Florida AG Confirms PC Surveillance Tool Investigation

DesignerWare, a software development firm that created a surveillance tool used by rent-to-own businesses to spy on their customers, is the subject of at least one ongoing state investigation into its activities.

"The Florida Attorney General's Office currently has an investigation involving DesignerWare," said Jenn Meale, a spokeswoman for the attorney general's office, via email.

Last week, DesignerWare and seven rent-to-own businesses agreed to settle--without admitting any wrongdoing--a Federal Trade Commission complaint that they'd spied on their customers, capturing "intimate activities" via webcam as well as copies of customers' bank account and medical information via screen grabs. As part of the settlement, DesignerWare and the seven businesses that used its software have agreed to never spy on customers, and to keep records to document their compliance for the next 20 years.

[ For more background in the DesignWare case, see FTC Wrist Slaps PC Rental Firms For Spying. ]

Legally, the FTC can't fine first-time offenders. But some of the businesses engaged in what FTC chairman Jon Leibowitz dubbed "cyber-spying" against rent-to-own customers are already facing not just further investigations, but economic repercussions. The two owners of DesignerWare, for example, filed for bankruptcy in March 2012 after being named in a class-action lawsuit--together with rent-to-own businesses Aaron's and Aaron's franchisee Aspen Way--by Wyoming-based couple Crystal and Bryan Byrd.

Interestingly, DesignerWare's bankruptcy filing listed the following creditors as holding the largest unsecured claims against it: the Florida Office of the Attorney General Economic Crimes Division, Brian and Crystal Byrd, the California Attorney General Office, the California Department of Justice eCrime Unit, the Texas Office of the Attorney General Consumer Protection Division, and the Federal Trade Commission.

In other words, DesignerWare appears to be, or to have been, the subject of multiple states' investigations, and at least one of those investigations remains ongoing. Reached by phone, a spokesman for the California Attorney General's Office said that the state typically wouldn't confirm or deny any current or prior investigations.

The class-action lawsuit against Aaron's and Aspen Way, meanwhile, remains ongoing. How did the suit begin? The Byrds had a rent-to-own agreement with Aaron's for a Dell laptop, and Aaron's moved to repossess the laptop after believing--wrongly--that the couple had missed a payment. When a store manager showed up at their house and demanded the laptop, he showed them a photograph of Bryan Byrd using the computer, which had been surreptitiously taken with the PC's built-in webcam.

In response, the Byrds filed suit, accusing the three businesses of having violated their privacy rights and broken federal wiretapping laws. While the suit didn't specify damages, it said that federal privacy law allows for fines of $10,000, or $100 per day, for every violation, as well as damages and legal fees.

After the suit was filed, Aaron's initially denied that it spied on its customers, claiming in a statement reported The Atlanta Journal-Constitution that "Aaron's respects its customers' privacy and has not authorized any of its corporate stores to install software that can activate a customer's webcam, capture screenshots, or track keystrokes."

But one of the DesignerWare co-owners confirmed in court last year that 500 out of 1,140 Aaron franchisees had purchased its PC Rental Agent software. As reported Erie Times-News, he said that the software had been used for active surveillance on less than 1% of the 92,000 PCs on which it had been installed over the prior six months. The DesignerWare official, himself an owner of several rent-to-own stores, told the court that as a result of the negative publicity from the Byrds' lawsuit, DesignerWare's annual revenues had dropped from $800,000 to $250,000.

Later, Aaron's officials confirmed that some of its franchises had used DesignerWare's PC Rental Agent to track customers. They claimed, however, that stores activated the surveillance features only if a laptop was reported stolen or a customer missed a payment, to help the store remotely lock and then recover the laptop.

The Erie Times-News, however, reported that former Aaron's sales manager Chastity Hittinger told a federal judge that the surveillance capabilities weren't activated only for stolen laptops or missed payments. Hittinger said that some managers also kept copies of the captured information. "They would just sit around and joke about it," she said, noting that the items they'd obtained included a picture of a woman smoking a marijuana water pipe, as well as screen grabs of people's bank account statements and department store bills.

The PC Rental Agent case echoes a 2010 episode at Lower Merion School District in Pennsylvania, involving school officials activating webcams on laptops issued to students. In that case, officials said they used the software only after laptops had been reported stolen. But that assertion turned out to be false, and helped spark a criminal investigation by the U.S. Attorney's Office and FBI.

Benchmarking normal activity and then monitoring for users who stray from that norm is an essential strategy for getting ahead of potential data and system breaches. But choosing the right tools is only part of the effort. Without sufficient training, efficient deployment and a good response plan, attackers could gain the upper hand. Download our Fundamentals Of User Activity Monitoring report. (Free registration required.)