Last month, the FTC announced its settlement with technology company TRENDNet over charges that the company’s lax security practices led to the public exposure of private video feeds. TRENDNet manufactures a range of networking hardware, including Internet-accessible surveillance cameras. According to the FTC complaint, some of the feeds from these cameras were disclosed online without authorization. Under the terms of the settlement, TRENDNet is enjoined from misrepresenting the security and privacy features of its Internet-accessible products and their associated apps, and the company must establish a comprehensive security program subject to biennial third-party assessments. The FTC describes this settlement as the conclusion of the agency’s first enforcement action “against a marketer of an everyday product with interconnectivity to the Internet” – also known as the “Internet of Things.” As we describe below, the settlement provides insight into the FTC’s current approach to enforcing security standards and indicates that the FTC may be broadening its characterization of sensitive data.
TRENDNet markets a range of its networked cameras as “secure.” That security is supposedly provided by an authentication feature that allows users to access live feeds only after inputting their login credentials. The authentication feature is enabled by default, and users can choose to disable the feature and make their feeds available to the public. The FTC claims that in 2012, a hacker discovered a web address that supported the sharing of camera feeds that users had chosen to make public. A flaw in TRENDNet’s security settings allegedly allowed the hacker access to all live feeds, regardless of whether users had chosen to make them public. The hacker disclosed this vulnerability, and, as a result, links to hundreds of live feeds were posted online. Some of these feeds allegedly revealed private areas of consumers’ homes, including nurseries and bedrooms.
In its complaint, the FTC claimed that there were two failures with TRENDNet’s security program that led to unauthorized individuals gaining access to supposedly private video feeds:
- TRENDNet failed to employ reasonable and appropriate security during the design and testing of consumer software. The FTC claimed that TRENDNet failed to implement, among other things, a security architecture review, vulnerability and penetration testing, reasonable code review and testing, and reasonable guidance or training for employees responsible for its product’s security.
- TRENDNet failed to monitor third-party security vulnerability reports. It is worth noting that the FTC has previously emphasized the importance of reviewing vulnerability reports. Earlier this year, the FTC settled with HTC over allegations that the company’s security practices were unreasonable, and the failure to monitor vulnerability reports was one of the allegations at the heart of the FTC’s complaint.
Because TRENDNet’s security program allegedly contained these deficiencies, the FTC claimed that TRENDNet failed to “provide reasonable security to prevent unauthorized access.” And the FTC accused TRENDNet of engaging in unfair or deceptive trade practices in violation of Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a).
The FTC alleged that TRENDNet’s practices were deceptive because in spite of the security failures described above, the company claimed that it offered secure products and services to its customers. TRENDNet described its cameras as secure and used the trade name SecurView for some of its products. Moreover, the company claimed that it provided consumers with an authentication feature that supposedly prevented unauthorized individuals from accessing live feeds. The FTC found that these representations misled consumers into believing that TRENDNet provided reasonable security.
The FTC claimed that TRENDNet’s practices were unfair because the company allegedly failed to provide reasonable security for security cameras marketed for the purpose of monitoring consumers’ homes and businesses. The lack of reasonable security, according to the FTC, exposed consumers to substantial risk of injury that could not be reasonably avoided and was not offset by sufficient benefits.
Besides indicating that the FTC continues to be interested in enforcing security standards, the settlement also suggests that the FTC may be adopting a more expansive view of what constitutes “sensitive data.” In the 2012 Privacy Report, the FTC identified “sensitive data” as including Social Security numbers, precise geolocation data, financial records, health information and information about children. For those types of data, the FTC recommended that organizations obtain affirmative express consent from consumers prior to collection. The FTC recognized that other types of data might be viewed as sensitive by some individuals, but it did not recommend adopting heightened consent mechanisms. In the 2013 Mobile Privacy Report, the FTC seemingly adopted a somewhat subjective notion of sensitive data and advocated obtaining affirmative express consent prior to collecting data that “many consumers would find sensitive in many contexts.” In the TRENDNet complaint, the FTC states that the live feeds themselves constitute sensitive information. It is likely that some of the live feeds revealed information about children or possibly even health or financial information. In certain instances, it may have been possible to determine a camera’s precise location from the feed. And consumers would likely find many of the feeds to be sensitive. But the FTC complaint does not appear to distinguish live feeds that reveal such sensitive data from feeds containing innocuous data. On two occasions the FTC clarifies what is meant by “sensitive information” with the phrase “namely the live feeds from the IP cameras.”
Whether the FTC intends to adopt the view that all video feeds are sensitive information is unclear, but it does seem that the FTC is moving away from defining “sensitive information” in terms of certain categories of data. This will likely create uncertainty for organizations attempting to classify data during the design and implementation of security and privacy programs.
Soon after her appointment as Chairwoman of the FTC, Edith Ramirez signaled that the Internet of Things would be part of her privacy agenda. The TRENDNet settlement and the forthcoming November 19 Internet of Things Workshop confirm that the FTC is concerned about the privacy and security issues raised by the growth of connected devices. Companies developing products and services for the Internet of Things should take note of the potential for FTC scrutiny and take steps to ensure that reasonable privacy and security policies and practices are implemented.
James Denvil and Adam Solomon, associates in our Washington D.C. office, contributed to this post.