The new chairwoman of the Federal Trade Commission said Thursday she wants to rein in the agency’s more aggressive data security actions, and lawyers for the latest electronics maker the FTC is suing for poor cybersecurity are calling on her to withdraw the case.
“I will make sure our enforcement actions address concrete consumer injury,” Maureen Ohlhausen said in a speech at a consumer law conference in Atlanta. Ohlhausen, who was designated acting chairwoman by President Donald Trump last month, added that “the agency should not focus on speculative injury, or on subjective types of harm.”
Her remarks were welcomed by lawyers for D-Link Systems, which last year was sued by the FTC over charges that its internet routers and webcams left customers vulnerable to hackers. The lawyers, from anti-regulation crusaders Cause of Action, have argued that the agency’s action should be dismissed because it cannot show any actual injury to consumers — or even a successful hack of the company’s products.
The eventual outcome of the D-Link case will help decide where the liability lines lie in the forthcoming legal battles over the internet of things — billions of web-connected devices that can be weaponized by hackers into massive botnets capable of crippling the internet.
The industrial-scale compromise of Internet of Things devices like routers and webcams fueled the Mirai botnet, which brought marquee internet sites to their knees briefly last year through a massive Distributed Denial of Service, or DDoS, attack.
Many experts believe a DDoS apocalypse can only be averted by regulatory action to impose cybersecurity standards and best practices on device makers and software vendors.
FTC lawyers argue in the suit that D-Link had a yearslong history of ignoring security best practices and shipping products with default hard-coded administrator passwords or unfixed and well-known software vulnerabilities. The company’s mobile app stored in plaintext the usernames and passwords that gave remote access, and the supposedly private encryption key D-Link engineers used to sign software updates was left on a public website for six months.
But the Taipei-based company and its U.S. subsidiary hit back this week, in a motion to dismiss filed by their Cause of Action lawyers. “This is a case of government overreach, without justification or any evidence of consumer injury in violation of D-Link Systems’s due process rights, which should be dismissed,” the motion states.
At the heart of the dispute: what should be expected of manufacturers, and what can the FTC do to enforce those expectations?
In the Wyndham hotel chain case, the FTC established its authority to penalize companies breached by hackers if their security failed to meet a reasonable standard — without having to show direct injury to consumers.
But in the D-Link case, the agency seeks the authority to act without even having to demonstrate any actual breach — solely on the basis that D-Link promoted its products as secure while failing to meet reasonable industry-wide standards for security.
‘Less sure ground’
D-Link is not the first complaint the FTC has brought related to the IoT. The agency has also brought cases against ASUS, a computer hardware manufacturer, and TRENDnet, a marketer of video cameras. But both companies settled, so no legal precedent was established.
Ohlhausen, a Republican, opposed the decision to bring the D-Link case, but was outvoted 2-1 by her fellow commissioners, both Democrats. She hasn’t publicly commented on the case, and didn’t directly on Thursday, but her remarks might help illuminate the thinking behind her vote.
“Our data security cases are on their strongest legal and policy footing when they address clear and concrete consumer injury,” Ohlhausen said. “But the FTC has ventured onto less sure ground” recently, she added, by bringing cases where it did not demonstrate “objective, concrete harms such as monetary injury [or] unwarranted health and safety risks.”
“When the FTC has strayed from a focus on actual harm, it has struggled, both in influence and in the courts,” she said.
Cause of Action’s assistant vice president, Patrick Massari, applauded her comments Thursday in a statement to CyberScoop.
“As the chairwoman rightly noted, over the last several years, the FTC has strayed from its mission … FTC should only focus on enforcement actions involving plausible actual or likely substantial ‘concrete consumer injury,’ rather than vague and unsubstantiated allegations such as those alleged against D-Link Systems,” he said.
The agency “issued its complaint against our client without asserting a single data breach of any product … and without a single instance of actual or likely substantial consumer harm … the D-Link Systems matter should be dismissed with prejudice now, as a bellwether harboring a new day at the FTC,” he said.
The FTC’s press office declined comment to CyberScoop, but it seems certain that the D-Link case will continue at least for the time being. It takes a majority vote of commissioners to withdraw a case, just as it does to launch one. Even after outgoing Chairwoman Edith Ramirez leaves the commission next week, the vote on D-Link would still be tied 1-1 between Ohlhausen and her remaining fellow commissioner Terrell McSweeny — and the timeline for the appointment of new commissioners is unclear.