A home-security camera maker was cited by the Federal Trade Commission for poor security and false security promises, when the cameras could easily be hijacked over the Internet, allowing voyeurs and plotters to spy inside the houses of camera-using consumers. This month the FTC announced a proposed settlement with TRENDnet, a company that markets routers, modems and Internet Protocol cameras to home users and businesses to monitor their homes or businesses. The FTC’s complaint alleges that TRENDnet failed to implement reasonable security measures, and as a result the live feeds for nearly 700 cameras were available to the public on the Internet. The live feeds displayed private areas of the users’ homes, including images of sleeping infants, young children playing and other daily activities of consumers.
According to the FTC’s complaint, TRENDnet marketed its products as “secure” and used the trade name “SecurView.” But the FTC claims that TRENDnet failed to use reasonable security measures by engaging in the following practices:
- Transmitting and storing user login credentials over the Internet and on mobile devices in clear, readable text;
- Failing to implement a process to actively monitor security vulnerability reports from third-parties;
- Failing to employ reasonable security in the design and testing of its software; and
- Offering a faulty setting that purported to give users the option to require login credentials to access the camera.
Under the proposed terms of the FTC settlement, TRENDnet is prohibited from misrepresenting the security of its products and the information that its products transmit, and the extent to which a consumer can control the security of any information the devices store or transmit. The company must notify affected consumers and provide free technical support to consumers over the phone and email for the next two years. TRENDnet must also create a comprehensive security program and undergo third-party audits for the next 20 years.
The action against TRENDnet marks the FTC’s first action against a marketer of so-called “Internet of Things,” which the FTC describes as an “everyday product with interconnectivity to the Internet and other mobile devices.” The FTC has stated that the regulation of the Internet of Things is a top priority for the agency. To avoid an FTC enforcement action, a company selling devices that connect to the Internet should carefully review its products and data security policies to ensure that present practices adequately protect consumer privacy.