Asus Complaint Opens Door To Torts For Internet Of Shit Insecurity

Asus recently settled with the United States Federal Trade Commission over complaints related to the appalling security and security related instructions of its wireless home network routers. The complaint was sparked by an incident in February 2014 where numerous parties discovered a text file disclosing their router's status as open to exploitation by anyone were placed on hard drives attached to the routers for the purpose of shared storage. The attached hard drives serving as shared cloud storage for the entire world was contrary to expectations set in marketing literature for the devices. The action following the complaint which lead to this settlement creates a precedent for civil suits against various Internet of Shit device makers for their security lapses and negligent instructions provided to users. The potential for these torts to collide with backdoors created for "law enforcement"when those backdoors fall into public use is an exciting legal frontier. The full text of the consent order is presented below:

UNITED STATES OF AMERICA
FEDERAL TRADE COMMISSION
__________________________________________
In the Matter of

ASUSTeK Computer, Inc.,
a corporation.

)
)
)
)
)
)
)

AGREEMENT CONTAINING
CONSENT ORDER
FILE NO. 142 3156

The Federal Trade Commission (“Commission”) has conducted an investigation of
certain acts and practices of ASUSTeK Computer, Inc. (“proposed respondent”). Proposed
respondent, having been represented by counsel, is willing to enter into an agreement containing
a consent order resolving the allegations contained in the attached draft complaint. Therefore,
IT IS HEREBY AGREED by and between ASUSTeK Computer, Inc., by its duly
authorized officers, and counsel for the Federal Trade Commission that:
1.

Proposed respondent ASUSTeK Computer, Inc. is a Taiwanese corporation with its
principal office or place of business at 15, Li-Te Rd., Peitou, Taipei 11259, Taiwan.

2.

Proposed respondent neither admits nor denies any of the allegations in the draft
complaint, except as specifically stated in this order. Only for purposes of this action,
proposed respondent admits the facts necessary to establish jurisdiction.

3.

Proposed respondent waives:

4.

A.

Any further procedural steps;

B.

The requirement that the Commission’s decision contain a statement of findings
of fact and conclusions of law; and

C.

All rights to seek judicial review or otherwise to challenge or contest the validity
of the order entered pursuant to this agreement.

This agreement shall not become part of the public record of the proceeding unless and
until it is accepted by the Commission. If this agreement is accepted by the Commission,
it, together with the draft complaint, will be placed on the public record for a period of
thirty (30) days and information about it publicly released. The Commission thereafter
may either withdraw its acceptance of this agreement and so notify proposed respondent,
in which event it will take such action as it may consider appropriate, or issue and serve
its complaint (in such form as the circumstances may require) and decision in disposition
of the proceeding.

5.

This agreement contemplates that, if it is accepted by the Commission, and if such
acceptance is not subsequently withdrawn by the Commission pursuant to the provisions
of Section 2.34 of the Commission’s Rules, the Commission may, without further notice
to proposed respondent, (1) issue its complaint corresponding in form and substance with
the attached draft complaint and its decision containing the following order in disposition
of the proceeding, and (2) make information about it public. When so entered, the order
shall have the same force and effect and may be altered, modified, or set aside in the
same manner and within the same time provided by statute for other orders. The order
shall become final upon service. Delivery of the complaint and the decision and order to
proposed respondent’s address as stated in this agreement by any means specified in
Section 4.4(a) of the Commission’s Rules shall constitute service. Proposed respondent
waives any right it may have to any other manner of service. The complaint may be used
in construing the terms of the order. No agreement, understanding, representation, or
interpretation not contained in the order or the agreement may be used to vary or
contradict the terms of the order.

6.

Proposed respondent has read the draft complaint and consent order. Proposed
respondent understands that it may be liable for civil penalties in the amount provided by
law and other appropriate relief for each violation of the order after it becomes final.
ORDER
DEFINITIONS

For purposes of this order, the following definitions shall apply:
1.

