On Tuesday, the U.S. Federal Trade Commission (FTC) announced that seven rent-to-own (RTO) companies including the franchisees of Aaron’s, ColorTyme, and Premier Rental Purchase, and DesignerWare, a software company that licensed software to rent-to-own stores, have agreed to settle FTC complaints that they spied on consumers.
According to the FTC, the RTO stores used software for “capturing screenshots of confidential and personal information, logging their computer keystrokes, and in some cases taking webcam pictures of people in their homes, all without notice to, or consent from, the consumers.” In addition, the pictures included people in various states of undress as well as engaged in intimate activities.
The FTC stated (pdf) that the seven RTO stores (the full list of stores can be found here) licensed a software product from DesignerWare called “PC Rental Agent” which was designed to help the stores track down rented computers that weren’t returned as required by the contract or were stolen. It also had a “kill switch” that could render the computer inoperable, as well as a capability to wipe the hard drives clean when a computer was turned in and rented out again. So far, so good.
However, there was also an application embedded within PC Rental Agent that was called “Detective Mode.” The FTC states that, “At the request of an RTO store, DesignerWare would remotely complete the Detective Mode installation process on an individual computer and activate ‘the Detective.’ Detective Mode would surreptitiously log the computer user’s keystrokes, capture screenshots, and take pictures with the computer’s webcam and send the data to DesignerWare’s servers. Neither DesignerWare nor the RTO stores who have used Detective Mode disclosed to computer users that they were being monitored in this manner.”
Furthermore, RTO stores used Detective Mode to send renters “fake ‘software registration’ forms” in order to deceive them into providing their contact and location information. The stores also used a featured added by DesignerWare in September 2011 to PC Rental Agent that allowed the stores to “to track the physical location of rented computers via WiFi hotspot locations.” The FTC said the stores wanted the information in order to keep track of their computers in case they were stolen, but it was also used to keep track of computer renters in case the stores needed to collect debts or repossess the computers.
The information captured by DesignWare software included, “private and confidential details about computer users, such as their passwords for access to email accounts, social media websites, and financial institutions. Other confidential information was also captured, including medical records, private emails to doctors, employment applications containing Social Security numbers, bank and credit card statements, and discussions of defense strategies in a pending lawsuit.” It also captured photos of renters’ and their families or friends personal activities.
The FTC says that the seven RTO stores and DesignWare agree to stop using monitoring software and using deception to gather any information from renters. They also agree to stop using geolocation tracking without the consent of renters. They also cannot use any information so far gathered for debt collection purposes, and must delete all information captured unless prohibited by court order or some other legal prohibition (e.g., a lawsuit). The FTC intends to monitor the agreement for 20 years.
It will be interesting to see how soon the lawsuits get filed by RTO computer customers, especially given that the FTC stated that, “Consumers are actually harmed by DesignerWare’s unwarranted invasion into their homes and lives and its capture and disclosure of the private details of individual and family life.”
You may recall a school district in suburban Philadelphia did something similar a few years back when it spied on students and their families through school-issued Apple laptops, and eventually paid out $610,000 to settle two lawsuits.
Robert N. Charette is a Contributing Editor to IEEE Spectrum and an acknowledged international authority on information technology and systems risk management. A self-described “risk ecologist,” he is interested in the intersections of business, political, technological, and societal risks. Charette is an award-winning author of multiple books and numerous articles on the subjects of risk management, project and program management, innovation, and entrepreneurship. A Life Senior Member of the IEEE, Charette was a recipient of the IEEE Computer Society’s Golden Core Award in 2008.