Investigative & Security Professionals for Legislative Action

Expect New Legislation Regarding Software Installed On Computers

04 May 2011 4:45 PM | Anonymous member (Administrator)

WEBCAMS, SPYWARE & KEYSTROKE MONITORING

A Pennsylvania federal lawsuit filed May 2 and reported in today’s Washington Post claims that Aaron’s Inc., a large furniture rental chain store based out of

Atlanta, Georgia , placed spyware on computers they rented to track their customers’ keystrokes, take screenshots and even transmit webcam images of users at their homes. The case was brought by a young couple, Brian and Crystal Byrd. The lawsuit is reminiscent of the Lower Merion School District matter which last year brought about the introduction of anti-surreptitious video surveillance legislation by then Pennsylvania Senator Arlen Specter which ISPLA in Washington worked hard to successfully defeat.

Privacy experts contend that Aaron’s has the right to equip its computers with such software to shut off the devices remotely if customers stop paying their bills.  However, customers must be notified of such monitoring. “If I’m renting a computer ... then I have a right to know what the limitations are and I have a right to know if they’re going to be collecting data from my computer,” said Annie Anton, a professor and computer privacy expert with North Carolina State University.

But the couple who sued Aaron’s said they had no knowledge that the computer they rented came equipped with a device that could spy on them. It was not until December 22, 2010 when an Aaron’s manager came to their home to repossess the computer because he mistakenly believed the Byrds had not paid off their “rent-to-own” agreement. However, after they produced a paid receipt the manager showed them a picture of them using the computer that had been taken by the computer’s webcam.

Aaron’s claims it hasn’t authorized any of its corporate stores to install the software described in the lawsuit. Police were contacted by the customer who ascertained the image had been taken by software of Designerware LLC and installed on all Aaron’s rental computers. Designerware is a codefendant in this matter. The Byrds leased their computer from an independently owned and operated franchisee. Aaron’s believes that none of its more than 1,140 company-operated stores had used Designerware’s product or had done any business with it.

It remains to be seen if the Electronic Communications Privacy Act and the Computer Fraud and Abuse Act were violated. If either law was broken then Aaron’s went too far.

Former FTC Commissioner, Peter Swire, an

Ohio State professor, is quoted in an AP item that using a software "kill switch" is legal because companies can protect themselves from fraud and other crimes.  "But this action sounds like it's stretching the self-defense exception pretty far," he said, because the software "was gathering lots of data that isn't needed for self-protection."  He is also quoted as indicating the Computer Fraud and Abuse Act "prohibits unauthorized access to my computer over the Internet. The renter here didn't authorize this kind of access."

Fred Cate, an information law professor at

Indiana University agrees that consent is required but said the real question might be: "Whose consent?"  Courts have allowed employers to record employee phone calls because the employers own the phones. Similar questions arise as digital technology becomes more omnipresent, Cate said. "We always talk about deterrence value. Well it doesn't make sense to put (the software) on there" without telling people what it can do," according to Cate. "That's why we all put alarm signs in front of our houses, even if we don't have alarms."

According to the lawsuit, components were soldered into the computer's motherboard or otherwise physically attached to the PC's electronics. It can only be uninstalled and deactivated using a wand.  John Robinson, the plaintiffs’ attorney, indicated the computer is currently held as police evidence. His clients want the federal court to declare their case a class action and are seeking unspecified damages and attorneys' fees. They contend the privacy act allows for a penalty of $10,000 or $100 per day per violation, plus punitive damages and other costs.

PRNewswire released an Aaron's, Inc. item that the lawsuit regarding a violation of privacy relating to a computer rented from an Aaron's franchise store is without merit against Aaron's, Inc.

“The Company believes that none of its over 1,140 Company-operated stores have used the product developed or provided by PC Rental Agent or Designerware LLC, the two vendors named in the lawsuit, and neither vendor is approved or have done any business with Aaron's, Inc.

“Aaron's, Inc. respects its customers' privacy and has not authorized any of its corporate stores to install software that can activate a customer's webcam, capture screenshots, or track keystrokes.  The named plaintiffs leased the computer at issue from an independently owned and operated franchisee.  Aaron's, Inc. intends to vigorously defend itself against these allegations.

Aaron's, Inc. has company-operated and franchised stores in 48 states and

Canada . It also manufactures furniture and bedding at 12 facilities in seven states. Information related above is a compilation of reports from the Washington Post, Associated Press, PRNewswire, the American Bar Association, and ISPLA privacy reference material.

ISPLA expects that this revelation, along with recent coverage of Internet tracking by Google, and several Congressional hearings scheduled for next week, will keep our profession busy during the 112th Congress.

Bruce Hulme

ISPLA Director of Government Affairs

To join us and support our proactive efforts please visit www.ISPLA.org

We do much more than just keeping the profession informed!

                                                         ISPLA

Powered by Wild Apricot. Try our all-in-one platform for easy membership management