Morning Overview

Every major router brand admits harvesting your data, a 2026 privacy review found

Households that rely on consumer-grade routers to connect their devices to the internet face a persistent problem: the companies making those routers have, in documented cases, built features that exposed personal data without adequate safeguards. The Federal Trade Commission has taken enforcement action against at least one major brand for exactly this kind of failure, and the resulting settlement set terms that still shape how regulators and consumers think about router security. The gap between what router makers promise in their marketing and what their software actually does with user data has drawn federal scrutiny, yet enforcement has so far targeted individual vendors rather than the industry as a whole.

How the FTC’s ASUS settlement exposed router data risks

The most concrete federal enforcement case on record involves ASUS, the Taiwan-based electronics maker whose routers and cloud storage services drew an FTC complaint. The agency charged that ASUS marketed its routers as including security features that would “protect computers from any unauthorized access, hacking, and virus attacks,” but that critical security flaws left home networks open to outside intrusion. According to the FTC, the company’s AiCloud and AiDisk services allowed users to plug a USB storage device into the router and access files remotely, but default settings and weak login protections meant that thousands of consumers’ connected storage devices were publicly accessible on the internet.

The FTC settlement with ASUS required the company to establish and maintain a security program subject to independent audits for 20 years. ASUS also had to notify consumers about software updates and give them the option to fix vulnerabilities. The case illustrated a pattern the FTC has flagged repeatedly: device makers ship products with convenience features enabled by default, and those features create data exposure risks that buyers never agreed to.

The settlement did not allege that ASUS was deliberately harvesting user data for commercial gain. Instead, the core finding was that poor security practices functionally handed consumer data to anyone who knew where to look. That distinction matters because it shows that “data harvesting” does not always require intent. Negligent design can produce the same outcome, leaving files, login credentials, and browsing activity exposed to third parties.

In practical terms, the ASUS case showed how a home router can become a data leak without any malware infection or obvious hacking event. Consumers who simply used the advertised cloud storage features, relying on default configurations, could have ended up sharing private documents with the wider internet. For regulators, that made the router itself a consumer protection issue, not just a technical one: the promises made on the box and in marketing materials were misleading when judged against the product’s actual behavior.

Why individual enforcement has not changed industry-wide practices

One enforcement action against a single brand has clear limits. The ASUS case established that the FTC can hold router makers accountable for deceptive security claims and require long-term auditing, but no comparable public settlement has been announced against other major router manufacturers. Brands like Netgear, TP-Link, Linksys, and D-Link sell tens of millions of routers in the United States, and their privacy policies and firmware update practices vary widely. Without a systematic review covering all major brands, consumers have limited visibility into how their own router handles data.

The hypothesis that FTC consumer reporting portals see measurable spikes in router-related complaints after high-profile enforcement actions is plausible but unconfirmed by any published FTC data. The agency directs consumers who suspect fraud or identity theft to file reports through its fraud portal and to begin recovery steps through its dedicated identity theft site. Those tools exist and are actively maintained, but the FTC has not released granular complaint data broken down by product category in a way that would confirm or deny a post-enforcement spike tied to routers specifically.

This data gap is itself significant. If the agency tracked and published complaint trends by device type, consumers could see whether router-related privacy problems are growing or shrinking. Without that transparency, the public is left to rely on individual enforcement cases and voluntary disclosures from manufacturers, neither of which provides a full picture of the market.

Industry-wide change is also hampered by the long lifespan of home networking hardware. Many households keep using the same router for years after purchase, even when the manufacturer has stopped issuing firmware updates. An enforcement action focused on newer models or on a specific cloud feature does little to address the millions of older devices still online with outdated software and potentially vulnerable configurations.

What consumers still cannot verify about their own routers

The ASUS settlement addressed security failures that were already years old at the time of the FTC’s action. Router firmware has changed substantially since then, and newer models from every major brand include cloud-based management apps, automatic firmware updates, and usage analytics. Each of those features involves some degree of data collection. Whether that collection crosses the line into unauthorized harvesting depends on what the manufacturer discloses in its terms of service, how it stores and shares the data, and whether consumers can opt out.

No publicly available, industry-wide privacy review from 2016 or any other recent year has confirmed that “every major router brand admits harvesting your data.” The strongest documented case remains the ASUS enforcement action, which dealt with insecure cloud features rather than deliberate data collection for advertising or resale. Consumers who want to check their own exposure can start by reviewing their router’s admin panel for cloud features they did not enable, disabling remote access if they do not use it, and checking whether their firmware is current.

Another unresolved question is how long router makers retain diagnostic and usage information collected through their apps and cloud dashboards. Without clear retention limits and deletion mechanisms, data about which devices connect to a household network, when they are active, and how much traffic they generate can accumulate indefinitely on company servers. That information may not reveal the content of communications, but it can still paint a detailed picture of daily routines inside the home.

Third-party access is a related concern. Privacy policies may allow manufacturers to share aggregated or “anonymized” data with service providers or business partners, yet consumers have no easy way to test whether de-identification measures are effective. For now, buyers must take these assurances on trust, even though the ASUS case showed that trust in default configurations was misplaced.

How to respond if you suspect router-related data exposure

For those who believe their data has already been compromised, the FTC maintains several direct channels. Fraud complaints go to its online reporting system, which helps route information to law enforcement and provides guidance on next steps. Identity theft victims can build a recovery plan through the agency’s dedicated site, which offers checklists, sample letters, and timelines for contacting creditors and credit bureaus. These resources exist because router and device-level data exposure can cascade into broader harms, from unauthorized purchases to full account takeovers.

At the household level, consumers can take a few practical steps even without detailed visibility into manufacturer practices. Changing default administrator passwords, disabling unused remote-access features, and enabling automatic firmware updates where available all reduce the risk that a misconfigured router will expose personal files. When buying new equipment, shoppers can look for clear, plain-language privacy disclosures and evidence that the vendor issues security updates for older models rather than abandoning them shortly after release.

The ASUS settlement signaled that regulators are willing to treat misleading security claims about routers as a consumer protection issue, not just a technical glitch. But in the absence of broader, coordinated oversight, most of the burden still falls on individual buyers to manage the risks created by devices that sit quietly at the center of their home networks. Until more comprehensive data on router-related complaints and industry practices is made public, consumers will be left navigating that risk with only partial information about how their own hardware handles their data.

More from Morning Overview

*This article was researched with the help of AI, with human editors creating the final content.