For years, Verizon shipped WiFi routers that defaulted to an outdated encryption protocol, potentially exposing customers' data to hackers, according to the Federal Trade Commission.
The FTC called attention to Verizon's practice in a Nov. 12 letter to the company, which is posted on the agency's Web site. The FTC declined to bring charges against Verizon, but said in the letter that many customers “still have routers that are set to the outdated WEP standard, leaving them vulnerable to hackers.”
Specifically, Verizon used to ship potentially problematic routers to DSL and FiOS home broadband subscribers. Those routers had Wired Equivalent Privacy (WEP) encryption enabled by default, even though the Institute of Electrical and Electronics Engineers deprecated WEP 10 years ago, according to the FTC. The more current standard is WiFi Protected Access 2 (WPA2).
“Data security is an ongoing process,” Maneesha Mithal, associate director of the FTC's Division of Privacy and Identity Protection, wrote to Verizon's counsel. “What constitutes reasonable security changes over time as new risks emerge and new tools become available to address them.”
Mithal told the company that one reason it isn't facing charges is that it tried “to mitigate the risk to its customers' information” by resetting the default standards to a more current encryption.
Verizon also reached out to customers still using the WEP standards and asked them to update their security settings to WPA2, according to the FTC.
A Verizon spokesperson says customers' “online security is critically important to us.” The spokesperson adds that the company provides “insight and tips to our customers for managing a safe online experience and maintaining a secure home network.”
The agency's closing letter signals that questions of privacy and security remain on the agency's radar, says Greg Boyd, a partner in the law firm Frankfurt Kurnit Klein & Selz.
“The FTC is very concerned that companies fulfill their privacy promises, and that people have their basic expectations met,” he says. “If a default setting on a router is an easily exploitable security standard, a consumer's basic expectations of privacy are not going to be met.”
Despite the FTC's stance, the extent of its authority to police security violations is still unclear. Wyndham Hotels currently is asking a federal appellate court to dismiss charges stemming from a data breach. The hotel chain argues that the FTC doesn't have the authority to bring enforcement actions for allegedly failing to take what it views as “reasonable” security measures.
That case, which is pending in the 3rd Circuit Court of Appeals, has drawn interest from outside groups, including the U.S. Chamber of Commerce (which sides with Wyndham) and privacy organizations, which back the FTC's ability to sue.