It’s rare we get Shakespearean on you, but a letter the FTC staff just sent to Verizon Communications reminds us of the quote from Julius Caesar, “The fault, dear Brutus, is not in our stars, but in ourselves. . . ” When it comes to the FTC’s now-closed investigation of Verizon, the staff says the fault wasn’t in the stars, but in the default.
The investigation focused on – among other things – Verizon’s practice of shipping routers to DSL and FiOS customers with the default security set to an outdated encryption standard, Wired Equivalent Privacy (WEP). WEP was a big deal when it was introduced in 1999, but by 2004, security shortcomings led the Institute of Electrical and Electronics Engineers to reject WEP in favor of Wi-Fi Protected Access (WPA), and later, Wi-Fi Protected Access 2 (WPA2). (To use IEEE’s terminology, it “deprecated [WEP] in favor of new security features.”)
And yet a decade later, Verizon was still shipping some routers with the WEP encryption standard. As a result, many Verizon customers have routers set to the outdated WEP standard, leaving them vulnerable to hackers. The staff investigation considered whether Verizon’s failure to reasonably secure those routers was a deceptive or unfair practice.
The staff decided to close the investigation, but the rationale explained in the closing letter is worth a read. Among the factors the staff considered were “Verizon’s overall data security practices related to its routers, along with efforts by Verizon to mitigate the risk to its customers’ information.” Specifically, Verizon has pulled all WEP-defaulted routers from its distribution centers and set them to WPA2, ensuring that all routers sent out from here on in will be set to WPA2 by default. In addition, the staff cited Verizon’s outreach campaign targeting customers currently using WEP (or no encryption at all) and asking them to update to WPA2. What about customers with older routers incompatible with WPA2? Verizon is giving them the opportunity to upgrade – something the staff encourages people to do.
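As an added illustration (not from the FTC post or anything Verizon published), here is how an ISP's security team might audit its own router inventory against the remediation described above, sorting weak-default units into the re-default, customer-outreach and hardware-upgrade buckets; the inventory format, column names and serials are constructed assumptions.

```python
# Added example: audit a constructed router inventory for the problem the
# post describes (units defaulting to WEP or to no encryption) and assign
# each weak unit the remediation the post attributes to Verizon.
# Inventory format, column names and serials are assumptions.
import csv
import io

# Constructed sample inventory, one row per router. location is
# "warehouse" (still in distribution) or "customer" (already deployed);
# wpa2_capable says whether the hardware can run WPA2 at all.
SAMPLE_INVENTORY = """\
serial,location,wifi_mode,wpa2_capable
R-0001,warehouse,WEP,yes
R-0002,warehouse,WPA2,yes
R-0003,customer,WEP,yes
R-0004,customer,open,yes
R-0005,customer,WEP,no
R-0006,customer,WPA2,yes
"""

# Modes below the bar: WEP is deprecated, "open" means no encryption.
WEAK_MODES = {"WEP", "open"}


def classify(router):
    """Return the remediation bucket for one row, or None if the router
    already uses WPA2 (or better)."""
    if router["wifi_mode"] not in WEAK_MODES:
        return None
    if router["wpa2_capable"] != "yes":
        # Hardware cannot run WPA2: the only fix is a replacement unit.
        return "hardware_upgrade"
    if router["location"] == "warehouse":
        # Still in distribution: re-default to WPA2 before it ships.
        return "redefault_wpa2"
    # Deployed and WPA2-capable: ask the customer to switch modes.
    return "customer_outreach"


def audit(inventory_csv):
    """Group serials by remediation bucket; compliant units are listed
    too so the report covers the whole fleet."""
    report = {"redefault_wpa2": [], "customer_outreach": [],
              "hardware_upgrade": [], "compliant": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        report[classify(row) or "compliant"].append(row["serial"])
    return report


if __name__ == "__main__":
    for bucket, serials in audit(SAMPLE_INVENTORY).items():
        print(f"{bucket:17s} {len(serials):2d}  {', '.join(serials)}")
```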
What’s the message for other companies? The closing letter spells out why security isn’t a one-and-done deal:
We continue to emphasize that data security is an ongoing process. As risks, technologies, and circumstances change over time, companies must adjust security practices accordingly. In the past, defaulting consumer routers to WEP may not have been unreasonable, given concerns about compatibility with older computing devices. However, what constitutes reasonable security changes over time as new risks emerge and new tools become available to address them. As most all consumer devices on the market today are compatible with WPA2, it would likely be unreasonable for ISPs or router manufacturers to continue to default consumer routers to WEP encryption. We hope and expect that all companies that provide consumers with these products will ensure reasonable and appropriate default security settings.
The letter ends with the usual caveat about closing letters: “The closing of this investigation is not to be construed as a determination that a violation may not have occurred, just as the pendency of an investigation should not be construed as a determination that a violation has occurred. The Commission reserves the right to take such further action as the public interest may require.”
Triple negatives aside, it’s a timely reminder for all companies to consider the default security settings they select for their products.