Risk
9/26/2012 10:36 AM

FTC Wrist Slaps PC Rental Firms For Spying

Seven rent-to-own businesses secretly captured webcam images and personal information of late-paying customers, but face no fines or criminal charges.

The Federal Trade Commission Tuesday announced proposed settlements with seven businesses offering rent-to-own PCs that used spyware installed on the computers to monitor customers. According to the agency, the software captured "intimate activities" of people in their homes, including images of "partially undressed individuals," children, and private data such as Social Security numbers and private communications with doctors.

The related FTC complaint also names DesignerWare, a Pennsylvania-based software development company that sells PC Rental Agent, software for recovering rented PCs that includes a "detective mode" for spying on customers. As of August 2011, the software had been used by about 1,617 rent-to-own stores in the United States, Canada, and Australia, and installed on 420,000 computers.

According to the FTC, the rent-to-own companies named in its complaint broke the law--engaging in fraudulent, deceptive, and unfair business practices--"by secretly collecting consumers' confidential and personal information and using it to try to collect money from them." The PC Rental Agent software also offered rent-to-own companies the option of launching fake Microsoft Windows, Internet Explorer, Microsoft Office, and Yahoo Messenger registration screens to trick users into divulging personal data, which the businesses then used for debt collection purposes.

"An agreement to rent a computer doesn't give a company license to access consumers' private emails, bank account information, and medical records, or even worse, webcam photos of people in the privacy of their own homes," said FTC chairman Jon Leibowitz in a statement. "The FTC orders today will put an end to their cyber spying."

The FTC Tuesday also announced settlements with the seven rent-to-own businesses named in its complaints: Aspen Way Enterprises, B. Stamper Enterprises (a franchisee of Premier Rental Purchase), C.A.L.M. Ventures (a franchisee of Premier Rental Purchase), J.A.G. Rents (a franchisee of ColorTyme), Red Zone (a franchisee of ColorTyme), Showplace (a.k.a. Showplace Rent-to-Own), and Watershed Development (a franchisee of Aaron's), as well as a settlement with DesignerWare and its principals, Timothy Kelly and Ronald P. Koller.

The FTC said it conducted its investigation with the Office of the Illinois Attorney General. Tuesday, Illinois Attorney General Lisa Madigan announced that her office had filed its own action against Watershed Development, which operates multiple rent-to-own furniture and electronics stores in northwest Illinois. Madigan accused Watershed Development of using the DesignerWare software's Detective Mode to spy on customers, violating their personal privacy as well as the Illinois Consumer Fraud Act.

According to an email written by DesignerWare's Kelly that's included in the FTC's complaint, it's unlikely that PC users would have spotted the PC Rental Agent software running on their computer. "The way the Detective [Detective Mode] works is like many spyware/malware programs," wrote Kelly. "The Agent [PC Rental Agent] runs outside the user session so it is not detectable by antivirus programs, etc. However, when you turn on the Detective, the Agent takes an executable and inject[s] it into the user session and hooks the screen, keyboard, and mouse so it can spy on the user and gather information. A similar program could be launched to steal credit cards or someone's information."

The FTC's proposed settlements--open for public comment until October 25, 2012--would prohibit the seven named rent-to-own businesses from surreptitiously monitoring their customers. According to the FTC, "the settlements bar the companies from any further illegal spying, from activating location-tracking software without the consent of computer renters and notice to computer users, and from deceptively collecting and disclosing information about consumers." In addition, "DesignerWare will be barred from providing others with the means to commit illegal acts, and the seven rent-to-own stores will be prohibited from using information improperly gathered from consumers in connection with debt collection."

For the next 20 years, all firms named in the complaint would be required to keep records that prove their compliance with the FTC settlement. Furthermore, the firms would be allowed to track the location of a PC only after it had been reported stolen, and only with a customer's prior consent.

But if these rent-to-own businesses have been using commercial spyware to track and spy on consumers, why are they getting off with nary a fine or criminal wiretap violation charge? "Probably due to terms of agreement that renters signed ... I'll bet it said renters consented to spying," said the threat intelligence manager for Trustwave SpiderLabs, who goes by "Space Rogue," in a Twitter post. He characterized the FTC action as a mere "slap on the wrist."

The FTC complaint also draws a sharp line between using the DesignerWare software to remotely disable a PC--the software includes a "kill switch" that can be activated should the PC be stolen, or if a customer fails to make their payments on time--which it finds acceptable, and surreptitiously monitoring customers using the software's Detective Mode. Notably, that setting allowed businesses to track the location of an Internet-connected PC--and therefore a consumer--every two hours. It also let them record keystrokes, recover screen grabs, and capture images using a built-in webcam.

The FTC complaint mirrors a case that came to light last year, involving a female substitute teacher who'd purchased a laptop from a student, which turned out to have been stolen. The laptop contained remote-recovery software from Absolute Software, which also offers a recovery service, and after the owner reported the laptop as missing, Absolute captured sexually explicit messages and images of the teacher and her boyfriend, which it shared with police in Springfield, Ohio.

But a judge ruled that Absolute Software's recovery activities overstepped legal boundaries, and that the company had illegally intercepted the communications--per the Electronic Communications Privacy Act. The judge also found that both Absolute Software and the police had violated the privacy rights of the teacher and her boyfriend, and suggested that a jury might reasonably find that the police were liable for having used illegally obtained communications, backed by no warrants, in the course of their investigation.
