In its first enforcement action against a company operating in the emerging market known as the “Internet of Things”, the FTC has secured a settlement agreement with a company that markets Internet-connected video cameras designed to allow consumers to remotely monitor their homes.
The increasing connectivity of consumer devices, such as cars, appliances, and medical devices, and the capability for these devices to communicate with other such devices, is commonly referred to as the Internet of Things. Many of the devices connected through the Internet of Things have the capability to communicate with consumers, transmit data back to companies, and compile data for third parties such as researchers, health care providers, or even other consumers, who can measure how their product usage compares with that of their neighbors.
But the benefits of such connectivity also present potential privacy and security risks, as the FTC’s latest action illustrates.
In its complaint the FTC alleged that the company, TRENDnet, employed lax security practices which exposed the private lives of hundreds of consumers on the Internet. Although the company claimed in product descriptions that the service was “secure” the FTC asserted that the company’s Internet-connected cameras used faulty software that permitted anyone with access to basic information to view the cameras’ video and audio feeds online. The FTC also alleged that the company failed to use reasonable security to design and test its software, including basic password requirements. These facts were discovered by a hacker who exploited these flaws and posted links to live feeds of nearly 700 interconnected cameras.
Rather than contest these allegations TRENDnet entered into a settlement agreement with the FTC. The settlement prohibits the company from misrepresenting the security of its cameras or the security, privacy, confidentiality or integrity of the information that the cameras or related devices transmit. The settlement also requires the company to establish a comprehensive information security program to address security risks, to notify customers about these issues, and to provide customer with free technical support for the next two years.
The implications for other entities operating in this emerging market of Internet-connected devices, such as appliances, medical devices and (possibly) cars, are significant. The very connectivity that defines this new market, also presents heightened privacy and security risks. Therefore, entities operating in this market should take immediate steps to ensure that privacy and security protocols are consistent with industry standards, as well as representations made in marketing and other materials.
FTC Chairwoman Ramirez noted in a recent speech that these issues require “more diligence” from regulators and consumers. Notably, this enforcement action precedes the agency’s plan to convene a workshop on November 19th to study privacy and security risks posed by the emergence of the Internet of Things. Thus, these issues are likely to remain on the agency’s radar for the foreseeable future.