Judge Kills FTC Lawsuit Against D-Link for Flimsy Security

Earlier this year, the Federal Trade Commission filed a complaint against network equipment vendor D-Link saying inadequate security in the company's wireless routers and internet cameras left consumers open to hackers and privacy violations. The FTC, in a complaint filed in the Northern District of California charged that "D-Link failed to take reasonable steps to secure its routers and Internet Protocol (IP) cameras, potentially compromising sensitive consumer information, including live video and audio feeds from D-Link IP cameras." For its part, D-Link Systems said it "is aware of the complaint filed by the FTC." Fast forward nine months, a judge has dismissed the FTC's case, claiming that the FTC failed to provide enough specific examples of harm done to consumers, or specific instances when the routers in question were breached. From a report: "The FTC does not identify a single incident where a consumer's financial, medical or other sensitive personal information has been accessed, exposed or misused in any way, or whose IP camera has been compromised by unauthorized parties, or who has suffered any harm or even simple annoyance and inconvenience from the alleged security flaws in the [D-Link] devices," wrote the Judge. "The absence of any concrete facts makes it just as possible that [D-Link]'s devices are not likely to substantially harm consumers, and the FTC cannot rely on wholly conclusory allegations about potential injury to tilt the balance in its favor."

Re: Sounds about right...

Excellent precedent to cite should I ever get pulled for dangerous driving...

Re:Sounds about right...

[dgatwood]

IMO, the judge is wrong in this case. This sort of action shouldn't require showing harm to individuals, because the harm isn't necessarily to the individual device owners. Most of the harm is to the people in aggregate.

Devices with security holes on the public Internet invariably eventually turn into botnets that attack systems in a distributed fashion, which harms the companies being attacked and the users that get locked out of their accounts. The harm to the owners is negligible, because they lose just a tiny bit of bandwidth. But the harm to society is huge.

And even in cases where the harm is to the individual owner, the harm could be impossible to prove, because you could never realistically be certain whether a password shared by several websites got stolen from one of those websites or from the unencrypted copy of the password on the user's router. But that doesn't mean that users weren't harmed. In effect, if this judge's opinion is allowed to stand, the government will be unable to prosecute the vast majority of cases in which consumers are harmed en masse by security-related negligence, and that's a bad thing.

Re:Sounds about right...

[dgatwood]

Lawsuits are for righting wrongs. If you can't show anyone was wronged, then there is nothing to right.

But there's ample proof that people were harmed by the Mirai botnet, and much of that harm was the direct result of D-Link routers getting p0wn3d. What they lacked was proof that the owners of the devices were harmed, and the judge incorrectly jumped from "the owners weren't harmed" to "no one was harmed", when in fact that is clearly not the case.