Unless otherwise specified, “respondent” shall mean ASUSTeK Computer, Inc.,
corporation, and its subsidiaries and divisions in the United States, and successors and
assigns.

2.

“Clear(ly) and conspicuous(ly)” means that a required disclosure is difficult to miss (i.e.,
easily noticeable) and easily understandable by ordinary consumers, including in all of
the following ways:
A.

In any communication that is solely visual or solely audible, the disclosure must
be made through the same means through which the communication is presented.
In any communication made through both visual and audible means, such as a
television advertisement, the disclosure must be presented simultaneously in both
the visual and audible portions of the communication, even if the representation
requiring the disclosure is made in only one means.

B.

A visual disclosure, by its size, contrast, location, the length of time it appears,
and other characteristics, must stand out from any accompanying text or other
visual elements so that it is easily noticed, read, and understood.
2

C.

An audible disclosure, including by telephone or streaming video, must be
delivered in a volume, speed, and cadence sufficient for ordinary consumers to
easily hear and understand it.

D.

In any communication using an interactive electronic medium, such as the
Internet or software, the disclosure must be unavoidable.

E.

The disclosure must use diction and syntax understandable to ordinary consumers.

F.

The disclosure must comply with these requirements in each medium through
which it is received, including all electronic devices and face-to-face
communications.

G.

The disclosure must not be contradicted or mitigated by, or inconsistent with,
anything else in the communication.

3.

“Commerce” shall mean commerce among the several States or with foreign nations, or
in any Territory of the United States or in the District of Columbia, or between any such
Territory and another, or between any such Territory and any State or foreign nation, or
between the District of Columbia and any State or Territory or foreign nation, as defined
in Section 4 of the Federal Trade Commission Act, 15 U.S.C. § 44.

4.

“Covered Device” shall mean (a) any router, or device for which the primary purpose is
connecting other client devices to a network, developed by respondent, directly or
indirectly, that is marketed to consumers in the United States and (b) the software used to
access, operate, manage, or configure such router or other device subject to part (a) of
this definition, including, but not limited to, the firmware, web or mobile applications,
and any related online services, that are advertised, developed, branded, or provided by
respondent, directly or indirectly, for use with, or as compatible with, the router or other
device.

5.

“Covered Information” shall mean any individually- identifiable information from or
about an individual consumer collected by respondent through a Covered Device or input
into, stored on, captured with, accessed, or transmitted through a Covered Device,
including but not limited to (a) a first and last name; (b) a home or other physical address;
(c) an email address or other online contact information; (d) a telephone number; (e) a
Social Security number; (f) financial information; (g) an authentication credential, such
as a username or password; (h) photo, video, or audio files; (i) the contents of any
communication, the names of any websites sought, or the information entered into any
website.

6.

“Default Settings” shall mean any configuration option on a Covered Device that
respondent preselects, presets, or prefills for the consumer.

3

7.

“Software Update” shall mean any update designed to address a Security Flaw.

8.

“Security Flaw” is a software vulnerability or design flaw in a Covered Device that
creates a material risk of (a) unauthorized access to or modification of any Covered
Device, (b) the unintentional exposure by a consumer of Covered Information, or (c) the
unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of
Covered Information.
I.

IT IS ORDERED that respondent and its officers, agents, representatives, and
employees, directly or indirectly, in or affecting commerce, must not misrepresent in any
manner, expressly or by implication:
A.

The extent to which respondent or its products or services maintain and protect:
1.

The security of any Covered Device;

2.

The security, privacy, confidentiality, or integrity of any Covered
Information;

B.

The extent to which a consumer can use a Covered Device to secure a network;
and

C.

The extent to which a Covered Device is using up-to-date software.
II.

