10/1/2012
12:04 PM

Florida AG Confirms PC Surveillance Tool Investigation

DesignerWare, company behind rental PC spyware that earned FTC's attention, also faces other state investigations and ongoing class-action lawsuit.

DesignerWare, a software development firm that created a surveillance tool used by rent-to-own businesses to spy on their customers, is the subject of at least one ongoing state investigation into its activities.

"The Florida Attorney General's Office currently has an investigation involving DesignerWare," said Jenn Meale, a spokeswoman for the attorney general's office, via email.

Last week, DesignerWare and seven rent-to-own businesses agreed to settle--without admitting any wrongdoing--a Federal Trade Commission complaint that they'd spied on their customers, capturing "intimate activities" via webcam as well as copies of customers' bank account and medical information via screen grabs. As part of the settlement, DesignerWare and the seven businesses that used its software have agreed to never spy on customers, and to keep records to document their compliance for the next 20 years.

[ For more background on the DesignerWare case, see FTC Wrist Slaps PC Rental Firms For Spying. ]

Legally, the FTC can't fine first-time offenders. But some of the businesses engaged in what FTC chairman Jon Leibowitz dubbed "cyber-spying" against rent-to-own customers are already facing not just further investigations, but economic repercussions. The two owners of DesignerWare, for example, filed for bankruptcy in March 2012 after being named in a class-action lawsuit--together with rent-to-own businesses Aaron's and Aaron's franchisee Aspen Way--by Wyoming-based couple Crystal and Bryan Byrd.

Interestingly, DesignerWare's bankruptcy filing listed the following creditors as holding the largest unsecured claims against it: the Florida Office of the Attorney General Economic Crimes Division, Brian and Crystal Byrd, the California Attorney General Office, the California Department of Justice eCrime Unit, the Texas Office of the Attorney General Consumer Protection Division, and the Federal Trade Commission.

In other words, DesignerWare appears to be, or to have been, the subject of multiple states' investigations, and at least one of those investigations remains ongoing. Reached by phone, a spokesman for the California Attorney General's Office said that the state typically wouldn't confirm or deny any current or prior investigations.

The class-action lawsuit against Aaron's and Aspen Way, meanwhile, remains ongoing. How did the suit begin? The Byrds had a rent-to-own agreement with Aaron's for a Dell laptop, and Aaron's moved to repossess the laptop after believing--wrongly--that the couple had missed a payment. When a store manager showed up at their house and demanded the laptop, he showed them a photograph of Bryan Byrd using the computer, which had been surreptitiously taken with the PC's built-in webcam.

In response, the Byrds filed suit, accusing the three businesses of having violated their privacy rights and broken federal wiretapping laws. While the suit didn't specify damages, it said that federal privacy law allows for fines of $10,000, or $100 per day, for every violation, as well as damages and legal fees.

After the suit was filed, Aaron's initially denied that it spied on its customers, claiming in a statement reported by The Atlanta Journal-Constitution that "Aaron's respects its customers' privacy and has not authorized any of its corporate stores to install software that can activate a customer's webcam, capture screenshots, or track keystrokes."

But one of the DesignerWare co-owners confirmed in court last year that 500 out of 1,140 Aaron's franchisees had purchased its PC Rental Agent software. As reported by the Erie Times-News, he said that the software had been used for active surveillance on less than 1% of the 92,000 PCs on which it had been installed over the prior six months. The DesignerWare official, himself an owner of several rent-to-own stores, told the court that as a result of the negative publicity from the Byrds' lawsuit, DesignerWare's annual revenues had dropped from $800,000 to $250,000.

Later, Aaron's officials confirmed that some of its franchises had used DesignerWare's PC Rental Agent to track customers. They claimed, however, that stores activated the surveillance features only if a laptop was reported stolen or a customer missed a payment, to help the store remotely lock and then recover the laptop.

The Erie Times-News, however, reported that former Aaron's sales manager Chastity Hittinger told a federal judge that the surveillance capabilities weren't activated only for stolen laptops or missed payments. Hittinger said that some managers also kept copies of the captured information. "They would just sit around and joke about it," she said, noting that the items they'd obtained included a picture of a woman smoking a marijuana water pipe, as well as screen grabs of people's bank account statements and department store bills.

The PC Rental Agent case echoes a 2010 episode at Lower Merion School District in Pennsylvania, involving school officials activating webcams on laptops issued to students. In that case, officials said they used the software only after laptops had been reported stolen. But that assertion turned out to be false, and helped spark a criminal investigation by the U.S. Attorney's Office and FBI.


Comments
rogerwabbit,
User Rank: Apprentice
10/2/2012 | 7:42:59 PM
re: Florida AG Confirms PC Surveillance Tool Investigation
Data mining gone wild. Rental stores capturing your banking information and private moments.

I've been trying for years to warn people about data mining. One of my pet peeves is having to show Food City (fill in any store name that uses a "membership" plan) my Food City card. They not only know what items you purchase, but it's tied to your phone number, bank account and SS number. Their records go back years. But mostly I get a "so what?" response from friends who don't seem to mind being spied upon by a grocery store. They don't realize that these stores sell access to their databases to anyone with the cash to make a buy, including but not restricted to religious organizations, political fund raising committees, marketing programs and on and on.

One religious zealot raising money for Romney's campaign was able to narrow down potential donors to several million people who had purchased a religious book or responded on any survey that they read the Bible and if they owned a boat or pickup truck and owned a house worth over $100,000.

In one case I read about, Target knew a young woman was pregnant before anyone else in her family did because of her purchase record: she stopped buying tampons right after buying an early pregnancy test kit. They started sending her ads promoting baby and nursery items.