10:36 AM

FTC Wrist Slaps PC Rental Firms For Spying

Seven rent-to-own businesses secretly captured webcam images and personal information of late-paying customers, but face no fines or criminal charges.

Seven rent-to-own businesses secretly captured webcam images and personal information of late-paying customers, but face no fines or criminal charges.

The Federal Trade Commission Tuesday announced proposed settlements with seven businesses offering rent-to-own PCs that used spyware installed on the computers to monitor customers. According to the agency, the software captured "intimate activities" of people in their homes, including images of "partially undressed individuals," children, and private data such as Social Security numbers and private communications with doctors.

The related FTC complaint also lists Pennsylvania-based software development company DesignerWare, which sells PC Rental Agent software for recovering rented PCs, which includes a "detective mode" for spying on customers. As of August 2011, the software had been used by about 1,617 rent-to-own stores in the United States, Canada, and Australia, and installed on 420,000 computers.

According to the FTC, the rent-to-own companies named in its complaint broke the law--engaging in fraudulent, deceptive, and unfair business practices--"by secretly collecting consumers' confidential and personal information and using it to try to collect money from them." The PC Rental Agent software also offered rent-to-own companies the option of launching fake Microsoft Windows, Internet Explorer, Microsoft Office, and Yahoo Messenger registration screens to trick users into divulging personal data, which the businesses then used for debt collection purposes.

[ Beware of Twitter direct messages containing links. See Twitter Direct Messages Disguise Trojan App Attack. ]

"An agreement to rent a computer doesn't give a company license to access consumers' private emails, bank account information, and medical records, or even worse, webcam photos of people in the privacy of their own homes," said FTC chairman Jon Leibowitz in a statement. "The FTC orders today will put an end to their cyber spying."

The FTC Tuesday also announced settlements with the seven rent-to-own businesses named in its complaints: Aspen Way Enterprises, B. Stamper Enterprises (a franchisee of Premier Rental Purchase), C.A.L.M. Ventures (a franchisee of Premier Rental Purchase), J.A.G. Rents (a franchisee of ColorTyme), Red Zone (a franchisee of ColorTyme), Showplace (a.k.a. Showplace Rent-to-Own), and Watershed Development (a franchisee of Aaron's), as well as a settlement with DesignerWare and its principals, Timothy Kelly and Ronald P. Koller.

The FTC said it conducted its investigation with the Office of the Illinois Attorney General. Tuesday, Illinois Attorney General Lisa Madigan announced that her office had filed its own action against Watershed Development, which operates multiple rent-to-own furniture and electronics stores in northwest Illinois. Madigan accused Watershed Development of using the DesignerWare software's Detective Mode to spy on customers, violating their personal privacy as well as the Illinois Consumer Fraud Act.

According to an email written by DesignerWare's Kelly that's included in the FTC's complaint, it's unlikely that PC users would have spotted the PC Rental Agent software running on their computer. "The way the Detective [Detective Mode] works is like many spyware/malware programs," wrote Kelly. "The Agent [PC Rental Agent] runs outside the user session so it is not detectable by antivirus programs, etc. However, when you turn on the Detective, the Agent takes an executable and inject[s] it into the user session and hooks the screen, keyboard, and mouse so it can spy on the user and gather information. A similar program could be launched to steal credit cards or someone's information."

The FTC's proposed settlements--open for public comment until October 25, 2012--would prohibit the seven named rent-to-own businesses from surreptitiously monitoring their customers. According the FTC, "the settlements bar the companies from any further illegal spying, from activating location-tracking software without the consent of computer renters and notice to computer users, and from deceptively collecting and disclosing information about consumers." In addition, "DesignerWare will be barred from providing others with the means to commit illegal acts, and the seven rent-to-own stores will be prohibited from using information improperly gathered from consumers in connection with debt collection."

For the next 20 years, all firms named in the complaint would be required to keep records that prove their compliance with the FTC settlement. Furthermore, the firms would be allowed to track the location of a PC only after it had been reported stolen, and only with a customer's prior consent.

But if these rent-to-own businesses have been using commercial spyware to track and spy on consumers, why are they getting off with nary a fine or criminal wiretap violation charge? "Probably due to terms of agreement that renters signed ... I'll bet it said renters consented to spying," said the threat intelligence manager for Trustwave SpiderLabs, who goes by "Space Rogue," in a Twitter post. He characterized the FTC action as a mere "slap on the wrist."

The FTC complaint also draws a sharp line between using the DesignerWare software to remotely disable a PC--the software includes a "kill switch" that can be activated should the PC be stolen, or if a customer fails to make their payments on time--which it finds is acceptable, versus surreptitiously monitoring customers using the software's Detective Mode. Notably, that setting allowed businesses to track the location of an Internet-connected PC--and therefore a consumer--every two hours. It also let them record keystrokes, recover screen grabs, and capture images using a built-in webcam.

The FTC complaint mirrors a case that came to light last year, involving a female substitute teacher who'd purchased a laptop from a student, which turned out to have been stolen. The laptop contained remote-recovery software from Absolute Software, which also offers a recovery service, and after the owner reported the laptop as missing, Absolute captured sexually explicit messages and images of the teacher and her boyfriend, which it shared with police in Springfield, Ohio.

But a judge ruled that Absolute Software's recovery activities overstepped legal boundaries, and that the company had illegally intercepted the communications--per the Electronic Communications Privacy Act. The judge also found that both Absolute Software and the police had violated the privacy rights of the teacher and her boyfriend, and suggested that a jury might reasonably find that the police were liable for having used illegally obtained communications, backed by no warrants, in the course of their investigation.

Benchmarking normal activity and then monitoring for users who stray from that norm is an essential strategy for getting ahead of potential data and system breaches. But choosing the right tools is only part of the effort. Without sufficient training, efficient deployment and a good response plan, attackers could gain the upper hand. Download our Fundamentals Of User Activity Monitoring report. (Free registration required.)

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Current Issue
Dark Reading, January 2015
To find and fix exploits aimed directly at your business, stop waiting for alerts and become a proactive hunter.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2014-12-17
Multiple unspecified vulnerabilities in request.c in c-icap 0.2.x allow remote attackers to cause a denial of service (crash) via a crafted ICAP request.

Published: 2014-12-17
Multiple cross-site request forgery (CSRF) vulnerabilities in ARRIS Touchstone TG862G/CT Telephony Gateway with firmware 7.6.59S.CT and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) enable remote management via a request to remote_management.php,...

Published: 2014-12-17
Cross-site scripting (XSS) vulnerability in ARRIS Touchstone TG862G/CT Telephony Gateway with firmware 7.6.59S.CT and earlier allows remote authenticated users to inject arbitrary web script or HTML via the computer_name parameter to connected_devices_computers_edit.php.

Published: 2014-12-17
Race condition in Puppet Server 0.2.0 allows local users to obtain sensitive information by accessing it in between package installation or upgrade and the start of the service.

Published: 2014-12-17
The management console on the Symantec Web Gateway (SWG) appliance before 5.2.2 allows remote authenticated users to execute arbitrary OS commands by injecting command strings into unspecified PHP scripts.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.