A California district court judge dismissed three of six complaints the Federal Trade Commission (FTC) had lodged against D-Link for lax router security.
“The FTC does not identify a single incident where a consumer’s financial, medical or other sensitive personal information has been accessed, exposed or misused in any way, or whose IP camera has been compromised by unauthorized parties, or who has suffered any harm or even simple annoyance and inconvenience from the alleged security flaws in the DLS devices,” wrote the judge, who also gave the commission until October 20 to amend its complaint. “The absence of any concrete facts makes it just as possible that DLS’s devices are not likely to substantially harm consumers, and the FTC cannot rely on wholly conclusory allegations about potential injury to tilt the balance in its favor.”
The FTC had accused D-Link of not protecting its devices, saying in its initial complaint that “defendants have failed to take reasonable steps to protect their routers and IP cameras from widely known and reasonably foreseeable risks of unauthorized access, including by failing to protect against flaws which the Open Web Application Security Project has ranked among the most critical and widespread web application vulnerabilities since at least 2007.”
The ruling could put limits on the FTC’s unfairness authority and will likely affect issues around the Internet of Things (IoT).