Hacked Toy Company VTech’s TOS Now Says It’s Not Liable for Hacks
Looks like VTech wants to make sure it can’t be sued if it suffers another data breach in the future.
Last Friday, parents and kids who own the internet-connected toys made by VTech finally received some much-awaited news: The company's app store and learning portal was back online after being shut down for more than two months following the embarrassing data breach that exposed the personal data of more than 6 million children.
"After further strengthening our data protection, the Learning Lodge® service is now back online," VTech's president King Pang wrote in an email to customers, which a parent shared with Motherboard. "We are committed to the privacy and protection of the information you entrust with VTech."
What Pang didn't say in the email, however, is that VTech seems to be trying to skirt any responsibility for a future hack, deflecting the blame to its own customers.
In its Terms and Conditions for the Learning Lodge, VTech now includes the following ominous language in all-caps:
"YOU ACKNOWLEDGE AND AGREE THAT ANY INFORMATION YOU SEND OR RECEIVE DURING YOUR USE OF THE SITE MAY NOT BE SECURE AND MAY BE INTERCEPTED OR LATER ACQUIRED BY UNAUTHORIZED PARTIES."
It's unclear when this language was added, but the document says it was updated on December 24 of last year.
A VTech spokesperson said that since the breach, the company "as worked hard" to improve its security, but "no company that operates online can provide a 100% guarantee that it won't be hacked."
"The Learning Lodge Terms and Conditions, like the T&Cs for many online sites and services, simply recognize that fact by limiting the company's liability for the acts of third parties such as hackers," VTech spokesperson Grace Pang told Motherboard in an emailed statement. "Such limitations are commonplace on the Web."
Pang also said "key functions" of the Learning Lodge came back online on January 23.
But security and privacy experts are concerned that this could be an attempt to skirt lawsuits in case of a future data breach—and they believe consumers should be aware of the move to avoid liability, especially considering that VTech is now getting in the house monitoring business.
Rik Ferguson, the vice president of security research at Trend Micro, said the clause is "outrageous, unforgivable, ignorant, opportunistic, and indefensible," and likened it to "weasel words." Despite this surprising change—a British law professors told me he's "never seen a clause like that before"—legal experts doubt the provision has any real value.
The clause is "outrageous, unforgivable, ignorant, opportunistic, and indefensible."
"This ass-covering doesn't really work in the [European Union]," Ot Van Daalen, a privacy lawyer in the Netherlands who used to be the director of digital rights group Bits of Freedom, told Motherboard. "Under EU law you have an obligation to secure data and you cannot waive this by putting something like this in the terms and conditions that you have with your consumers."
The UK's data protection agency, the Information Commissioner's Office, declined to comment on VTech's terms and conditions. The agency is reportedly investigating the breach and the extent of VTech's responsibility in it.
Angela Campbell, a professor of law at Georgetown University, who specializes in privacy and consumer protections, explained that this clause probably wouldn't be valid in the United States either. Campbell told me that the Children's Online Privacy Protection Act, also known as COPPA, says that websites and companies who collect children's data have to inform parents of the data they collect, and have an obligation to "establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children."
But not everyone is shocked by VTech's words. James Denaro, a computer scientist and attorney who founded the firm CipherLaw, said that many sites have similarly-worded disclaimers.
"They need to invest in better security instead of trying to restrict liability."
"It comes off a bit awkwardly for them here, in light of being hacked, but it is a perfectly reasonable provision in a [Terms of Service] otherwise because nobody could promise they are perfectly secure," he told Motherboard.
In any case, Troy Hunt, a security expert who reviewed some of the VTech data stolen by the hacker, chastised VTech in a blog post on Monday, accusing the company of trying to absolve itself of any responsibility for an eventual future hack.
"Apparently they now feel customers should wear all the risk for shortcomings in their systems, he wrote. "If they honestly don't feel they're not up to the task of protecting personal information then perhaps put that on the box and allow consumers to consciously take their chances rather than implicitly opting into the 'zero accountability' clause."
Van Daalen echoed some of Hunt's feelings, saying that he wasn't sure VTech has learned from its "mistakes."
"They need to invest in better security instead of trying to restrict liability," he added.
This story has been updated to add a new statement from a VTech spokesperson.