Court Balks at FTC’s D-Link Complaint, Wants Proof of Harm

A federal judge in California put the brakes on the U.S. Federal Trade Commission’s complaint against D-Link Systems over lax security in its consumer routers and IP cameras, saying that the Commission needs to produce evidence of concrete harm to consumers.

A federal judge in California has put the brakes on the U.S. Federal Trade Commission’s complaint against D-Link Systems over lax security in its consumer routers and IP cameras, saying that the Commission needs to be more specific in tying the company’s misstatements about the security of its products – or producing evidence of concrete harm to consumers.

In the ruling, US District Judge James Donato of the US District Court for the Northern District of California denied three parts of a six part complaint against the router maker for selling insecure home routers. The complaint, filed in January, 2017, didn’t provide evidence of specific incidents of consumer harm resulting from the security failures, the Judge said in striking down FTC allegations that D-Link was engaged in unfair business practices and that it made false claims about the security features of its IP enabled cameras and home routers.

Inadequate Security Measures at Issue

D-Link IP Camera.
D-Link celebrated a Federal Judge’s determination that the FTC hadn’t proven harm to consumers from security flaws in its routers and cameras, though the case is ongoing.

The FTC in January filed a complaint in U.S. District Court for the Northern District of California, alleging that D-Link and its U.S. subsidiary, D-Link Systems, used “inadequate security measures” to protect its products, leaving its wireless routers and Internet cameras “vulnerable to hackers.” That put “U.S. consumers’ privacy at risk,” the complaint said. All the while, the company promoted its products as having “advanced network security” and being “easy to secure,” claims that the FTC says were not supported by the facts.

The ruling was touted as a victory by D-Link and the Cause of Action Institute (fka The Freedom Through Justice Foundation), a legal group that advocates for “limited government” and has pursued numerous cases against the FTC and FDA where it considers government agencies to be overreaching or infringing on individual liberties.  The group took up the D-Link case shortly after the FTC complaint was announced in January.

In a statement released to The Security Ledger, Cause of Action Institute (COA) Assistant Vice President Patrick Massari said that the organization considered the decision “well-reasoned.” “We oppose any administrative action that exceeds the bounds of an agency’s congressionally granted authority to inhibit industry creativity, competition, and innovation. We commend this precedent-setting opinion on harm under Section 5(n). Cause of Action Institute will continue to vigorously defend D-Link Systems against baseless and unwarranted allegations,” he said.

The FTC said in an email statement that it had no comment “at this point.”

Calls for more evidence

In his ruling, Judge Donato was dismissive of many of D-Link’s efforts to have the complaint dismissed: saying that the Commission clearly was within its rights to address data security, even though the Federal Trade Commission Act does not specifically name data security as part of the Commission’s purview. However, the Judge did side with D-Link in its contention that the Commission had not demonstrated instances of consumer harm stemming from the security flaws.

“The FTC does not identify a single incident where a consumer’s financial, medical or other sensitive personal information has been assessed, exposed or misused in any way, or whose IP camera has been compromised by unauthorized parties, or who has suffered any harm or even simple annoyance and inconvenience from the alleged security flaws in the DLS devices,” the ruling says. “The absence of any concrete facts makes it just as possible that DLS’s devices are not likely to substantially harm consumers, and the FTC cannot rely on wholly conclusory allegations about potential injury to tilt the balance in its favor.”

Still, the case against D-Link is still alive.  Three of the original six counts in the FTC complaint were not affected by the ruling, including counts dealing with D-Link’s deceptive claims about the security of its products. Furthermore, the Judge said that the Commission might amend its complaint to address the issues.

“If the FTC had tied the unfairness claim to the representations underlying the deception claims, it might have had a more colorable injury element. A consumer’s purchase of a device that fails to be reasonably secure — let alone as secure as advertised — would likely be in the ballpark of a “substantial injury,” particularly when aggregated across a large group of consumers,” he wrote.

Security Ledger wants to hear your thoughts! Leave a reply.