Assessing the Assessments

When companies settle FTC charges, they often agree to extended periods of oversight by the Agency. The FTC requires companies to be regularly assessed by an outside firm during the oversight period. In my forthcoming book, I argue that this assessment model is inapt for the Commission for several reasons. The 2014 assessment report by TRENDnet that I recently obtained under the Freedom of Information Act illustrates some of the deficits of the assessment model.

The FTC’s matter against TRENDnet is especially important for the emerging Internet of Things (IoT). TRENDnet is a major maker of internet-connected devices, including routers, modems, and IP-based cameras. Its cameras used access software called “SecurView” and were labeled with a lock and “secure.” However, the FTC found that at least since 2010, TRENDnet used a series of inadequate protections for securing cameras, including sending passwords in the clear and a misconfigured settings program that caused users’ camera feeds to be exposed to public view. As a result, in 2012, someone discovered the vulnerability and posted the live feeds of hundreds of cameras.

In the consent order with TRENDnet, the FTC specified that the company’s assessment report should:

  • Be completed by a qualified, objective, independent third-party professional. The FTC specified that a Certified Secure Software Lifecycle Professional (CSSLP) or Certified Information System Security Professional (CISSP) with domain expertise would be necessary.
  • Specify technological, administrative, and physical safeguards, and explain how these safeguards are appropriate.
  • Explain how the safeguards meet a series of obligations, including risk identification and mitigation, testing of controls, and vetting of third party service providers.
  • Certify that respondent’s program is operating with sufficient effectiveness to provide reasonable assurance of device and information security.

The FTC’s requirements are weighty. The FTC sought to have TRENDnet answer the question of whether it can be trusted by consumers. Yet, when one reads the TRENDnet 2014 report, more questions are raised than answered. For instance:

  • No one appears to have certified an assessment of TRENDnet’s systems.
  • There is no contact information for the company hired to test TRENDnet’s system—it is listed only as “Institute for Information Industry.”
  • The company’s CEO states that Certified Information System Security Professionals developed their compliance system, but these experts are not identified.
  • The FTC called for CSSLP or CISSP-performed evaluations, but it appears to be done by someone who claims, “Be a one of security specialist within SEAL, I, with Certified Ethical Hacker {CEH} and ISO 27001 Lead Auditor certificates, in charge of security enabling project and prepared a set of security-related policies, guidance, and procedures for TRENDnet, aiming to assist TRENDnet in mitigating security risks target on organization and promoting products quality and security level.”
  • While the report includes pages and pages of training material and policies, there is no attempt to explain how these meet the various obligations of risk identification and mitigation required by the settlement.
  • While the consent decree identifies TRENDnet as a California corporation, the security tester lists it as a Taiwan-based entity.

The TRENDnet submission includes a device security testing report prepared by the Institute for Information Industry. The testing report found a few vulnerabilities in TRENDnet’s camera. However understood in context, these security problems are not high risk, because they require the attacker to have physical or network-level access to the device to be exploited. The testers recommended that these vulnerabilities be fixed, but the assessment report makes no mention of whether the vulnerabilities will be remedied.

It has been a year since TRENDnet filed this 2014 report, and in this period, there have been no further public actions against the company. Presumably, TRENDnet’s report was accepted by the Commission.

The TRENDnet report highlights several weaknesses of the FTC’s assessment approach to oversight. The TRENDnet report—and reports filed by other companies—are full of confusing jargon. The report presents security information that is difficult for a lawyer to understand (even I had to check in with my colleague Nick Weaver to ensure that the confusing language used by the security firm referred only to network-access-level exploits).

TRENDnet’s is just one of over 100 such reports that the FTC is receiving nowadays under its supervision of data privacy and security cases. The FTC is aware that it cannot effectively supervise all the companies under consent decree. Thus, in many cases, companies are required to perform an assessment but not required to submit it to the Agency. Doing so allows the FTC to avoid having knowledge of a problematic practice that is disclosed in an assessment, but not fully understood by the staff who review assessments.