Global Media and Communications Watch The International Legal Blog for the Tech, Media and Telecoms Industry
Posted in Data Protection & Privacy, Internet, Policy & Regulation Conor Ward

FTC takes enforcement action regarding data security and IoT

As legislators across the world grapple with the thorny issue of suppliers’ liability for digital content and online services, the Federal Trade Commission (FTC) in the U.S. has used its existing powers under the Federal Trade Commission Act, 15 U.S.C. to address the liability of equipment manufacturers in relation to the Internet of Things.

ASUSTeK Computer, Inc (“ASUS”), is a Taiwanese hardware manufacturer that, among other things, sells routers, and related software and services, intended for consumer use. In August 2012, ASUS introduced and began marketing a feature known as AiCloud on its routers. ASUS publicized AiCloud as a “private personal cloud for selective file sharing” that featured “indefinite storage and increased privacy”. However, the AiCloud web application included multiple vulnerabilities that would allow attackers to gain unauthorized access to consumers’ files and router login credentials. In order to exploit these vulnerabilities, an attacker would only need to know the router’s IP address – information that was easily discoverable.

In an Administrative Complaint, the FTC claimed that thousands of ASUS routers were compromised by hackers who used readily available tools to locate the routers’ IP addresses. The hackers then posted online a list of IP addresses for 12,937 vulnerable ASUS routers as well as the login credentials for 3,131 AiCloud accounts, further exposing these consumers to potential harm.

The FTC alleged four counts of misrepresentation to consumers and one count of unfair or deceptive acts or practices by failing to take reasonable steps to secure the software for its routers.

With no admission of liability on the part of ASUS, the FTC has announced that the parties agreed to settle the charges that critical security flaws in its routers put the home networks of hundreds of thousands of consumers at risk. The FTC’s proposed Consent Order will require ASUS to establish and maintain a comprehensive security program designed to (1) address security risks related to the development and management of new and existing “Covered Devices”, and (2) protect the privacy, security, confidentiality, and integrity of “Covered Information”. The program will be subject to independent audits for the next 20 years.

This is an important action by the FTC and highlights product liability issues that may arise in relation to connected devices and the Internet of Things. The Consent Order represents a useful checklist for manufacturers of connected devices of the steps required to minimise the risk of liability for the security of connected devices and the IoT.