Risk
9/26/2012
10:36 AM

FTC Wrist Slaps PC Rental Firms For Spying

Seven rent-to-own businesses secretly captured webcam images and personal information of late-paying customers, but face no fines or criminal charges.

The Federal Trade Commission Tuesday announced proposed settlements with seven businesses offering rent-to-own PCs that used spyware installed on the computers to monitor customers. According to the agency, the software captured "intimate activities" of people in their homes, including images of "partially undressed individuals," children, and private data such as Social Security numbers and private communications with doctors.

The related FTC complaint also names DesignerWare, a Pennsylvania-based software development company that sells PC Rental Agent, software for recovering rented PCs that includes a "Detective Mode" for spying on customers. As of August 2011, the software had been used by about 1,617 rent-to-own stores in the United States, Canada, and Australia, and had been installed on 420,000 computers.

According to the FTC, the rent-to-own companies named in its complaint broke the law--engaging in fraudulent, deceptive, and unfair business practices--"by secretly collecting consumers' confidential and personal information and using it to try to collect money from them." The PC Rental Agent software also offered rent-to-own companies the option of launching fake Microsoft Windows, Internet Explorer, Microsoft Office, and Yahoo Messenger registration screens to trick users into divulging personal data, which the businesses then used for debt collection purposes.

"An agreement to rent a computer doesn't give a company license to access consumers' private emails, bank account information, and medical records, or even worse, webcam photos of people in the privacy of their own homes," said FTC chairman Jon Leibowitz in a statement. "The FTC orders today will put an end to their cyber spying."

The FTC Tuesday also announced settlements with the seven rent-to-own businesses named in its complaints: Aspen Way Enterprises, B. Stamper Enterprises (a franchisee of Premier Rental Purchase), C.A.L.M. Ventures (a franchisee of Premier Rental Purchase), J.A.G. Rents (a franchisee of ColorTyme), Red Zone (a franchisee of ColorTyme), Showplace (a.k.a. Showplace Rent-to-Own), and Watershed Development (a franchisee of Aaron's), as well as a settlement with DesignerWare and its principals, Timothy Kelly and Ronald P. Koller.

The FTC said it conducted its investigation with the Office of the Illinois Attorney General. Tuesday, Illinois Attorney General Lisa Madigan announced that her office had filed its own action against Watershed Development, which operates multiple rent-to-own furniture and electronics stores in northwest Illinois. Madigan accused Watershed Development of using the DesignerWare software's Detective Mode to spy on customers, violating their personal privacy as well as the Illinois Consumer Fraud Act.

According to an email written by DesignerWare's Kelly that's included in the FTC's complaint, it's unlikely that PC users would have spotted the PC Rental Agent software running on their computer. "The way the Detective [Detective Mode] works is like many spyware/malware programs," wrote Kelly. "The Agent [PC Rental Agent] runs outside the user session so it is not detectable by antivirus programs, etc. However, when you turn on the Detective, the Agent takes an executable and inject[s] it into the user session and hooks the screen, keyboard, and mouse so it can spy on the user and gather information. A similar program could be launched to steal credit cards or someone's information."
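What Kelly describes is a process running in the service context creating a thread inside an interactive user's process, which is exactly the event that Sysmon's Event ID 8 (CreateRemoteThread) records. The hunt below is an added example and is not code from the article or from DesignerWare. It assumes Sysmon-style key=value records that carry SourceUser and TargetUser fields (present in current Sysmon releases); the log lines, file paths, host name and account names are constructed for the example, and the allowlist of known Windows injectors is an assumption to be tuned against your own baseline.

```python
"""Flag remote-thread creation that crosses from the service context into an
interactive user's session, the pattern DesignerWare's developer described.
Added example; the records below are constructed, not real telemetry."""

import re

# Accounts that run outside any interactive session (Windows service context).
SERVICE_ACCOUNTS = {
    "NT AUTHORITY\\SYSTEM",
    "NT AUTHORITY\\LOCAL SERVICE",
    "NT AUTHORITY\\NETWORK SERVICE",
}

# Windows components that routinely create threads in user processes and would
# otherwise drown the signal. Assumption for this example: build your own list
# from a clean baseline rather than trusting this one.
KNOWN_INJECTORS = {
    r"c:\windows\system32\csrss.exe",
}

# Constructed Sysmon-style Event ID 8 (CreateRemoteThread) records. The paths
# (svcagent.exe), host name (HOME-PC) and account (renter) are made up.
SAMPLE_EVENTS = [
    r"UtcTime=2012-08-14 03:10:22.117 SourceImage=C:\ProgramData\rental\svcagent.exe "
    r"SourceUser=NT AUTHORITY\SYSTEM TargetImage=C:\Windows\explorer.exe "
    r"TargetUser=HOME-PC\renter StartFunction=LoadLibraryW",
    r"UtcTime=2012-08-14 03:10:23.004 SourceImage=C:\Windows\System32\csrss.exe "
    r"SourceUser=NT AUTHORITY\SYSTEM TargetImage=C:\Windows\System32\notepad.exe "
    r"TargetUser=HOME-PC\renter",
    r"UtcTime=2012-08-14 03:11:40.551 SourceImage=C:\Windows\explorer.exe "
    r"SourceUser=HOME-PC\renter TargetImage=C:\Windows\System32\cmd.exe "
    r"TargetUser=HOME-PC\renter",
    r"UtcTime=2012-08-14 03:12:02.310 SourceImage=C:\ProgramData\rental\svcagent.exe "
    r"SourceUser=NT AUTHORITY\SYSTEM TargetImage=C:\Windows\System32\svchost.exe "
    r"TargetUser=NT AUTHORITY\SYSTEM",
    r"UtcTime=2012-08-14 05:10:22.902 SourceImage=C:\ProgramData\rental\svcagent.exe "
    r"SourceUser=NT AUTHORITY\SYSTEM TargetImage=C:\Windows\System32\taskhost.exe "
    r"TargetUser=HOME-PC\renter StartFunction=LoadLibraryA",
]

# Split only where the next 'Key=' token begins, because values such as
# 'NT AUTHORITY\SYSTEM' contain spaces of their own.
_FIELD_SPLIT = re.compile(r"\s+(?=[A-Za-z]+=)")


def parse_event(line):
    """Turn one flattened key=value record into a dict of field -> value."""
    fields = {}
    for chunk in _FIELD_SPLIT.split(line.strip()):
        key, sep, value = chunk.partition("=")
        if sep:
            fields[key] = value
    return fields


def is_cross_session_injection(event):
    """True when a service-account process injects into a non-service user's
    process and the source binary is not on the allowlist."""
    src_user = event.get("SourceUser", "")
    dst_user = event.get("TargetUser", "")
    src_image = event.get("SourceImage", "").lower()
    if src_user not in SERVICE_ACCOUNTS:
        return False  # injector is itself an interactive process; out of scope here
    if not dst_user or dst_user in SERVICE_ACCOUNTS:
        return False  # service-to-service thread creation is routine on Windows
    if src_image in KNOWN_INJECTORS:
        return False  # baseline Windows component
    return True


def hunt(lines):
    """Return one finding dict per record that matches the rule, in input order."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if is_cross_session_injection(ev):
            findings.append({
                "time": ev.get("UtcTime", ""),
                "source_image": ev.get("SourceImage", ""),
                "target_image": ev.get("TargetImage", ""),
                "target_user": ev.get("TargetUser", ""),
                "start_function": ev.get("StartFunction", ""),
            })
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f['time']}  {f['source_image']} -> {f['target_image']} "
              f"({f['target_user']}) start={f['start_function'] or 'unknown'}")
```

The rule is deliberately narrow: same-user thread creation (browsers, debuggers, accessibility tools) and service-to-service activity are ignored, because the signal in Kelly's description is the session and privilege boundary being crossed. A LoadLibrary start function in a hit is the classic DLL-injection tell, but a hit without one still merits a look at the source binary's signer, install path and the service that launches it.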

The FTC's proposed settlements, which are open for public comment until October 25, 2012, would prohibit the seven named rent-to-own businesses from surreptitiously monitoring their customers. According to the FTC, "the settlements bar the companies from any further illegal spying, from activating location-tracking software without the consent of computer renters and notice to computer users, and from deceptively collecting and disclosing information about consumers." In addition, "DesignerWare will be barred from providing others with the means to commit illegal acts, and the seven rent-to-own stores will be prohibited from using information improperly gathered from consumers in connection with debt collection."

For the next 20 years, all firms named in the complaint would be required to keep records that prove their compliance with the FTC settlement. Furthermore, the firms would be allowed to track the location of a PC only after it had been reported stolen, and only with a customer's prior consent.

But if these rent-to-own businesses have been using commercial spyware to track and spy on consumers, why are they getting off with nary a fine or criminal wiretap violation charge? "Probably due to terms of agreement that renters signed ... I'll bet it said renters consented to spying," said the threat intelligence manager for Trustwave SpiderLabs, who goes by "Space Rogue," in a Twitter post. He characterized the FTC action as a mere "slap on the wrist."

The FTC complaint also draws a sharp line between two uses of the DesignerWare software. Remotely disabling a PC through the software's "kill switch," which can be activated should the PC be stolen or a customer fail to make payments on time, the agency finds acceptable. Surreptitiously monitoring customers through the software's Detective Mode it does not. Notably, that setting allowed businesses to track the location of an Internet-connected PC, and therefore a consumer, every two hours. It also let them record keystrokes, capture screen grabs, and take images using a built-in webcam.

The FTC complaint mirrors a case that came to light last year, involving a female substitute teacher who'd purchased a laptop from a student, which turned out to have been stolen. The laptop contained remote-recovery software from Absolute Software, which also offers a recovery service, and after the owner reported the laptop as missing, Absolute captured sexually explicit messages and images of the teacher and her boyfriend, which it shared with police in Springfield, Ohio.

But a judge ruled that Absolute Software's recovery activities overstepped legal boundaries, and that the company had illegally intercepted the communications--per the Electronic Communications Privacy Act. The judge also found that both Absolute Software and the police had violated the privacy rights of the teacher and her boyfriend, and suggested that a jury might reasonably find that the police were liable for having used illegally obtained communications, backed by no warrants, in the course of their investigation.
