Okay, folks, we won’t beat around the bush. This is just plain creepy! On Monday, the FTC finalized its order against Aaron’s, one of the country’s largest rent-to-own (RTO) stores, charging that its franchisees were spying on its customers.1 By the way, by spying, we mean to include taking webcam pictures every two minutes that the rented computer was connected to the Internet until directed to stop.

Background

Many of Aaron’s franchisees licensed and installed PC Rental Agent, a privacy-intrusion software, on computers rented to consumers. Unbeknownst to the renters, the software allowed the franchisees to collect private, confidential and personal information about them. Ostensibly, the information was to be used to gather data to assist franchisees in collecting on past-due accounts and recovering computers after default. Nonetheless, the software allowed much more. When in “Detective Mode,” the software logged keystrokes, captured screenshots and activated a computer’s webcam. The program also allowed franchisees to track the physical location of rented computers using WiFi hotspot information.

Quite obviously, the franchisees’ use of this software, without notice to computer users, compromised the renters’ personal, financial and medical information, not to mention the untoward “invasion into the peaceful enjoyment of their homes.” The consumers were also harmed, according to the FTC, by the surreptitious capture of the private details of their lives, including images of visitors, children, family interactions, partially undressed individuals and, as the FTC delicately put it, “people engaged in intimate conduct.” As Walter Dartland, a former deputy attorney general of Florida and executive director of the Consumer Federation of the Southeast, quipped, the key takeaway from this is “Please dress appropriately when at home at all times.”

Why the corporate parent?

If the franchisees were the perpetrators, why did the FTC sue Aaron’s? The answer is twofold. First, the FTC believed that Aaron’s management was aware of at least some of the more egregious aspects of the program since 2009 and did nothing to curtail it. For instance, Aaron’s requires its franchisees to have company-provided email addresses, and provides the franchisees with email accounts and server space to store email messages. Those corporate email addresses were the recipients of the invasive -invading information.

According to the FTC, “Aaron’s maintained on its corporate server upwards of 100,000 Detective Mode messages containing covertly gathered consumer information. … Aaron’s has stored such messages on its computer network since at least 2009” and Aaron’s did not deny franchisee access to the website and offending emails until December 2011. Indeed, the complaint states that Aaron’s IT personnel were aware that company server space was being used to store these emails and knew what they contained. In practiced understatement, the complaint alleges that an Aaron’s employee who reviewed certain Detective Mode images “described the program as ‘very intrusive’ in an email to Aaron’s chief information officer.”

Second, and more incredibly, Aaron’s facilitated the spying program, according to the FTC complaint. Franchisees had to access PC Rental Agent’s manufacturer’s website to activate the software, but the program did not work well with Aaron’s network configurations. Aaron facilitated that interface. Moreover, numerous times franchisees sought written permission from Aaron’s to access the website and senior Aaron’s management approved these requests.

Ironically, Aaron’s considered, but decided against, purchasing PC Rental Agent for its corporate stores.

FTC order

The FTC order prohibits Aaron’s (and its franchisees) from:

  • Engaging in the challenged practices and similar future conduct
  • Using monitoring technology on computers
  • Using geophysical location tracking technology on any consumer product without notifying and obtaining consent from renters
  • The deceptive gathering of consumer information
  • Making any misrepresentations concerning its privacy policy

The order allows monitoring and tracking software only to the extent it is required for technical assistance whose request was initiated by the renter. The FTC also required Aaron’s and its franchisees to destroy all data using monitoring or tracking technology, all data collected by such technology, and mandates the encryption of any properly collected data when it is transmitted. In the future, Aaron’s must prohibit its franchisees from all the above as well.

Conclusion

Clearly, most privacy violations are nowhere near this blatant or disturbing. Nevertheless, this case does demonstrate the increasing ease to gather consumer information. In fact, just this week the FTC held an all-day “Internet of Things” workshop designed “to explore consumer privacy and security issues posed by the growing connectivity of devices.” Increasingly, violations will grow out of sincere efforts to collect data for seemingly legitimate goals. The temptation to gather more data on those who use, license, purchase or rent our products will just be too great.

Unfortunately, the FTC does not possess the authority to impose civil penalties for privacy violations, and instead must wait until one of its orders has been violated. Accordingly, first offenses are given a monetary pass. Many consumer advocates have been lobbying to give the FTC such authority and time will tell whether that movement gathers steam. Interestingly, the software was the subject of other FTC actions earlier this year. Lest you think privacy violators are getting off scot-free, consumer class actions have been filed against Aaron’s, its franchisees and others.