Laptop Rental Provider Sued For Spying On Renters Via Surreptitious Webcam Software
from the this-again? dept
You would think after last year's attention-grabbing lawsuit about the Lower Merion School District using some surreptitious monitoring software to activate webcams and snap photos of kids at home that others would be a lot more careful about their use of such software. After all, the school district ended up having to pay out $610,000 to settle the lawsuit filed against it.
However, in a similar story, a Wisconsin couple has apparently sued Aaron's Inc. for spying on them. Aaron's is a giant "rent-to-own" retailer, offering furniture, electronics and computers on a rent-to-own basis. In this case, the couple had rented a Dell laptop from the company, and later discovered that it had sneaky monitoring software on it which they were unaware of... but which was used to turn on the laptop's webcam and take pictures of the family without them knowing about it.
The only way they found out was that a store manager came to take back the computer, incorrectly believing the couple had not paid their bill (they had). When he showed up, he showed them a photo he had, which was taken from the webcam, which (understandably) freaked out the couple. They asked him how he got the photo, and his response was that he wasn't supposed to show them the photo. Well, that's comforting. Apparently, the product that was used to do this monitoring was hardware based as well, meaning that it couldn't be detected or turned off via software.
The couple and their lawyers are seeking to turn this into a class action for all renters of computers from Aaron's that have this tracking technology. Also, the couple contacted the police, who apparently still have the computer, so I guess there's at least some review of whether or not this is a criminal matter. The AP article (linked in the paragraph above) has a short discussion on whether or not this effort violated either ECPA or the CFAA:
Two attorneys who are experts on the relevant computer privacy laws, the Electronic Communications Privacy Act and the Computer Fraud and Abuse Act, said it's difficult to tell if either was broken, though both agree the company went too far.
Peter Swire, an Ohio State professor, said using a software "kill switch" is legal because companies can protect themselves from fraud and other crimes.
"But this action sounds like it's stretching the self-defense exception pretty far," Swire said, because the software "was gathering lots of data that isn't needed for self-protection."
Further, Swire said the Computer Fraud and Abuse Act "prohibits unauthorized access to my computer over the Internet. The renter here didn't authorize this kind of access."
Fred Cate, an information law professor at Indiana University, agrees that consent is required but said the real question might be: "Whose consent?"
It's no secret that both ECPA and CFAA have their problems, but it seems like this might be the type of case that those laws were more designed to cover -- though, that definitely depends on some of the details which haven't come out yet.
Filed Under: cfaa, computer, ecpa, rental, spying, webcam
Companies: aaron's
Reader Comments
Rent to pwn
They sell the same thing to 10 different people, and even if nobody ever pays it off, they've made back the purchase price 50x over.
But, I guess as long as it's not illegal to prey on consumer stupidity they'll just keep at it...
Also, if I "rented" the laptop; I'd've first installed Linux in order to give their spyware a big middle finger.
[ link to this | view in thread ]
Hardware-based??
[ link to this | view in thread ]
Re: Rent to pwn
That would have shown their hardware-based spyware...
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
aaron's
"Aaron’s cares about our customers – this is the value we’ve built our business on for more than 55 years. Aaron’s customers can be assured that we’re taking this allegation very seriously. We are conducting a thorough investigation and diligently reaching out to our customers to address any of their concerns."
If you are a customer and have questions regarding your computer privacy at Aaron’s, call 1-888-333-3785.
[ link to this | view in thread ]
Re: Re: Rent to pwn
[ link to this | view in thread ]
Re: aaron's
[ link to this | view in thread ]
Re: Re: Re: Rent to pwn
[ link to this | view in thread ]
This spying is done via a hardware based system that cannot be detected or turned off by software.
The computer is sold on a rent-to-own basis, so presumably the computer will eventually become the property of the renter.
Is the hardware eventually disabled without letting the owner know, or is this system now a permanent back door into every single computer this place has ever rented?
If I were a lawyer involved in this, I'd like to see records of every system sold with this spy system, and how many of them are still active.
[ link to this | view in thread ]
Re: aaron's
Failure to occupy the same room as your laptop while we are attempting to take pictures of you and/or your family will result in Aaron's sending a store manager to your home to further question your blatant disregard of our right to know what you are doing at all times.
Thank you for your cooperation.
Robin Loudermilk, CEO and President
PS. Please stop doing that, you'll go blind. And you're fat.
[ link to this | view in thread ]
Re: Re: Re: Rent to pwn
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re: Re: Re: Re: Rent to pwn
Actually, it is amazing how much hardware Linux DOES support. Vendors write drivers for Microsoft. Linux has to reverse engineer half the stuff that is supported, and the result is often as good or better than the proprietary solution.
[ link to this | view in thread ]
Security boo boo
[ link to this | view in thread ]
This opens up an even greater case of privacy that is itself so boiled up in grey area already.
[ link to this | view in thread ]
Re: aaron's
"For instance, Bob, Bob Jones of Airsdale. You have a funny look on your face while reading this announcement. Don't worry, we take the matter very seriously. And don't make that face or it will freeze that way. And maybe you should clean up that pigsty you call a room once in a while eh?"
"And you, Lisa Tennington. You should probably put some pants on. Our surveillance staff take their job very seriously and we don't want to have to fire them for technically looking at naked women at work."
"Rest assured we will not stop reaching out to you, our loyal customers, especially Brenda, Jake, and Marcus. For god's sake Marcus, you need to shave. It's been 3 days and that stubble just does NOT look good on you."
[ link to this | view in thread ]
What about the bandwidth costs and the connection that is being 'stolen' by the hardware to transmit the images?
First this 'unauthorized access of a computer network' since the users didn't give permission for the pictures to be transmitted over their internet connection. This bogus claim has been used against multiple individuals for various computer related 'crimes' that weren't really crimes, so it should be applicable to Companies as well.... right?
