Dark Reading is part of the Informa Tech Division of Informa PLC


Risk

10/5/2012
02:38 PM

Cyber Spying Justice: Unserved

After toothless FTC judgment against rent-to-own PC companies in spying case, Congress needs to make surveillance of customers in their own homes illegal.

Was the punishment meted out to seven rent-to-own businesses that literally spied on their customers--via webcam footage, browser screen-grabs, and location-tracking technology, courtesy of surveillance software known as PC Rental Agent--sufficient?

Well, punishment is too strong a word. All seven businesses, together with the two principals of software development firm DesignerWare, which created PC Rental Agent, recently agreed to settle--without admitting or denying any wrongdoing--a Federal Trade Commission complaint made against them. The settlements impose two requirements: the businesses have agreed to never spy on customers, and they must keep records to document their compliance for the next 20 years.

In other words, despite rent-to-own businesses having literally spied on their customers at will, catching them in what the FTC described as "intimate moments," the businesses' managers and offending employees are getting off with a slap on the wrist.

This isn't the first time in this case that justice hasn't been served or consumer privacy rights clearly protected. To briefly recap, Wyoming-based couple Crystal and Bryan Byrd last year filed a class action lawsuit against DesignerWare, as well as rent-to-own businesses Aaron's and Aaron's franchisee Aspen Way. (DesignerWare and Aspen Way were also named in the FTC complaint.) Their suit was triggered by an Aspen Way store manager showing them a picture of Bryan Byrd that had been surreptitiously taken with the couple's rent-to-own PC's webcam by store employees, who believed--wrongly--that the couple had missed a payment, which would have allowed Aspen Way to repossess it.

The Byrds' lawsuit alleged that customers' privacy rights--as well as federal wiretapping laws and the Computer Fraud and Abuse Act--had been violated. Furthermore, since the PC Rental Agent software was installed on numerous PCs, they requested that the federal judge overseeing the case immediately block any further use of the software to spy on employees.

But the presiding judge "declined to issue an injunction," recounts "Dissent," which is the handle of the privacy advocate and data breach information blogger who maintains DataBreaches.net, and who's been following this case since last year. That was despite a DesignerWare principal telling the court that in the prior six months, the software had been installed on 92,000 PCs. Instead, U.S. District Court judge Sean McLaughlin and U.S. magistrate Susan Baxter found that "it is purely conjecture that the other members of the putative class will be subjected to remote access of personal information," and questioned the merits of the case.

To summarize: Rent-to-own businesses can spy on their customers at will, and without the threat of any penalties, at least until after the first time they're caught. Furthermore, a federal judge doesn't think that giving a business the ability to surreptitiously record webcam footage of its customers--or perhaps their children--in their homes, and in various states of undress, or capture their keystrokes, or screen-grab copies of their bank statements, is obviously illegal.

When I first saw the FTC's cyber-spying case settlement, my reaction was: Surely the FTC could have done more, such as fining the companies involved? But as Dissent told me, and an FTC spokeswoman and others confirmed, the FTC isn't authorized to fine first-time offenders.

"Unfortunately, the FTC Act does not give the commission the authority to issue fines for initial violations of the Act," David Jacobs, consumer protection fellow at the Electronic Privacy Information Center, told me via email. "What the FTC can do is enter into consent agreements with the violator that basically say 'don't do that again.'"

On the upside, businesses that agree to a settlement must then toe the line--or else. "If the agreement is breached, then the FTC can issue fines," Jacobs says. "This is what the FTC did in the case of Google: entered into a consent agreement requiring Google to follow certain rules, and then fined the company $22.5 million when they breached the agreement."

If the outcome of the FTC's settlement with the seven rent-to-own businesses and DesignerWare seems lacking, justice may yet be served. For starters, the FTC can refer any case to the Department of Justice for potential criminal prosecution. Did the agency do so in this cyber spying case? When I put that question to an FTC spokeswoman, she declined to comment.

Furthermore, the class action lawsuit and state investigations appear to have already driven DesignerWare out of business. As InformationWeek first reported, DesignerWare is the subject of an active investigation by the Florida Attorney General's office. In addition, the company's March 2012 bankruptcy filing by its two owners suggested that the company was also being investigated by attorneys general in California and Texas.

Bankrupt surveillance software developers aside, one takeaway from this cyber-spying case is clear: Pending legal changes, avoid rent-to-own PC businesses at all costs. Or if you simply must work with one, don't do anything in the presence of your PC that you wouldn't do in public, and avoid using it to conduct Internet banking or relay any personal or sensitive communications.

Takeaway number two involves this memo to Congress and state legislators: Please make spying on consumers, especially in their own homes, clearly illegal. And Congress, give the FTC--which, it must be said, has in recent weeks scored some great wins against scareware artists and telemarketing scammers--the power to penalize businesses and individuals who flagrantly violate consumers' privacy rights.

Comments
MyW0r1d,
User Rank: Apprentice
10/9/2012 | 7:00:09 PM
re: Cyber Spying Justice: Unserved
The outcome should be frightening to anyone. I guess the next logical step is placement of cameras in dressing rooms and public toilets in commercial clothing outlets where pilferage is a realistic problem? Allowing the type of spying described should be considered equivalent. A good idea not to identify this "presiding judge" to protect his/her privacy. Sometimes, you just have to think multitasking (the judge obviously was) is not for everyone.