10/1/2012
12:04 PM

Florida AG Confirms PC Surveillance Tool Investigation

DesignerWare, company behind rental PC spyware that earned FTC's attention, also faces other state investigations and ongoing class-action lawsuit.

DesignerWare, a software development firm that created a surveillance tool used by rent-to-own businesses to spy on their customers, is the subject of at least one ongoing state investigation into its activities.

"The Florida Attorney General's Office currently has an investigation involving DesignerWare," said Jenn Meale, a spokeswoman for the attorney general's office, via email.

Last week, DesignerWare and seven rent-to-own businesses agreed to settle--without admitting any wrongdoing--a Federal Trade Commission complaint that they'd spied on their customers, capturing "intimate activities" via webcam as well as copies of customers' bank account and medical information via screen grabs. As part of the settlement, DesignerWare and the seven businesses that used its software have agreed to never spy on customers, and to keep records to document their compliance for the next 20 years.

[ For more background on the DesignerWare case, see FTC Wrist Slaps PC Rental Firms For Spying. ]

Legally, the FTC can't fine first-time offenders. But some of the businesses engaged in what FTC chairman Jon Leibowitz dubbed "cyber-spying" against rent-to-own customers are already facing not just further investigations, but economic repercussions. The two owners of DesignerWare, for example, filed for bankruptcy in March 2012 after being named in a class-action lawsuit--together with rent-to-own businesses Aaron's and Aaron's franchisee Aspen Way--by Wyoming-based couple Crystal and Bryan Byrd.

Interestingly, DesignerWare's bankruptcy filing listed the following creditors as holding the largest unsecured claims against it: the Florida Office of the Attorney General Economic Crimes Division, Brian and Crystal Byrd, the California Attorney General Office, the California Department of Justice eCrime Unit, the Texas Office of the Attorney General Consumer Protection Division, and the Federal Trade Commission.

In other words, DesignerWare appears to be, or to have been, the subject of multiple states' investigations, and at least one of those investigations remains ongoing. Reached by phone, a spokesman for the California Attorney General's Office said that the state typically wouldn't confirm or deny any current or prior investigations.

The class-action lawsuit against Aaron's and Aspen Way, meanwhile, remains ongoing. How did the suit begin? The Byrds had a rent-to-own agreement with Aaron's for a Dell laptop, and Aaron's moved to repossess the laptop after believing--wrongly--that the couple had missed a payment. When a store manager showed up at their house and demanded the laptop, he showed them a photograph of Bryan Byrd using the computer, which had been surreptitiously taken with the PC's built-in webcam.

In response, the Byrds filed suit, accusing the three businesses of having violated their privacy rights and broken federal wiretapping laws. While the suit didn't specify damages, it said that federal privacy law allows for fines of $10,000, or $100 per day, for every violation, as well as damages and legal fees.

After the suit was filed, Aaron's initially denied that it spied on its customers, claiming in a statement reported by The Atlanta Journal-Constitution that "Aaron's respects its customers' privacy and has not authorized any of its corporate stores to install software that can activate a customer's webcam, capture screenshots, or track keystrokes."

But one of the DesignerWare co-owners confirmed in court last year that 500 out of 1,140 Aaron's franchisees had purchased its PC Rental Agent software. As reported by the Erie Times-News, he said that the software had been used for active surveillance on less than 1% of the 92,000 PCs on which it had been installed over the prior six months. The DesignerWare official, himself an owner of several rent-to-own stores, told the court that as a result of the negative publicity from the Byrds' lawsuit, DesignerWare's annual revenues had dropped from $800,000 to $250,000.

Later, Aaron's officials confirmed that some of its franchises had used DesignerWare's PC Rental Agent to track customers. They claimed, however, that stores activated the surveillance features only if a laptop was reported stolen or a customer missed a payment, to help the store remotely lock and then recover the laptop.

The Erie Times-News, however, reported that former Aaron's sales manager Chastity Hittinger told a federal judge that the surveillance capabilities weren't activated only for stolen laptops or missed payments. Hittinger said that some managers also kept copies of the captured information. "They would just sit around and joke about it," she said, noting that the items they'd obtained included a picture of a woman smoking a marijuana water pipe, as well as screen grabs of people's bank account statements and department store bills.

The PC Rental Agent case echoes a 2010 episode at Lower Merion School District in Pennsylvania, involving school officials activating webcams on laptops issued to students. In that case, officials said they used the software only after laptops had been reported stolen. But that assertion turned out to be false, and helped spark a criminal investigation by the U.S. Attorney's Office and FBI.

Comments
rogerwabbit,
10/2/2012 | 7:42:59 PM
re: Florida AG Confirms PC Surveillance Tool Investigation
Data mining gone wild. Rental stores capturing your banking information and private moments.

I've been trying for years to warn people about data mining. One of my pet peeves is having to show Food City (fill in any store name that uses a "membership" plan) my Food City card. They not only know what items you purchase, but it's tied to your phone number, bank account and SS number. Their records go back years. But mostly I get a "so what?" response from friends who don't seem to mind being spied upon by a grocery store. They don't realize that these stores sell access to their databases to anyone with the cash to make a buy, including but not restricted to religious organizations, political fund raising committees, marketing programs and on and on.

One religious zealot raising money for Romney's campaign was able to narrow down potential donors to several million people who had purchased a religious book or responded on any survey that they read the Bible and if they owned a boat or pickup truck and owned a house worth over $100,000.

In one case I read about, Target knew a young woman was pregnant before anyone else in her family did because of her purchase record: she stopped buying tampons right after buying an early pregnancy test kit. They started sending her ads promoting baby and nursery items.