The Federal Trade Commission recently settled with online security provider TRENDnet related to charges that the company’s inadequate security practices led to the public disclosure of private video feeds from networked security cameras that TRENDnet marketed as “secure.”
While the settlement included no fines, it signals some important implications for the security industry as it moves increasingly into more sophisticated, technology-based applications.
Inside the Case
TRENDnet manufactures and sells a variety of networking hardware, including Internet-connected surveillance cameras. According to the FTC’s complaint, the company marketed its Internet-accessible home (and business) surveillance cameras as “secure” and sold some products under the trade name “Securview.”
The FTC claimed a hacker discovered a web address that supported the sharing of camera feeds. A flaw in TRENDnet’s security settings allegedly allowed the hacker to access all live feeds, regardless of whether users had made them public. The hacker disclosed this vulnerability and posted links to hundreds of live feeds online — some of which allegedly revealed private areas, including nurseries and bedrooms.
The FTC claimed two failures in TRENDnet’s security program led to this unauthorized access:
- First, TRENDnet failed to employ reasonable and appropriate security during the design and testing of its consumer software, including a security architecture review, vulnerability and penetration testing, reasonable code review and testing, and reasonable guidance or training for employees responsible for its products’ security.
- Second, TRENDnet failed to monitor third-party security vulnerability reports, a practice the FTC has emphasized as important.
Given these alleged security deficiencies, the FTC claimed TRENDnet engaged in unfair or deceptive trade practices because it sold cameras it claimed were secure, yet exposed consumers to a substantial risk of injury.
The settlement restricts TRENDnet’s ability to market its hardware, and requires that the company notify all of its customers of the security breach, establish a comprehensive security program, and obtain independent privacy audits of that program manually for the next 20 years (terms similar to those the FTC recently imposed on internet giants Facebook and Google).
The Security Industry Ramifications
Besides the obvious fact that the FTC continues to be interested in enforcing security standards, the settlement also suggests the FTC may be adopting a more expansive view of what constitutes “sensitive data.” In its 2012 Privacy Report, the FTC identified “sensitive data” as including Social Security numbers, precise geolocation data, financial records, health information and information about children. For those types of data, the FTC recommended that organizations obtain affirmative express consent from consumers prior to collection.
The FTC recognized that other types of data might be viewed as sensitive by some individuals, but it did not recommend adopting heightened consent mechanisms; however, in the 2013 Mobile Privacy report, it seemingly adopted a subjective notion of sensitive data and advocated obtaining affirmative express consent prior to collecting data that “many consumers would find sensitive in many contexts.”
In the TRENDnet complaint, the FTC states that the live feeds themselves constitute sensitive information. It is likely that some of the live feeds revealed information about children, or possibly even health or financial information. In certain instances, it may have been possible to determine a camera’s precise location from the feed. And consumers would likely find many of the feeds to be sensitive. But the FTC complaint does not appear to distinguish live feeds that reveal such sensitive data from feeds containing innocuous data.