Laptop Rental Provider Sued For Spying On Renters Via Surreptitious Webcam Software

from the this-again? dept

You would think after last year's attention-grabbing lawsuit about the Lower Merion School district using some surreptitious monitoring software to activate webcams and snap photos of kids at home that others would be a lot more careful about their use of such software. After all, the school district ended up having to pay out $610,000 to settle the lawsuit filed against it.

However, in a similar story, a Wisconsin couple has apparently sued Aaron's Inc. for spying on them. Aaron's is a giant "rent-to-own" retailer, offering furniture, electronics and computers on a rent-to-own basis. In this case, the couple had rented a Dell laptop from the company, and later discovered that it had sneaky monitoring software on it which they were unaware of... but which was used to turn on the laptop's webcam and take pictures of the family without them knowing about it.

The only way they found out was that a store manager came to take back the computer, incorrectly believing the couple had not paid their bill (they had). When he showed up, he showed them a photo he had, which was taken from the webcam, which (understandably) freaked out the couple. They asked him how he got the photo, and his response was that he wasn't supposed to show them the photo. Well, that's comforting. Apparently, the product that was used to do this monitoring was hardware based as well, meaning that it couldn't be detected or turned off via software.

The couple and their lawyers are seeking to turn this into a class action for all renters of computers from Aaron's that have this tracking technology. Also, the couple contacted the police, who apparently still have the computer, so I guess there's at least some review of whether or not this is a criminal matter. The AP article (linked in the paragraph above) has a short discussion on whether or not this effort violated either ECPA or the CFAA:
Two attorneys who are experts on the relevant computer privacy laws, the Electronic Communications Privacy Act and the Computer Fraud and Abuse Act, said it's difficult to tell if either was broken, though both agree the company went too far.

Peter Swire, an Ohio State professor, said using a software "kill switch" is legal because companies can protect themselves from fraud and other crimes.

"But this action sounds like it's stretching the self-defense exception pretty far," Swire said, because the software "was gathering lots of data that isn't needed for self-protection."

Further, Swire said the Computer Fraud and Abuse Act "prohibits unauthorized access to my computer over the Internet. The renter here didn't authorize this kind of access."

Fred Cate, an information law professor at Indiana University agrees that consent is required but said the real question might be: "Whose consent?"
It's no secret that both ECPA and CFAA have their problems, but it seems like this might be the type of case that those laws were more designed to cover -- though, that definitely depends on some of the details which haven't come out yet.
Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: cfaa, computer, ecpa, rental, spying, webcam
Companies: aaron's


Reader Comments

Subscribe: RSS

View by: Time | Thread


  1. icon
    :Lobo Santo (profile), 5 May 2011 @ 11:44am

    Rent to pwn

    Those f*cking "Rent to own" places operate on the gray edge of legal anyhow.

    They sell the same thing to 10 different people, and even if nobody ever pays it off, they've made pack the purchase price 50x over.

    But, I guess as long as it's not illegal to prey on consumer stupidity they'll just keep at it...


    Also, if I "rented" the laptop; I'd've first installed Linux in order to give their spyware a big middle finger.

    link to this | view in thread ]

  2. identicon
    sidewinder, 5 May 2011 @ 11:58am

    Hardware-based??

    Does this mean that Dell built this ability into the laptop?

    link to this | view in thread ]

  3. icon
    Squirrel Brains (profile), 5 May 2011 @ 12:03pm

    The real thing ECPA and CFAA are meant to do is to help big business prevent people from doing things they don't like. The only question is: Is Arron's a big business? If so, then they get a free pass. Also, if they are a big business, they probably have a cause of action against the couple for revealing the existence of the software/hardware.

    link to this | view in thread ]

  4. identicon
    PRMan, 5 May 2011 @ 12:04pm

    Re: Rent to pwn

    "I'd've first installed Linux"

    That would have shown their hardware-based spyware...

    link to this | view in thread ]

  5. identicon
    PRMan, 5 May 2011 @ 12:04pm

    Re:

    The cops have the laptop, so apparently not big enough...

    link to this | view in thread ]

  6. identicon
    scootlykins, 5 May 2011 @ 12:04pm

    aaron's

    Concerning the recent allegations regarding customer privacy and Aaron’s, Robin Loudermilk, CEO and President of Aaron’s issued the following statement:

    "Aaron’s cares about our customers – this is the value we’ve built our business on for more than 55 years. Aaron’s customers can be assured that we’re taking this allegation very seriously. We are conducting a thorough investigation and diligently reaching out to our customers to address any of their concerns."

