The US Federal Trade Commission has again acted on its serious concerns about data privacy and security in the Internet of Things (IoT). This time D-Link webcams and routers are the focus. Stephen Cobb puts this latest FTC move in context.
The US Federal Trade Commission yesterday announced that it was charging Taiwan-based computer networking equipment manufacturer D-Link Corporation and its American subsidiary with putting consumers’ privacy at risk “due to the inadequate security of its computer routers and cameras.” This article explains what this action means and puts it in the wider context of data privacy and security in the US, particularly as it applies to the Internet of Things or IoT.
While “IoT” still has a futuristic ring to it, this latest move by the FTC is not the first time the federal privacy and security watchdog has taken issue with a company over what it sees as weaknesses in IoT security. In February of last year, ASUS settled FTC charges that “critical security flaws in its routers put the home networks of hundreds of thousands of consumers at risk”. Basically, domestic routers are the hub of the IoT in the home and the gateway to the internet, over which they can be, and are, attacked.
And this is the second time that internet-connected cameras have featured in an FTC action, the first being that of TRENDnet SecurView cameras, settled in 2013. At that time, the agency described the case as its first action “against a marketer of an everyday product with interconnectivity to the Internet and other mobile devices – commonly referred to as the ‘Internet of Things.’” The point here is that the FTC has long signaled its intent to police data privacy and security in the IoT space. Companies failing to heed the agency’s IoT guidance – documented in a number of formats such as the 70-page staff report it issued two years ago (PDF accessible here) – should not be surprised if they come under scrutiny. Bear in mind that any consumer or consumer advocacy group can request an FTC investigation.
Standard of due care?
Another thing to bear in mind is that yesterday’s action against D-Link was not a settlement, and the company can respond to the charges and defend itself. However, given the FTC’s success rate in previous cases, it is pretty clear the agency does not bring charges lightly. The FTC’s complaint alleges that D-Link promoted the security of its routers on the company’s website with headlines like “EASY TO SECURE” and “ADVANCED NETWORK SECURITY.” Over the last 15 years the FTC has been pretty clear that it has the right to assess the veracity of such inducements to purchase.
After investigation, the agency alleges that the company’s product claims were not supported and it had “failed to take steps to address well-known and easily preventable security flaws”. For example, hard-coded login credentials were used in some web camera software (like username “guest” and password “guest”), a design decision that made unauthorized access to a camera’s live feed fairly trivial. Here is how the FTC described three additional flaws:
- a “command injection” software flaw enabled remote attackers to potentially take control of consumers’ routers by sending them unauthorized commands over the Internet;
- a private key code used to sign into D-Link software was openly available on a public website for six months; and
- a decision to store users’ login credentials for D-Link’s mobile app in cleartext on the mobile device, “even though there is free software available to secure the information”.
Notice the pattern here? The FTC is pointing out that the company failed to observe some established and inexpensive “best practices” and so, it can be argued, it failed the standard of due care.
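To make the “inexpensive best practices” concrete, here is an added example (not code from the FTC complaint, from D-Link, or from ESET) showing the first two design choices named above beside their hardened forms: a hypothetical router ping-diagnostics handler that pastes a form field into a shell string versus one that validates the field and builds an argv list, and a fixed default password versus a per-device random one stored only as a salted hash. The form field name, the regex and the iteration count are my assumptions.

```python
import hashlib
import hmac
import ipaddress
import os
import re
import secrets

# Allow-list for the "host" field of a hypothetical router ping-diagnostics form:
# an IP literal or a plain DNS name. Anything else (spaces, ';', '|', '`') is refused.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)

def validate_host(host: str) -> str:
    """Return host if it is an IP address or a syntactically valid hostname, else raise."""
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        pass
    if _HOSTNAME_RE.match(host):
        return host
    raise ValueError(f"rejected host field: {host!r}")

def ping_command_unsafe(host: str) -> str:
    """The shape of a command-injection flaw: the form field is pasted into a shell
    string. Returned rather than executed, so the defect is visible but inert."""
    return "ping -c 1 " + host

def ping_command_safe(host: str) -> list:
    """Hardened form: validate first, then build an argv list for subprocess.run
    (no shell=True), so shell metacharacters are never interpreted."""
    return ["ping", "-c", "1", validate_host(host)]

def first_boot_password() -> str:
    """Per-device random admin password instead of a fixed default such as guest/guest."""
    return secrets.token_urlsafe(12)

def make_credential_record(password: str, salt=None) -> dict:
    """Store a salted PBKDF2 hash of the password, never the cleartext."""
    salt = salt or os.urandom(16)
    return {"salt": salt, "hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)}

def verify_password(record: dict, attempt: str) -> bool:
    """Constant-time comparison of the attempt against the stored hash."""
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(), record["salt"], 200_000)
    return hmac.compare_digest(digest, record["hash"])
```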
The case will be adjudicated by a federal district court judge; however, the usual course of events goes like this: the FTC and the accused company reach a settlement. For example, D-Link may deny wrongdoing but promise to improve the security of its products and submit to outside scrutiny. Here are some verbatim snippets from the TRENDnet settlement to give you an idea of what this outcome looks like:
- TRENDnet is prohibited from misrepresenting the security of its cameras or the security, privacy, confidentiality, or integrity of the information that its cameras or other devices transmit.
- The company is barred from misrepresenting the extent to which a consumer can control the security of information the cameras or other devices store, capture, access, or transmit.
- TRENDnet also is required to establish a comprehensive information security program designed to address security risks that could result in unauthorized access to or use of the company’s devices, and to protect the security, confidentiality, and integrity of information that is stored, captured, accessed, or transmitted by its devices.
- The company also is required to obtain third-party assessments of its security programs every two years for the next 20 years.
- The settlement requires TRENDnet to notify customers about the security issues with the cameras and the availability of a software update to correct them, and to provide customers with free technical support for the next two years to assist them in updating or uninstalling their cameras.
Data privacy, security, and the FTC
So where do actions like these fit into the whole scheme of data privacy and protection in the US? I will try to explain, in bullet points and then with some references, but I would be the first to admit that it’s a bit convoluted. It goes like this, with apologies to any readers who happen to be actual lawyers:
- the FTC polices unfair business practices;
- you claim your product uses advanced security to protect private data;
- a reasonable person would conclude the security is not advanced;
- so you have made an unjustified product claim;
- that is unfair to other vendors who might be more honest;
- hence, you engaged in an unfair business practice.
Now let’s look at that in a broader context (for a really broad context you might try this ESET white paper on data privacy). The data privacy interests of individuals in the US are protected in a wide range of situations, from education records to financial records to video rental records; however, the protection is far from universal. For example, there is no explicit federal privacy protection for an individual’s airline reservation data or library borrowing records. Whole categories of data – like the customer and prospect databases widely used in sales and marketing – lack explicit protection under federal law, despite the fact that unauthorized access to them is potentially harmful to the data subjects.
These gaps in protection have led some privacy advocates to make unfavorable comparisons between US data protection legislation and that of European countries where all personal data is protected by default and there is a national office of data protection to whom individuals can turn for redress. Such criticism may be warranted, but some critics tend to underestimate the FTC’s role as America’s privacy watchdog, a role demonstrated in the D-Link case.
Overlooking this aspect of privacy protection in the US is perhaps understandable because there’s nothing in the name Federal Trade Commission that suggests a focus on privacy. Furthermore, there is no mention of privacy in the legislation under which that FTC role has evolved. The Federal Trade Commission Act of 1914 (FTCA, as amended by the Wheeler-Lea Act of 1938) charged the agency with protecting businesses and consumers from unfair competition and unfair or deceptive commercial practices.
The FTC’s emergence as the leading defender of the data privacy interests of individuals, shaping consumer privacy and commercial data security practices over the last 15 years, is well documented (Murphy, 2013; Serwin, 2014; Stevens, 2014). Along the way the agency has imposed numerous legal settlements, levied millions of dollars in fines, and overseen monetary reimbursements to consumers. A brief review of an early FTC action will illustrate the two legal doctrines by which the agency pursues its data privacy remit. The case of FTC v. Eli Lilly was settled in 2002 after the agency alleged that the pharmaceutical company failed to follow responsible code development practices and thereby exposed the identity of people who had expressed an interest in Prozac, an anti-depressant medication (FTC, 2002).
The breach of personally identifiable information resulted from a programming error. Research commissioned by the FTC and performed by the author and colleagues determined that this error would have been remediated if standard IT practices – including preproduction testing – had been followed. While such practices were stipulated in the company’s own policies, the research indicated that these policies had not yet been applied to web- and email-based marketing activities. From the FTC’s perspective, Lilly was culpable firstly of deceiving consumers by assuring them on its website that their interest in Prozac, and their personally identifiable information, would be kept private and secure. The FTC argued that such assurances to the data subjects were material to their decision to provide that information. Secondly, it was alleged that, by failing to live up to those privacy promises, Eli Lilly potentially caused harm to the persons who were exposed.
FTC cases are usually settled with no admission of wrongdoing by defendants. This might sound like a soft touch, but FTC consent orders – most of which follow the template forged in the Lilly case – impose a serious compliance burden (see the above list of requirements from the TRENDnet case). The FTC often requires the defendant to establish and execute a program of improvements to its data privacy and system security practices. The progress of this program is then subject to periodic outside audits by independent parties – such as CISSPs – for the length of the settlement period, which can be as long as 20 years. Furthermore, defendants must agree to pay fines to the FTC if the consent order is violated at any time during that period. For example, when the FTC determined that Lifelock, a vendor of identity protection services, had violated its 2010 consent order, the company had to pay a $100 million fine (FTC, 2015a).
The FTC clearly addresses some of the data privacy interests of individuals. Case law like FTC v. Wyndham has established the agency’s authority in the courts (FTC, 2015b; Serwin, 2015). However, the doctrine of harm that the agency has developed is not without problems, as Serwin suggests (2011). Absent a universal right to informational privacy, violation of which is defined as harmful, commercial data controllers culpable in a breach can argue there is no harm to the data subjects whose records have been exposed, unless they suffer a financial loss directly attributable to the breach. So far, US courts have been reluctant to agree with those who claim that the distress of an unauthorized stranger and/or criminal accessing an individual’s personal details is in itself harmful enough to warrant recompense. However, case law is continually evolving and the tort of intrusion upon seclusion has been successfully applied in Canadian data breach cases (Simard and Griffin, 2014). It is possible that similar cases could gain traction in the US at some point.
In the meantime the FTC continues to be vigilant when it comes to the data privacy of individuals in an increasingly connected world. This has led to the FTC’s research and guidance on the security and privacy aspects of the Internet of Things referenced earlier, and to initiatives like the one we reported earlier this week. Many security professionals see the home router as a key component in the IoT, a domestic IoT hub as it were. That’s one reason we often talk about router security here on We Live Security (and why ESET introduced router security into its product line last year). Another reason you will find a lot of security articles dealing with routers on We Live Security is that more and more bad guys are targeting them. The same can be said of webcams, another topic featured frequently on We Live Security (and addressed in the ESET product line). In other words, the need for routers and webcams to become more secure is greater than ever, and hopefully this latest FTC action will move the tech industry in that direction.
- FTCA (1914) Federal Trade Commission Act of 1914, 15 U.S. Code § 41, https://www.law.cornell.edu/uscode/text/15/41
- FTC (2002) ‘FTC v. Eli Lilly’, https://www.ftc.gov/enforcement/cases-proceedings/012-3214/eli-lilly-company-matter
- FTC (2015a) ‘LifeLock to Pay $100 Million to Consumers to Settle FTC Charges it Violated 2010 Order’, https://www.ftc.gov/news-events/press-releases/2015/12/lifelock-pay-100-million-consumers-settle-ftc-charges-it-violated
- FTC (2015b) ‘FTC v. Wyndham’, https://www.ftc.gov/enforcement/cases-proceedings/1023142-x120032/wyndham-worldwide-corporation
- Murphy, E. (2013) ‘The Politics of Privacy in the Criminal Justice System: Information Disclosure, the Fourth Amendment, and Statutory Law Enforcement Exemptions’, Michigan Law Review 111(4): 485-546
- Serwin, A. (2011) ‘The Federal Trade Commission and Privacy: Defining Enforcement and Encouraging the Adoption of Best Practices’, San Diego Law Review 48: 809-856
- Serwin, A. (2015) ‘The FTC v. Wyndham Reexamined – A True Test of the Contours of Unfairness’, The Lares Institute Blog, 28 September, http://www.laresinstitute.com/archives/4631
- Simard, A. and Griffin, S. (2014) ‘Proactive Monitoring: Lack of Employee Oversight Leads to the Certification of the First Privacy Class Action Based on the Novel Tort of “Intrusion upon Seclusion”’, Canadian Class Actions Monitor, 23 June, http://www.canadianclassactionsmonitor.com/2014/06/proactive-monitoring-lack-of-employee-oversight-leads-to-the-certification-of-the-first-privacy-class-action-based-on-the-novel-tort-of-intrusion-upon-seclusion/