Judge Gives D-Link Partial Win In FTC Case Over Vulnerable Devices

Back in January, the Federal Trade Commission filed a case against D-Link, a company that makes networking equipment and connected-home devices. It alleged that D-Link deceptively marketed its products as advanced and safe when they were vulnerable to attacks that range from stealing personal information to peeping through security cameras. This week, a judge dismissed three of the counts from the FTC’s case, noting that the agency didn’t present any consumers who were actually harmed. 

Not the latest wireless security features

In the FTC’s original complaint against D-Link [PDF], the Commission alleged that the gadget-maker “engaged in unfair or deceptive acts or practices” by selling routers, webcams, and other connected products that had known problems that were easily fixed, promoting them as using “the latest wireless security features.”

Some of these vulnerabilities had been known to hackers for the better part of a decade. Leaving connected devices and routers vulnerable makes it possible that the devices could be recruited for a botnet, part of a zombie computer army used to stage attacks on any target that the hacker wishes.

“Simple annoyance and inconvenience”

The judge noted in his opinion [PDF] that if the FTC had focused on the deception claim in its complaint against D-Link, the case would have had a better chance. Instead, the agency focused on how D-Link left open vulnerabilities in its devices, which could have potentially harmed millions of consumers in the United States.

Here’s the problem: The FTC didn’t provide specific examples of harm done to consumers for the judge to evaluate, or specific instances when the products were breached. It’s possible that someone’s devices were exploited or broken into, but it’s also possible that no devices were broken into at all.

The judge wrote in his opinion dismissing the case that without proof as part of the case that actual consumers were harmed, the case doesn’t hold up. However, he did spell out how the FTC could revise it.

“The FTC does not identify a single incident where a consumer’s financial, medical or other sensitive personal information has been accessed, exposed or misused in any way, or whose IP camera has been compromised by unauthorized parties, or who has suffered any harm or even simple annoyance and inconvenience from the alleged security flaws in the [D-Link] devices,” he wrote. “The absence of any concrete facts makes it just as possible that [D-Link]’s devices are not likely to substantially harm consumers, and the FTC cannot rely on wholly conclusory allegations about potential injury to tilt the balance in its favor.”

In a statement, the Cause of Action Institute, a nonprofit representing D-Link in this case, called the charges “baseless” and called the judge’s order to dismiss the case a “well-reasoned decision.”

The FTC had no comment yet on this result when Consumerist contacted the agency today.

Want more consumer news? Visit our parent organization, Consumer Reports, for the latest on scams, recalls, and other consumer issues.