Onity Wins: Hotels That Bought Their Easily-Hacked Door Lock Can't Sue According To Court
from the locked-in dept
A couple years back, I wrote about the curious case of Onity, a company that makes door locks for hotel rooms. Thing is, their locks fail to do the one thing they're supposed to do, as shown when one man at a Black Hat security conference used a cheap device to access the lock's dataport and cause it to unlock. The idea was that a lock that is defeated by equipment that costs pocket change isn't so much a lock as it is a decoration. Onity, in the company's infinite wisdom, claimed the long term fix, a new system board, was available to its customers...for a price.
A class action's worth of hotels weren't satisfied with paying twice for the same product just to make it work, so they filed a lawsuit. That filing was recently rejected by a judge using some awfully strange logic.
The court’s decision turns on three key facts. First, the plaintiffs didn’t allege any actual security breaches; the court says they are suing “only for the costs of preventing future unauthorized access.” Second, each lock still works in the sense that it “still performs the functions of locking the door upon closing it and unlocking it upon insertion of a properly-coded key card….the locks do not begin to fail on their own upon installation, nor are they all ‘doomed to fail’ eventually.” Third, the court says any future security breaches “could occur only if third parties engaged in criminal conduct to enter Plaintiffs’ hotel rooms.”
Let's deal with these in order. Onity's lock has a gaping security hole that's laughably easy to exploit. For anyone with fifty dollars in their pockets, the lock might as well not be there at all. The very nature of the condition of the product is a breach and, in any case, it is at least easily understandable as a product that doesn't perform its basic functions, which is what makes the second claim by the judge so galling. Deciding the lock "works" by the most childish evaluation possible is insane. The lock either performs to industry standards or it doesn't, and this one doesn't. As for the argument that a cheap lockpick can also defeat a hardware lock, there is an important difference here, I think. A hardware lock is limited in terms of a fix by its very nature, whereas Onity is proclaiming that an electronic fix does exist for its electronic lock; it only wants hotels to pay for the pleasure of having their product work properly.
As for that last claim: in what sort of insane world do we live when a manufacturer that makes a product designed to prohibit illegal behavior can get out of paying to repair its product that doesn't stop illegal behavior because the behavior its product isn't stopping is illegal? An alarm system that fails to alarm when criminals break into a building isn't protected by the fact that the break-in is illegal.
The whole ruling appears to be a case of an ill-informed judge, one that may have unfortunate consequences in other areas of the law.
The court instead analogized Onity’s situation to data breach cases like Reilly v. Ceridian, where consumers’ personal data is stolen but consumers can’t show directly attributable adverse consequence from this theft. I understood the analogy: just like consumers might fear future harm from identity theft, hotels might fear harm from future breaches of their locks. However, this analogy doesn’t work very well. While there aren’t many actions consumers can take to proactively protect their data after a data security breach (even credit monitoring isn’t particularly useful), everyone benefits if the hotels proactively remediate this problem.
Thankfully the ruling is being appealed, so hopefully a future court will get this corrected, but keep in mind that all this is the result of a lock company that makes locks that do not lock if someone comes along with fifty dollars' worth of low-end technology. Happy traveling, readers....
This ruling could help defendants in future privacy violation cases. First, if lock buyers lack standing when a physical object fails to perform its basic function, plaintiffs with more abstract data-related risks shouldn’t either. Second, if the risk of future third party criminal behavior doesn’t count as an injury, data breach victims’ purported concerns about future data misuse (like identity theft) are also irrelevant.
Filed Under: digital locks, hotels, locks, security
Companies: onity
Reader Comments
"works"
The same logic is applied to punish hackers who are able to bypass ineffective security measures. Ask Weev about it.
The same logic is applied to hackers who try to circumvent ineffective copyright protection methods. Ask the people behind 2600 about it.
[ link to this | view in chronology ]
Comparing a lock system to a data breach is akin to those people who opt to sue Google when a website makes them sad.
Google has nothing to do with it, but because Google is synonymous in many people's minds for a catchall for the internet in general they proceed.
Onity has pretty much made sure that they aren't going to continue to have Hotels as customers, and one would expect that future contracts will have specific terms talking about upgrades, costs, and the limitation of how long they will provide those upgrades.
