A Canadian company has settled Federal Trade Commission allegations that it deceived consumers by falsely claiming that its Internet-connected smart locks were designed to be “unbreakable” and that it took reasonable steps to secure the data it collected from users.
The settlement requires Tapplock, Inc. to, among other things, implement a comprehensive security program and obtain independent biennial assessments of the program.
“We allege that Tapplock promised that its Internet-connected locks were secure, but in fact the company failed to even test if that claim was true,” said Andrew Smith, Director of the FTC’s Bureau of Consumer Protection. “Tech companies should remember the basics—when you promise security, you need to deliver security.”
Tapplock sells fingerprint-enabled, Internet-connected padlocks, and has touted in its advertisements that its smart locks were “Bold. Sturdy. Secure,” according to the FTC’s complaint. The company’s smart locks interact with a companion mobile app that allows users to lock and unlock their locks when they are within Bluetooth range.
The Tapplock app collects personal information including usernames, email addresses, profile photos, and the precise location of users’ smart locks. In addition to touting the security of its locks, Tapplock also claimed in its privacy policy that it took “reasonable precautions” to secure the data it collected.
The FTC, however, alleged that contrary to its representations to consumers, the company’s locks were not secure and that Tapplock failed to take reasonable precautions or follow industry best practices to protect the consumer data it collected.
Security researchers identified both physical and electronic vulnerabilities that allowed them to unlock Tapplock’s smart locks by, for example, unscrewing the product’s back panel or exploiting the unencrypted Bluetooth connection between the app and the lock. Other electronic vulnerabilities prevented consumers from effectively revoking access to their locks and allowed researchers to bypass the account authentication process and access Tapplock user accounts, including their usernames, email addresses, profile photos, location history, and precise location of the lock.
The FTC also alleged that Tapplock failed to implement a security program or take other steps that might have helped the company discover electronic vulnerabilities with its locks.
In addition to the security program provision, the proposed settlement prohibits Tapplock from misrepresenting its privacy and security practices. Tapplock also is required to obtain third-party assessments of its information security program every two years. In addition, the Commission has authority to approve the assessor for each two-year assessment period.
The Commission voted 5-0 to issue the proposed administrative complaint and to accept the consent agreement with the company. The FTC published a description of the . The agreement will be subject to public comment until May 11, 2020, after which the Commission will decide whether to make the proposed consent order final. Instructions for filing comments are in the published notice. Once processed, comments will be posted on Regulations.gov.
NOTE: The Commission issues an administrative complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $43,280.
The Federal Trade Commission works to promote competition, and protect and educate consumers. You can and file a consumer complaint online or by calling 1-877-FTC-HELP (382-4357). Like the FTC on , follow us on , read our blogs, and subscribe to press releases for the latest FTC news and resources.
Contact Information
MEDIA CONTACT:
Juliana Gruenwald Henderson
Office of Public Affairs
202-326-2924
STAFF CONTACT:
Jah-Juin (Jared) Ho
Bureau of Consumer Protection
202-326-3463
Whitney Moore
Bureau of Consumer Protection
202-326-2645