On Tuesday, the Federal Trade Commission announced an important data security case involving routers.
Routers are the first line of defense for home networks and the backbone for connecting and operating our Internet-connected devices. The security of our routers is necessary for the security of the Internet of Things. If a router is insecure, it can create a significant vulnerability exposing our networks and all the information we have on them. Indeed, in this case, attackers could reconfigure vulnerable routers to control and redirect consumers’ Web traffic, and could gain unauthorized access to thousands of people’s personal files on attached storage devices.
There were several problems with the router manufacturer’s approach to security that led to these breaches — for example, the manufacturer allegedly did not perform reasonable security testing and did not have an adequate system for receiving and addressing vulnerability reports. Once the manufacturer knew about serious vulnerabilities in its products, it not only failed to remediate them, it also failed to notify customers of them. Moreover, in spite of marketing a cloud feature on its routers as “a way to safely secure and access your treasured data through your router,” the company allegedly failed to encrypt data in transit.
Over the last decade, the FTC has brought more than 50 data security consumer protection cases. These cases have shaped reasonable security measures for consumer products. Encryption is one such measure. Earlier this year, the FTC brought a case against a company that makes software for dental practices that claimed it was using industry-standard encryption when it was not. The FTC also brought enforcement actions when encryption wasn’t configured properly, leaving consumers vulnerable to man-in-the-middle attacks, and where the agency alleges that information wasn’t kept securely throughout its life cycle.
The use of encryption and types of security measures in consumer products is getting a lot of attention due to the San Bernardino iPhone case. While the FTC has stopped short of dictating what type of technology companies should use to secure consumer information, it has pointed to encryption as a way that companies can store and transmit sensitive information securely. With good reason: Last year the FTC found that the IoT sector was rife with security risks. Our growing connectivity is putting wonderful innovations at our fingertips — but it can also make more of our private information vulnerable.
So, is the FTC pushing companies to use strong security measures at the same time the FBI is taking them to court for doing so? The San Bernardino case involves the FBI asking for Apple’s help to create tools to disable features that strengthen the phone’s passcode security system. It raises the question of whether this type of request is reasonable for law enforcement to make. Among the issues in the policy debate swirling around the San Bernardino iPhone case is whether companies should be required to implement encryption in insecure ways. There is a lot at stake for consumers in this debate, because it could affect how companies secure the IoT products permeating our daily lives — the microphones, sensors and cameras in our homes, our connected cars, the fitness trackers we’re wearing and, of course, our phones. Chilling innovation in the security of these products would be unfortunate.
These issues are too important to be decided around the exigencies of one case. Some have suggested that the government should convene a commission made up of law enforcement, industry, technologists, civil liberties advocates and national security experts to make thoughtful recommendations. That may be a good approach — especially if it stops misguided attempts to require back doors or weaken the security of consumer products. A careful and balanced approach is necessary in order to avoid a major setback for consumer privacy and data security.
Terrell McSweeny is a commissioner at the Federal Trade Commission. Prior to joining the Commission, McSweeny served as Chief Counsel for Competition Policy and Intergovernmental Relations for the U.S. Department of Justice Antitrust Division. Her government service also includes her work as Sen. Joe Biden’s deputy chief of staff, and policy director in the U.S. Senate. The views expressed in this article are her own and do not necessarily reflect those of the Federal Trade Commission or any other commissioner. Reach her @TMcSweenyFTC.
This article originally appeared on Recode.net.