Default, Verizon . . .


It’s rare we get Shakespearean on you, but a letter the FTC staff just sent to Verizon Communications reminds us of the quote from Julius Caesar, “The fault, dear Brutus, is not in our stars, but in ourselves. . . ” When it comes to the FTC’s now-closed investigation of Verizon, the staff says the fault wasn’t in the stars, but in the default.

The investigation focused on – among other things – Verizon’s practice of shipping routers to DSL and FiOS customers with the default security set to an outdated encryption standard, Wired Equivalent Privacy (WEP). WEP was a big deal when it was introduced in 1999, but by 2004, security shortcomings led the Institute of Electrical and Electronics Engineers to reject WEP in favor of Wi-Fi Protected Access (WPA), and later, Wi-Fi Protected Access 2 (WPA2). (To use IEEE’s terminology, it “deprecated [WEP] in favor of new security features.”)

And yet a decade later, Verizon was still shipping some routers with the WEP encryption standard. As a result, many Verizon customers have routers set to the outdated WEP standard, leaving them vulnerable to hackers. The staff investigation considered whether Verizon’s failure to reasonably secure those routers was a deceptive or unfair practice.

The staff decided to close the investigation, but the rationale explained in the closing letter is worth a read. Among the factors the staff considered were “Verizon’s overall data security practices related to its routers, along with efforts by Verizon to mitigate the risk to its customers’ information.” Specifically, Verizon has pulled all WEP-defaulted routers from its distribution centers and set them to WPA2, ensuring that all routers sent out from here on in will be set to WPA2 by default. In addition, the staff cited Verizon’s outreach campaign targeting customers currently using WEP (or no encryption at all) and asking them to update to WPA2. What about customers with older routers incompatible with WPA2? Verizon is giving them the opportunity to upgrade – something the staff encourages people to do.

What’s the message for other companies? The closing letter spells out why security isn’t a one-and-done deal:

We continue to emphasize that data security is an ongoing process. As risks, technologies, and circumstances change over time, companies must adjust security practices accordingly. In the past, defaulting consumer routers to WEP may not have been unreasonable, given concerns about compatibility with older computing devices. However, what constitutes reasonable security changes over time as new risks emerge and new tools become available to address them. As most all consumer devices on the market today are compatible with WPA2, it would likely be unreasonable for ISPs or router manufacturers to continue to default consumer routers to WEP encryption. We hope and expect that all companies that provide consumers with these products will ensure reasonable and appropriate default security settings. 

The letter ends with the usual caveat about closing letters: “The closing of this investigation is not to be construed as a determination that a violation may not have occurred, just as the pendency of an investigation should not be construed as a determination that a violation has occurred. The Commission reserves the right to take such further action as the public interest may require.”

Triple negatives aside, it’s a timely reminder for all companies to consider the default security settings they select for their products.

 

Comments

Thank you very much. It means so much to me to be a member or to have access to your channel. I will be able to access information I had been longing for. Thank you again for the assistance you have done for me.
Thank you for upgrading and listening to our concerns as voiced to tech services. I have enjoyed being with Verizon these last 5 yrs... thanks again
Would this affect any 4G on Samsung devices or tablets they sell? On any security issues because they used WEP security?
The investigation focused just on the security of home routers that Verizon Communications provided to its home internet users.
Just so everyone knows, you don't have to use their router. If you just purchase internet from them you don't even need a coaxial connection. With Fios you can call their support and have them switch to Ethernet (instead of coaxial). Then you can use any store-bought router. Here is an article walking you through it.
Thank you for informing me about Verizon. These twenty years I have been a great member but they are getting nasty to people and the bill is so damn high. You can't talk to them. It has been too long but I hope this matter gets fixed because I am trying to be nice but they are not nice to me. Thank you. And don't help people.

I have unethical billing from Verizon over lost devices; I reported two devices as lost. Yet, I was receiving billing for over extended data for those devices. Now, I have them established collection against me for a number of years now which hinders my going forward with my credit rating.
