like build instructions, design documentation, run books and third-party tools. If you have a SaaS application running in AWS, things like root user credentials and CloudFormation templates are very useful. Managing this information, keeping it current, and then releasing it under the right contractual events (release conditions) are standard operating procedures.
A ZDNet article on the death of Nest’s smart home hub, brings up the idea of "Dead Man's Firmware" – a proposed solution related to escrow – for IoT vendors to consider. The author explains this concept would be for firmware code or software and would switch on in the event of a product being end-of-lifed, such as with the Revolv scenario (the smart hub company acquired by Nest) also profiled by ZDNet, or if a company that manufactures IoT devices meets its demise.
The article explains that software would essentially turn the device into a cloud-independent, standalone device. Upon death of the product and/or company, the firmware/software could be made available on an escrowed server, that is funded in perpetuity (or for a certain period of time after the company or product dies) or made available on a site run by an independent third party and would include apps or other software that would be open sourced to support it.
But who provides the support going forward? Escrow agents typically don't have the technical expertise to broadly support all the products that the IoT industry could deposit into escrow. However, we have seen many times on the B2B side that support consortiums are created by key developers from the defunct technology organization as a way to ease the transition after a shutdown. Alternatively, perhaps in larger bankruptcies, court appointed trustees could empower a new entity to legally take over the code and IP in escrow to support a community or sell it to drive cash in an attempt to pay off secured creditors.
The idea of winding down businesses gracefully is very valid, but it often does not happen that way. As outlined in this CRN article, a well-known case in point was the wind down of SaaS company Nirvanix, a cloud storage technology provider who went bankrupt and gave their customers only a short window of time to migrate their data and find other vendor alternatives. Although Nirvanix was an established company with well-known customers and partners, it did not think about a contingency plan to protect its customers in case of unforeseen challenges.
No one wants to think about failure – especially businesses who are just starting out. But when your customers depend on you, it’s important to think through all the contingencies and assure your customers they will be protected in the future if something happens to you as their vendor.
Software escrow solutions are often used by companies in the B2B space, including for industrial IoT applications. How can we successfully adopt this model for connected products in the consumer IoT space? We believe the escrow community could work with insurers, venture capitalists, and technology companies to develop a shared responsibility IoT protection model.
NCC Group Software Resilience has acquired Iron Mountain’s Intellectual Property Management (IPM) business. For more information on the acquisition, please visit our dedicated information hub, or contact Iron Mountain IPM.