IT IS FURTHER ORDERED that respondent must, no later than the date of service of
this order, establish and implement, and thereafter maintain, a comprehensive security program
that is reasonably designed to (1) address security risks related to the development and
management of new and existing Covered Devices, and (2) protect the privacy, security,
confidentiality, and integrity of Covered Information. Such program, the content and
implementation of which must be fully documented in writing, must contain administrative,
technical, and physical safeguards appropriate to respondent’s size and complexity, the nature
and scope of respondent’s activities, and the sensitivity of the Covered Device’s function or the
Covered Information, including:
A.

The designation of an employee or employees to coordinate and be accountable
for the security program;

B.

The identification of material internal and external risks to the security of Covered
Devices that could result in unauthorized access to or unauthorized modification

4

of a Covered Device, and assessment of the sufficiency of any safeguards in place
to control these risks;
C.

The identification of material internal and external risks to the privacy, security,
confidentiality, and integrity of Covered Information that could result in the
unintentional exposure of such information by consumers or the unauthorized
disclosure, misuse, loss, alteration, destruction, or other compromise of such
information, and assessment of the sufficiency of any safeguards in place to
control these risks;

D.

At a minimum, the risk assessments required by Subparts B and C must include
consideration of risks in each area of relevant operation, including, but not limited
to: (1) employee training and management, including in secure engineering and
defensive programming; (2) product design, development, and research;
(3) secure software design, development, and testing, including for Default
Settings; (4) review, assessment, and response to third-party security vulnerability
reports, and (5) prevention, detection, and response to attacks, intrusions, or
systems failures;

E.

The design and implementation of reasonable safeguards to control the risks
identified through risk assessment, including through reasonable and appropriate
software security testing techniques, such as (1) vulnerability and penetration
testing; (2) security architecture reviews; (3) code reviews; and (4) other
reasonable and appropriate assessments, audits, reviews, or other tests to identify
potential security failures and verify that access to Covered Devices and Covered
Information is restricted consistent with a user’s security settings;

F.

Regular testing or monitoring of the effectiveness of the safeguards’ key controls,
systems, and procedures;

G.

The development and use of reasonable steps to select and retain service providers
capable of maintaining security practices consistent with this order, and requiring
service providers by contract to implement and maintain appropriate safeguards
consistent with this order; and

H.

The evaluation and adjustment of respondent’s security program in light of the
results of the testing and monitoring required by Subpart F, any material changes
to respondent’s operations or business arrangements, or any other circumstances
that respondent knows or has reason to know may have a material impact on the
effectiveness of the security program.
III.

IT IS FURTHER ORDERED that, in connection with its compliance with Part II of this
order, respondent must obtain initial and biennial assessments and reports (“Assessments”) from
5

a qualified, objective, independent third-party professional, who uses procedures and standards
generally accepted in the profession. Professionals qualified to prepare such Assessments must
be: a person qualified as a Certified Secure Software Lifecycle Professional (CSSLP) with
experience programming secure Internet-accessible consumer-grade devices; or as a Certified
Information System Security Professional (CISSP) with professional experience in the Software
Development Security domain and in programming secure Internet-accessible consumer-grade
devices; or a similarly qualified person or organization approved by the Associate Director for
Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania
Avenue, NW, Washington, D.C. 20580. The reporting period for the Assessments must cover:
(1) the first one hundred eighty (180) days after service of the order for the initial Assessment;
and (2) each two (2) year period thereafter for twenty (20) years after service of the order for the
biennial Assessments. Each Assessment must:
A.

Set forth the specific controls and procedures that respondent has implemented
and maintained during the reporting period;

B.

Explain how such safeguards are appropriate to respondent’s size and complexity,
the nature and scope of respondent’s activities, and the sensitivity of the Covered
Device’s function or the Covered Information;

C.

Explain how the safeguards that have been implemented meet or exceed the
protections required by Part II of this order; and

D.

Certify that respondent’s security program is operating with sufficient
effectiveness to provide reasonable assurance that the security of Covered
Devices and the privacy, security, confidentiality, and integrity of Covered
Information is protected and has so operated throughout the reporting period.

