Slashdot Mirror
Judge Kills FTC Lawsuit Against D-Link for Flimsy Security (dslreports.com)
Earlier this year, the Federal Trade Commission filed a complaint against network equipment vendor D-Link saying inadequate security in the company's wireless routers and internet cameras left consumers open to hackers and privacy violations. The FTC, in a complaint filed in the Northern District of California charged that "D-Link failed to take reasonable steps to secure its routers and Internet Protocol (IP) cameras, potentially compromising sensitive consumer information, including live video and audio feeds from D-Link IP cameras." For its part, D-Link Systems said it "is aware of the complaint filed by the FTC." Fast forward nine months, a judge has dismissed the FTC's case, claiming that the FTC failed to provide enough specific examples of harm done to consumers, or specific instances when the routers in question were breached. From a report: "The FTC does not identify a single incident where a consumer's financial, medical or other sensitive personal information has been accessed, exposed or misused in any way, or whose IP camera has been compromised by unauthorized parties, or who has suffered any harm or even simple annoyance and inconvenience from the alleged security flaws in the [D-Link] devices," wrote the Judge. "The absence of any concrete facts makes it just as possible that [D-Link]'s devices are not likely to substantially harm consumers, and the FTC cannot rely on wholly conclusory allegations about potential injury to tilt the balance in its favor."
Excellent precedent to cite should I ever get pulled for dangerous driving...
Could be viewed as a failure on the FTCs part I guess, but does anyone have any examples of consumers being harmed by D_Link being cheap POS hardware with poor security?
Possibly a failure to realize that they had a difficult case to make. While it is clear the there were deficiencies, this type of lawsuit requires harm to be shown. If a person was knowingly harmed due to this security lapse, I think we would have heard about it.
Excellent precedent to cite should I ever get pulled for dangerous driving...
If you ever get sued for dangerous driving, even though you didn't actually harm someone, it might help. But it has nothing to do with breaking the law.
IMO, the judge is wrong in this case. This sort of action shouldn't require showing harm to individuals, because the harm isn't necessarily to the individual device owners. Most of the harm is to the people in aggregate.
Devices with security holes on the public Internet invariably eventually turn into botnets that attack systems in a distributed fashion, which harms the companies being attacked and the users that get locked out of their accounts. The harm to the owners is negligible, because they lose just a tiny bit of bandwidth. But the harm to society is huge.
And even in cases where the harm is to the individual owner, the harm could be impossible to prove, because you could never realistically be certain whether a password shared by several websites got stolen from one of those websites or from the unencrypted copy of the password on the user's router. But that doesn't mean that users weren't harmed. In effect, if this judge's opinion is allowed to stand, the government will be unable to prosecute the vast majority of cases in which consumers are harmed en masse by security-related negligence, and that's a bad thing.
Check out my sci-fi/humor trilogy at PatriotsBooks.
D-Link PR material consistently claimed the highest security standards.
Seems like they should have gone after them for fraud and false advertising, given the abysmal lack of security in the systems that were sold for the purpose of making networks secure.
Check your premises.
IMO, the judge is wrong in this case. This sort of action shouldn't require showing harm to individuals, because the harm isn't necessarily to the individual device owners. Most of the harm is to the people in aggregate.
The harm to the owners is negligible, because they lose just a tiny bit of bandwidth. But the harm to society is huge.
Why is he wrong if the burden is on the plaintiff to show actual harm, and the plaintiff could not show actual harm? Would the judge have been right to not require evidence?
Lawsuits are for righting wrongs. If you can't show anyone was wronged, then there is nothing to right.
Protecting people in aggregate is what statutes are for, and neither the FTC nor the judge can create a statute.
The judge ruled correctly.
Since the Judge doesn't believe that the blatant existence of shitty default security can and often will lead to data breaches, I suggest we force the Judge to install the hardware inside every room of their personal home.
If the Judge thinks it's so fucking secure, then put your privacy where your ruling is.
The Judge made the right call. No evidence means no proof. No proof means they're innocent, even if they're guilty as hell.
There was plenty of evidence to show that the default security was absolute shit.
What was lacking here was common fucking sense that confirms when default security is absolute shit, data breaches are usually the end result.
Validation of that fact is likely strewn across decades of case law, so it was hiding about as well as an elephant herd in the room.
Pretty much the first test of any civil lawsuit is whether there was any harm. If you can't demonstrate that, there is no case.
So.. You can now sue for negligence without having to prove any harm was actually done?
How on earth do you establish damages if you don't have evidence you where damaged in some way?
The judge did the right thing. The FTC dropped the ball and didn't have their ducks in a row. Sorry, go try again people...
"File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
Had people been injured from others who were doing dangerous driving. The FTC if showed harm from similar products from similar vulnerabilities then they may had a case.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
But there was actual harm. The Mirai botnet attacked other computers on the Internet, and as a part of that botnet, D-Link's routers probably did tens of millions of dollars of economic damage to the Internet as a whole. So there was very clearly harm. It just wasn't directed specifically at the owners of the devices. Rather, the owners of the devices were unknowingly being complicit in that harm to others.
Check out my sci-fi/humor trilogy at PatriotsBooks.
But there's ample proof that people were harmed by the Mirai botnet, and much of that harm was the direct result of D-Link routers getting p0wn3d. What they lacked was proof that the owners of the devices were harmed, and the judge incorrectly jumped from "the owners weren't harmed" to "no one was harmed", when in fact that is clearly not the case.
Check out my sci-fi/humor trilogy at PatriotsBooks.
What seems 'off' about this case is that the FTC legal department's lawyers surely understood basic civil law, but yet did not prepare their case with the requisite evidence of harm any such case has to demonstrate.
It makes me think maybe the FTC just wanted to *look like* they were "taking serious action" here when in reality they wanted the problem to quietly go away because of regulatory-capture/crony-capitalism.
Strat
Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
So now the legal standard is, "as long as no one ever got hurt, it's fine?" What if I build a cheap, shoddy bridge using unsafe practises? So long as it doesn't fall apart before the lawsuit, I'm not at fault? What a shitty country this is. I hope this gets appealed and overruled.
You bring up an interesting point. If you build a bridge using unsafe practices you would violate close and be subject to enforcement actions. Absent a law definingbminimum standards for routers then building one with poor security doesn't open you up to lawsuits until someone can prove actual damages. That's been part of the law for a long time, hypothetical future harms are not reason enough to be able to sue. To build on your bridge example, if you paint the entrance to look wider then it is someone can't sue you simply because they may hit a post if the drive over it. An interesting question is if you know dLink makes poor products but continue to use them how much liability do you assume when a breach does occur?
I'm a consultant - I convert gibberish into cash-flow.
More likely he's an experienced judge who understands the law.
Suppose I walk past your house and see that one of the front steps is loose. Can I sue you for potentially harming me if I had tripped on that step (but didn't)?
The law doesn't change because it's on the internet.
"Probably" isn't good enough in a criminal case, where the standard is "beyond a reasonable doubt." This is, or was, a civil case where the standard is "the preponderance of evidence." That means that if the plaintiff can persuade the jury that there's a 51% chance that they're right, they win.
Good, inexpensive web hosting
There are craploads of examples of dangerous driving harming people.
OK. I agree. So what difference does that make? How many people have been sued for dangerous driving when nobody was harmed?