    If you are a customer and have questions regarding your computer privacy at Aaron’s, call 1-888-333-3785.

    link to this | view in thread ]

  7. icon
    :Lobo Santo (profile), 5 May 2011 @ 12:09pm

    Re: Re: Rent to pwn

    Software. The word you were looking for there was "software".

    link to this | view in thread ]

  8. icon
    Squirrel Brains (profile), 5 May 2011 @ 12:13pm

    Re: aaron's

    I wonder if Aaron's knows about the discussion on Techdirt because they defected on of the users of their computer reading this story.

    link to this | view in thread ]

  9. icon
    Squirrel Brains (profile), 5 May 2011 @ 12:14pm

    Re: Re: Re: Rent to pwn

    A linux install probably wouldn't have the drivers for the hardware, unless it is totally isolated form the operating system. You'd have to be pretty dedicated at spying on your customers to do that.

    link to this | view in thread ]

  10. icon
    Chris-Mouse (profile), 5 May 2011 @ 12:19pm

    I'm just curious.
    This spying is done via a hardware based system that cannot be detected or turned off by software.
    The computer is sold on a rent-to-own basis, so presumably the computer will eventually become the property of the renter.
    Is the hardware eventually disabled without letting the owner know, or is this system now a permanent back door into every single computer this place has ever rented?
    If I were a lawyer involved in this, I'd like to see records of every system sold with this spy system, and how many of them are still active.

    link to this | view in thread ]

  11. icon
    Greg G (profile), 5 May 2011 @ 12:21pm

    Re: aaron's

    And if you call our toll free number with questions about your computer privacy, we'll make sure to take photos of everything you do in your home, so please make sure to always have the laptop open and placed so the camera gets a full view of the room in which you are occupying.

    Failure to occupy the same room as your laptop while we are attempting to take pictures of you and/or your family will result in Aaron's sending a store manager to your home to further question your blatant disregard of our right to know what you are doing at all times.

    Thank you for your cooperation.

    Robin Loudermilk, CEO and President

    PS. Please stop doing that, you'll go blind. And you're fat.

    link to this | view in thread ]

  12. identicon
    Anonymous Coward, 5 May 2011 @ 12:24pm

    Re: Re: Re: Rent to pwn

    The article says it's hardware too. I can see how the linux would solve the problem, the webcam would stop working all together, even if you wanted it to haha

    link to this | view in thread ]

  13. identicon
    Anonymous Coward, 5 May 2011 @ 12:30pm

    Re:

    I think you've hit the nail on the head. I hope that if the class action suit moves forward this investigation takes place. I would think that any post-sale access of the "spying" hardware would constitute a breach of the law.

    link to this | view in thread ]

  14. identicon
    New Mexico Mark, 5 May 2011 @ 1:00pm

    Re: Re: Re: Re: Rent to pwn

    Yeah, yeah... :P~~~~~~~~ to you too.

    Actually, it is amazing how much hardware Linux DOES support. Vendors write drivers for Microsoft. Linux has to reverse engineer half the stuff that is supported, and the result is often as good or better than the proprietary solution.

    link to this | view in thread ]

  15. identicon
    New Mexico Mark, 5 May 2011 @ 1:15pm

    Security boo boo

    Putting a small Band Aid over that camer...er...security boo boo will make it feel much better.

    link to this | view in thread ]

  16. icon
    Wise (profile), 5 May 2011 @ 1:19pm

    The kill-switch mentioned above would be the only defense that Aaron's could claim. Of course the laptop would have to be equipped with a mobile card or have access to the internet in the first place to make it transmit the signal. Unless the computer user does a secure wipe of the HDD, they are liable to send over any and all information back to the company.

    This opens up an even greater case of privacy that is itself so boiled up in grey area all ready.

    link to this | view in thread ]

  17. identicon
    Anonymous Coward, 5 May 2011 @ 3:35pm

    Re: aaron's

    "We are conducting a thorough investigation and diligently reaching out to our customers to address any of their concerns."

    "For instance, Bob, Bob Jones of Airsdale. You have a funny look on your face while reading this announcement. Don't worry, we take the matter very seriously. And don't make that face or it will freeze that way. And maybe you should clean up that pigsty you call a room once in a while eh?"

    "And you, Lisa Tennington. You should probably put some pants on. Our surveillance staff take their job very seriously and we don't want to have to fire them for technically looking at naked women at work."

    "Rest assured we will not stop reaching out to you, our loyal customers, especially Brenda, Jake, and Marcus. For god's sake Marcus, you need to shave. It's been 3 days and that stubble just does NOT look good on you."

    link to this | view in thread ]

  18. icon
    anymouse (profile), 5 May 2011 @ 4:20pm

    What about the bandwidth costs and the connection that is being 'stolen' by the hardware to transmit the images?

    In the current climate, many users internet connections are limited, and I'm not sure about the size/volume of data being transmitted via this hardware spying, I see to possible issues.