If this data put anyone over their ISP's limit and forced them to pay additional fees, there should be some sort of claim to recoup these costs. Also, they 'stole' the connection, so there has to be some payment for that (if you can steal a song, you can steal an internet connection, amIright?)
I'm sure this would also all depend on who the laptop was rented to... I'm sure the laptop rented to the 18 year old female college swimsuit model was 'transmitting' a lot more pictures and video than the one rented to the 40 year old overweight balding middle aged man...
Yes, I'm a cynic... but that doesn't mean I'm wrong
[ link to this | view in thread ]
An overview:
Designerware installs their PC Rental Agent software onto a computer intended for rental. This software works along with a CD or USB dongle, and maybe some additional hardware soldered onto the motherboard. The "agent" reports back to a Designerware server every two hours. Designerware gets paid only for rented computers that are in use so that two hour interval is probably only for a simple status report. Any data stored in the server about a computer is made available to Aaron's. According to Aaron's, only regional managers can access this data and change PC Rental Agent settings. The purpose of the agent software is, in case of payment default or theft, to prevent the use of the computer and to aid in recovery. When a renter defaults, an Aaron's manager can change the settings remotely to lockdown the computer until the user enters a special password known to Aaron's.
Hardware based?
The lawsuit says that some device from Designerware, the maker of the PC Rental Agent, was soldered onto the motherboard and/or is part of the Intel chipset. Really, part of the Intel chipset? (ROTFL!) It further explains that a "wand" is needed to deactivate this hardware/software system.
My speculation is that, if there is something soldered into the motherboard, it is put there by Designerware to prevent both Aarons and the end-user from disabling the PC rental agent from running on the computer. I am skeptical because hand soldering a motherboard is both labor intensive and risky. Their business model of $1.95 for setup and 50 cents/month for use does not support such a risky and labor intensive step. Designerware's current product page describes a CD or USB dongle that is needed to unlock the computer. This is the only hardware described! The vast majority of the functionality of this agent is undoubtedly implemented via software.
Can Aaron's disable the system?
I am guessing that the system's normal, default, setting is to only collect status information, that the computer is in use. Aaron's regional managers can change the software settings. One would expect that Aaron's only changes the settings when the renter has stopped paying. What may be true is that Aaron's cannot disable the whole system from reporting to Designerware's servers. I think they do have control over what information, beyond status, is collected. This brings up the question as to how the PC Rental Agent is removed if a user actually ends up buying the computer. I see two possible methods:
1). the software stays installed, but is disabled remotely by Designerware and afterward does not send any data to their server and no longer requires the dongle.
2). Aaron's must re-install the OS, presumably Windows. This eliminates the software, the need for a dongle, and all user data.
Undoubtedly, a more common step is the user returns the computer without buying it. Here, the F3 key is used to reload Windows with an option to save user data. It is not clear if they mean re-installing Windows or simply rebooting Windows. Allowing a reboot of a locked system seems to be a security loophole allowing the machine to be used until it is locked again.
What information can be collected?
Software with administrative privileges has the potential to monitor and transmit information about everything you do on your computer. The lawsuit claims the Designerware system collects screenshots, webcam images, and keystrokes. It is clear a webcam photo can be taken and transmitted to the server. I think they are just speculating. What Ashton Kelly of Designerware describes is a pop-up window which, deceptively, asks for name, address, and telephone number because the Windows Registry requires it. When this information is entered the webcam takes a photo and all that data is sent to Designerware's central server. I think the plaintiff's lawyers are taking this and extrapolating to a much more intrusive capability. However, it is conceivable that Designerware has allowed a lot of information to be collected in order to recover a stolen computer or one with payments in default. It will be interesting to see these details come out.
Can privacy intrusion be justified?
If the computer was stolen, there should be no question that the owner has the right to collect any information about the user in a stealthy manner. I'm not sure that a default in payment justifies collecting any and all information. I think the information collected from the pop-up window is justified, even if it is done deceptively because it is quite limited in scope. If such limited collection of information is legal then Aaron's collecting such information mistakenly, with no malevolent intent, is also legal. The question, in this case, is why was the PC Rental Agent software still active two months after the Byrds had purchased the system. Does Aaron's ever move to deactivate this software when a computer is purchased?
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Who owns
Can't have it both ways.
[ link to this | view in thread ]
Fourth Amendment Violation
[ link to this | view in thread ]
Justice Served
[ link to this | view in thread ]
Re: Fourth Amendment Violation
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Rent to pwn
[ link to this | view in thread ]
Web Cam monitoring
Sounds like this falls under the area of law with respect to employers and employees. After all, the computer belongs to the rental agency (pseudo employer) with the renters being the pseudo "employees". Not sure how it would play out, I suspect it depends on the terms of the rental agreement and, as you said, other facts.
[ link to this | view in thread ]
Re: Fourth Amendment Violation
> amendment says, "The right of the people to be secure in
> their persons, houses, papers and effects, against unreasonable
> searches and seizures, shall not be violated
The 4th Amendment doesn't apply to private individuals or businesses.
This sort of misperception comes up so frequently in discussions of this nature that it really is disheartening how many people have no understanding of the basic fundamentals of our system of government.
[ link to this | view in thread ]
Re: Web Cam monitoring
A renter is not an employee, pseudo or otherwise. A renter is a customer.
[ link to this | view in thread ]
Free Aarons Laptop
[ link to this | view in thread ]
Free Aarons Laptop
[ link to this | view in thread ]
Missed a payment by a few days they tried to kill the system.....FAIL
I paid them and they gave the passkey, but I told them it was kinda pointless, as I never even used the Windows partition.
[ link to this | view in thread ]