Once upon a time, I swear, companies would do the right thing without requiring lawsuits to attempt to make it happen. Now one has to think of all of the possible angles that one can sue over.
[ link to this | view in chronology ]
Re:
It seems to me that's the most important outcome here, more important than how this case is determined. These hotel chains should make sure to spread the word, and not just to hotels, that nobody should ever buy Onity products because A) they suck and B) Onity doesn't stand behind them.
[ link to this | view in chronology ]
Re:
and I think this is a good reason why the free market capitalistic solution isn't necessarily a bad thing to allow to happen without necessarily involving the courts. If your products and services suck you will get that sort of reputation and you will lose customers.
To address the OP
"The very nature of the condition of the product is a breach"
I think this really depends on how the product was advertised. Hard locks aren't perfectly secure and, for a cheap price, they can reasonably easily be circumvented. They can be picked and doors can be broken into. Though at least breaking in leaves evidence of forced entry which can alert someone returning to their apartment that someone might still be in there so that they can call the cops and it can warn someone already inside that someone is trying to break in giving them time to respond and call the police/hotel security. In this case someone might be able to get in without leaving evidence or perhaps even sneak in quietly and sneak up on people.
Then again it's also shady for a company to have a defect in their product and charge to have their product fixed. That's kinda like a car manufacturer having a defect and then charging drivers to fix it (and the extent that the law requires the manufacturer to provide a free fix may depend on the jurisdiction and nature of the defect. If it's a safety issue the government will require the manufacturer to recall and fix it free of charge. If it's something minor with the radio the law may not care).
I guess in this case the defect is in the core function of the product. Technically it may even involve safety (someone being able to sneak in your room without leaving evidence). But I think it really goes back to how the product was advertised and what kinda disclaimers were included in the fine print.
"As for the argument that a cheap lockpick can also defeat a hardware lock"
Again this goes back to how the product is advertised. If the product is advertised as being more secure than a hard lock and it's really not then I would consider that a breach of contract. If, however, it was advertised as simply being a more convenient replacement for hard locks without necessarily being more secure (but being about as secure) then maybe not (then again who will advertise it like that?). You promised a product and didn't deliver your product. It's possible the product comes with some sorta agreement that no one reads or if anyone working at the hotel reads it they figure if there is a problem they will deal with it when it happens (ie: by exercising their ability to not buy from this manufacturer in the future if they don't reasonably correct problems with their product).
[ link to this | view in chronology ]
Re: Re:
Except, of course, that the courts are there to get you back the money you paid for products not up to the advertised task. It's just that the judge here doesn't grasp what the task of a lock is.
"I think this really depends on how the product was advertised. Hard locks aren't perfectly secure and, for a cheap price, they can reasonably easily be circumvented. They can be picked and doors can be broken into."
Both of which require a certain degree of effort and know-how.
By that notion, hotels would all have primitive old keys which a standard piece of wire could defeat. After all, the judge clearly believes that the locks in a hotel are only there to thwart people too drunk to remember their room number, not actual thieves.
[ link to this | view in chronology ]
Up Next...
[ link to this | view in chronology ]
What the hotel's contractor did with the hotel's approval was go to the lowest bidder and install accordingly.
What the hotel wanted was the expensive model at the cheap price.
What the judge did was to verify that you get what you pay for.
[ link to this | view in chronology ]
Re:
From what I can tell, Onity is one of the major players in hotel locks (they also get used in student dorms on college campuses), so even if they are the cheapest, it's not like they were buying crap from someone selling knock-offs out of the back of his car.
But hey, it's easier to blame the victim and make assumptions than to actually check this stuff out, right?
[ link to this | view in chronology ]
Re:
That would be very difficult to prove. If everything is working correctly you have to actually demonstrate your claims in court, not just state them.
[ link to this | view in chronology ]
Re: Re:
Wait until someone actually breaks into someone's room, and THEN sue. The court essentially found that, because nobody had actually broken into anyone's room yet, they didn't have standing. Under this logic, a lock manufacturer could sell you a paperclip, and you wouldn't be able to sue them unless you actually tried to use it as a lock and someone defeated it.
Or they should appeal, because the ruling makes no sense. The court says this is different from a case where a consumer has a defective car that hasn't actually injured them yet, because the resale value of the car drops due to the safety defect. Well, doesn't the resale value of a hotel that has locks that need replacing go down? (It shouldn't matter whether any particular hotel is looking to sell at the moment - class action lawsuits against auto makers don't require that every plaintiff be looking to sell their car at the moment either.)
