10/5/2012
02:38 PM

Cyber Spying Justice: Unserved

After toothless FTC judgment against rent-to-own PC companies in spying case, Congress needs to make surveillance of customers in their own homes illegal.

Was the punishment meted out to seven rent-to-own businesses that literally spied on their customers--via webcam footage, browser screen-grabs, and location-tracking technology, courtesy of surveillance software known as PC Rental Agent--sufficient?

Well, punishment is too strong a word. All seven businesses, together with the two principals of software development firm DesignerWare, which created PC Rental Agent, recently agreed to settle--without admitting or denying any wrongdoing--a Federal Trade Commission complaint made against them. The settlements impose two requirements: the businesses have agreed to never spy on customers, and they must keep records to document their compliance for the next 20 years.

In other words, despite rent-to-own businesses having literally spied on their customers at will, catching them in what the FTC described as "intimate moments," the businesses' managers and offending employees are getting off with a slap on the wrist.

This isn't the first time in this case that justice hasn't been served or consumer privacy rights clearly protected. To briefly recap, Wyoming-based couple Crystal and Bryan Byrd last year filed a class action lawsuit against DesignerWare, as well as rent-to-own business Aaron's and Aaron's franchisee Aspen Way. (DesignerWare and Aspen Way were also named in the FTC complaint.) Their suit was triggered by an Aspen Way store manager showing them a picture of Bryan Byrd that had been surreptitiously taken with the webcam of the couple's rent-to-own PC by store employees, who believed--wrongly--that the couple had missed a payment, which would have allowed Aspen Way to repossess the PC.

The Byrds' lawsuit alleged that customers' privacy rights--as well as federal wiretapping laws and the Computer Fraud and Abuse Act--had been violated. Furthermore, since the PC Rental Agent software was installed on numerous PCs, they requested that the federal judge overseeing the case immediately block any further use of the software to spy on employees.

But the presiding judge "declined to issue an injunction," recounts "Dissent," which is the handle of the privacy advocate and data breach information blogger who maintains DataBreaches.net, and who's been following this case since last year. That was despite a DesignerWare principal telling the court that in the prior six months, the software had been installed on 92,000 PCs. Instead, U.S. District Court judge Sean McLaughlin and U.S. magistrate Susan Baxter found that "it is purely conjecture that the other members of the putative class will be subjected to remote access of personal information," and questioned the merits of the case.

To summarize: Rent-to-own businesses can spy on their customers at will, and without the threat of any penalties, at least until after the first time they're caught. Furthermore, a federal judge doesn't think that giving a business the ability to surreptitiously record webcam footage of its customers--or perhaps their children--in their homes, and in various states of undress, or capture their keystrokes, or screen-grab copies of their bank statements, is obviously illegal.

When I first saw the FTC's cyber-spying case settlement, my reaction was: Surely the FTC could have done more, such as fining the companies involved? But as Dissent told me, and an FTC spokeswoman and others confirmed, the FTC isn't authorized to fine first-time offenders.

"Unfortunately, the FTC Act does not give the commission the authority to issue fines for initial violations of the Act," David Jacobs, consumer protection fellow at the Electronic Privacy Information Center, told me via email. "What the FTC can do is enter into consent agreements with the violator that basically say 'don't do that again.'"

On the upside, businesses that agree to a settlement must then toe the line--or else. "If the agreement is breached, then the FTC can issue fines," Jacobs says. "This is what the FTC did in the case of Google: entered into a consent agreement requiring Google to follow certain rules, and then fined the company $22.5 million when they breached the agreement."

If the outcome of the FTC's settlement with the seven rent-to-own businesses and DesignerWare seems lacking, justice may yet be served. For starters, the FTC can refer any case to the Department of Justice for potential criminal prosecution. Did the agency do so in this cyber spying case? When I put that question to an FTC spokeswoman, she declined to comment.

Furthermore, the class action lawsuit and state investigations appear to have already driven DesignerWare out of business. As InformationWeek first reported, DesignerWare is the subject of an active investigation by the Florida Attorney General's office. In addition, the company's March 2012 bankruptcy filing by its two owners suggested that the company was also being investigated by attorneys general in California and Texas.

Bankrupt surveillance software developers aside, one takeaway from this cyber-spying case is clear: Pending legal changes, avoid rent-to-own PC businesses at all costs. Or if you simply must work with one, don't do anything in the presence of your PC that you wouldn't do in public, and avoid using it to conduct Internet banking or relay any personal or sensitive communications.

Takeaway number two involves this memo to Congress and state legislators: Please make spying on consumers, especially in their own homes, clearly illegal. And Congress, give the FTC--which, it must be said, has in recent weeks scored some great wins against scareware artists and telemarketing scammers--the power to penalize businesses and individuals who flagrantly violate consumers' privacy rights.

Comments
MyW0r1d,
User Rank: Apprentice
10/9/2012 | 7:00:09 PM
re: Cyber Spying Justice: Unserved
The outcome should be frightening to anyone. I guess the next logical step is placement of cameras in dressing rooms and public toilets in commercial clothing outlets where pilferage is a realistic problem? Allowing the type of spying described should be considered equivalent. A good idea not to identify this "presiding judge" to protect his/her privacy. Sometimes, you just have to think multitasking (the judge obviously was) is not for everyone.