But the regulatory approach remains controversial – privacy and civil rights organizations say government involvement will inevitably lead to online government surveillance even more insidious than it is now.
Zach Lanier, director of research at Cylance, said having government involved in the internet more than it already is, “would be a threat both to Net Neutrality and the free market simultaneously.”
So, why not more lawsuits, using government regulations that already exist? The FTC has steadily developed a track record of success in bringing actions against companies for security failures, ranging from a breach of the Wyndham Hotel chain, to TRENDNet over flaws in its security cameras, to computer hardware maker ASUSTek over flaws in its routers and cloud services.
Those cases all ended in consent agreements that looked mild on the surface, since they didn’t involve any fines or liability.
In most cases, the agreements simply required the company to “establish and maintain a comprehensive security program subject to independent audits for the next 20 years.”
But they did establish FTC authority and oversight, which is seen by many experts as a powerful tool.
Cigital CTO Gary McGraw, in a September 2015 blog post on the company website, wrote that the FTC's 170 settlement agreements since 1997, “are functionally equivalent to a body of common law … (and) about as close to ‘rules’ as you might want … Their rulings are effectively the law of the land for businesses that deal with personal information.”
FTC relies on legal prohibition
In most cases, the FTC relies on the legal prohibition of “unfair or deceptive acts …” to bring actions against IoT device vendors – they are accused of the “deception” of promising security but not delivering it.
Over time, the FTC has also moved beyond invoking only company promises to citing “reasonable” consumer security expectations as well.
The agency’s most recent complaint, against D-Link, uses that template – “the failure to take reasonable steps to secure the routers and internet-protocol cameras they designed for, marketed and sold to United States consumers.”
In other words, consumers have a right to expect – whether there is an explicit promise or not – that their device can’t be used to do malicious things such as spy on them, steal their identity or become part of a botnet used to attack other targets, including the internet backbone.
The FTC declined to comment on whether it intends to ramp up its enforcement actions. A spokeswoman would only point to the agency website, which says that the FTC has the “authority to seek relief for consumers, including injunctions and restitution, and in some instances to seek civil penalties from wrongdoers.”