[ link to this | view in chronology ]
Re: Re: Re:
Or because no one used this method to break into anyone's room yet.
and the precedent to sue for actual, and not hypothetical, damages is a very longstanding precedent that often does make sense.
I suppose if someone does break in and takes something or causes damage the tenant harmed would have to sue the hotel and then the hotel would have to sue the lock manufacturer. I'm not so sure that's the best legal setup, for the law to require the hotels to wait for something to happen before being able to recover damages. First of all the person suing the hotel will sue on the grounds that the hotel knew this thing had a flaw and didn't act to correct it ahead of time. The court will rule in favor of the tenant under the grounds that the hotel should have fixed the problem ahead of time because they knew there was a problem. True, but the problem is with the manufacturer so it should have been the manufacturer that fixed it ahead of time but the law is not requiring that either. Kinda contradictory on the part of the law. Another problem with this is if someone can sneak in and take something without anyone knowing how do you prove damages? How do you prove something was stolen and that this flaw is the cause (I suppose you can use security cameras, fingerprints, etc. in some situations but security cameras may not be everywhere and there are problems with trying to use fingerprints to prove someone came in to steal something in a hotel room that probably had many guests and has everyone's fingerprints everywhere).
[ link to this | view in chronology ]
Re: Re: Re: Re:
and the reason this is contradictory on the part of the law is because it kinda requires that the hotels suffer the cost of repairing the flaw to avoid liability without being recouped those costs. Yes the hotel may be able to sue the manufacturer after being sued but what if the manufacturer went out of business by then? Even if they didn't, suing the manufacturer requires an expensive lawsuit and is risky because they still run the risk of losing or being unable to collect even if they win. The only sure way to avoid liability and risk is for the hotel to pay for the flaw ahead of time.
That's not to say I disagree with the ruling (I have mixed feelings about it). I also think there could be many potential problems with the courts ruling in favor of the hotels as well in the kinda precedent it could set for other cases.
[ link to this | view in chronology ]
http://ecx.images-amazon.com/images/I/41psjQIp5qL.jpg
[ link to this | view in chronology ]
Re:
This seems to be an interesting example of people overrating their own importance: the judge, in effect, is claiming that mere fear of the justice system ("Watch out, I'll throw the book at anyone who hacks those locks!") should be sufficient to secure a hotel room door.
[ link to this | view in chronology ]
Implied Warranty Anybody?
https://en.wikipedia.org/wiki/Implied_warranty
Saith wiki:
In common law jurisdictions, an implied warranty is a contract law term for certain assurances that are presumed to be made in the sale of products or real property, due to the circumstances of the sale. These assurances are characterized as warranties irrespective of whether the seller has expressly promised them orally or in writing. They include an implied warranty of fitness for a particular purpose, an implied warranty of merchantability for products, implied warranty of workmanlike quality for services, and an implied warranty of habitability for a home.
[ link to this | view in chronology ]
Scumbags and greedsters REJOICE!
Wow this is the next big thing if patent trolling fails. Do crappy work and get rewarded, totally legal.
[ link to this | view in chronology ]
Re: Scumbags and greedsters REJOICE!
If no specific level of security was specified, then yes, it would be perfectly acceptable to have no security on the database.
[ link to this | view in chronology ]
Sauron and the one lock
[ link to this | view in chronology ]
This surprises anyone that has worked in the Computer Industry how?
[ link to this | view in chronology ]
Re: This surprises anyone that has worked in the Computer Industry how?
This lock company doesn't have that excuse. It's totally their lock, and it's not just a problem with an incompatible door or something.
Microsoft also expressly disclaims, in its licensing agreement, all warranties including fitness for a particular purpose. (Not sure how it's legal to tell the customer about a disclaimer AFTER they've paid money, but that's a topic for another day.)
AND, Microsoft provides free security updates when it finds a security problem in its OS, rather than charging a fee like this company.
[ link to this | view in chronology ]
Re: Re: This surprises anyone that has worked in the Computer Industry how?
Every Microsoft license I've bothered to read (I don't read them all, but I do read the odd one every once in a while; they also recently released a new set) also has language, probably required by Law, pointing out that some States don't allow some disclaimers, so they may have rights other than those outlined.
