10/1/2012
12:04 PM

Florida AG Confirms PC Surveillance Tool Investigation

DesignerWare, company behind rental PC spyware that earned FTC's attention, also faces other state investigations and ongoing class-action lawsuit.

DesignerWare, a software development firm that created a surveillance tool used by rent-to-own businesses to spy on their customers, is the subject of at least one ongoing state investigation into its activities.

"The Florida Attorney General's Office currently has an investigation involving DesignerWare," said Jenn Meale, a spokeswoman for the attorney general's office, via email.

Last week, DesignerWare and seven rent-to-own businesses agreed to settle--without admitting any wrongdoing--a Federal Trade Commission complaint that they'd spied on their customers, capturing "intimate activities" via webcam as well as copies of customers' bank account and medical information via screen grabs. As part of the settlement, DesignerWare and the seven businesses that used its software have agreed to never spy on customers, and to keep records to document their compliance for the next 20 years.

[ For more background on the DesignerWare case, see FTC Wrist Slaps PC Rental Firms For Spying. ]

Legally, the FTC can't fine first-time offenders. But some of the businesses engaged in what FTC chairman Jon Leibowitz dubbed "cyber-spying" against rent-to-own customers are already facing not just further investigations, but economic repercussions. The two owners of DesignerWare, for example, filed for bankruptcy in March 2012 after being named in a class-action lawsuit--together with rent-to-own businesses Aaron's and Aaron's franchisee Aspen Way--by Wyoming-based couple Crystal and Bryan Byrd.

Interestingly, DesignerWare's bankruptcy filing listed the following creditors as holding the largest unsecured claims against it: the Florida Office of the Attorney General Economic Crimes Division, Brian and Crystal Byrd, the California Attorney General Office, the California Department of Justice eCrime Unit, the Texas Office of the Attorney General Consumer Protection Division, and the Federal Trade Commission.

In other words, DesignerWare appears to be, or to have been, the subject of multiple states' investigations, and at least one of those investigations remains ongoing. Reached by phone, a spokesman for the California Attorney General's Office said that the state typically wouldn't confirm or deny any current or prior investigations.

The class-action lawsuit against Aaron's and Aspen Way, meanwhile, remains ongoing. How did the suit begin? The Byrds had a rent-to-own agreement with Aaron's for a Dell laptop, and Aaron's moved to repossess the laptop after believing--wrongly--that the couple had missed a payment. When a store manager showed up at their house and demanded the laptop, he showed them a photograph of Bryan Byrd using the computer, which had been surreptitiously taken with the PC's built-in webcam.

In response, the Byrds filed suit, accusing the three businesses of having violated their privacy rights and broken federal wiretapping laws. While the suit didn't specify damages, it said that federal privacy law allows for fines of $10,000, or $100 per day, for every violation, as well as damages and legal fees.

After the suit was filed, Aaron's initially denied that it spied on its customers, claiming in a statement reported by The Atlanta Journal-Constitution that "Aaron's respects its customers' privacy and has not authorized any of its corporate stores to install software that can activate a customer's webcam, capture screenshots, or track keystrokes."

But one of the DesignerWare co-owners confirmed in court last year that 500 out of 1,140 Aaron's franchisees had purchased its PC Rental Agent software. As reported by the Erie Times-News, he said that the software had been used for active surveillance on less than 1% of the 92,000 PCs on which it had been installed over the prior six months. The DesignerWare official, himself an owner of several rent-to-own stores, told the court that as a result of the negative publicity from the Byrds' lawsuit, DesignerWare's annual revenues had dropped from $800,000 to $250,000.

Later, Aaron's officials confirmed that some of its franchises had used DesignerWare's PC Rental Agent to track customers. They claimed, however, that stores activated the surveillance features only if a laptop was reported stolen or a customer missed a payment, to help the store remotely lock and then recover the laptop.

The Erie Times-News, however, reported that former Aaron's sales manager Chastity Hittinger told a federal judge that the surveillance capabilities weren't activated only for stolen laptops or missed payments. Hittinger said that some managers also kept copies of the captured information. "They would just sit around and joke about it," she said, noting that the items they'd obtained included a picture of a woman smoking a marijuana water pipe, as well as screen grabs of people's bank account statements and department store bills.

The PC Rental Agent case echoes a 2010 episode at Lower Merion School District in Pennsylvania, involving school officials activating webcams on laptops issued to students. In that case, officials said they used the software only after laptops had been reported stolen. But that assertion turned out to be false, and helped spark a criminal investigation by the U.S. Attorney's Office and FBI.


Comments
rogerwabbit,
User Rank: Apprentice
10/2/2012 | 7:42:59 PM
re: Florida AG Confirms PC Surveillance Tool Investigation
Data mining gone wild. Rental stores capturing your banking information and private moments.

I've been trying for years to warn people about data mining. One of my pet peeves is having to show Food City (fill in any store name that uses a "membership" plan) my Food City card. They not only know what items you purchase, but it's tied to your phone number, bank account and SS number. Their records go back years. But mostly I get a "so what?" response from friends who don't seem to mind being spied upon by a grocery store. They don't realize that these stores sell access to their databases to anyone with the cash to make a buy, including but not restricted to religious organizations, political fund raising committees, marketing programs and on and on.

One religious zealot raising money for Romney's campaign was able to narrow down potential donors to several million people who had purchased a religious book or responded on any survey that they read the Bible and if they owned a boat or pickup truck and owned a house worth over $100,000.

In one case I read about, Target knew a young woman was pregnant before anyone else in her family did because of her purchase record: she stopped buying tampons right after buying an early pregnancy test kit. They started sending her ads promoting baby and nursery items.