Dark Reading is part of the Informa Tech Division of Informa PLC



10/5/2012
02:38 PM

Cyber Spying Justice: Unserved

After toothless FTC judgment against rent-to-own PC companies in spying case, Congress needs to make surveillance of customers in their own homes illegal.

Was the punishment meted out to seven rent-to-own businesses that literally spied on their customers--via webcam footage, browser screen-grabs, and location-tracking technology, courtesy of surveillance software known as PC Rental Agent--sufficient?

Well, punishment is too strong a word. All seven businesses, together with the two principals of software development firm DesignerWare, which created PC Rental Agent, recently agreed to settle--without admitting or denying any wrongdoing--a Federal Trade Commission complaint made against them. The settlements impose two requirements: the businesses have agreed to never spy on customers, and they must keep records to document their compliance for the next 20 years.

In other words, despite rent-to-own businesses having literally spied on their customers at will, catching them in what the FTC described as "intimate moments," the businesses' managers and offending employees are getting off with a slap on the wrist.

This isn't the first time in this case that justice hasn't been served or consumer privacy rights clearly protected. To briefly recap, Wyoming-based couple Crystal and Bryan Byrd filed a class action lawsuit last year against DesignerWare, as well as rent-to-own businesses Aaron's and Aaron's franchisee Aspen Way. (DesignerWare and Aspen Way were also named in the FTC complaint.) Their suit was triggered by an Aspen Way store manager showing them a picture of Bryan Byrd that had been surreptitiously taken with the couple's rent-to-own PC's webcam by store employees, who believed--wrongly--that the couple had missed a payment, which would have allowed Aspen Way to repossess the PC.


The Byrds' lawsuit alleged that customers' privacy rights--as well as federal wiretapping laws and the Computer Fraud and Abuse Act--had been violated. Furthermore, since the PC Rental Agent software was installed on numerous PCs, they requested that the federal judge overseeing the case immediately block any further use of the software to spy on employees.

But the presiding judge "declined to issue an injunction," recounts "Dissent," which is the handle of the privacy advocate and data breach information blogger who maintains DataBreaches.net, and who's been following this case since last year. That was despite a DesignerWare principal telling the court that in the prior six months, the software had been installed on 92,000 PCs. Instead, U.S. District Court judge Sean McLaughlin and U.S. magistrate Susan Baxter found that "it is purely conjecture that the other members of the putative class will be subjected to remote access of personal information," and questioned the merits of the case.

To summarize: Rent-to-own businesses can spy on their customers at will, and without the threat of any penalties, at least until after the first time they're caught. Furthermore, a federal judge doesn't think that giving a business the ability to surreptitiously record webcam footage of its customers--or perhaps their children--in their homes, and in various states of undress, or capture their keystrokes, or screen-grab copies of their bank statements, is obviously illegal.

When I first saw the FTC's cyber-spying case settlement, my reaction was: Surely the FTC could have done more, such as fining the companies involved? But as Dissent told me, and an FTC spokeswoman and others confirmed, the FTC isn't authorized to fine first-time offenders.

"Unfortunately, the FTC Act does not give the commission the authority to issue fines for initial violations of the Act," David Jacobs, consumer protection fellow at the Electronic Privacy Information Center, told me via email. "What the FTC can do is enter into consent agreements with the violator that basically say 'don't do that again.'"

On the upside, businesses that agree to a settlement must then toe the line--or else. "If the agreement is breached, then the FTC can issue fines," Jacobs says. "This is what the FTC did in the case of Google: entered into a consent agreement requiring Google to follow certain rules, and then fined the company $22.5 million when they breached the agreement."

If the outcome of the FTC's settlement with the seven rent-to-own businesses and DesignerWare seems lacking, justice may yet be served. For starters, the FTC can refer any case to the Department of Justice for potential criminal prosecution. Did the agency do so in this cyber spying case? When I put that question to an FTC spokeswoman, she declined to comment.

Furthermore, the class action lawsuit and state investigations appear to have already driven DesignerWare out of business. As InformationWeek first reported, DesignerWare is the subject of an active investigation by the Florida Attorney General's office. In addition, the company's March 2012 bankruptcy filing by its two owners suggested that the company was also being investigated by attorneys general in California and Texas.

Bankrupt surveillance software developers aside, one takeaway from this cyber-spying case is clear: Pending legal changes, avoid rent-to-own PC businesses at all costs. Or if you simply must work with one, don't do anything in the presence of your PC that you wouldn't do in public, and avoid using it to conduct Internet banking or relay any personal or sensitive communications.

Takeaway number two involves this memo to Congress and state legislators: Please make spying on consumers, especially in their own homes, clearly illegal. And Congress, give the FTC--which, it must be said, has in recent weeks scored some great wins against scareware artists and telemarketing scammers--the power to penalize businesses and individuals who flagrantly violate consumers' privacy rights.

 

Comments
MyW0r1d,
User Rank: Apprentice
10/9/2012 | 7:00:09 PM
re: Cyber Spying Justice: Unserved
The outcome should be frightening to anyone. I guess the next logical step is placement of cameras in dressing rooms and public toilets in commercial clothing outlets where pilferage is a realistic problem? Allowing the type of spying described should be considered equivalent. A good idea not to identify this "presiding judge" to protect his/her privacy. Sometimes, you just have to think multitasking (the judge obviously was) is not for everyone.