Daily Vaper

FDA’s Poor Database Security Puts Manufacturers At Risk Of Corporate Espionage, Or Worse

Carl V. Phillips Contributor

The FDA has officially announced a 12-day delay in the deadline for vapor product manufacturers to register all their products in the FDA Unified Registration and Listing System. The announcement, like the FDA tweets that preceded it, implies that the only problems are the occasional inability to log on and system outage. However, as previously reported, manufacturers attempting to use FDA’s online registration system have experienced numerous other problems, and new problems continue to be reported by system users. FDA’s submission and data handling system appears to be badly broken.

In addition to the problems adding to what is already a major regulatory burden (despite it being merely a registration), manufacturers are becoming increasingly worried about system security. The information currently being submitted is not terribly sensitive, and most or all of it could be obtained by poring through a manufacturer’s catalog. But next year e-liquid manufacturers must submit their ingredients list, information that could be used to recreate their proprietary products. FDA presumably plans to use the same submission and database software.

Manufacturers are particularly bothered by cases where they have found another company’s data in their own files. They have discovered this upon receiving an email message that part of their submission had been rejected due to errors. Upon checking, they found that the page with the supposed errors was someone else’s. At least seven such cases have been reported in a Facebook group devoted to helping manufacturers navigate this process. A copy of one email obtained by The Daily Vaper contained an unsecured spreadsheet of the (other company’s) submitted data as an attachment.

Presumably the seven reports collected in one social media thread are only the tip of the iceberg. It also might be that some companies’ data is being replaced without their knowledge, because the erroneous data did not trigger a rejection notice.

The rejected submissions leave manufacturers hoping that their data will be accepted upon resubmission and wondering who has their information. This and other problems have also led to speculation that the system lacks sufficient cybersecurity to guard against corporate espionage or other data breaches.

Several vaping supporters with expertise in computer systems and security share the manufacturers’ concerns. Steven Raith, a career systems administrator who is familiar with similar projects, observes, “they really didn’t do a good job of scoping out the requirements, expected load, nor did they understand the breadth of the market and products they expected to be regulating.” The likely explanations for this are, “poor project management, including late-stage changes, and implementation of a platform not flexible enough to manage such changes.” The mixed-up records probably result from poor database design or session handling.

John Summers, associate member of the New Nicotine Alliance and a senior IT consulting engineer, offers a similar assessment. He observes that there is “an obvious lack of testing, user approval, and project management.”

Both experts warn that only FDA has enough information to say anything more specific about what has gone wrong and how worried manufacturers should be. Summers points out, “it is not possible to know what has gone wrong at the site without seeing the code.” There is no indication that anyone other than those who allowed the problems to happen in the first place will be allowed to audit or test the code.

Contacted for more information about what has gone wrong and what will be done about the problems, an FDA spokesman provided the following reply:

“The FDA takes very seriously the security of information submitted by industry. The agency operates a system management center that continuously monitors, triages, troubleshoots and escalates all reported or potential security incidents, performance issues, enterprise services and infrastructure operations. This includes the Center for Tobacco Products’ Tobacco Registration and Listing Module in the FDA’s Unified Registration and Listing System (FURLS). We will continue to monitor and make improvements to our systems as needed.”

The statement did not specifically respond to the observations presented above, which FDA was made aware of. Nor did it respond to the specific question of whether FDA was even aware of the breadth of problems beyond those they cited in their announcement.

It is possible that every flaw in the system has been detected (i.e., experienced by users) and reported, and that FDA will accurately assess the reasons for each failure and create robust fixes that do not themselves cause new problems. If so, the next round of filings will go smoothly. That, however, is not the way that troubleshooting of complex computer systems tends to play out.

It seems likely problems will persist if FDA does not thoroughly test their system performance with a series of realistic simulations of actual usage volume and behaviors. This is an extremely labor-intensive endeavor, even without introducing intentional attempts to breach the system. Without such an effort, it seems likely that the vapor industry will again be forced to become FDA’s involuntary troubleshooters.
