On April 6, the Federal Trade Commission announced a settlement with Tapplock, Inc. for falsely claiming that its fingerprint-sensing smart locks were “unbreakable” and that, as its privacy policy put it, the company followed “industry best practices” to protect users’ personal information. After three security researchers identified physical and electronic vulnerabilities in the smart locks in June 2018, the FTC’s Bureau of Consumer Protection alleged that Tapplock, a Canadian company, had violated Sections 4 and 5 of the Federal Trade Commission Act.
Under the settlement Tapplock neither admits nor denies the allegations in the complaint, but the FTC alleged several specific vulnerabilities: users’ personal information was easily accessible, and a lock remained accessible to another user even after the owner had revoked that user’s access. The FTC also alleged that Tapplock promised its Internet-connected smart locks, which can be opened by fingerprint, by a Morse-code sequence entered on the lock, or over Bluetooth from the app, were “secure,” yet “failed to take reasonable precautions” to make that true, and never even tested whether the claim held.
Tapplock advertised its fingerprint-enabled smart locks as having enterprise-level encryption, proprietary anti-shim technology, and multiple cybersecurity protocols. Users control the locks from a mobile app that collects personal information including usernames, email addresses, profile photos, location history, and the precise geolocation of each lock. Contrary to the claim that this information was kept secure, the FTC alleged that a user could log in to her own account and then read another user’s account without that user’s credentials, sidestepping Tapplock’s access controls altogether. In security terms this is an authorization failure rather than an authentication one: the caller was logged in, but the service never checked that the account she requested was her own. Another alleged vulnerability allowed a researcher to lock and unlock any nearby Tapplock over its unencrypted Bluetooth link.
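The two server-side failures described above (a logged-in user reading another user’s account, and a revoked user keeping access to a lock) are easier to see in code. The following is an added illustration of those two vulnerability classes, not Tapplock’s code and not a reconstruction of its API: the account records, session tokens, lock identifiers and the unlock-token mechanism are all constructed for the example. Each handler is shown in a vulnerable form next to a hardened one.

```python
"""Added illustration (not Tapplock's code): the two authorization failures
the FTC complaint describes, each as a vulnerable handler next to a hardened
one, run over a constructed in-memory data set."""

import secrets

# Constructed sample data (hypothetical identifiers, not real Tapplock data).
ACCOUNTS = {
    "u100": {"username": "alice", "email": "alice@example.com", "lock_geo": (45.42, -75.69)},
    "u200": {"username": "bob", "email": "bob@example.com", "lock_geo": (43.65, -79.38)},
}
SESSIONS = {"tok-alice": "u100", "tok-bob": "u200"}   # session token -> user id
LOCK_OWNER = {"lock-1": "u100"}                        # lock id -> owning user id


class AuthError(Exception):
    pass


def _caller(session_token):
    """Authentication only: who is making this request?"""
    user = SESSIONS.get(session_token)
    if user is None:
        raise AuthError("not logged in")
    return user


# 1. Cross-account read: a logged-in caller asks for an arbitrary account id.
def get_account_vulnerable(session_token, account_id):
    _caller(session_token)          # checks that *someone* is logged in...
    return ACCOUNTS[account_id]     # ...then serves whichever account was asked for


def get_account_hardened(session_token, account_id):
    caller = _caller(session_token)
    if caller != account_id:        # authorization: the record must be the caller's own
        raise AuthError("forbidden")
    return ACCOUNTS[account_id]


# 2. Shared lock access that survives revocation.
class LockSharing:
    """An owner shares a lock with a guest, who receives an unlock token
    (a hypothetical mechanism chosen for the illustration)."""

    def __init__(self):
        self.grants = {}          # lock id -> set of guest user ids
        self.unlock_tokens = {}   # unlock token -> (lock id, guest user id)

    def _require_owner(self, session_token, lock_id):
        if LOCK_OWNER.get(lock_id) != _caller(session_token):
            raise AuthError("not the lock owner")

    def share(self, owner_token, lock_id, guest_id):
        self._require_owner(owner_token, lock_id)
        self.grants.setdefault(lock_id, set()).add(guest_id)
        token = secrets.token_hex(8)
        self.unlock_tokens[token] = (lock_id, guest_id)
        return token

    def revoke(self, owner_token, lock_id, guest_id):
        self._require_owner(owner_token, lock_id)
        self.grants.get(lock_id, set()).discard(guest_id)

    def unlock_vulnerable(self, unlock_token, lock_id):
        # Trusts the token alone: once issued it works forever, revoked or not.
        entry = self.unlock_tokens.get(unlock_token)
        return entry is not None and entry[0] == lock_id

    def unlock_hardened(self, unlock_token, lock_id):
        # Re-checks the grant list at unlock time, so revocation takes effect at once.
        entry = self.unlock_tokens.get(unlock_token)
        if entry is None or entry[0] != lock_id:
            return False
        return entry[1] in self.grants.get(lock_id, set())


def raises_auth_error(fn, *args):
    """Small helper: does the call get denied with AuthError?"""
    try:
        fn(*args)
    except AuthError:
        return True
    return False


def demo():
    """Walks both scenarios and returns the observations as a dict."""
    sharing = LockSharing()
    token = sharing.share("tok-alice", "lock-1", "u200")
    before = (sharing.unlock_vulnerable(token, "lock-1"), sharing.unlock_hardened(token, "lock-1"))
    sharing.revoke("tok-alice", "lock-1", "u200")
    after = (sharing.unlock_vulnerable(token, "lock-1"), sharing.unlock_hardened(token, "lock-1"))
    return {
        "bob_reads_alice_vulnerable": get_account_vulnerable("tok-bob", "u100")["username"],
        "bob_reads_alice_hardened_denied": raises_auth_error(get_account_hardened, "tok-bob", "u100"),
        "guest_unlock_before_revoke": before,
        "guest_unlock_after_revoke": after,
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the vulnerable account handler returning Alice’s record to Bob’s session while the hardened one refuses, and the vulnerable unlock path still accepting the guest’s token after revocation while the hardened path stops honouring it. The fix in both cases is the same: authenticate the caller, then check the specific object (account or lock) against what that caller is currently entitled to, on every request.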
The Commission voted 5-0 to issue the complaint and to accept a consent order with the standard terms seen in similar cases, which will remain in force for at least 20 years. Those terms require Tapplock to implement and maintain a comprehensive security program and to conduct periodic vulnerability and penetration testing to confirm that the new safeguards work. Tapplock may not misrepresent in any manner the extent to which it protects the security of its smart locks or of users’ personal information. It must also obtain an assessment of the new security program from an independent third-party professional every two years and submit that assessment to the FTC for approval. Finally, Tapplock must certify its compliance annually, submit officer and employee acknowledgments of the order for 20 years, and create certain records that the FTC may inspect on written request.