[Federal Register Volume 85, Number 69 (Thursday, April 9, 2020)]
[Notices]
[Pages 19947-19949]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2020-07499]
=======================================================================
-----------------------------------------------------------------------
FEDERAL TRADE COMMISSION
[File No. 192 3011]
Tapplock, Inc.; Analysis To Aid Public Comment
AGENCY: Federal Trade Commission.
ACTION: Proposed consent agreement; request for comment.
-----------------------------------------------------------------------
SUMMARY: The consent agreement in this matter settles alleged
violations of federal law prohibiting unfair or deceptive acts or
practices. The attached Analysis to Aid Public Comment describes both
the allegations in the complaint and the terms of the consent order--
embodied in the consent agreement--that would settle these allegations.
DATES: Comments must be received on or before May 11, 2020.
ADDRESSES: Interested parties may file comments online or on paper, by
following the instructions in the Request for Comment part of the
SUPPLEMENTARY INFORMATION section below. Write ``Tapplock, Inc.; File
No. 192 3011'' on your comment, and file your comment online at https://www.regulations.gov by following the instructions on the web-based
form. If you prefer to file your comment on paper, mail your comment to
the following address: Federal Trade Commission, Office of the
Secretary, 600 Pennsylvania Avenue NW, Suite CC-5610 (Annex D),
Washington, DC 20580, or deliver your comment to the following address:
Federal Trade Commission, Office of the Secretary, Constitution Center,
400 7th Street SW, 5th Floor, Suite 5610 (Annex D), Washington, DC
20024.
FOR FURTHER INFORMATION CONTACT: Jared Ho (202-326-3463), Bureau of
Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue
NW, Washington, DC 20580.
SUPPLEMENTARY INFORMATION: Pursuant to Section 6(f) of the Federal
Trade Commission Act, 15 U.S.C. 46(f), and FTC Rule 2.34, 16 CFR 2.34,
notice is hereby given that the above-captioned consent agreement
containing a consent order to cease and desist, having been filed with
and accepted, subject to final approval, by the Commission, has been
placed on the public record for a period of thirty (30) days. The
following Analysis to Aid Public Comment describes the terms of the
consent agreement and the allegations in the complaint. An electronic
copy of the full text of the consent agreement package can be obtained
from the FTC website (for March 30, 2020), at this web
address: https://www.ftc.gov/news-events/commission-actions.
You can file a comment online or on paper. For the Commission to
consider your comment, we must receive it on or before May 11, 2020.
Write ``Tapplock, Inc.; File No. 192 3011'' on your comment. Your
comment--including your name and your state--will be placed on the
public record of this proceeding, including, to the extent practicable,
on the https://www.regulations.gov website.
Due to the public health emergency in response to the COVID-19
outbreak and the agency's heightened security screening, postal mail
addressed to the Commission will be subject to delay. We strongly
encourage you to submit your comments online through the https://www.regulations.gov website.
If you prefer to file your comment on paper, write ``Tapplock,
Inc.; File No. 192 3011'' on your comment and on the envelope, and mail
your comment to the following address: Federal Trade Commission, Office
of the Secretary, 600 Pennsylvania Avenue NW, Suite CC-5610 (Annex D),
Washington, DC 20580; or deliver your comment to the following address:
Federal Trade Commission, Office of the Secretary, Constitution Center,
400 7th Street SW, 5th Floor, Suite 5610 (Annex D), Washington, DC
20024. If possible, submit your paper comment to the Commission by
courier or overnight service.
Because your comment will be placed on the publicly accessible
website at https://www.regulations.gov, you are solely responsible for
making sure your comment does not include any sensitive or confidential
information. In particular, your comment should not include any
sensitive personal information, such as your or anyone else's Social
Security number; date of birth; driver's license number or other state
identification number, or foreign country equivalent; passport number;
financial account number; or credit or debit card number. You are also
solely responsible for making sure your comment does not include
sensitive health information, such as medical records or other
individually identifiable health information. In addition, your comment
should not include any ``trade secret or any commercial or financial
information which . . . is privileged or confidential''--as provided by
Section 6(f) of the FTC Act, 15 U.S.C. 46(f), and FTC Rule 4.10(a)(2),
16 CFR 4.10(a)(2)--including in particular competitively sensitive
information such as costs, sales statistics, inventories, formulas,
patterns, devices, manufacturing processes, or customer names.
Comments containing material for which confidential treatment is
requested must be filed in paper form, must be clearly labeled
``Confidential,'' and must comply with FTC Rule 4.9(c). In particular,
the written request for confidential treatment that accompanies the
comment must include the factual and legal basis for the request, and
must identify the specific portions of the comment to be withheld from
the public record. See FTC Rule 4.9(c). Your comment will be kept
confidential only if the General Counsel grants your request in
accordance with the law and the public interest. Once your comment has
been posted on the public FTC website--as legally required by FTC Rule
4.9(b)--we cannot redact or remove your comment from the FTC website,
unless you submit a confidentiality request that meets the requirements
for such treatment under FTC Rule 4.9(c), and the General Counsel
grants that request.
