August 8, 2020

Volume X, Number 221

August 07, 2020

Subscribe to Latest Legal News and Analysis

August 06, 2020

Subscribe to Latest Legal News and Analysis

August 05, 2020

Subscribe to Latest Legal News and Analysis

Smart Lock Manufacturer Settles Alleged False Security Claims with FTC

Canadian company Tapplock, Inc. sells smart locks to the U.S. market that the company advertised as “sturdy,” “secure,” and even “unbreakable.” Tapplock’s assurances that the locks were strengthened with “double-layered lock design” and made with “anti-shim and anti-pry technologies” could be quite an enticement for consumers looking for top-of-the-line connected home security. There was a small problem with Tapplock’s claims, however: three researchers hacked into the locks using several methods – one simply by unscrewing the product’s back panel in a few seconds. The locks are not so smart after all, according to the Federal Trade Commission (FTC), which issued a complaint alleging the company’s locks contained vulnerabilities that made them anything but unbreakable.

Tapplock’s padlocks are fingerprint enabled and open via a mobile app when the user is within Bluetooth range. The app logs usernames, email addresses, profile photos, location history, and geolocation of a user’s smart lock. But researchers found several serious flaws that compromised security. In one case, researchers were able to bypass the account authentication process, gaining full access to the accounts of all Tapplock users and their personal information without being re-directed to the login page. Another vulnerability was the company’s failure to encrypt the Bluetooth communication between the lock and the app, which allowed researchers to lock and unlock nearby Tapplock smart locks. The app also had a flaw that prevented users from effectively revoking access by third parties who were previously authorized.

The FTC alleged that these flaws could have been easily fixed had Tapplock taken reasonable steps to identify possible risks. Standard security measures include conducting vulnerability or penetration testing; taking sufficient measures to detect and prevent users from bypassing authentication procedures to gain access to other users’ accounts; adopting and implementing written data security standards, policies, procedures, or practices; and providing privacy and security training for employees.

Under the proposed settlement terms, Tapplock must implement a comprehensive data security plan that is assessed by an independent third party biennially. The order also prohibits the company from misrepresenting its privacy and security practices.

The FTC’s proposed settlement agreement serves as a reminder that smart device manufacturers must ensure that privacy and security measures are part of the design and that security measures are described accurately. Overselling data security may attract customers in the short term but attracting this kind of attention from the FTC is anything but smart.

© 2020 Keller and Heckman LLPNational Law Review, Volume X, Number 105


About this Author

Sheila Millar, Keller Heckman, advertising lawyer, privacy attorney

Sheila A. Millar counsels corporate and association clients on advertising, privacy, product safety, and other public policy and regulatory compliance issues.

Ms. Millar advises clients on an array of advertising and marketing issues.  She represents clients in legislative, rulemaking and self-regulatory actions, advises on claims, and assists in developing and evaluating substantiation for claims. She also has extensive experience in privacy, data security and cybersecurity matters.  She helps clients develop website and app privacy policies,...

Tracy Marshall, Keller Heckman, regulatory attorney, for-profit company lawyer

Tracy Marshall assists clients with a range of business and regulatory matters.

In the business and transactional area, Ms. Marshall advises for-profit and non-profit clients on corporate organization, operations, and governance matters, and assists clients with structuring and negotiating a variety of transactions, including purchase and sale, marketing, outsourcing, and e-commerce agreements.

In the privacy, data security, and advertising areas, she helps clients comply with privacy, data security, and consumer protection laws, including laws governing telemarketing and commercial e-mail messages, contests and sweepstakes, endorsements and testimonials, marketing to children, and data breach notification. Ms. Marshall also helps clients establish best practices for collecting, storing, sharing, and disposing of data, and manage outsourcing arrangements and transborder data flows. In addition, she assists with drafting and implementing internal privacy, data security, and breach notification policies, as well as public privacy policies and website terms and conditions.

As to intellectual property matters, Ms. Marshall helps clients protect their copyrights and trademarks through registration, enforcement actions, and licensing agreements.

She also represents clients in proceedings before the Federal Communications Commission and Federal Trade Commission.

Ms. Marshall is a Certified Information Privacy Professional (CIPP/US) through the International Association of Privacy Professionals (IAPP) and a contributing author of Beyond Telecom Law Blog and Consumer Protection Connection.

Education: Washington and Lee University (B.A., 1997); American University, Washington College of Law (J.D., 2002).

Admissions: District of Columbia; Maryland

Memberships: American Bar Association