Each Assessment must be prepared and completed within sixty (60) days after the end of the
reporting period to which the Assessment applies. Respondent must provide the initial
Assessment to the Associate Director for Enforcement, Bureau of Consumer Protection, Federal
Trade Commission, Washington, D.C. 20580, within ten (10) days after the Assessment has been
prepared. All subsequent biennial Assessments must be retained by respondent until the order is
terminated and provided to the Associate Director of Enforcement within ten (10) days of
request. Unless otherwise directed by a representative of the Commission, the initial
Assessment, and any subsequent Assessments requested, must be emailed to Debrief@ftc.gov or
sent by overnight courier (not the U.S. Postal Service) to: Associate Director of Enforcement,
Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW,
Washington, D.C. 20580. The subject line must begin: In re ASUSTek Computer Inc., FTC File
No. 142 3156.

6

IV.
IT IS FURTHER ORDERED that respondent must:
A.

B.

Notify consumers, Clearly and Conspicuously, when a Software Update is
available, or when respondent is aware of reasonable steps that a consumer could
take to mitigate a Security Flaw. The notice must explain how to install the
Software Update, or otherwise mitigate the Security Flaw, and the risks to the
consumer’s Covered Device or Covered Information if the consumer chooses not
to install the available Software Update or take the recommended steps to mitigate
the Security Flaw. Notice must be provided through at least each of the following
means:
1.

Posting of a Clear and Conspicuous notice on at least the primary,
consumer-facing website of respondent and, to the extent feasible, on the
user interface of any Covered Device that is affected;

2.

Directly informing consumers who register, or who have registered, a
Covered Device with respondent, by email, text message, push
notification, or another similar method of providing notifications directly
to consumers; and

3.

Informing consumers who contact respondent to complain or inquire about
any aspect of the Covered Device they have purchased.

Provide consumers with an opportunity to register an email address, phone
number, device, or other information during the initial setup or configuration of a
Covered Device, in order to receive the security notifications required by this
Part. The consumer’s registration of such information must not be dependent
upon or defaulted to an agreement to receive non-security related notifications or
any other communications, such as advertising. Notwithstanding this
requirement, respondent may provide an option for consumers to opt-out of
receiving such security-related notifications.
V.

IT IS FURTHER ORDERED that respondent must maintain and upon request make
available to the Federal Trade Commission for inspection and copying, a print or electronic copy
of:
A.

For a period of three (3) years after the date of preparation of each Assessment
required under Part III of this order, all materials relied upon to prepare the
Assessment, whether prepared by or on behalf of the respondent, including but
not limited to all plans, reports, studies, reviews, audits, audit trails, policies,
training materials, and assessments, and any other materials relating to
7

respondent’s compliance with Part III of this order, for the compliance period
covered by such Assessment;
B.

Unless covered by V.A, for a period of five (5) years from the date of preparation
or dissemination, whichever is later, all other documents relating to compliance
with this order, including but not limited to:
1.

All advertisements, promotional materials, installation and user guides,
and packaging containing any representations covered by this order, as
well as all materials used or relied upon in making or disseminating the
representation;

2.

All notifications required by Part IV of this order; and

3.

Any documents, whether prepared by or on behalf of respondent, that
contradict, qualify, or call into question respondent’s compliance with this
order.
VI.

