In the Matter of TRENDnet, Inc., F.T.C. File No. 122-3090, is the first legal action taken by the Federal Trade Commission (FTC) against “the marketer of an everyday product with interconnectivity to the Internet and other mobile devices – commonly referred to as the Internet of things." The FTC found that TRENDnet had violated Section 5(a) of the Federal Trade Commission Act by falsely advertising that IP Cameras it sold could transmit video on the internet securely. On January 16, 2014 the FTC issued a Decision and Order obliging TRENDnet, among other things, to cease misrepresenting the extent to which its products protect the security of live feeds captured and the personal information that is accessible through those devices.
Contents
The Respondent: TRENDnet, Inc.
TRENDnet is a California corporation that, among other things, sells networking devices, such as routers, modems, and IP security cameras that allow users to conduct remote surveillance of their homes and businesses over the Internet. It began selling digitally connected cameras under the trade name "SecurView" in 2010. It usually sells its IP cameras under the trade name "SecurView," and tells consumers that they may use the cameras to monitor "babies at home, patients in the hospital, offices and banks, and more."" By default, these IP cameras are subject to security settings such as a requirement to enter a username and password ("login credentials") in order to access the video and audio feeds ("live feeds") over the Internet." Between 2010 and 2012, TRENDnet’s “Secureview” line made $19 million in revenue, accounting for 10 percent of the company’s total revenue during that time period.
TRENDnet's Security Breach
The security breach was first exploited when a blogger named “SomeLuser” was able to identify the web addresses of live feeds coming from TRENDnet’s ATV-IP110w cameras. SomeLuser realized that the live stream of any camera could be accessed by making a “mjpg.cgi” request to the device’s IP address, thereby bypassing the need to enter login credentials. On January 10, 2012 SomeLuser uploaded this information into the Shodan search engine which immediately made 350 live feeds viewable by anyone. By the time the breach came to TRENDnet’s attention, over 700 cameras were accessible via Shodan.
"Among other things, these compromised live feeds displayed private areas of users’ homes and allowed the unauthorized surveillance of infants sleeping in their cribs, young children playing, and adults engaging in typical daily activities. The breach was widely reported in news articles online, many of which featured photos taken from the compromised live feeds or hyperlinks to access such feeds. Based on the cameras’ IP addresses, news stories also depicted the geographical location (e.g., city and state) of many of the compromised cameras." TRENDnet learned of the breach on January 13, 2012 when a customer who read about the breach contacted TRENDnet's technical support staff to report the issue. TRENDnet released a firmware update designed to rectify the software’s vulnerability, halted the shipping new products to market, and spent "substantive resources" notifying all previous customers.
The FTC's Complaint Against TRENDNET, Inc. - September 4, 2013
The FTC’s Complaint identified four “practices that, taken together, failed to provide reasonable security to prevent unauthorized access to sensitive information, namely the live feeds from the IP cameras.” The FTC alleged that TRENDnet misrepresented the adequacy of its security measures to consumers, even while it:
The Commission voted to accept the consent agreement package 4-0. “The FTC. does not have the legal authority to impose fines in such cases. But TRENDnet agreed to a consent order prohibiting similar practices, so the commission has the ability to seek penalties in the future.”
Case Settlement - January 16, 2014
"TRENDnet's settlement prohibits it from misrepresenting the security of its cameras or the security, privacy, confidentiality or integrity of the information that its devices transmit. Further, it cannot misrepresent consumer control over the security of information the devices store, capture, access or transmit; it must notify customers about security issues with the cameras and the availability of a firmware update; and it must provide customers with free tech support for updating or uninstalling their cameras for the next two years. Finally, TRENDnet must establish a comprehensive information security program designed to address security risks that could let hackers access or use its devices; protect the security, confidentiality and integrity of information stored, captured, accessed or transmitted by its devices; and get third-party security audits biennially for the next 20 years."
The Order will terminate on January 16, 2034.
Importance of Case
One commentator noted that the message to all companies developing products for the Internet of Things is that “the FTC is watching and has served notice that it intends to play an active role in enforcing its regulatory authority in that context.” This case, however shows how challenging it will be for the FTC to regulate this new industry. Ultimately this action was based on the misstatements of TRENDnet, rather than the security of the products themselves. On February 4, 2014, the FTC provided a statement to the United States Senate Committee on the Judiciary, stating that Section 5(a) of the Federal Trade Commission Act, codified at 15 U.S.C. §45(a) gives the agency the authority to regulate security standards. "If a company makes materially misleading statements or omissions about a matter, including data security, and such statements or omissions are likely to mislead reasonable consumers, they can be found to be deceptive in violation of Section 5." "Further, if a company’s data security practices cause or are likely to cause substantial injury to consumers that is neither reasonably avoidable by consumers nor outweighed by countervailing benefits to consumers or to competition, those practices can be found to be unfair and violate Section 5." Over the last decade, the FTC has used the authority to punish “unfair” and “deceptive” trade practices to investigate companies that collect, monitor, or use personal information about consumers. As it did in the TRENDnet case, the FTC frequently alleges violations of both provisions in data privacy investigations.
Other commentators have noted that this case may suggest that the FTC is adopting a more expansive view of what constitutes “sensitive data.” In the 2013 Mobile Privacy Report, the commission adopted a subjective notion of “sensitive data” by advocating that companies obtain express consent before collecting data that “many customers would find sensitive in many contexts." In this complaint, however, the FTC states that the live feeds, themselves, constitute “sensitive data.” While the streams likely revealed “sensitive data” (personal information about health, financial, or location), “the FTC complaint does not appear to distinguish live feeds that reveal such sensitive data from feeds containing innocuous data.”