[ link to this | view in chronology ]
Re: Re: This surprises anyone that has worked in the Computer Industry how?
So Windows 8 was free? How about Windows 7? What about all the feature packs released over the course of a product's life? Isn't the decision to charge for new stuff kinda arbitrary?
[ link to this | view in chronology ]
Re: Re: Re: This surprises anyone that has worked in the Computer Industry how?
I didn't realize those were considered security updates...
[ link to this | view in chronology ]
Don't agree
The lock in question was picked. But instead of revealing a physical technique to defeat the lock, a logical technique was revealed. Thing is, physical techniques are difficult to master, while logical techniques can be represented in source code that is trivial to copy, distribute, and alter. This is a type of freedom. It also increases the risks associated with locks subject to logical exploits.
Is it the fault of the manufacturer that a risk was presented that was ultimately exploited? Absolutely. To the point of liability? I'm not certain. How likely was the risk, to whom, and to what degree? Can you hold someone liable for failing to predict the future? And if so, to what degree?
Hotels that relied on the manufacturer to understand the risk are at fault for failing their due diligence.
[ link to this | view in chronology ]
Re: Don't agree
I'm not sure I buy that. How does the hotel know that the lock has a security flaw? Should they hire their own security expert to examine the lock before they use it? Do you really think that this sort of extraordinary diligence is "due"?
[ link to this | view in chronology ]
Re: Re: Don't agree
Humans are terrible at evaluating risk. This is just another example of it.
[ link to this | view in chronology ]
Re: Re: Don't agree
If they are serious about security, then yes. The best bet would be to hire a security consultancy/contractor company to advise on and install an appropriate level of security lock. Then, if the lock fails like this, you sue that security consultant/contractor, as they were the ones who should have done due diligence on the lock.
[ link to this | view in chronology ]
Re: Don't agree
Bump keys, skeleton keys, wax molds, and about 100 other ways have been used to defeat regular locks. When in doubt, a boot or a properly used crow bar does the trick. It is just as easy to teach someone how to use a crowbar to pry a door open, and certainly many of the other techniques could be shown in a video or handed out in instructions that could be practiced and mastered by most people.
In all cases (including the Onity lock) it requires that you take steps beyond ordinary operations to "pick" the lock. Onity's lock does what it is supposed to do in normal day to day use. Nobody can just open the door.
The judge correctly determined that while the lock was not the most secure product, that isn't in itself a defect. If you could just take the handle and jiggle it a bit and have the door open, that would be a defect. The difference is clear as it gets.
[ link to this | view in chronology ]
Re: Re: Don't agree
The lock works, it's just not a high security lock.
It'd be like a hotel that uses standard tumbler pin locks suing the lock company because a bumpkey can defeat them.
[ link to this | view in chronology ]
Re: Re: Don't agree
Or did you mean by Customer, the Hotel firm who hired the construction firm that installed the shit locks?
[ link to this | view in chronology ]
Really?
Onity's lock has a gaping security hole that's laughably easy to exploit. For anyone with fifty dollars in their pockets, the lock might as well not be there at all.
You missed one point, very important: they have to have intention to break in. Door lock, no door lock, whatever - they need to have the intent to break the law and break in. Blaming the door lock company for people's bad intentions is blatant misdirection.
Deciding the lock "works" by the most childish evaluation possible is insane.
Does the lock do all the things it said it would do? Does it lock? Does it unlock? You may think it's childish to use the basic standards of a door lock, but there you go. See your first point, the lock only fails when people have bad intentions and are willing to take specific steps to break in. Otherwise, the lock works fine. By your definition, any manual door lock in the world that isn't a shielded dead bolt is defective because you can open most of them with a credit card or similar. Are all of those locks defective as well?
in what sort of insane world do we live in when a manufacturer that makes a product designed to prohibit illegal behavior can get out of paying to repair its product that doesn't stop illegal behavior because the behavior its product isn't stopping is illegal?
You have a basic flaw in your logic here. Door locks don't prohibit illegal behavior, they at best can slow down, delay, or otherwise make it harder to commit an illegal act. However, almost any normal hotel room door can be kicked down or pried open with a crowbar. Again by your logic, the makers of the doors, the hinges, and the strike plates would all be legally responsible because an illegal activity can circumvent their product.
