10/5/2012
02:38 PM

Cyber Spying Justice: Unserved

After toothless FTC judgment against rent-to-own PC companies in spying case, Congress needs to make surveillance of customers in their own homes illegal.

Was the punishment meted out to seven rent-to-own businesses that literally spied on their customers--via webcam footage, browser screen-grabs, and location-tracking technology, courtesy of surveillance software known as PC Rental Agent--sufficient?

Well, punishment is too strong a word. All seven businesses, together with the two principals of software development firm DesignerWare, which created PC Rental Agent, recently agreed to settle--without admitting or denying any wrongdoing--a Federal Trade Commission complaint made against them. The settlements impose two requirements: the businesses have agreed to never spy on customers, and they must keep records to document their compliance for the next 20 years.

In other words, despite rent-to-own businesses having literally spied on their customers at will, catching them in what the FTC described as "intimate moments," the businesses' managers and offending employees are getting off with a slap on the wrist.

This isn't the first time in this case that justice hasn't been served or consumer privacy rights clearly protected. To briefly recap, Wyoming-based couple Crystal and Bryan Byrd filed a class action lawsuit last year against DesignerWare, as well as rent-to-own business Aaron's and Aaron's franchisee Aspen Way. (DesignerWare and Aspen Way were also named in the FTC complaint.) Their suit was triggered by an Aspen Way store manager showing them a picture of Bryan Byrd that had been surreptitiously taken with the couple's rent-to-own PC's webcam by store employees, who believed--wrongly--that the couple had missed a payment, which would have allowed Aspen Way to repossess the PC.


The Byrds' lawsuit alleged that customers' privacy rights--as well as federal wiretapping laws and the Computer Fraud and Abuse Act--had been violated. Furthermore, since the PC Rental Agent software was installed on numerous PCs, they requested that the federal judge overseeing the case immediately block any further use of the software to spy on employees.

But the presiding judge "declined to issue an injunction," recounts "Dissent," which is the handle of the privacy advocate and data breach information blogger who maintains DataBreaches.net, and who's been following this case since last year. That was despite a DesignerWare principal telling the court that in the prior six months, the software had been installed on 92,000 PCs. Instead, U.S. District Court judge Sean McLaughlin and U.S. magistrate Susan Baxter found that "it is purely conjecture that the other members of the putative class will be subjected to remote access of personal information," and questioned the merits of the case.

To summarize: Rent-to-own businesses can spy on their customers at will, and without the threat of any penalties, at least until after the first time they're caught. Furthermore, a federal judge doesn't think that giving a business the ability to surreptitiously record webcam footage of its customers--or perhaps their children--in their homes, and in various states of undress, or capture their keystrokes, or screen-grab copies of their bank statements, is obviously illegal.

When I first saw the FTC's cyber-spying case settlement, my reaction was: Surely the FTC could have done more, such as fining the companies involved? But as Dissent told me, and an FTC spokeswoman and others confirmed, the FTC isn't authorized to fine first-time offenders.

"Unfortunately, the FTC Act does not give the commission the authority to issue fines for initial violations of the Act," David Jacobs, consumer protection fellow at the Electronic Privacy Information Center, told me via email. "What the FTC can do is enter into consent agreements with the violator that basically say 'don't do that again.'"

On the upside, businesses that agree to a settlement must then toe the line--or else. "If the agreement is breached, then the FTC can issue fines," Jacobs says. "This is what the FTC did in the case of Google: entered into a consent agreement requiring Google to follow certain rules, and then fined the company $22.5 million when they breached the agreement."

If the outcome of the FTC's settlement with the seven rent-to-own businesses and DesignerWare seems lacking, justice may yet be served. For starters, the FTC can refer any case to the Department of Justice for potential criminal prosecution. Did the agency do so in this cyber spying case? When I put that question to an FTC spokeswoman, she declined to comment.

Furthermore, the class action lawsuit and state investigations appear to have already driven DesignerWare out of business. As InformationWeek first reported, DesignerWare is the subject of an active investigation by the Florida Attorney General's office. In addition, the company's March 2012 bankruptcy filing by its two owners suggested that the company was also being investigated by attorneys general in California and Texas.

Bankrupt surveillance software developers aside, one takeaway from this cyber-spying case is clear: Pending legal changes, avoid rent-to-own PC businesses at all costs. Or if you simply must work with one, don't do anything in the presence of your PC that you wouldn't do in public, and avoid using it to conduct Internet banking or relay any personal or sensitive communications.

Takeaway number two involves this memo to Congress and state legislators: Please make spying on consumers, especially in their own homes, clearly illegal. And Congress, give the FTC--which, it must be said, has in recent weeks scored some great wins against scareware artists and telemarketing scammers--the power to penalize businesses and individuals who flagrantly violate consumers' privacy rights.

Comments
MyW0r1d,
User Rank: Apprentice
10/9/2012 | 7:00:09 PM
re: Cyber Spying Justice: Unserved
The outcome should be frightening to anyone. I guess the next logical step is placement of cameras in dressing rooms and public toilets in commercial clothing outlets where pilferage is a realistic problem? Allowing the type of spying described should be considered equivalent. A good idea not to identify this "presiding judge" to protect his/her privacy. Sometimes, you just have to think multitasking (the judge obviously was) is not for everyone.