    First this 'unauthorized access of a computer network' since the users didn't give permission for the pictures to be transmitted over their internet connection. This bogus claim has been used against multiple individuals for various computer related 'crimes' that weren't really crimes, so it should be applicable to Companies as well.... right?

    If this data put anyone over their ISP's limit and forced them to pay additional fees, there should be some sort of claim to recoup these costs. also they 'stole' the connection, so there has to be some payment for that (if you can steal a song, you can steal an internet connection, amIright?)

    I'm sure this would also all depend on who the laptop was rented to... I'm sure the laptop rented to the 18 year old female college swimsuit model was 'transmitting' a lot more pictures and video than the one rented to the 40 year old overweight balding middle aged man...

    Yes, I'm a cynic... but that doesn't mean I'm wrong

    link to this | view in thread ]

  19. identicon
    Anonymous Coward, 5 May 2011 @ 5:06pm

    Is this a case of outrageous privacy intrusions by greedy companies or a case of greedy lawyers trying to cash in with a class action suit and greatly exaggerating the invasion of privacy claims? There is not enough publicly available information to determine that right now. Discovery about how the system actually works will show how capable it was of invading privacy. The lawsuit takes partial information and guesses at the rest while assuming the worst.

    An overview:
    Designerware installs their PC Rental Agent software onto a computer intended for rental. This software works along with a CD or USB dongle, and maybe some additional hardware soldered onto the motherboard. The "agent" reports back to a Designerware server every two hours. Designerware gets paid only for rented computers that are in use so that two hour interval is probably only for a simple status report. Any data stored in the server about a computer is made available to Aaron's. According to Aaron's, only regional managers can access this data and change PC Rental Agent settings. The purpose of the agent software is, in case of payment default or theft, to prevent the use of the computer and to aid in recovery. When a renter defaults, an Aaron's manager can change the settings remotely to lockdown the computer until the user enters a special password known to Aaron's.

    Hardware based?
    The lawsuit says that some device from Designerware, the maker of the PC Rental Agent, was soldered onto the motherboard and/or is part of the Intel chipset. Really, part of the Intel chipset? (ROTFL!) It further explains that a "wand" is needed to deactivate this hardware/software system.
    My speculation is that, if there is something soldered into the motherboard, it is put there by Designerware to prevent both Aarons and the end-user from disabling the PC rental agent from running on the computer. I am skeptical because hand soldering a motherboard is both labor intensive and risky. Their business model of $1.95 for setup and 50 cents/month for use does not support such a risky and labor intensive step. Designerware's current product page describes a CD or USB dongle that is needed to unlock the computer. This is the only hardware described! The vast majority of the functionality of this agent is undoubtedly implemented via software.

    Can Aaron's disable the system?
    I am guessing that the system's normal, default, setting is to only collect status information, that the computer is in use. Aaron's regional managers can change the software settings. One would expect that Aaron's only changes the settings when the renter has stopped paying. What may be true is that Aaron's cannot disable the whole system from reporting to Designerware's servers. I think they do have control over what information, beyond status, is collected. This brings up the question as to how is the PC Rental Agent is removed if a user actually ends up buying the computer. I see two possible methods:
    1). the software stays installed, but is disabled remotely by Designerware and afterward does not send any data to their server and no longer requires the dongle.
    2). Aaron's must re-install the OS, presumably Windows. This eliminates the software, the need for a dongle, and all user data.
    Undoubtedly, a more common step is the user returns the computer without buying it. Here, the F3 key is used to reload Windows with an option to save user data. It is not clear if they mean re-installing Windows or simply rebooting Windows. Allowing a reboot of a locked system seems to be a security loophole allowing the machine to be used until it is locked again.

    What information can be collected?
    Software with administrative privileges has the potential to monitor and transmit information about everything you do on your computer. The lawsuit claims the Designerware system collects screenshots, webcam images, and keystrokes. It is clear a webcam photo can be taken and transmitted to the server. I think they are just speculating. What Ashton Kelly of Designerware describes is a pop-up window which, deceptively, asks for name, address, and telephone number because the Windows Registry requires it. When this information is entered the webcam takes a photo and all that data is sent to Designerware's central server. I think the plaitiff's lawyers are taking this and extrapolating to a much more intrusive capability. However, it is conceivable that Designerware has allowed a lot of information to be collected in order to recover a stolen computer or one with payments in default. It will be interesting to see these details come out.

