Canadian Maker of Smart Locks Settles FTC Allegations That it Deceived Consumers about its Security Practices

A Canadian company has settled Federal Trade Commission allegations that it deceived consumers by falsely claiming that its Internet-connected smart locks were designed to be “unbreakable” and that it took reasonable steps to secure the data it collected from users.

The settlement requires Tapplock, Inc. to, among other things, implement a comprehensive security program and obtain independent biennial assessments of the program.

“We allege that Tapplock promised that its Internet-connected locks were secure, but in fact the company failed to even test if that claim was true,” said Andrew Smith, Director of the FTC’s Bureau of Consumer Protection. “Tech companies should remember the basics—when you promise security, you need to deliver security.”

Tapplock sells fingerprint-enabled, Internet-connected padlocks, and has touted in its advertisements that its smart locks were “Bold. Sturdy. Secure,” according to the FTC’s complaint. The company’s smart locks interact with a companion mobile app that allows users to lock and unlock their locks when they are within Bluetooth range.

The Tapplock app collects personal information including usernames, email addresses, profile photos, and the precise location of users’ smart locks. In addition to touting the security of its locks, Tapplock also claimed in its privacy policy that it took “reasonable precautions” to secure the data it collected.

The FTC, however, alleged that contrary to its representations to consumers, the company’s locks were not secure and that Tapplock failed to take reasonable precautions or follow industry best practices to protect the consumer data it collected.

Security researchers identified both physical and electronic vulnerabilities that allowed them to unlock Tapplock’s smart locks by, for example, unscrewing the product’s back panel or exploiting the unencrypted Bluetooth connection between the app and the lock. Other electronic vulnerabilities prevented consumers from effectively revoking access to their locks and allowed researchers to bypass the account authentication process and access Tapplock user accounts, including their usernames, email addresses, profile photos, location history, and precise location of the lock.

The FTC also alleged that Tapplock failed to implement a security program or take other steps that might have helped the company discover electronic vulnerabilities with its locks.

In addition to the security program provision, the proposed settlement prohibits Tapplock from misrepresenting its privacy and security practices. Tapplock also is required to obtain third-party assessments of its information security program every two years. In addition, the Commission has authority to approve the assessor for each two-year assessment period.

The Commission voted 5-0 to issue the proposed administrative complaint and to accept the consent agreement with the company. The FTC will publish a description of the consent agreement package in the Federal Register soon. The agreement will be subject to public comment for 30 days after publication in the Federal Register after which the Commission will decide whether to make the proposed consent order final. Instructions for filing comments will appear in the published notice. Once processed, comments will be posted on Regulations.gov.

NOTE: The Commission issues an administrative complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $43,280.

The Federal Trade Commission works to promote competition, and protect and educate consumers. You can learn more about consumer topics and file a consumer complaint online or by calling 1-877-FTC-HELP (382-4357). Like the FTC on Facebook, follow us on Twitter, read our blogs, and subscribe to press releases for the latest FTC news and resources.

IR Press

Recent Posts

OCC Announces Enforcement Actions for November 2024

WASHINGTON—The Office of the Comptroller of the Currency (OCC) today released enforcement actions taken against…

4 days ago

Remarks by Secretary of the Treasury Janet L. Yellen on the 30th Anniversary of the Community Development Financial Institution Fund

As Prepared for Delivery Good afternoon. It’s an honor to welcome President Clinton to Treasury today…

5 days ago

Treasury Sanctions Gazprombank and Takes Additional Steps to Curtail Russia’s Use of the International Financial System

Treasury imposes sanctions on dozens of Russian banks, securities registrars, and finance officials; OFAC issues…

5 days ago

Acting Comptroller Testifies on State of the Federal Banking System

WASHINGTON—Acting Comptroller Michael J. Hsu today testified on the state of the federal banking system…

5 days ago

Remarks by Assistant Secretary for International Finance Brent Neiman on the U.S. Cross-Border Payments Agenda

As Prepared for Delivery Thank you very much for the opportunity to be here today, and…

7 days ago