IT IS FURTHER ORDERED that respondent must deliver a copy of this order to all
current and future subsidiaries, current and future principals, officers, directors, and managers,
and to all current and future employees, agents, and representatives having supervisory
responsibilities relating to the subject matter of this order. Respondent must deliver this order to
such current subsidiaries and personnel within thirty (30) days after service of this order, and to
such future subsidiaries and personnel within thirty (30) days after the person assumes such
position or responsibilities. For any business entity resulting from any change in structure set
forth in Part VII, delivery must be at least ten (10) days prior to the change in structure.
VII.
IT IS FURTHER ORDERED that respondent must notify the Commission at least
thirty (30) days prior to any change in the corporation(s) that may affect compliance obligations
arising under this order, including, but not limited to: a dissolution, assignment, sale, merger, or
other action that would result in the emergence of a successor corporation; the creation or
dissolution of a subsidiary, parent, or affiliate that engages in any acts or practices subject to this
order; the proposed filing of a bankruptcy petition; or a change in the corporate name or address.
Provided, however, that, with respect to any proposed change in the corporation(s) about which
respondent learns fewer than thirty (30) days prior to the date such action is to take place,
respondent must notify the Commission as soon as is practicable after obtaining such knowledge.
Unless otherwise directed by a representative of the Commission, all notices required by this Part
must be emailed to Debrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to:
Associate Director of Enforcement, Bureau of Consumer Protection, Federal Trade Commission,
600 Pennsylvania Avenue NW, Washington, D.C. 20580. The subject line must begin: In re
ASUSTek Computer Inc., FTC File No. 142 3156.
8

VIII.
IT IS FURTHER ORDERED that respondent, within sixty (60) days after the date of
service of this order, must file with the Commission a true and accurate report, in writing, setting
forth in detail the manner and form of its compliance with this order. Within ten (10) days of
receipt of written notice from a representative of the Commission, it must submit additional true
and accurate written reports.
IX.
This order will terminate twenty (20) years from the date of its issuance, or twenty (20)
years from the most recent date that the United States or the Commission files a complaint (with
or without an accompanying consent decree) in federal court alleging any violation of the order,
whichever comes later; provided, however, that the filing of such a complaint will not affect the
duration of:
A.

Any Part in this order that terminates in fewer than twenty (20) years;

B.

This order’s application to any respondent that is not named as a defendant in
such complaint; and

C.

This order if such complaint is filed after the order has terminated pursuant to this
Part.

Provided, further, that if such complaint is dismissed or a federal court rules that respondent did
not violate any provision of the order, and the dismissal or ruling is either not appealed or upheld
on appeal, then the order as to such respondent will terminate according to this Part as though the
complaint had never been filed, except that the order will not terminate between the date such
complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date
such dismissal or ruling is upheld on appeal.

9

Signed this ________ day of __________, 2015.

ASUSTEK COMPUTER, INC.

Dated: _____

By: ____________________________________
JONATHAN TSANG, Vice Chairman and President
ASUSTeK Computer, Inc.

Dated: _____

By: ____________________________________
BRADLEY WASSER, Esq.
The Law Offices of David Balto
1325 G Street, NW, Suite 500
Washington, DC 20005
Attorney for Respondent

FEDERAL TRADE COMMISSION

Dated: _____

By: ____________________________________
NITHAN SANNAPPA
Counsel for the Federal Trade Commission

____________________________________
JARAD BROWN
Counsel for the Federal Trade Commission

10

ATTORNEYS FOR RESPONDENT

Dated: _____

By: ____________________________________
DAVID A. BALTO, Esq.
The Law Offices of David Balto
1325 G Street, NW, Suite 500
Washington, DC 20005
Attorney for Respondent

_________________________________________
BRADLEY WASSER, Esq.
The Law Offices of David Balto
1325 G Street, NW, Suite 500
Washington, DC 20005
Attorney for Respondent

11

APPROVED:

_________________________________
MARK EICHORN
Assistant Director
Division of Privacy and Identity Protection

_________________________________
MANEESHA MITHAL
Associate Director
Division of Privacy and Identity Protection

_________________________________
JESSICA RICH
Director
Bureau of Consumer Protection

12

3 thoughts on “Asus Complaint Opens Door To Torts For Internet Of Shit Insecurity

  1. Needs posted in ***ALTCOINS***.

    At least until we have a tag for Internet_Of_Shit.

  2. So basically they didn't get fined? Or even admit guilt?

Leave a Reply to prince_gbanga Cancel reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>