    Can privacy intrusion be justified?
    If the computer was stolen, there should be no question that the owner has the right to collect any information about the user in a stealthy manner. I'm not sure that a default in payment justifies collecting any and all information. I think the information collected from the pop-up window is justified, even if it is done deceptively because it is quite limited in scope. If such limited collection of information is legal then Aaron's collecting such information mistakenly, with no malevolent intent, is also legal. The question, in this case, is why was the PC Rental Agent software still active two months after the Byrd's had purchased the system. Does Aaron's ever move to deactivate this software when a computer is purchased?

    link to this | view in thread ]

  20. icon
    aldestrawk (profile), 5 May 2011 @ 5:11pm

    Re:

    i would like to take credit for the above post. It took a while to write and I got logged off meanwhile.

    link to this | view in thread ]

  21. icon
    Nom du Clavier (profile), 5 May 2011 @ 6:13pm

    Who owns

    If for the purposes of the law the renter is the owner when it comes to crimes committed using the computer, then the renter should also be the owner when it comes to trespass.

    Can't have it both ways.

    link to this | view in thread ]

  22. identicon
    Anonymous Coward, 5 May 2011 @ 7:49pm

    Fourth Amendment Violation

    How is this clandestine spying on renters legal? The fourth amendment says, "The right of the people to be secure in their persons, houses, papers and effects, against unreasonable searches and seizures, shall not be violated, ..." Has respect for the US Constitution gone out of style or something? Spying on users with a clandestine webcam is the precise equivalent of the activities of peeping toms. There have been laws on the books making being a peeping tom illegal, for many decades. Why have the perps not been charged?

    link to this | view in thread ]

  23. identicon
    Anonymous Coward, 6 May 2011 @ 6:35am

    Screw sueing them, File criminal charges and send their arses to meet bubba!

    Justice Served

    link to this | view in thread ]

  24. icon
    Squirrel Brains (profile), 6 May 2011 @ 8:08am

    Re: Fourth Amendment Violation

    That only applies to government action. And of course, I use "applies" in the loosest sense possible.

    link to this | view in thread ]

  25. identicon
    Anonymous Coward, 6 May 2011 @ 1:00pm

    Re: Re: Re: Re: Re: Rent to pwn

    Actually, I experienced that first hand. Used to have a laptop that required about an hour of drive searching in windows. Mandriva on the other hand had all the drivers out of the box.

    link to this | view in thread ]

  26. identicon
    Gene Cavanaugh, 6 May 2011 @ 5:29pm

    Web Cam monitoring

    Great article and analysis! Good job!
    Sounds like this falls under the area of law with respect to employers and employees. After all, the computer belongs to the rental agency (pseudo employer) with the renters being the pseudo "employees". Not sure how it would play out, I suspect it depends on the terms of the rental agreement and, as you said, other facts.

    link to this | view in thread ]

  27. icon
    btr1701 (profile), 6 May 2011 @ 6:02pm

    Re: Fourth Amendment Violation

    > How is this clandestine spying on renters legal? The fourth
    > amendment says, "The right of the people to be secure in
    > their persons, houses, papers and effects, against unreasonable
    > searches and seizures, shall not be violated

    The 4th Amendment doesn't apply to private individuals or businesses.

    This sort of misperception comes up so frequently in discussions of this nature that It really is disheartening how many people have no understanding of the basic fundamentals of our system of government.

    link to this | view in thread ]

  28. icon
    btr1701 (profile), 6 May 2011 @ 6:03pm

    Re: Web Cam monitoring

    > with the renters being the pseudo "employees"

    A renter is not an employee, pseudo or otherwise. A renter is a customer.

    link to this | view in thread ]

  29. identicon
    shipu, 5 Oct 2011 @ 11:19pm

    Free Aarons Laptop

    It’s actually a very nice list; most of the others online are not good at all. Thanks for sharing this! :)

    link to this | view in thread ]

  30. identicon
    shipu, 5 Oct 2011 @ 11:50pm

    Free Aarons Laptop

    Thanks for the great value you provide here. This is just amazing :)

    link to this | view in thread ]

  31. identicon
    Anonymous Coward, 23 Feb 2012 @ 2:49am

    I just found this article. Not sure if anyone will see this post and/or reply but... my girlfriend has bought 2 computers (one desktop, one laptop). Her desktop is paid off but she just recently acquired the laptop. Any idea how to either determine if the software is on any of the computers or if she can remove the software???

    link to this | view in thread ]

  32. identicon
    pwned Aaron's with Ubuntu, 6 Mar 2012 @ 6:01am

    Ubuntu 11.10
    Missed a payment by a few days they tried to kill the system.....FAIL
    I paid them they gave passkey but I told them kinda pointless as I never even used the windows partion

    link to this | view in thread ]

  33. identicon
    working on a solution, 1 Jun 2013 @ 12:55pm

    I have a couple of ideas where it may be located but each time I delete the files, windows won't boot. Ubuntu every time is its replacement. Or linux mint.

    link to this | view in thread ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.