“When You Promise Security, You Need to Deliver Security”
“Tech companies should remember the basics – when you promise security, you need to deliver security.” Andrew Smith, Director of the FTC’s Bureau of Consumer Protection
If your company is marketing any smart device, particularly if the device is involved with home security and collects personal information from users, it’s time to pay attention to the story of Tapplock.
Tapplock, Inc. (“Tapplock”), is a Canadian Internet of Things (“IoT”) company that sells fingerprint-enabled padlocks that are connected to the Internet (“smart locks”). The company raised hundreds of millions of dollars in crowdfunding for its connected, fingerprint-secured smart lock, which security researchers discovered was neither smart nor as secure as advertised. Tapplock recently settled with the Federal Trade Commission (the “FTC”) over allegations that Tapplock had deceived consumers with false claims that its smart locks were “unbreakable” and that it had taken reasonable precautions to secure the data collected from users.
Tapplock, through its smart lock companion mobile application, collected and stored usernames, e-mail addresses, profile photos, location history, and the precise geolocation of a user’s smart lock.
The FTC complaint alleged that, contrary to Tapplock’s advertising claims that their locks were “sturdy” and “secure,” Tapplock in fact “did not take reasonable measures to secure its locks, or take reasonable precautions or follow industry best practices for protecting consumers’ personal information.”
The complaint noted that Tapplock did not have a security program in place prior to discovery of the vulnerabilities discussed below, and specifically noted that Tapplock:
- failed to identify reasonably foreseeable risks to the security of its smart locks or the security of customers’ personal accounts, such as through vulnerability or penetration testing, and assess the sufficiency of any safeguards in place to control those risks;
- failed to employ sufficient measures to detect and prevent users from bypassing the authentication procedures in Respondent’s API to gain access to other users’ accounts;
- failed to adopt and implement written data security standards, policies, procedures, or practices; and
- failed to implement adequate privacy and security guidance or training for its employees responsible for designing, testing, overseeing, and approving software specifications and requirements.
The bottom line: “We allege that Tapplock promised that its Internet-connected locks were secure,” Andrew Smith, Director of the FTC’s Bureau of Consumer Protection, says, “but in fact the company failed to even test if that claim was true.”
According to the complaint, researchers discovered the following vulnerabilities in Tapplock’s application programming interface that easily could have been avoided:
- Researchers were able to bypass account authentication and gain full access to user information, including usernames, e-mail addresses, profile photos, location history and the precise geolocation of smart locks;
- Researchers were able to lock and unlock any nearby smart lock because Tapplock did not encrypt the flow of data between the smart lock and the app; and
- Users who had provided other users access to their smart lock were later unable to effectively revoke that access.
The FTC complaint alleged that, as a result of Tapplock’s failures, consumers’ personal information was exposed and consumers’ personal property was put at risk. The FTC argued that this failure, when viewed in light of Tapplock’s advertising claims regarding the security of its smart locks, constituted a violation of Section 5(a) of the Federal Trade Commission Act, which prohibits “unfair or deceptive acts or practices in or affecting commerce.”
As part of the settlement with the FTC, Tapplock must implement a comprehensive security program (including employee training). In addition, Tapplock must participate in biennial third-party assessments of its information security program and certify compliance annually. The settlement also bans Tapplock from making further misrepresentations about its privacy and security practices.
This settlement should serve as a reminder to companies of their obligations pursuant to California’s Assembly Bill No. 1906 and Senate Bill No. 327 (the “California Legislation”), which went into effect in January 2020 and will have a national impact on companies in the IoT space. As a refresher, the California Legislation requires manufacturers to equip their connected devices with reasonable security features that are “appropriate to the nature and function of the device, appropriate to the information it may collect, contain, or transmit, [and are] designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.”
In Tapplock’s case, we see a nexus between the nature of the FTC complaint and the conduct required of companies under the California Legislation, which places a responsibility on IoT companies to consider and implement security measures that are “appropriate to the nature and function” of their products. Similarly, the FTC complaint alleged that Tapplock “did not take reasonable measures to secure its locks, or take reasonable precautions or follow industry best practices for protecting consumers’ personal information.”
Following the Tapplock settlement, it is reasonable to expect similar enforcement actions from the FTC in the future. If your business makes products that work in the IoT space, you will want to consider whether you have taken reasonable measures to secure your product tailored to the nature and function of your product and the information it collects, and whether those measures accurately align with your company’s claims about its security and privacy practices. If you make claims, make sure that you have a security and privacy program in place that is defensible in support of those claims – and make sure it is tested.
For a more in-depth discussion of the California Legislation and its national implications for IoT policy, be sure to revisit our Mintz viewpoint on the subject.