This post was also written by Frederick Lah.
Earlier this year, we wrote about the FTC’s plan to hold a November 2013 public workshop over concerns with the “Internet of Things,” the dramatically growing capacity of smart devices to communicate information through the Internet. In advance of the workshop, the FTC has entered into a consent decree with a marketer of Internet-connected video cameras, marking the Commission’s first foray into the Internet of Things.
The marketer in this case was a provider of home security video cameras that allowed consumers to monitor their homes remotely. According to the complaint, a hacker exploited a security flaw in the marketer’s system and posted live feeds to approximately 700 home cameras, displaying babies asleep in their cribs, young children playing, and adults going about their daily lives. While the marketer did alert customers of the security flaw and offered them a security patch, the FTC alleged that the marketer had failed to use reasonable security to design and test its software, including a setting for the cameras’ password requirement. The FTC also alleged that the marketer had transmitted user login credentials in clear, readable text over the Internet, even though free software was available to secure such transmissions.
Under the terms of its settlement, the marketer is prohibited from misrepresenting the security of its cameras and the information that its cameras transmit. The marketer is also prohibited from misrepresenting the extent to which a consumer can control the security of information captured by the cameras. The FTC voted 4-0 to accept a consent agreement and the proposed order. The agreement will be subject to public comment for 30 days through October 4, 2013, after which the FTC will decide whether to make the proposed settlement final.
This case is an important one for all companies that offer products connected to the Internet, whether they’re offering home appliances, automobiles, or even products with “smart” labels. The FTC relied upon a “reasonable” standard in bringing this action, which can always be a tricky one for companies to interpret. As a baseline, companies need to follow industry security standards and implement protections that are commensurate with the type of data they collect and transmit. As a best practice, companies should take a Privacy by Design approach and consider privacy and security as early as possible during product development. Still, no system can ever be 100 percent secure from malicious hackers, even if the company has taken extensive measures to protect its data assets; and just because a company has been the victim of a malicious hack does not by itself prove that the company was not acting reasonably.
The FTC’s workshop on the privacy and security of the Internet of Things will be held November 19, 2013. According to the FTC’s website, the workshop will address issues related to the increasingly prevalent ability of everyday devices to communicate with each other and with people.