A recent action by the Federal Trade Commission (FTC) against an internet of things (IoT) device manufacturer in the Northern District of California is a significant development for the IoT industry and for data security law. The action will ultimately test the FTC’s regulatory power over IoT device manufacturers because the complaint is based on alleged security vulnerabilities rather than on actual harm to consumers.
The complaint was filed against D-Link and its US subsidiary. The IoT devices at issue are D-Link’s consumer routers, Internet Protocol (IP) cameras, and related software that allow consumers to monitor their homes remotely, including through the use of a mobile app.
The thrust of the complaint is that D-Link failed to take reasonable steps to protect its devices from “widely known and reasonably foreseeable risks of unauthorized access.” The FTC argues that D-Link deceptively promoted the security features of its products to consumers but failed to address common and preventable security flaws, which constitutes unfair or deceptive acts or practices in violation of Section 5(a) of the FTC Act.
Examples of easily preventable security flaws that the FTC alleges D-Link failed to address include the following:
- “Hard-coded” user credentials, other backdoors, and command injection flaws in the software that could allow remote attackers to gain control of a device or that could allow unauthorized access to a camera’s live feed
- Failure to maintain the confidentiality of a private key used to sign the software, resulting in the key being available for six months on a public website
- Failure to use free software, available since 2008, to secure the mobile app login credentials of users, resulting in such credentials being stored in readable text on users’ mobile devices
Interestingly, the FTC complaint does not allege that any of these security flaws caused actual harm to consumers. The complaint asserts that thousands of consumers are at risk from the routers and cameras because of their vulnerability to attack, thereby subjecting sensitive personal information to unauthorized access.
D-Link initially responded to the action in an online statement, calling the allegations “vague and unsubstantiated” and noting the lack of an allegation that the security of any product was actually breached. According to the statement, D-Link plans to “vigorously defend” itself against the charges. To that end, D-Link moved to dismiss the complaint in its entirety. D-Link argues, among other things, that the FTC’s complaint “is a case of government overreach, without justification or any evidence of consumer injury.” It argues that the complaint pleads “legal conclusions couched as hypothetical, speculative factual allegations” and that the “‘unfairness’ claim independently fails because the FTC’s standardless ex post ‘we know ‘unfair’ data security when we see it’ case-by-case approach to enforcing Section 5 violates [D-Link’s] due process right to fair notice of prohibited or required conduct.” D-Link also argues that the court should dismiss the “deception” claims “for failure to meet the heightened pleading standards” required by the Federal Rules of Civil Procedure.
The FTC action against D-Link is an important case to monitor. Because the complaint does not claim actual harm to consumers, a successful action would mean that IoT device manufacturers could face liability simply for having security vulnerabilities in their products. The outcome of the case will therefore be crucial for the IoT industry and for determining the scope of the FTC’s regulatory authority. In addition, if the FTC is successful, the action could lend greater weight to the FTC’s guidance on security and privacy best practices issued in early 2015.
We will continue to monitor this case and update our readers on key developments.