VTech: We Are Not Liable If We Fail to Protect Your Data, EFF: Oh Yes You Are!
If you are a company that collects customer data, it’s your job to protect it. Your customers expect it. You can’t dodge that responsibility by altering your terms and conditions, especially when finding them is equivalent to playing “Where’s Waldo?” on your website.
This is not only outrageous, but in EFF’s view, also not legally enforceable.
VTech, the Hong Kong-based maker of many children’s digital toys, apparently doesn’t see things this way.
First, a little background. In November 2015, VTech was hacked and the information of as many as 6.3 million children and 4.8 million parents was compromised. Data exposed by the breach consisted of children’s names, ages, genders, photos, chat logs, and information linking them to their parents and their home addresses. After downplaying the extent of the hack, VTech finally came forward with the details, including an estimate of the number of victims by their country of residence.
The hack was remarkable because, after a year of other high-profile breaches like Ashley Madison and OPM, VTech was found employing spectacularly outdated security practices and software. For instance, the site where user accounts were created had no SSL encryption; the company was using severely weak MD5 hashes to scramble user passwords (weak hashes make the passwords easy to crack once the database is breached); and API calls were returning unrelated database queries when they should have been locked down, among other problems.
Since then, VTech has been working with experts to improve its security, and the progress is evident, especially in the company’s web pages, which are now SSL encrypted. However, given the company’s basically non-existent security just a few months ago, it’s surprising that its strategy of customer reassurance consists of disclaiming all responsibility for protecting user information.
In an obscure link, the company says this of its responsibility to protect user information:
We know that there’s no such thing as “perfect” security, but when you are caught with bad practices in a banner year for data breaches, you should be dedicated to securing your users’ information instead of hiring lawyers to sneakily limit your liability. Especially when that supposed exemption from liability is communicated to users by hiding it deep inside a mountain of text.
The near-complete opacity with which these changes in terms and conditions are communicated becomes even more obvious given their absence from the website that’s specifically designed to relay to parents the status of services affected by the breach. Instead, on that page, VTech paints a picture of working hard to protect user data and suggests that parents and children can rest easy:
A mention or a link to VTech absolving itself of all responsibility in case of a breach would have been nice here.
Lastly, in two of VTech’s major markets, the US and Europe, experts agree that these terms and conditions may be unenforceable. In Europe, data protection laws require companies to secure their customers’ data.
In the United States, EFF’s view is that the Children’s Online Privacy Protection Act (COPPA) requires that companies collecting data from children under 13 use reasonable means to protect it. This is what the first COPPA FAQ applicable to service providers on the FTC website says:
Maintain the confidentiality, security, and integrity of information they collect from children, including by taking reasonable steps to release such information only to parties capable of maintaining its confidentiality and security
Given the new terms’ near unenforceability, significant lack of good faith in communicating them to users, and the ill will they are garnering from the Internet at large, VTech should do the right thing and get rid of them.
VTech’s resources would be better spent ensuring its customers’ sensitive data is secure, instead of finding ways to get out of that responsibility via legal trickery.