Look, I don't think it's really good that these guys made a product that is fairly easy to get around. However, there is a significant difference between knowingly putting out a defective product (ie, it didn't lock at all, or would refuse to open) with one that is perhaps easier for thieves to break into (say like early VW door locks, mid 90's Chrysler minivan door locks, etc).
[ link to this | view in chronology ]
Re: Re: Really?
Same thing could be accomplished with a crow bar or your foot.
[ link to this | view in chronology ]
Re: Re: Re: Really?
In this case you would of course have paid for a security door and the door company would be able to fix it in 2 minutes, but told you that if you didn't want anything to happen to your stuff, you had to pay again to make the door work as you requested from the beginning.
The door performs its basic function: it opens and closes, locks and unlocks.
[ link to this | view in chronology ]
Re: Re: Re: Re: Really?
that would be entirely different, because as a door lock, it's a failure - it can be opened without any effort or ill intent.
The problem here is that as a door lock, their product works. It can only be opened if you are willing to "hack" it, using a tool to open it. It's not defective in normal use.
It's not just a question of the "basic function", it's the question of function in normal use. There is nothing in this that shows that this lock system doesn't work properly.
Your example as a result is sort of meaningless, because this lock doesn't just open if you lean on it or just touch it. You have to willfully take steps to bypass it, similar to slipping a credit card between the door and the jamb to force a lock. If you are willing to take physical steps to get around a lock, you can defeat almost all of them without spending very much money.
By what was alleged in this lawsuit, almost every door lock in existence is "defective" in some manner.
[ link to this | view in chronology ]
Re: Really?
Let's look at this a little more apologetically, shall we?
FTFY
[ link to this | view in chronology ]
Re: Really?
That is exactly what a lock is supposed to protect against.
[ link to this | view in chronology ]
Re: Really?
Why do you buy a door lock? Is it because it's a nice decoration? No, you buy it to stop people from breaking in. You do state that door locks may not be successful at stopping every criminal, but their main function is a deterrent. If I'm a burglar, standing on your porch for twenty minutes fiddling with your lock, or beating down your door with a crowbar, is a dead giveaway that I'm a burglar and I will be caught. This door lock can be thwarted in seconds by a $50 gadget (and any burglar knows he can get at least $50 worth of loot from one room) and is therefore ineffective as a deterrent. The product is defective and hotels should not have to pay twice for a door lock that works.
[ link to this | view in chronology ]
Re: Re: Really?
Most conventional locks can be opened in seconds with a bump key. What is the difference?
[ link to this | view in chronology ]
Traditional locks and bump keys?
[ link to this | view in chronology ]
Re: Traditional locks and bump keys?
Good question. Is there a difference? Does it matter that it's fairly well known that bump keys can open most locks? If that's the important difference then would a lawsuit have been appropriate soon after bump keys were made available (I don't know much about them or how long they've been around)?
[ link to this | view in chronology ]
Is this a surprise?
Now, it returns to bite them. Now the companies are getting the crap, and finding out that the laws they so determinedly gutted are now useless to protect their own interests.
This isn't the first time this happened and it won't be the last: Remember the China companies selling adulterated wheat gluten to the pet food companies? Same thing.
[ link to this | view in chronology ]
Re:
The hotels wanted it that way, so they didn't have to pay for people's stuff burgled because they used poor quality locks and skipped such "superfluities" as security.
Now the hotels have been "burgled" by Onity and (Surprise!) Onity doesn't have to pay for the hotels' loss. What goes around comes around.
[ link to this | view in chronology ]
Pack your super-glue
[ link to this | view in chronology ]
Chances are the lock on the door on the front of your house has an easily exploitable security hole: a set of lock picks can be had very inexpensively and can be leveraged to open most common locks in short order. This doesn't mean the lock is flawed or unusable - it just means that it's not as secure as it could potentially be.
If someone found that the hotel door locks could be opened by inserting any blank key card or something like that, sure, they should be replaced at the manufacturer's expense, because they don't perform the intended function. That wasn't the case here - breaching the lock required specialized equipment, even if inexpensive, that most people do not have immediate access to or know how to use.
My dad was a locksmith and passed on an adage that has stayed with me throughout my life and is applicable here: Locks only keep honest people out.
[ link to this | view in chronology ]