Visit the FTC website at http://www.ftc.gov to read this Notice and
the news release describing it. The FTC Act and other laws that the
Commission administers permit the collection of public comments to
consider and use in this proceeding, as appropriate. The Commission
will consider all timely and responsive public comments that it
receives on or before May 11, 2020. For information on the Commission's
privacy policy, including routine uses permitted by the Privacy Act,
see https://www.ftc.gov/site-information/privacy-policy.
Analysis of Proposed Consent Order To Aid Public Comment
The Federal Trade Commission (``Commission'') has accepted, subject
to final approval, an agreement containing a consent order from
Tapplock, Inc. (``Tapplock'' or ``Respondent'').
The proposed consent order (``proposed order'') has been placed on
the public record for thirty (30) days for receipt of comments by
interested persons. Comments received during this period will become
part of the public record. After thirty (30) days, the Commission again
will review the agreement and the comments received, and will decide
whether it should withdraw from the agreement or make final the
agreement's proposed order.
Tapplock is a Canadian Internet of Things (``IoT'') company that,
among other things, sells internet-connected, fingerprint-enabled
padlocks (``smart locks'') to U.S. consumers. The company advertises to
U.S. consumers through its website, www.tapplock.com, and has
previously advertised through the online crowd-funding website
Indiegogo.com. Respondent's smart locks interact with a companion
mobile application (``app'') that U.S. users are able to download onto
their mobile devices. This app logs usernames, email addresses, profile
photos, location history, and the precise geolocation of a user's smart
lock, and it allows users to lock and unlock their smart locks when
they are within Bluetooth range.
In June 2018, security researchers identified critical physical and
electronic vulnerabilities with Respondent's smart locks. With respect
to physical security, some of Respondent's smart locks could be opened
within a matter of seconds, simply by unscrewing the back panel. With
respect to electronic security, one vulnerability in Respondent's API
could have been exploited to bypass the account authentication process
in order to gain full access to the accounts of all Tapplock users and
their personal information, including usernames, email addresses,
profile photos, location history, and precise geolocation of smart
locks. Because Respondent failed to encrypt the Bluetooth communication
between the lock and the app, a second vulnerability could have allowed
a bad actor to lock and unlock any nearby Tapplock smart lock. Finally,
a third vulnerability prevented users from effectively revoking access
to their smart lock once they had provided other users access to that
lock.
The Commission's proposed two-count complaint alleges that
Respondent violated Section 5(a) of the Federal Trade Commission Act.
The first count alleges that Respondent misrepresented to consumers
that their smart locks were secure. Contrary to this claim, as
described above, Respondent's locks were not secure.
The second count alleges that Respondent deceived consumers about
its data security practices by falsely representing that it took
reasonable precautions and followed industry best practices to protect
the personal information provided by consumers. Contrary to this claim,
the proposed complaint alleges that Respondent failed to take
reasonable precautions and follow industry best practices. For example,
the proposed complaint alleges that Respondent: (1) Failed to identify
reasonably foreseeable risks to the security of its smart locks or the
security of customers' personal accounts, such as through vulnerability
or penetration testing, and assess the sufficiency of any safeguards in
place to control those risks; (2) failed to employ sufficient measures
to detect and
prevent users from bypassing the authentication procedures in
Respondent's API to gain access to other users' accounts; (3) failed to
adopt and implement written data security standards, policies,
procedures, or practices; and (4) failed to implement adequate privacy
and security guidance or training for its employees responsible for
designing, testing, overseeing, and approving software specifications
and requirements.
The proposed order contains provisions designed to prevent
Respondent from engaging in the same or similar acts or practices in
the future. Part I of the proposed order prohibits Respondent from
misrepresenting the extent to which it maintains and protects: (1) The
security of a Covered Device; or (2) the privacy, security,
confidentiality, or integrity of Personal Information.
Part II of the proposed order requires Respondent to establish and
implement, and thereafter maintain, a comprehensive security program
(``Security Program'') that protects: (1) The security of Covered
Devices; and (2) the security, confidentiality, and integrity of
Personal Information.
Part III of the proposed order requires Respondent to obtain
initial and biennial data security assessments for twenty years.
Part IV of the proposed order requires Respondent to disclose all
material facts to the assessor and prohibits Respondent from
misrepresenting any fact material to the assessments required by Part
II.
Part V of the proposed order requires Respondent to submit an
annual certification from a senior corporate manager (or senior officer
responsible for its information security program) that Respondent has
implemented the requirements of the Order and is not aware of any
material noncompliance that has not been corrected or disclosed to the
Commission.
Parts VI through IX of the proposed order are reporting and
compliance provisions, which include recordkeeping requirements and
provisions requiring Respondent to provide information or documents
necessary for the Commission to monitor compliance. Part X states that
the proposed order will remain in effect for 20 years, with certain
exceptions.
The purpose of this analysis is to aid public comment on the
proposed order. It is not intended to constitute an official
interpretation of the complaint or proposed order, or to modify in any
way the proposed order's terms.
By direction of the Commission.
April J. Tabor,
Acting Secretary.
[FR Doc. 2020-07499 Filed 4-8-20; 8:45 am]
BILLING CODE 6750-01-P